1a04a10f8SKris Kennaway /* 2a04a10f8SKris Kennaway * Copyright (c) 2000 Markus Friedl. All rights reserved. 3a04a10f8SKris Kennaway * 4a04a10f8SKris Kennaway * Redistribution and use in source and binary forms, with or without 5a04a10f8SKris Kennaway * modification, are permitted provided that the following conditions 6a04a10f8SKris Kennaway * are met: 7a04a10f8SKris Kennaway * 1. Redistributions of source code must retain the above copyright 8a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer. 9a04a10f8SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright 10a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer in the 11a04a10f8SKris Kennaway * documentation and/or other materials provided with the distribution. 12a04a10f8SKris Kennaway * 13a04a10f8SKris Kennaway * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14a04a10f8SKris Kennaway * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15a04a10f8SKris Kennaway * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16a04a10f8SKris Kennaway * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17a04a10f8SKris Kennaway * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18a04a10f8SKris Kennaway * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19a04a10f8SKris Kennaway * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20a04a10f8SKris Kennaway * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21a04a10f8SKris Kennaway * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22a04a10f8SKris Kennaway * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23a04a10f8SKris Kennaway */ 24c2d3a559SKris Kennaway 25a04a10f8SKris Kennaway #include "includes.h" 261ec0d754SDag-Erling Smørgrav RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $"); 275b400a39SDag-Erling Smørgrav RCSID("$FreeBSD$"); 28a04a10f8SKris Kennaway 299be00009SDag-Erling Smørgrav #include "canohost.h" 30ca3176e7SBrian Feldman #include "ssh2.h" 31a04a10f8SKris Kennaway #include "xmalloc.h" 32a04a10f8SKris Kennaway #include "packet.h" 33ca3176e7SBrian Feldman #include "log.h" 34a04a10f8SKris Kennaway #include "servconf.h" 35a04a10f8SKris Kennaway #include "compat.h" 36a04a10f8SKris Kennaway #include "auth.h" 37a04a10f8SKris Kennaway #include "dispatch.h" 38ca3176e7SBrian Feldman #include "pathnames.h" 3980628bacSDag-Erling Smørgrav #include "monitor_wrap.h" 40a04a10f8SKris Kennaway 41cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 42cf2b5f3bSDag-Erling Smørgrav #include "ssh-gss.h" 43cf2b5f3bSDag-Erling Smørgrav #endif 44cf2b5f3bSDag-Erling Smørgrav 45a04a10f8SKris Kennaway /* import */ 46a04a10f8SKris Kennaway extern ServerOptions options; 47ca3176e7SBrian Feldman extern u_char *session_id2; 48cf2b5f3bSDag-Erling Smørgrav extern u_int session_id2_len; 49a04a10f8SKris Kennaway 5080628bacSDag-Erling Smørgrav /* methods */ 5180628bacSDag-Erling Smørgrav 5280628bacSDag-Erling Smørgrav extern Authmethod method_none; 5380628bacSDag-Erling Smørgrav extern Authmethod method_pubkey; 5480628bacSDag-Erling Smørgrav extern Authmethod method_passwd; 5580628bacSDag-Erling Smørgrav extern Authmethod method_kbdint; 5680628bacSDag-Erling Smørgrav extern Authmethod method_hostbased; 57cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 58cf2b5f3bSDag-Erling Smørgrav extern Authmethod method_gssapi; 59cf2b5f3bSDag-Erling Smørgrav #endif 6080628bacSDag-Erling Smørgrav 6180628bacSDag-Erling Smørgrav Authmethod *authmethods[] = { 6280628bacSDag-Erling Smørgrav &method_none, 6380628bacSDag-Erling Smørgrav &method_pubkey, 64cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 65cf2b5f3bSDag-Erling Smørgrav &method_gssapi, 66cf2b5f3bSDag-Erling Smørgrav #endif 6780628bacSDag-Erling Smørgrav &method_passwd, 6880628bacSDag-Erling Smørgrav &method_kbdint, 6980628bacSDag-Erling Smørgrav &method_hostbased, 7080628bacSDag-Erling Smørgrav NULL 7109958426SBrian Feldman }; 7209958426SBrian Feldman 73a04a10f8SKris Kennaway /* protocol */ 74a04a10f8SKris Kennaway 75af12a3e7SDag-Erling Smørgrav static void input_service_request(int, u_int32_t, void *); 76af12a3e7SDag-Erling Smørgrav static void input_userauth_request(int, u_int32_t, void *); 77a04a10f8SKris Kennaway 78a04a10f8SKris Kennaway /* helper */ 79af12a3e7SDag-Erling Smørgrav static Authmethod *authmethod_lookup(const char *); 80af12a3e7SDag-Erling Smørgrav static char *authmethods_get(void); 8180628bacSDag-Erling Smørgrav int user_key_allowed(struct passwd *, Key *); 82a04a10f8SKris Kennaway 83a04a10f8SKris Kennaway /* 8409958426SBrian Feldman * loop until authctxt->success == TRUE 85a04a10f8SKris Kennaway */ 86a04a10f8SKris Kennaway 871ec0d754SDag-Erling Smørgrav void 881ec0d754SDag-Erling Smørgrav do_authentication2(Authctxt *authctxt) 89a04a10f8SKris Kennaway { 90af12a3e7SDag-Erling Smørgrav /* challenge-response is implemented via keyboard interactive */ 91af12a3e7SDag-Erling Smørgrav if (options.challenge_response_authentication) 92ca3176e7SBrian Feldman options.kbd_interactive_authentication = 1; 93ca3176e7SBrian Feldman 94af12a3e7SDag-Erling Smørgrav dispatch_init(&dispatch_protocol_error); 95a04a10f8SKris Kennaway dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 9609958426SBrian Feldman dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 97a04a10f8SKris Kennaway } 98a04a10f8SKris Kennaway 99af12a3e7SDag-Erling Smørgrav static void 100af12a3e7SDag-Erling Smørgrav input_service_request(int type, u_int32_t seq, void *ctxt) 101a04a10f8SKris Kennaway { 10209958426SBrian Feldman Authctxt *authctxt = ctxt; 103ca3176e7SBrian Feldman u_int len; 104f388f5efSDag-Erling Smørgrav int acceptit = 0; 105a04a10f8SKris Kennaway char *service = packet_get_string(&len); 106af12a3e7SDag-Erling Smørgrav packet_check_eom(); 107a04a10f8SKris Kennaway 10809958426SBrian Feldman if (authctxt == NULL) 10909958426SBrian Feldman fatal("input_service_request: no authctxt"); 11009958426SBrian Feldman 111a04a10f8SKris Kennaway if (strcmp(service, "ssh-userauth") == 0) { 11209958426SBrian Feldman if (!authctxt->success) { 113f388f5efSDag-Erling Smørgrav acceptit = 1; 114a04a10f8SKris Kennaway /* now we can handle user-auth requests */ 115a04a10f8SKris Kennaway dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 116a04a10f8SKris Kennaway } 117a04a10f8SKris Kennaway } 118a04a10f8SKris Kennaway /* XXX all other service requests are denied */ 119a04a10f8SKris Kennaway 120f388f5efSDag-Erling Smørgrav if (acceptit) { 121a04a10f8SKris Kennaway packet_start(SSH2_MSG_SERVICE_ACCEPT); 122a04a10f8SKris Kennaway packet_put_cstring(service); 123a04a10f8SKris Kennaway packet_send(); 124a04a10f8SKris Kennaway packet_write_wait(); 125a04a10f8SKris Kennaway } else { 126a04a10f8SKris Kennaway debug("bad service request %s", service); 127a04a10f8SKris Kennaway packet_disconnect("bad service request %s", service); 128a04a10f8SKris Kennaway } 129a04a10f8SKris Kennaway xfree(service); 130a04a10f8SKris Kennaway } 131a04a10f8SKris Kennaway 132af12a3e7SDag-Erling Smørgrav static void 133af12a3e7SDag-Erling Smørgrav input_userauth_request(int type, u_int32_t seq, void *ctxt) 134a04a10f8SKris Kennaway { 13509958426SBrian Feldman Authctxt *authctxt = ctxt; 13609958426SBrian Feldman Authmethod *m = NULL; 137ca3176e7SBrian Feldman char *user, *service, *method, *style = NULL; 138a04a10f8SKris Kennaway int authenticated = 0; 1395b400a39SDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP 1405b400a39SDag-Erling Smørgrav login_cap_t *lc; 1415b400a39SDag-Erling Smørgrav const char *from_host, *from_ip; 1425b400a39SDag-Erling Smørgrav 143cf2b5f3bSDag-Erling Smørgrav from_host = get_canonical_hostname(options.use_dns); 1445b400a39SDag-Erling Smørgrav from_ip = get_remote_ipaddr(); 1455b400a39SDag-Erling Smørgrav #endif 146a04a10f8SKris Kennaway 14709958426SBrian Feldman if (authctxt == NULL) 14809958426SBrian Feldman fatal("input_userauth_request: no authctxt"); 149a04a10f8SKris Kennaway 15009958426SBrian Feldman user = packet_get_string(NULL); 15109958426SBrian Feldman service = packet_get_string(NULL); 15209958426SBrian Feldman method = packet_get_string(NULL); 153a04a10f8SKris Kennaway debug("userauth-request for user %s service %s method %s", user, service, method); 154ca3176e7SBrian Feldman debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 155a04a10f8SKris Kennaway 156ca3176e7SBrian Feldman if ((style = strchr(user, ':')) != NULL) 157ca3176e7SBrian Feldman *style++ = 0; 158ca3176e7SBrian Feldman 159ca3176e7SBrian Feldman if (authctxt->attempt++ == 0) { 16009958426SBrian Feldman /* setup auth context */ 16180628bacSDag-Erling Smørgrav authctxt->pw = PRIVSEP(getpwnamallow(user)); 16280628bacSDag-Erling Smørgrav if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 16309958426SBrian Feldman authctxt->valid = 1; 16409958426SBrian Feldman debug2("input_userauth_request: setting up authctxt for %s", user); 16509958426SBrian Feldman #ifdef USE_PAM 166cf2b5f3bSDag-Erling Smørgrav if (options.use_pam) 167989dd127SDag-Erling Smørgrav PRIVSEP(start_pam(authctxt->pw->pw_name)); 16809958426SBrian Feldman #endif 16909958426SBrian Feldman } else { 170cf2b5f3bSDag-Erling Smørgrav logit("input_userauth_request: illegal user %s", user); 171cf2b5f3bSDag-Erling Smørgrav authctxt->pw = fakepw(); 172989dd127SDag-Erling Smørgrav #ifdef USE_PAM 173cf2b5f3bSDag-Erling Smørgrav if (options.use_pam) 174cf2b5f3bSDag-Erling Smørgrav PRIVSEP(start_pam(user)); 175989dd127SDag-Erling Smørgrav #endif 176a04a10f8SKris Kennaway } 17780628bacSDag-Erling Smørgrav setproctitle("%s%s", authctxt->pw ? user : "unknown", 17880628bacSDag-Erling Smørgrav use_privsep ? " [net]" : ""); 17909958426SBrian Feldman authctxt->user = xstrdup(user); 18009958426SBrian Feldman authctxt->service = xstrdup(service); 181af12a3e7SDag-Erling Smørgrav authctxt->style = style ? xstrdup(style) : NULL; 18280628bacSDag-Erling Smørgrav if (use_privsep) 18380628bacSDag-Erling Smørgrav mm_inform_authserv(service, style); 184af12a3e7SDag-Erling Smørgrav } else if (strcmp(user, authctxt->user) != 0 || 18509958426SBrian Feldman strcmp(service, authctxt->service) != 0) { 186af12a3e7SDag-Erling Smørgrav packet_disconnect("Change of username or service not allowed: " 187af12a3e7SDag-Erling Smørgrav "(%s,%s) -> (%s,%s)", 188af12a3e7SDag-Erling Smørgrav authctxt->user, authctxt->service, user, service); 189a04a10f8SKris Kennaway } 1905b400a39SDag-Erling Smørgrav 1915b400a39SDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP 1925b400a39SDag-Erling Smørgrav if (authctxt->pw != NULL) { 1935b400a39SDag-Erling Smørgrav lc = login_getpwclass(authctxt->pw); 1945b400a39SDag-Erling Smørgrav if (lc == NULL) 1955b400a39SDag-Erling Smørgrav lc = login_getclassbyname(NULL, authctxt->pw); 1965b400a39SDag-Erling Smørgrav if (!auth_hostok(lc, from_host, from_ip)) { 197cf2b5f3bSDag-Erling Smørgrav logit("Denied connection for %.200s from %.200s [%.200s].", 1985b400a39SDag-Erling Smørgrav authctxt->pw->pw_name, from_host, from_ip); 1995b400a39SDag-Erling Smørgrav packet_disconnect("Sorry, you are not allowed to connect."); 2005b400a39SDag-Erling Smørgrav } 2015b400a39SDag-Erling Smørgrav if (!auth_timeok(lc, time(NULL))) { 202cf2b5f3bSDag-Erling Smørgrav logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", 2035b400a39SDag-Erling Smørgrav authctxt->pw->pw_name, from_host); 2045b400a39SDag-Erling Smørgrav packet_disconnect("Logins not available right now."); 2055b400a39SDag-Erling Smørgrav } 2065b400a39SDag-Erling Smørgrav login_close(lc); 2075b400a39SDag-Erling Smørgrav lc = NULL; 2085b400a39SDag-Erling Smørgrav } 2095b400a39SDag-Erling Smørgrav #endif /* HAVE_LOGIN_CAP */ 2105b400a39SDag-Erling Smørgrav 211ca3176e7SBrian Feldman /* reset state */ 212af12a3e7SDag-Erling Smørgrav auth2_challenge_stop(authctxt); 213cf2b5f3bSDag-Erling Smørgrav 214cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 215cf2b5f3bSDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 216cf2b5f3bSDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 217cf2b5f3bSDag-Erling Smørgrav #endif 218cf2b5f3bSDag-Erling Smørgrav 219ca3176e7SBrian Feldman authctxt->postponed = 0; 22003e72be8SBrian Feldman 221ca3176e7SBrian Feldman /* try to authenticate user */ 22209958426SBrian Feldman m = authmethod_lookup(method); 22309958426SBrian Feldman if (m != NULL) { 22409958426SBrian Feldman debug2("input_userauth_request: try method %s", method); 22509958426SBrian Feldman authenticated = m->userauth(authctxt); 22609958426SBrian Feldman } 227ca3176e7SBrian Feldman userauth_finish(authctxt, authenticated, method); 22809958426SBrian Feldman 22909958426SBrian Feldman xfree(service); 23009958426SBrian Feldman xfree(user); 23109958426SBrian Feldman xfree(method); 23209958426SBrian Feldman } 23309958426SBrian Feldman 234ca3176e7SBrian Feldman void 235ca3176e7SBrian Feldman userauth_finish(Authctxt *authctxt, int authenticated, char *method) 236ca3176e7SBrian Feldman { 237af12a3e7SDag-Erling Smørgrav char *methods; 238af12a3e7SDag-Erling Smørgrav 239ca3176e7SBrian Feldman if (!authctxt->valid && authenticated) 240ca3176e7SBrian Feldman fatal("INTERNAL ERROR: authenticated invalid user %s", 241ca3176e7SBrian Feldman authctxt->user); 242ca3176e7SBrian Feldman 243ca3176e7SBrian Feldman /* Special handling for root */ 244e73e9afaSDag-Erling Smørgrav if (authenticated && authctxt->pw->pw_uid == 0 && 245ca3176e7SBrian Feldman !auth_root_allowed(method)) 246ca3176e7SBrian Feldman authenticated = 0; 247ca3176e7SBrian Feldman 248989dd127SDag-Erling Smørgrav #ifdef USE_PAM 249cf2b5f3bSDag-Erling Smørgrav if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) 250989dd127SDag-Erling Smørgrav authenticated = 0; 251cf2b5f3bSDag-Erling Smørgrav #endif 252989dd127SDag-Erling Smørgrav 253f388f5efSDag-Erling Smørgrav #ifdef _UNICOS 254f388f5efSDag-Erling Smørgrav if (authenticated && cray_access_denied(authctxt->user)) { 255f388f5efSDag-Erling Smørgrav authenticated = 0; 256f388f5efSDag-Erling Smørgrav fatal("Access denied for user %s.",authctxt->user); 257f388f5efSDag-Erling Smørgrav } 258f388f5efSDag-Erling Smørgrav #endif /* _UNICOS */ 259f388f5efSDag-Erling Smørgrav 260ca3176e7SBrian Feldman /* Log before sending the reply */ 261ca3176e7SBrian Feldman auth_log(authctxt, authenticated, method, " ssh2"); 262ca3176e7SBrian Feldman 263af12a3e7SDag-Erling Smørgrav if (authctxt->postponed) 264af12a3e7SDag-Erling Smørgrav return; 265af12a3e7SDag-Erling Smørgrav 266af12a3e7SDag-Erling Smørgrav /* XXX todo: check if multiple auth methods are needed */ 267af12a3e7SDag-Erling Smørgrav if (authenticated == 1) { 268af12a3e7SDag-Erling Smørgrav /* turn off userauth */ 269af12a3e7SDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 270af12a3e7SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_SUCCESS); 271af12a3e7SDag-Erling Smørgrav packet_send(); 272af12a3e7SDag-Erling Smørgrav packet_write_wait(); 273af12a3e7SDag-Erling Smørgrav /* now we can break out */ 274af12a3e7SDag-Erling Smørgrav authctxt->success = 1; 275af12a3e7SDag-Erling Smørgrav } else { 276cf2b5f3bSDag-Erling Smørgrav if (authctxt->failures++ > AUTH_FAIL_MAX) 277af12a3e7SDag-Erling Smørgrav packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 278af12a3e7SDag-Erling Smørgrav methods = authmethods_get(); 279af12a3e7SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_FAILURE); 280af12a3e7SDag-Erling Smørgrav packet_put_cstring(methods); 281af12a3e7SDag-Erling Smørgrav packet_put_char(0); /* XXX partial success, unused */ 282af12a3e7SDag-Erling Smørgrav packet_send(); 283af12a3e7SDag-Erling Smørgrav packet_write_wait(); 284af12a3e7SDag-Erling Smørgrav xfree(methods); 285af12a3e7SDag-Erling Smørgrav } 286ca3176e7SBrian Feldman } 28709958426SBrian Feldman 28809958426SBrian Feldman #define DELIM "," 28909958426SBrian Feldman 290af12a3e7SDag-Erling Smørgrav static char * 29109958426SBrian Feldman authmethods_get(void) 292a04a10f8SKris Kennaway { 293af12a3e7SDag-Erling Smørgrav Buffer b; 29409958426SBrian Feldman char *list; 29580628bacSDag-Erling Smørgrav int i; 296a04a10f8SKris Kennaway 297af12a3e7SDag-Erling Smørgrav buffer_init(&b); 29880628bacSDag-Erling Smørgrav for (i = 0; authmethods[i] != NULL; i++) { 29980628bacSDag-Erling Smørgrav if (strcmp(authmethods[i]->name, "none") == 0) 30009958426SBrian Feldman continue; 30180628bacSDag-Erling Smørgrav if (authmethods[i]->enabled != NULL && 30280628bacSDag-Erling Smørgrav *(authmethods[i]->enabled) != 0) { 303af12a3e7SDag-Erling Smørgrav if (buffer_len(&b) > 0) 304af12a3e7SDag-Erling Smørgrav buffer_append(&b, ",", 1); 30580628bacSDag-Erling Smørgrav buffer_append(&b, authmethods[i]->name, 30680628bacSDag-Erling Smørgrav strlen(authmethods[i]->name)); 30709958426SBrian Feldman } 30809958426SBrian Feldman } 309af12a3e7SDag-Erling Smørgrav buffer_append(&b, "\0", 1); 310af12a3e7SDag-Erling Smørgrav list = xstrdup(buffer_ptr(&b)); 311af12a3e7SDag-Erling Smørgrav buffer_free(&b); 31209958426SBrian Feldman return list; 31309958426SBrian Feldman } 31409958426SBrian Feldman 315af12a3e7SDag-Erling Smørgrav static Authmethod * 31609958426SBrian Feldman authmethod_lookup(const char *name) 31709958426SBrian Feldman { 31880628bacSDag-Erling Smørgrav int i; 31980628bacSDag-Erling Smørgrav 32009958426SBrian Feldman if (name != NULL) 32180628bacSDag-Erling Smørgrav for (i = 0; authmethods[i] != NULL; i++) 32280628bacSDag-Erling Smørgrav if (authmethods[i]->enabled != NULL && 32380628bacSDag-Erling Smørgrav *(authmethods[i]->enabled) != 0 && 32480628bacSDag-Erling Smørgrav strcmp(name, authmethods[i]->name) == 0) 32580628bacSDag-Erling Smørgrav return authmethods[i]; 32680628bacSDag-Erling Smørgrav debug2("Unrecognized authentication method name: %s", 32780628bacSDag-Erling Smørgrav name ? name : "NULL"); 328a04a10f8SKris Kennaway return NULL; 329a04a10f8SKris Kennaway } 330