1*6888a9beSDag-Erling Smørgrav /* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ 2a04a10f8SKris Kennaway /* 3a04a10f8SKris Kennaway * Copyright (c) 2000 Markus Friedl. All rights reserved. 4a04a10f8SKris Kennaway * 5a04a10f8SKris Kennaway * Redistribution and use in source and binary forms, with or without 6a04a10f8SKris Kennaway * modification, are permitted provided that the following conditions 7a04a10f8SKris Kennaway * are met: 8a04a10f8SKris Kennaway * 1. Redistributions of source code must retain the above copyright 9a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer. 10a04a10f8SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright 11a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer in the 12a04a10f8SKris Kennaway * documentation and/or other materials provided with the distribution. 13a04a10f8SKris Kennaway * 14a04a10f8SKris Kennaway * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15a04a10f8SKris Kennaway * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16a04a10f8SKris Kennaway * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17a04a10f8SKris Kennaway * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18a04a10f8SKris Kennaway * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19a04a10f8SKris Kennaway * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20a04a10f8SKris Kennaway * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21a04a10f8SKris Kennaway * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22a04a10f8SKris Kennaway * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23a04a10f8SKris Kennaway * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24a04a10f8SKris Kennaway */ 25c2d3a559SKris Kennaway 26a04a10f8SKris Kennaway #include "includes.h" 27333ee039SDag-Erling Smørgrav __RCSID("$FreeBSD$"); 28a04a10f8SKris Kennaway 29333ee039SDag-Erling Smørgrav #include <sys/types.h> 30d4af9e69SDag-Erling Smørgrav #include <sys/stat.h> 31d4af9e69SDag-Erling Smørgrav #include <sys/uio.h> 32333ee039SDag-Erling Smørgrav 33d4af9e69SDag-Erling Smørgrav #include <fcntl.h> 34333ee039SDag-Erling Smørgrav #include <pwd.h> 35333ee039SDag-Erling Smørgrav #include <stdarg.h> 36333ee039SDag-Erling Smørgrav #include <string.h> 37d4af9e69SDag-Erling Smørgrav #include <unistd.h> 38333ee039SDag-Erling Smørgrav 39d4af9e69SDag-Erling Smørgrav #include "atomicio.h" 407aee6ffeSDag-Erling Smørgrav #include "xmalloc.h" 41333ee039SDag-Erling Smørgrav #include "ssh2.h" 42a04a10f8SKris Kennaway #include "packet.h" 43ca3176e7SBrian Feldman #include "log.h" 44333ee039SDag-Erling Smørgrav #include "buffer.h" 45a04a10f8SKris Kennaway #include "servconf.h" 46a04a10f8SKris Kennaway #include "compat.h" 47333ee039SDag-Erling Smørgrav #include "key.h" 48333ee039SDag-Erling Smørgrav #include "hostfile.h" 49a04a10f8SKris Kennaway #include "auth.h" 50a04a10f8SKris Kennaway #include "dispatch.h" 51ca3176e7SBrian Feldman #include "pathnames.h" 52aa49c926SDag-Erling Smørgrav #include "buffer.h" 53333ee039SDag-Erling Smørgrav #include "canohost.h" 54a04a10f8SKris Kennaway 55cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 56cf2b5f3bSDag-Erling Smørgrav #include "ssh-gss.h" 57cf2b5f3bSDag-Erling Smørgrav #endif 58333ee039SDag-Erling Smørgrav #include "monitor_wrap.h" 59cf2b5f3bSDag-Erling Smørgrav 60a04a10f8SKris Kennaway /* import */ 61a04a10f8SKris Kennaway extern ServerOptions options; 62ca3176e7SBrian Feldman extern u_char *session_id2; 63cf2b5f3bSDag-Erling Smørgrav extern u_int session_id2_len; 64aa49c926SDag-Erling Smørgrav extern Buffer loginmsg; 65a04a10f8SKris Kennaway 6680628bacSDag-Erling Smørgrav /* methods */ 6780628bacSDag-Erling Smørgrav 6880628bacSDag-Erling Smørgrav extern Authmethod method_none; 6980628bacSDag-Erling Smørgrav extern Authmethod method_pubkey; 7080628bacSDag-Erling Smørgrav extern Authmethod method_passwd; 7180628bacSDag-Erling Smørgrav extern Authmethod method_kbdint; 7280628bacSDag-Erling Smørgrav extern Authmethod method_hostbased; 73cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 74cf2b5f3bSDag-Erling Smørgrav extern Authmethod method_gssapi; 75cf2b5f3bSDag-Erling Smørgrav #endif 76cce7d346SDag-Erling Smørgrav #ifdef JPAKE 77cce7d346SDag-Erling Smørgrav extern Authmethod method_jpake; 78cce7d346SDag-Erling Smørgrav #endif 7980628bacSDag-Erling Smørgrav 8080628bacSDag-Erling Smørgrav Authmethod *authmethods[] = { 8180628bacSDag-Erling Smørgrav &method_none, 8280628bacSDag-Erling Smørgrav &method_pubkey, 83cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 84cf2b5f3bSDag-Erling Smørgrav &method_gssapi, 85cf2b5f3bSDag-Erling Smørgrav #endif 86cce7d346SDag-Erling Smørgrav #ifdef JPAKE 87cce7d346SDag-Erling Smørgrav &method_jpake, 88cce7d346SDag-Erling Smørgrav #endif 8980628bacSDag-Erling Smørgrav &method_passwd, 9080628bacSDag-Erling Smørgrav &method_kbdint, 9180628bacSDag-Erling Smørgrav &method_hostbased, 9280628bacSDag-Erling Smørgrav NULL 9309958426SBrian Feldman }; 9409958426SBrian Feldman 95a04a10f8SKris Kennaway /* protocol */ 96a04a10f8SKris Kennaway 97af12a3e7SDag-Erling Smørgrav static void input_service_request(int, u_int32_t, void *); 98af12a3e7SDag-Erling Smørgrav static void input_userauth_request(int, u_int32_t, void *); 99a04a10f8SKris Kennaway 100a04a10f8SKris Kennaway /* helper */ 101*6888a9beSDag-Erling Smørgrav static Authmethod *authmethod_lookup(Authctxt *, const char *); 102*6888a9beSDag-Erling Smørgrav static char *authmethods_get(Authctxt *authctxt); 103*6888a9beSDag-Erling Smørgrav static int method_allowed(Authctxt *, const char *); 104*6888a9beSDag-Erling Smørgrav static int list_starts_with(const char *, const char *); 105d4af9e69SDag-Erling Smørgrav 106d4af9e69SDag-Erling Smørgrav char * 107d4af9e69SDag-Erling Smørgrav auth2_read_banner(void) 108d4af9e69SDag-Erling Smørgrav { 109d4af9e69SDag-Erling Smørgrav struct stat st; 110d4af9e69SDag-Erling Smørgrav char *banner = NULL; 111d4af9e69SDag-Erling Smørgrav size_t len, n; 112d4af9e69SDag-Erling Smørgrav int fd; 113d4af9e69SDag-Erling Smørgrav 114d4af9e69SDag-Erling Smørgrav if ((fd = open(options.banner, O_RDONLY)) == -1) 115d4af9e69SDag-Erling Smørgrav return (NULL); 116d4af9e69SDag-Erling Smørgrav if (fstat(fd, &st) == -1) { 117d4af9e69SDag-Erling Smørgrav close(fd); 118d4af9e69SDag-Erling Smørgrav return (NULL); 119d4af9e69SDag-Erling Smørgrav } 120462c32cbSDag-Erling Smørgrav if (st.st_size <= 0 || st.st_size > 1*1024*1024) { 121d4af9e69SDag-Erling Smørgrav close(fd); 122d4af9e69SDag-Erling Smørgrav return (NULL); 123d4af9e69SDag-Erling Smørgrav } 124d4af9e69SDag-Erling Smørgrav 125d4af9e69SDag-Erling Smørgrav len = (size_t)st.st_size; /* truncate */ 126d4af9e69SDag-Erling Smørgrav banner = xmalloc(len + 1); 127d4af9e69SDag-Erling Smørgrav n = atomicio(read, fd, banner, len); 128d4af9e69SDag-Erling Smørgrav close(fd); 129d4af9e69SDag-Erling Smørgrav 130d4af9e69SDag-Erling Smørgrav if (n != len) { 131d4af9e69SDag-Erling Smørgrav xfree(banner); 132d4af9e69SDag-Erling Smørgrav return (NULL); 133d4af9e69SDag-Erling Smørgrav } 134d4af9e69SDag-Erling Smørgrav banner[n] = '\0'; 135d4af9e69SDag-Erling Smørgrav 136d4af9e69SDag-Erling Smørgrav return (banner); 137d4af9e69SDag-Erling Smørgrav } 138d4af9e69SDag-Erling Smørgrav 139d4af9e69SDag-Erling Smørgrav void 140d4af9e69SDag-Erling Smørgrav userauth_send_banner(const char *msg) 141d4af9e69SDag-Erling Smørgrav { 142d4af9e69SDag-Erling Smørgrav if (datafellows & SSH_BUG_BANNER) 143d4af9e69SDag-Erling Smørgrav return; 144d4af9e69SDag-Erling Smørgrav 145d4af9e69SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_BANNER); 146d4af9e69SDag-Erling Smørgrav packet_put_cstring(msg); 147d4af9e69SDag-Erling Smørgrav packet_put_cstring(""); /* language, unused */ 148d4af9e69SDag-Erling Smørgrav packet_send(); 149d4af9e69SDag-Erling Smørgrav debug("%s: sent", __func__); 150d4af9e69SDag-Erling Smørgrav } 151d4af9e69SDag-Erling Smørgrav 152d4af9e69SDag-Erling Smørgrav static void 153d4af9e69SDag-Erling Smørgrav userauth_banner(void) 154d4af9e69SDag-Erling Smørgrav { 155d4af9e69SDag-Erling Smørgrav char *banner = NULL; 156d4af9e69SDag-Erling Smørgrav 157d4af9e69SDag-Erling Smørgrav if (options.banner == NULL || 158d4af9e69SDag-Erling Smørgrav strcasecmp(options.banner, "none") == 0 || 159d4af9e69SDag-Erling Smørgrav (datafellows & SSH_BUG_BANNER) != 0) 160d4af9e69SDag-Erling Smørgrav return; 161d4af9e69SDag-Erling Smørgrav 162d4af9e69SDag-Erling Smørgrav if ((banner = PRIVSEP(auth2_read_banner())) == NULL) 163d4af9e69SDag-Erling Smørgrav goto done; 164d4af9e69SDag-Erling Smørgrav userauth_send_banner(banner); 165d4af9e69SDag-Erling Smørgrav 166d4af9e69SDag-Erling Smørgrav done: 167d4af9e69SDag-Erling Smørgrav if (banner) 168d4af9e69SDag-Erling Smørgrav xfree(banner); 169d4af9e69SDag-Erling Smørgrav } 170a04a10f8SKris Kennaway 171a04a10f8SKris Kennaway /* 17209958426SBrian Feldman * loop until authctxt->success == TRUE 173a04a10f8SKris Kennaway */ 1741ec0d754SDag-Erling Smørgrav void 1751ec0d754SDag-Erling Smørgrav do_authentication2(Authctxt *authctxt) 176a04a10f8SKris Kennaway { 177af12a3e7SDag-Erling Smørgrav dispatch_init(&dispatch_protocol_error); 178a04a10f8SKris Kennaway dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 17909958426SBrian Feldman dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 180a04a10f8SKris Kennaway } 181a04a10f8SKris Kennaway 182333ee039SDag-Erling Smørgrav /*ARGSUSED*/ 183af12a3e7SDag-Erling Smørgrav static void 184af12a3e7SDag-Erling Smørgrav input_service_request(int type, u_int32_t seq, void *ctxt) 185a04a10f8SKris Kennaway { 18609958426SBrian Feldman Authctxt *authctxt = ctxt; 187ca3176e7SBrian Feldman u_int len; 188f388f5efSDag-Erling Smørgrav int acceptit = 0; 1894a421b63SDag-Erling Smørgrav char *service = packet_get_cstring(&len); 190af12a3e7SDag-Erling Smørgrav packet_check_eom(); 191a04a10f8SKris Kennaway 19209958426SBrian Feldman if (authctxt == NULL) 19309958426SBrian Feldman fatal("input_service_request: no authctxt"); 19409958426SBrian Feldman 195a04a10f8SKris Kennaway if (strcmp(service, "ssh-userauth") == 0) { 19609958426SBrian Feldman if (!authctxt->success) { 197f388f5efSDag-Erling Smørgrav acceptit = 1; 198a04a10f8SKris Kennaway /* now we can handle user-auth requests */ 199a04a10f8SKris Kennaway dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 200a04a10f8SKris Kennaway } 201a04a10f8SKris Kennaway } 202a04a10f8SKris Kennaway /* XXX all other service requests are denied */ 203a04a10f8SKris Kennaway 204f388f5efSDag-Erling Smørgrav if (acceptit) { 205a04a10f8SKris Kennaway packet_start(SSH2_MSG_SERVICE_ACCEPT); 206a04a10f8SKris Kennaway packet_put_cstring(service); 207a04a10f8SKris Kennaway packet_send(); 208a04a10f8SKris Kennaway packet_write_wait(); 209a04a10f8SKris Kennaway } else { 210a04a10f8SKris Kennaway debug("bad service request %s", service); 211a04a10f8SKris Kennaway packet_disconnect("bad service request %s", service); 212a04a10f8SKris Kennaway } 213a04a10f8SKris Kennaway xfree(service); 214a04a10f8SKris Kennaway } 215a04a10f8SKris Kennaway 216333ee039SDag-Erling Smørgrav /*ARGSUSED*/ 217af12a3e7SDag-Erling Smørgrav static void 218af12a3e7SDag-Erling Smørgrav input_userauth_request(int type, u_int32_t seq, void *ctxt) 219a04a10f8SKris Kennaway { 22009958426SBrian Feldman Authctxt *authctxt = ctxt; 22109958426SBrian Feldman Authmethod *m = NULL; 222ca3176e7SBrian Feldman char *user, *service, *method, *style = NULL; 223a04a10f8SKris Kennaway int authenticated = 0; 2245b400a39SDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP 2255b400a39SDag-Erling Smørgrav login_cap_t *lc; 2265b400a39SDag-Erling Smørgrav const char *from_host, *from_ip; 2275b400a39SDag-Erling Smørgrav 228cf2b5f3bSDag-Erling Smørgrav from_host = get_canonical_hostname(options.use_dns); 2295b400a39SDag-Erling Smørgrav from_ip = get_remote_ipaddr(); 2305b400a39SDag-Erling Smørgrav #endif 231a04a10f8SKris Kennaway 23209958426SBrian Feldman if (authctxt == NULL) 23309958426SBrian Feldman fatal("input_userauth_request: no authctxt"); 234a04a10f8SKris Kennaway 2354a421b63SDag-Erling Smørgrav user = packet_get_cstring(NULL); 2364a421b63SDag-Erling Smørgrav service = packet_get_cstring(NULL); 2374a421b63SDag-Erling Smørgrav method = packet_get_cstring(NULL); 238a04a10f8SKris Kennaway debug("userauth-request for user %s service %s method %s", user, service, method); 239ca3176e7SBrian Feldman debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 240a04a10f8SKris Kennaway 241ca3176e7SBrian Feldman if ((style = strchr(user, ':')) != NULL) 242ca3176e7SBrian Feldman *style++ = 0; 243ca3176e7SBrian Feldman 244ca3176e7SBrian Feldman if (authctxt->attempt++ == 0) { 24509958426SBrian Feldman /* setup auth context */ 24680628bacSDag-Erling Smørgrav authctxt->pw = PRIVSEP(getpwnamallow(user)); 2475962c0e9SDag-Erling Smørgrav authctxt->user = xstrdup(user); 24880628bacSDag-Erling Smørgrav if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 24909958426SBrian Feldman authctxt->valid = 1; 25009958426SBrian Feldman debug2("input_userauth_request: setting up authctxt for %s", user); 25109958426SBrian Feldman } else { 25221e764dfSDag-Erling Smørgrav logit("input_userauth_request: invalid user %s", user); 253cf2b5f3bSDag-Erling Smørgrav authctxt->pw = fakepw(); 254aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS 255aa49c926SDag-Erling Smørgrav PRIVSEP(audit_event(SSH_INVALID_USER)); 256aa49c926SDag-Erling Smørgrav #endif 257a04a10f8SKris Kennaway } 258b74df5b2SDag-Erling Smørgrav #ifdef USE_PAM 259b74df5b2SDag-Erling Smørgrav if (options.use_pam) 260b74df5b2SDag-Erling Smørgrav PRIVSEP(start_pam(authctxt)); 261b74df5b2SDag-Erling Smørgrav #endif 26221e764dfSDag-Erling Smørgrav setproctitle("%s%s", authctxt->valid ? user : "unknown", 26380628bacSDag-Erling Smørgrav use_privsep ? " [net]" : ""); 26409958426SBrian Feldman authctxt->service = xstrdup(service); 265af12a3e7SDag-Erling Smørgrav authctxt->style = style ? xstrdup(style) : NULL; 26680628bacSDag-Erling Smørgrav if (use_privsep) 26780628bacSDag-Erling Smørgrav mm_inform_authserv(service, style); 268d4af9e69SDag-Erling Smørgrav userauth_banner(); 269*6888a9beSDag-Erling Smørgrav if (auth2_setup_methods_lists(authctxt) != 0) 270*6888a9beSDag-Erling Smørgrav packet_disconnect("no authentication methods enabled"); 271af12a3e7SDag-Erling Smørgrav } else if (strcmp(user, authctxt->user) != 0 || 27209958426SBrian Feldman strcmp(service, authctxt->service) != 0) { 273af12a3e7SDag-Erling Smørgrav packet_disconnect("Change of username or service not allowed: " 274af12a3e7SDag-Erling Smørgrav "(%s,%s) -> (%s,%s)", 275af12a3e7SDag-Erling Smørgrav authctxt->user, authctxt->service, user, service); 276a04a10f8SKris Kennaway } 2775b400a39SDag-Erling Smørgrav 2785b400a39SDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP 2795b400a39SDag-Erling Smørgrav if (authctxt->pw != NULL) { 2805b400a39SDag-Erling Smørgrav lc = login_getpwclass(authctxt->pw); 2815b400a39SDag-Erling Smørgrav if (lc == NULL) 2825b400a39SDag-Erling Smørgrav lc = login_getclassbyname(NULL, authctxt->pw); 2835b400a39SDag-Erling Smørgrav if (!auth_hostok(lc, from_host, from_ip)) { 284cf2b5f3bSDag-Erling Smørgrav logit("Denied connection for %.200s from %.200s [%.200s].", 2855b400a39SDag-Erling Smørgrav authctxt->pw->pw_name, from_host, from_ip); 2865b400a39SDag-Erling Smørgrav packet_disconnect("Sorry, you are not allowed to connect."); 2875b400a39SDag-Erling Smørgrav } 2885b400a39SDag-Erling Smørgrav if (!auth_timeok(lc, time(NULL))) { 289cf2b5f3bSDag-Erling Smørgrav logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", 2905b400a39SDag-Erling Smørgrav authctxt->pw->pw_name, from_host); 2915b400a39SDag-Erling Smørgrav packet_disconnect("Logins not available right now."); 2925b400a39SDag-Erling Smørgrav } 2935b400a39SDag-Erling Smørgrav login_close(lc); 2945b400a39SDag-Erling Smørgrav lc = NULL; 2955b400a39SDag-Erling Smørgrav } 2965b400a39SDag-Erling Smørgrav #endif /* HAVE_LOGIN_CAP */ 2975b400a39SDag-Erling Smørgrav 298ca3176e7SBrian Feldman /* reset state */ 299af12a3e7SDag-Erling Smørgrav auth2_challenge_stop(authctxt); 300cce7d346SDag-Erling Smørgrav #ifdef JPAKE 301cce7d346SDag-Erling Smørgrav auth2_jpake_stop(authctxt); 302cce7d346SDag-Erling Smørgrav #endif 303cf2b5f3bSDag-Erling Smørgrav 304cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 305cce7d346SDag-Erling Smørgrav /* XXX move to auth2_gssapi_stop() */ 306cf2b5f3bSDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 307cf2b5f3bSDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 308cf2b5f3bSDag-Erling Smørgrav #endif 309cf2b5f3bSDag-Erling Smørgrav 310ca3176e7SBrian Feldman authctxt->postponed = 0; 311e146993eSDag-Erling Smørgrav authctxt->server_caused_failure = 0; 31203e72be8SBrian Feldman 313ca3176e7SBrian Feldman /* try to authenticate user */ 314*6888a9beSDag-Erling Smørgrav m = authmethod_lookup(authctxt, method); 315d4af9e69SDag-Erling Smørgrav if (m != NULL && authctxt->failures < options.max_authtries) { 31609958426SBrian Feldman debug2("input_userauth_request: try method %s", method); 31709958426SBrian Feldman authenticated = m->userauth(authctxt); 31809958426SBrian Feldman } 319*6888a9beSDag-Erling Smørgrav userauth_finish(authctxt, authenticated, method, NULL); 32009958426SBrian Feldman 32109958426SBrian Feldman xfree(service); 32209958426SBrian Feldman xfree(user); 32309958426SBrian Feldman xfree(method); 32409958426SBrian Feldman } 32509958426SBrian Feldman 326ca3176e7SBrian Feldman void 327*6888a9beSDag-Erling Smørgrav userauth_finish(Authctxt *authctxt, int authenticated, const char *method, 328*6888a9beSDag-Erling Smørgrav const char *submethod) 329ca3176e7SBrian Feldman { 330af12a3e7SDag-Erling Smørgrav char *methods; 331*6888a9beSDag-Erling Smørgrav int partial = 0; 332af12a3e7SDag-Erling Smørgrav 333ca3176e7SBrian Feldman if (!authctxt->valid && authenticated) 334ca3176e7SBrian Feldman fatal("INTERNAL ERROR: authenticated invalid user %s", 335ca3176e7SBrian Feldman authctxt->user); 336*6888a9beSDag-Erling Smørgrav if (authenticated && authctxt->postponed) 337*6888a9beSDag-Erling Smørgrav fatal("INTERNAL ERROR: authenticated and postponed"); 338ca3176e7SBrian Feldman 339ca3176e7SBrian Feldman /* Special handling for root */ 340e73e9afaSDag-Erling Smørgrav if (authenticated && authctxt->pw->pw_uid == 0 && 341aa49c926SDag-Erling Smørgrav !auth_root_allowed(method)) { 342ca3176e7SBrian Feldman authenticated = 0; 343aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS 344aa49c926SDag-Erling Smørgrav PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); 345aa49c926SDag-Erling Smørgrav #endif 346aa49c926SDag-Erling Smørgrav } 347ca3176e7SBrian Feldman 348*6888a9beSDag-Erling Smørgrav if (authenticated && options.num_auth_methods != 0) { 349*6888a9beSDag-Erling Smørgrav if (!auth2_update_methods_lists(authctxt, method)) { 350*6888a9beSDag-Erling Smørgrav authenticated = 0; 351*6888a9beSDag-Erling Smørgrav partial = 1; 352*6888a9beSDag-Erling Smørgrav } 353*6888a9beSDag-Erling Smørgrav } 354*6888a9beSDag-Erling Smørgrav 355*6888a9beSDag-Erling Smørgrav /* Log before sending the reply */ 356*6888a9beSDag-Erling Smørgrav auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); 357*6888a9beSDag-Erling Smørgrav 358*6888a9beSDag-Erling Smørgrav if (authctxt->postponed) 359*6888a9beSDag-Erling Smørgrav return; 360*6888a9beSDag-Erling Smørgrav 361989dd127SDag-Erling Smørgrav #ifdef USE_PAM 362aa49c926SDag-Erling Smørgrav if (options.use_pam && authenticated) { 363aa49c926SDag-Erling Smørgrav if (!PRIVSEP(do_pam_account())) { 364aa49c926SDag-Erling Smørgrav /* if PAM returned a message, send it to the user */ 365aa49c926SDag-Erling Smørgrav if (buffer_len(&loginmsg) > 0) { 366aa49c926SDag-Erling Smørgrav buffer_append(&loginmsg, "\0", 1); 367aa49c926SDag-Erling Smørgrav userauth_send_banner(buffer_ptr(&loginmsg)); 368aa49c926SDag-Erling Smørgrav packet_write_wait(); 369aa49c926SDag-Erling Smørgrav } 370aa49c926SDag-Erling Smørgrav fatal("Access denied for user %s by PAM account " 371aa49c926SDag-Erling Smørgrav "configuration", authctxt->user); 372aa49c926SDag-Erling Smørgrav } 373aa49c926SDag-Erling Smørgrav } 374cf2b5f3bSDag-Erling Smørgrav #endif 375989dd127SDag-Erling Smørgrav 376f388f5efSDag-Erling Smørgrav #ifdef _UNICOS 377f388f5efSDag-Erling Smørgrav if (authenticated && cray_access_denied(authctxt->user)) { 378f388f5efSDag-Erling Smørgrav authenticated = 0; 379f388f5efSDag-Erling Smørgrav fatal("Access denied for user %s.", authctxt->user); 380f388f5efSDag-Erling Smørgrav } 381f388f5efSDag-Erling Smørgrav #endif /* _UNICOS */ 382f388f5efSDag-Erling Smørgrav 383af12a3e7SDag-Erling Smørgrav if (authenticated == 1) { 384af12a3e7SDag-Erling Smørgrav /* turn off userauth */ 385af12a3e7SDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 386af12a3e7SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_SUCCESS); 387af12a3e7SDag-Erling Smørgrav packet_send(); 388af12a3e7SDag-Erling Smørgrav packet_write_wait(); 389af12a3e7SDag-Erling Smørgrav /* now we can break out */ 390af12a3e7SDag-Erling Smørgrav authctxt->success = 1; 391af12a3e7SDag-Erling Smørgrav } else { 392d4af9e69SDag-Erling Smørgrav 393d4af9e69SDag-Erling Smørgrav /* Allow initial try of "none" auth without failure penalty */ 394e146993eSDag-Erling Smørgrav if (!authctxt->server_caused_failure && 395e146993eSDag-Erling Smørgrav (authctxt->attempt > 1 || strcmp(method, "none") != 0)) 396d4af9e69SDag-Erling Smørgrav authctxt->failures++; 397d4af9e69SDag-Erling Smørgrav if (authctxt->failures >= options.max_authtries) { 398aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS 399aa49c926SDag-Erling Smørgrav PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 400aa49c926SDag-Erling Smørgrav #endif 401af12a3e7SDag-Erling Smørgrav packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 402aa49c926SDag-Erling Smørgrav } 403*6888a9beSDag-Erling Smørgrav methods = authmethods_get(authctxt); 404*6888a9beSDag-Erling Smørgrav debug3("%s: failure partial=%d next methods=\"%s\"", __func__, 405*6888a9beSDag-Erling Smørgrav partial, methods); 406af12a3e7SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_FAILURE); 407af12a3e7SDag-Erling Smørgrav packet_put_cstring(methods); 408*6888a9beSDag-Erling Smørgrav packet_put_char(partial); 409af12a3e7SDag-Erling Smørgrav packet_send(); 410af12a3e7SDag-Erling Smørgrav packet_write_wait(); 411af12a3e7SDag-Erling Smørgrav xfree(methods); 412af12a3e7SDag-Erling Smørgrav } 413ca3176e7SBrian Feldman } 41409958426SBrian Feldman 415*6888a9beSDag-Erling Smørgrav /* 416*6888a9beSDag-Erling Smørgrav * Checks whether method is allowed by at least one AuthenticationMethods 417*6888a9beSDag-Erling Smørgrav * methods list. Returns 1 if allowed, or no methods lists configured. 418*6888a9beSDag-Erling Smørgrav * 0 otherwise. 419*6888a9beSDag-Erling Smørgrav */ 420*6888a9beSDag-Erling Smørgrav static int 421*6888a9beSDag-Erling Smørgrav method_allowed(Authctxt *authctxt, const char *method) 422*6888a9beSDag-Erling Smørgrav { 423*6888a9beSDag-Erling Smørgrav u_int i; 424*6888a9beSDag-Erling Smørgrav 425*6888a9beSDag-Erling Smørgrav /* 426*6888a9beSDag-Erling Smørgrav * NB. authctxt->num_auth_methods might be zero as a result of 427*6888a9beSDag-Erling Smørgrav * auth2_setup_methods_lists(), so check the configuration. 428*6888a9beSDag-Erling Smørgrav */ 429*6888a9beSDag-Erling Smørgrav if (options.num_auth_methods == 0) 430*6888a9beSDag-Erling Smørgrav return 1; 431*6888a9beSDag-Erling Smørgrav for (i = 0; i < authctxt->num_auth_methods; i++) { 432*6888a9beSDag-Erling Smørgrav if (list_starts_with(authctxt->auth_methods[i], method)) 433*6888a9beSDag-Erling Smørgrav return 1; 434*6888a9beSDag-Erling Smørgrav } 435*6888a9beSDag-Erling Smørgrav return 0; 436*6888a9beSDag-Erling Smørgrav } 437*6888a9beSDag-Erling Smørgrav 438af12a3e7SDag-Erling Smørgrav static char * 439*6888a9beSDag-Erling Smørgrav authmethods_get(Authctxt *authctxt) 440a04a10f8SKris Kennaway { 441af12a3e7SDag-Erling Smørgrav Buffer b; 44209958426SBrian Feldman char *list; 443*6888a9beSDag-Erling Smørgrav u_int i; 444a04a10f8SKris Kennaway 445af12a3e7SDag-Erling Smørgrav buffer_init(&b); 44680628bacSDag-Erling Smørgrav for (i = 0; authmethods[i] != NULL; i++) { 44780628bacSDag-Erling Smørgrav if (strcmp(authmethods[i]->name, "none") == 0) 44809958426SBrian Feldman continue; 449*6888a9beSDag-Erling Smørgrav if (authmethods[i]->enabled == NULL || 450*6888a9beSDag-Erling Smørgrav *(authmethods[i]->enabled) == 0) 451*6888a9beSDag-Erling Smørgrav continue; 452*6888a9beSDag-Erling Smørgrav if (!method_allowed(authctxt, authmethods[i]->name)) 453*6888a9beSDag-Erling Smørgrav continue; 454af12a3e7SDag-Erling Smørgrav if (buffer_len(&b) > 0) 455af12a3e7SDag-Erling Smørgrav buffer_append(&b, ",", 1); 45680628bacSDag-Erling Smørgrav buffer_append(&b, authmethods[i]->name, 45780628bacSDag-Erling Smørgrav strlen(authmethods[i]->name)); 45809958426SBrian Feldman } 459af12a3e7SDag-Erling Smørgrav buffer_append(&b, "\0", 1); 460af12a3e7SDag-Erling Smørgrav list = xstrdup(buffer_ptr(&b)); 461af12a3e7SDag-Erling Smørgrav buffer_free(&b); 46209958426SBrian Feldman return list; 46309958426SBrian Feldman } 46409958426SBrian Feldman 465af12a3e7SDag-Erling Smørgrav static Authmethod * 466*6888a9beSDag-Erling Smørgrav authmethod_lookup(Authctxt *authctxt, const char *name) 46709958426SBrian Feldman { 46880628bacSDag-Erling Smørgrav int i; 46980628bacSDag-Erling Smørgrav 47009958426SBrian Feldman if (name != NULL) 47180628bacSDag-Erling Smørgrav for (i = 0; authmethods[i] != NULL; i++) 47280628bacSDag-Erling Smørgrav if (authmethods[i]->enabled != NULL && 47380628bacSDag-Erling Smørgrav *(authmethods[i]->enabled) != 0 && 474*6888a9beSDag-Erling Smørgrav strcmp(name, authmethods[i]->name) == 0 && 475*6888a9beSDag-Erling Smørgrav method_allowed(authctxt, authmethods[i]->name)) 47680628bacSDag-Erling Smørgrav return authmethods[i]; 47780628bacSDag-Erling Smørgrav debug2("Unrecognized authentication method name: %s", 47880628bacSDag-Erling Smørgrav name ? name : "NULL"); 479a04a10f8SKris Kennaway return NULL; 480a04a10f8SKris Kennaway } 481d4af9e69SDag-Erling Smørgrav 482*6888a9beSDag-Erling Smørgrav /* 483*6888a9beSDag-Erling Smørgrav * Check a comma-separated list of methods for validity. Is need_enable is 484*6888a9beSDag-Erling Smørgrav * non-zero, then also require that the methods are enabled. 485*6888a9beSDag-Erling Smørgrav * Returns 0 on success or -1 if the methods list is invalid. 486*6888a9beSDag-Erling Smørgrav */ 487*6888a9beSDag-Erling Smørgrav int 488*6888a9beSDag-Erling Smørgrav auth2_methods_valid(const char *_methods, int need_enable) 489*6888a9beSDag-Erling Smørgrav { 490*6888a9beSDag-Erling Smørgrav char *methods, *omethods, *method; 491*6888a9beSDag-Erling Smørgrav u_int i, found; 492*6888a9beSDag-Erling Smørgrav int ret = -1; 493*6888a9beSDag-Erling Smørgrav 494*6888a9beSDag-Erling Smørgrav if (*_methods == '\0') { 495*6888a9beSDag-Erling Smørgrav error("empty authentication method list"); 496*6888a9beSDag-Erling Smørgrav return -1; 497*6888a9beSDag-Erling Smørgrav } 498*6888a9beSDag-Erling Smørgrav omethods = methods = xstrdup(_methods); 499*6888a9beSDag-Erling Smørgrav while ((method = strsep(&methods, ",")) != NULL) { 500*6888a9beSDag-Erling Smørgrav for (found = i = 0; !found && authmethods[i] != NULL; i++) { 501*6888a9beSDag-Erling Smørgrav if (strcmp(method, authmethods[i]->name) != 0) 502*6888a9beSDag-Erling Smørgrav continue; 503*6888a9beSDag-Erling Smørgrav if (need_enable) { 504*6888a9beSDag-Erling Smørgrav if (authmethods[i]->enabled == NULL || 505*6888a9beSDag-Erling Smørgrav *(authmethods[i]->enabled) == 0) { 506*6888a9beSDag-Erling Smørgrav error("Disabled method \"%s\" in " 507*6888a9beSDag-Erling Smørgrav "AuthenticationMethods list \"%s\"", 508*6888a9beSDag-Erling Smørgrav method, _methods); 509*6888a9beSDag-Erling Smørgrav goto out; 510*6888a9beSDag-Erling Smørgrav } 511*6888a9beSDag-Erling Smørgrav } 512*6888a9beSDag-Erling Smørgrav found = 1; 513*6888a9beSDag-Erling Smørgrav break; 514*6888a9beSDag-Erling Smørgrav } 515*6888a9beSDag-Erling Smørgrav if (!found) { 516*6888a9beSDag-Erling Smørgrav error("Unknown authentication method \"%s\" in list", 517*6888a9beSDag-Erling Smørgrav method); 518*6888a9beSDag-Erling Smørgrav goto out; 519*6888a9beSDag-Erling Smørgrav } 520*6888a9beSDag-Erling Smørgrav } 521*6888a9beSDag-Erling Smørgrav ret = 0; 522*6888a9beSDag-Erling Smørgrav out: 523*6888a9beSDag-Erling Smørgrav free(omethods); 524*6888a9beSDag-Erling Smørgrav return ret; 525*6888a9beSDag-Erling Smørgrav } 526*6888a9beSDag-Erling Smørgrav 527*6888a9beSDag-Erling Smørgrav /* 528*6888a9beSDag-Erling Smørgrav * Prune the AuthenticationMethods supplied in the configuration, removing 529*6888a9beSDag-Erling Smørgrav * any methods lists that include disabled methods. Note that this might 530*6888a9beSDag-Erling Smørgrav * leave authctxt->num_auth_methods == 0, even when multiple required auth 531*6888a9beSDag-Erling Smørgrav * has been requested. For this reason, all tests for whether multiple is 532*6888a9beSDag-Erling Smørgrav * enabled should consult options.num_auth_methods directly. 533*6888a9beSDag-Erling Smørgrav */ 534*6888a9beSDag-Erling Smørgrav int 535*6888a9beSDag-Erling Smørgrav auth2_setup_methods_lists(Authctxt *authctxt) 536*6888a9beSDag-Erling Smørgrav { 537*6888a9beSDag-Erling Smørgrav u_int i; 538*6888a9beSDag-Erling Smørgrav 539*6888a9beSDag-Erling Smørgrav if (options.num_auth_methods == 0) 540*6888a9beSDag-Erling Smørgrav return 0; 541*6888a9beSDag-Erling Smørgrav debug3("%s: checking methods", __func__); 542*6888a9beSDag-Erling Smørgrav authctxt->auth_methods = xcalloc(options.num_auth_methods, 543*6888a9beSDag-Erling Smørgrav sizeof(*authctxt->auth_methods)); 544*6888a9beSDag-Erling Smørgrav authctxt->num_auth_methods = 0; 545*6888a9beSDag-Erling Smørgrav for (i = 0; i < options.num_auth_methods; i++) { 546*6888a9beSDag-Erling Smørgrav if (auth2_methods_valid(options.auth_methods[i], 1) != 0) { 547*6888a9beSDag-Erling Smørgrav logit("Authentication methods list \"%s\" contains " 548*6888a9beSDag-Erling Smørgrav "disabled method, skipping", 549*6888a9beSDag-Erling Smørgrav options.auth_methods[i]); 550*6888a9beSDag-Erling Smørgrav continue; 551*6888a9beSDag-Erling Smørgrav } 552*6888a9beSDag-Erling Smørgrav debug("authentication methods list %d: %s", 553*6888a9beSDag-Erling Smørgrav authctxt->num_auth_methods, options.auth_methods[i]); 554*6888a9beSDag-Erling Smørgrav authctxt->auth_methods[authctxt->num_auth_methods++] = 555*6888a9beSDag-Erling Smørgrav xstrdup(options.auth_methods[i]); 556*6888a9beSDag-Erling Smørgrav } 557*6888a9beSDag-Erling Smørgrav if (authctxt->num_auth_methods == 0) { 558*6888a9beSDag-Erling Smørgrav error("No AuthenticationMethods left after eliminating " 559*6888a9beSDag-Erling Smørgrav "disabled methods"); 560*6888a9beSDag-Erling Smørgrav return -1; 561*6888a9beSDag-Erling Smørgrav } 562*6888a9beSDag-Erling Smørgrav return 0; 563*6888a9beSDag-Erling Smørgrav } 564*6888a9beSDag-Erling Smørgrav 565*6888a9beSDag-Erling Smørgrav static int 566*6888a9beSDag-Erling Smørgrav list_starts_with(const char *methods, const char *method) 567*6888a9beSDag-Erling Smørgrav { 568*6888a9beSDag-Erling Smørgrav size_t l = strlen(method); 569*6888a9beSDag-Erling Smørgrav 570*6888a9beSDag-Erling Smørgrav if (strncmp(methods, method, l) != 0) 571*6888a9beSDag-Erling Smørgrav return 0; 572*6888a9beSDag-Erling Smørgrav if (methods[l] != ',' && methods[l] != '\0') 573*6888a9beSDag-Erling Smørgrav return 0; 574*6888a9beSDag-Erling Smørgrav return 1; 575*6888a9beSDag-Erling Smørgrav } 576*6888a9beSDag-Erling Smørgrav 577*6888a9beSDag-Erling Smørgrav /* 578*6888a9beSDag-Erling Smørgrav * Remove method from the start of a comma-separated list of methods. 579*6888a9beSDag-Erling Smørgrav * Returns 0 if the list of methods did not start with that method or 1 580*6888a9beSDag-Erling Smørgrav * if it did. 581*6888a9beSDag-Erling Smørgrav */ 582*6888a9beSDag-Erling Smørgrav static int 583*6888a9beSDag-Erling Smørgrav remove_method(char **methods, const char *method) 584*6888a9beSDag-Erling Smørgrav { 585*6888a9beSDag-Erling Smørgrav char *omethods = *methods; 586*6888a9beSDag-Erling Smørgrav size_t l = strlen(method); 587*6888a9beSDag-Erling Smørgrav 588*6888a9beSDag-Erling Smørgrav if (!list_starts_with(omethods, method)) 589*6888a9beSDag-Erling Smørgrav return 0; 590*6888a9beSDag-Erling Smørgrav *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); 591*6888a9beSDag-Erling Smørgrav free(omethods); 592*6888a9beSDag-Erling Smørgrav return 1; 593*6888a9beSDag-Erling Smørgrav } 594*6888a9beSDag-Erling Smørgrav 595*6888a9beSDag-Erling Smørgrav /* 596*6888a9beSDag-Erling Smørgrav * Called after successful authentication. Will remove the successful method 597*6888a9beSDag-Erling Smørgrav * from the start of each list in which it occurs. If it was the last method 598*6888a9beSDag-Erling Smørgrav * in any list, then authentication is deemed successful. 599*6888a9beSDag-Erling Smørgrav * Returns 1 if the method completed any authentication list or 0 otherwise. 600*6888a9beSDag-Erling Smørgrav */ 601*6888a9beSDag-Erling Smørgrav int 602*6888a9beSDag-Erling Smørgrav auth2_update_methods_lists(Authctxt *authctxt, const char *method) 603*6888a9beSDag-Erling Smørgrav { 604*6888a9beSDag-Erling Smørgrav u_int i, found = 0; 605*6888a9beSDag-Erling Smørgrav 606*6888a9beSDag-Erling Smørgrav debug3("%s: updating methods list after \"%s\"", __func__, method); 607*6888a9beSDag-Erling Smørgrav for (i = 0; i < authctxt->num_auth_methods; i++) { 608*6888a9beSDag-Erling Smørgrav if (!remove_method(&(authctxt->auth_methods[i]), method)) 609*6888a9beSDag-Erling Smørgrav continue; 610*6888a9beSDag-Erling Smørgrav found = 1; 611*6888a9beSDag-Erling Smørgrav if (*authctxt->auth_methods[i] == '\0') { 612*6888a9beSDag-Erling Smørgrav debug2("authentication methods list %d complete", i); 613*6888a9beSDag-Erling Smørgrav return 1; 614*6888a9beSDag-Erling Smørgrav } 615*6888a9beSDag-Erling Smørgrav debug3("authentication methods list %d remaining: \"%s\"", 616*6888a9beSDag-Erling Smørgrav i, authctxt->auth_methods[i]); 617*6888a9beSDag-Erling Smørgrav } 618*6888a9beSDag-Erling Smørgrav /* This should not happen, but would be bad if it did */ 619*6888a9beSDag-Erling Smørgrav if (!found) 620*6888a9beSDag-Erling Smørgrav fatal("%s: method not in AuthenticationMethods", __func__); 621*6888a9beSDag-Erling Smørgrav return 0; 622*6888a9beSDag-Erling Smørgrav } 623*6888a9beSDag-Erling Smørgrav 624*6888a9beSDag-Erling Smørgrav 625