1d4af9e69SDag-Erling Smørgrav /* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */ 2a04a10f8SKris Kennaway /* 3a04a10f8SKris Kennaway * Copyright (c) 2000 Markus Friedl. All rights reserved. 4a04a10f8SKris Kennaway * 5a04a10f8SKris Kennaway * Redistribution and use in source and binary forms, with or without 6a04a10f8SKris Kennaway * modification, are permitted provided that the following conditions 7a04a10f8SKris Kennaway * are met: 8a04a10f8SKris Kennaway * 1. Redistributions of source code must retain the above copyright 9a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer. 10a04a10f8SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright 11a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer in the 12a04a10f8SKris Kennaway * documentation and/or other materials provided with the distribution. 13a04a10f8SKris Kennaway * 14a04a10f8SKris Kennaway * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15a04a10f8SKris Kennaway * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16a04a10f8SKris Kennaway * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17a04a10f8SKris Kennaway * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18a04a10f8SKris Kennaway * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19a04a10f8SKris Kennaway * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20a04a10f8SKris Kennaway * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21a04a10f8SKris Kennaway * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22a04a10f8SKris Kennaway * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23a04a10f8SKris Kennaway * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24a04a10f8SKris Kennaway */ 25c2d3a559SKris Kennaway 26a04a10f8SKris Kennaway #include "includes.h" 27333ee039SDag-Erling Smørgrav __RCSID("$FreeBSD$"); 28a04a10f8SKris Kennaway 29333ee039SDag-Erling Smørgrav #include <sys/types.h> 30d4af9e69SDag-Erling Smørgrav #include <sys/stat.h> 31d4af9e69SDag-Erling Smørgrav #include <sys/uio.h> 32333ee039SDag-Erling Smørgrav 33d4af9e69SDag-Erling Smørgrav #include <fcntl.h> 34333ee039SDag-Erling Smørgrav #include <pwd.h> 35333ee039SDag-Erling Smørgrav #include <stdarg.h> 36333ee039SDag-Erling Smørgrav #include <string.h> 37d4af9e69SDag-Erling Smørgrav #include <unistd.h> 38333ee039SDag-Erling Smørgrav 39a04a10f8SKris Kennaway #include "xmalloc.h" 40d4af9e69SDag-Erling Smørgrav #include "atomicio.h" 41333ee039SDag-Erling Smørgrav #include "ssh2.h" 42a04a10f8SKris Kennaway #include "packet.h" 43ca3176e7SBrian Feldman #include "log.h" 44333ee039SDag-Erling Smørgrav #include "buffer.h" 45a04a10f8SKris Kennaway #include "servconf.h" 46a04a10f8SKris Kennaway #include "compat.h" 47333ee039SDag-Erling Smørgrav #include "key.h" 48333ee039SDag-Erling Smørgrav #include "hostfile.h" 49a04a10f8SKris Kennaway #include "auth.h" 50a04a10f8SKris Kennaway #include "dispatch.h" 51ca3176e7SBrian Feldman #include "pathnames.h" 52aa49c926SDag-Erling Smørgrav #include "buffer.h" 53333ee039SDag-Erling Smørgrav #include "canohost.h" 54a04a10f8SKris Kennaway 55cf2b5f3bSDag-Erling Smørgrav #ifdef GSSAPI 56cf2b5f3bSDag-Erling Smørgrav #include "ssh-gss.h" 57cf2b5f3bSDag-Erling Smørgrav #endif 58333ee039SDag-Erling Smørgrav #include "monitor_wrap.h" 59cf2b5f3bSDag-Erling Smørgrav 60a04a10f8SKris Kennaway /* import */ 61a04a10f8SKris Kennaway extern ServerOptions options; 62ca3176e7SBrian Feldman extern u_char *session_id2; 63cf2b5f3bSDag-Erling Smørgrav extern u_int session_id2_len; 64aa49c926SDag-Erling Smørgrav extern Buffer loginmsg; 65a04a10f8SKris Kennaway 6680628bacSDag-Erling Smørgrav /* methods */ 6780628bacSDag-Erling Smørgrav 
extern Authmethod method_none;
extern Authmethod method_pubkey;
extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
#endif

/*
 * NULL-terminated table of the userauth methods compiled into this server.
 * authmethod_lookup() resolves a client-supplied method name against it and
 * authmethods_get() advertises it to the client in this order; "none" is
 * present so a client may probe, but is never advertised.
 */
Authmethod *authmethods[] = {
	&method_none,
	&method_pubkey,
#ifdef GSSAPI
	&method_gssapi,
#endif
	&method_passwd,
	&method_kbdint,
	&method_hostbased,
	NULL
};

/* protocol */

static void input_service_request(int, u_int32_t, void *);
static void input_userauth_request(int, u_int32_t, void *);

/* helper */
static Authmethod *authmethod_lookup(const char *);
static char *authmethods_get(void);

/*
 * Read the file named by options.banner into a newly allocated,
 * NUL-terminated string.
 *
 * Returns NULL (and leaves no fd open) if the file cannot be opened or
 * fstat'ed, if it is larger than 1 MiB, or if it cannot be read in full.
 * The caller owns the returned buffer and must xfree() it.  Called through
 * PRIVSEP() from userauth_banner().
 */
char *
auth2_read_banner(void)
{
	struct stat st;
	char *banner = NULL;
	size_t len, n;
	int fd;

	if ((fd = open(options.banner, O_RDONLY)) == -1)
		return (NULL);
	if (fstat(fd, &st) == -1) {
		close(fd);
		return (NULL);
	}
	/* Hard cap on the banner size: bounds the allocation below. */
	if (st.st_size > 1*1024*1024) {
		close(fd);
		return (NULL);
	}

	len = (size_t)st.st_size; /* truncate */
	banner = xmalloc(len + 1);
	/* atomicio() retries short reads; anything less than len is an error. */
	n = atomicio(read, fd, banner, len);
	close(fd);

	if (n != len) {
		xfree(banner);
		return (NULL);
	}
	banner[n] = '\0';

	return (banner);
}

/*
 * Send msg to the client as an SSH2_MSG_USERAUTH_BANNER message, with an
 * empty language tag.  Suppressed entirely for peers flagged with
 * SSH_BUG_BANNER.  msg must be NUL-terminated.
 */
void
userauth_send_banner(const char *msg)
{
	if (datafellows & SSH_BUG_BANNER)
		return;

	packet_start(SSH2_MSG_USERAUTH_BANNER);
	packet_put_cstring(msg);
	packet_put_cstring(""); /* language, unused */
	packet_send();
	debug("%s: sent", __func__);
}

/*
 * Send the configured pre-authentication banner, if any.  Does nothing when
 * no banner is configured ("none" or unset) or the peer cannot handle
 * banners.  The file is read via PRIVSEP() and the buffer freed here.
 */
static void
userauth_banner(void)
{
	char *banner = NULL;

	if (options.banner == NULL ||
	    strcasecmp(options.banner, "none") == 0 ||
	    (datafellows & SSH_BUG_BANNER) != 0)
		return;

	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
		goto done;
	userauth_send_banner(banner);

done:
	if (banner)
		xfree(banner);
}

/*
 * loop until authctxt->success == TRUE
 *
 * Installs dispatch_protocol_error as the default handler so that any
 * message other than SSH2_MSG_SERVICE_REQUEST is rejected until a service
 * has been accepted; input_service_request() then enables the userauth
 * handler.  dispatch_run() returns once authctxt->success becomes non-zero.
 */
void
do_authentication2(Authctxt *authctxt)
{
	dispatch_init(&dispatch_protocol_error);
	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
}

/*
 * Handler for SSH2_MSG_SERVICE_REQUEST.
 *
 * Only "ssh-userauth" is accepted, and only while authentication has not
 * yet succeeded; accepting it installs input_userauth_request() for
 * SSH2_MSG_USERAUTH_REQUEST.  Any other service name, or a trailing payload
 * (packet_check_eom), terminates the connection.
 */
/*ARGSUSED*/
static void
input_service_request(int type, u_int32_t seq, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	u_int len;
	int acceptit = 0;
	char *service = packet_get_string(&len);
	packet_check_eom();

	if (authctxt == NULL)
		fatal("input_service_request: no authctxt");

	if (strcmp(service, "ssh-userauth") == 0) {
		if (!authctxt->success) {
			acceptit = 1;
			/* now we can handle user-auth requests */
			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
		}
	}
	/* XXX all other service requests are denied */

	if (acceptit) {
		packet_start(SSH2_MSG_SERVICE_ACCEPT);
		packet_put_cstring(service);
		packet_send();
		packet_write_wait();
	} else {
		debug("bad service request %s", service);
		/* packet_disconnect() does not return; service is leaked here. */
		packet_disconnect("bad service request %s", service);
	}
	xfree(service);
}

/*
 * Handler for SSH2_MSG_USERAUTH_REQUEST.
 *
 * Parses the client-supplied user, service and method names.  The first
 * request binds the user and service to authctxt (looking the user up via
 * PRIVSEP(getpwnamallow()) and substituting fakepw() for unknown users so
 * that processing continues on the same path); every later request must
 * repeat the same user and service or the connection is dropped.  The
 * named method is then attempted if it is enabled and the failure budget
 * (options.max_authtries) is not yet exhausted, and userauth_finish()
 * sends the reply.
 */
/*ARGSUSED*/
static void
input_userauth_request(int type, u_int32_t seq, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	Authmethod *m = NULL;
	char *user, *service, *method, *style = NULL;
	int authenticated = 0;
#ifdef HAVE_LOGIN_CAP
	login_cap_t *lc;
	const char *from_host, *from_ip;

	from_host = get_canonical_hostname(options.use_dns);
	from_ip = get_remote_ipaddr();
#endif

	if (authctxt == NULL)
		fatal("input_userauth_request: no authctxt");

	user = packet_get_string(NULL);
	service = packet_get_string(NULL);
	method = packet_get_string(NULL);
	debug("userauth-request for user %s service %s method %s", user, service, method);
	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);

	/*
	 * The client may send "user:style"; split the (untrusted) style
	 * suffix off so user holds only the login name.
	 */
	if ((style = strchr(user, ':')) != NULL)
		*style++ = 0;

	if (authctxt->attempt++ == 0) {
		/* setup auth context */
		authctxt->pw = PRIVSEP(getpwnamallow(user));
		authctxt->user = xstrdup(user);
		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
			authctxt->valid = 1;
			debug2("input_userauth_request: setting up authctxt for %s", user);
		} else {
			logit("input_userauth_request: invalid user %s", user);
			/* Placeholder entry; authctxt->valid stays 0. */
			authctxt->pw = fakepw();
#ifdef SSH_AUDIT_EVENTS
			PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
		}
#ifdef USE_PAM
		if (options.use_pam)
			PRIVSEP(start_pam(authctxt));
#endif
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
		    use_privsep ? " [net]" : "");
		authctxt->service = xstrdup(service);
		authctxt->style = style ? xstrdup(style) : NULL;
		if (use_privsep)
			mm_inform_authserv(service, style);
		userauth_banner();
	} else if (strcmp(user, authctxt->user) != 0 ||
	    strcmp(service, authctxt->service) != 0) {
		/* A client may not switch identities mid-authentication. */
		packet_disconnect("Change of username or service not allowed: "
		    "(%s,%s) -> (%s,%s)",
		    authctxt->user, authctxt->service, user, service);
	}

#ifdef HAVE_LOGIN_CAP
	/*
	 * login.conf host/time restrictions, evaluated on every request.
	 * NOTE(review): after fakepw() authctxt->pw is non-NULL, so these
	 * checks also run against the placeholder entry.
	 */
	if (authctxt->pw != NULL) {
		lc = login_getpwclass(authctxt->pw);
		if (lc == NULL)
			lc = login_getclassbyname(NULL, authctxt->pw);
		if (!auth_hostok(lc, from_host, from_ip)) {
			logit("Denied connection for %.200s from %.200s [%.200s].",
			    authctxt->pw->pw_name, from_host, from_ip);
			packet_disconnect("Sorry, you are not allowed to connect.");
		}
		if (!auth_timeok(lc, time(NULL))) {
			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
			    authctxt->pw->pw_name, from_host);
			packet_disconnect("Logins not available right now.");
		}
		login_close(lc);
		lc = NULL;
	}
#endif /* HAVE_LOGIN_CAP */

	/* reset state */
	auth2_challenge_stop(authctxt);

#ifdef GSSAPI
	/* Drop any GSSAPI sub-handlers left over from a previous attempt. */
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
#endif

	authctxt->postponed = 0;

	/* try to authenticate user */
	m = authmethod_lookup(method);
	/*
	 * Unknown/disabled methods and exhausted failure budgets both fall
	 * through with authenticated == 0; userauth_finish() then counts
	 * the failure and disconnects once max_authtries is reached.
	 */
	if (m != NULL && authctxt->failures < options.max_authtries) {
		debug2("input_userauth_request: try method %s", method);
		authenticated = m->userauth(authctxt);
	}
	userauth_finish(authctxt, authenticated, method);

	xfree(service);
	xfree(user);
	xfree(method);
}

/*
 * Complete one authentication attempt: apply the post-method policy checks
 * (no success for an invalid user, root access per auth_root_allowed(),
 * PAM account management), log the outcome, and send
 * SSH2_MSG_USERAUTH_SUCCESS or SSH2_MSG_USERAUTH_FAILURE.
 *
 * authenticated is the method's verdict (non-zero on success).  If the
 * method set authctxt->postponed (a multi-round exchange is in progress)
 * nothing is sent.  On failure the counter is incremented -- except for the
 * client's initial "none" probe -- and the connection is dropped once
 * options.max_authtries is reached.
 */
void
userauth_finish(Authctxt *authctxt, int authenticated, char *method)
{
	char *methods;

	/* Invariant: a method must never succeed for a user without a valid pw. */
	if (!authctxt->valid && authenticated)
		fatal("INTERNAL ERROR: authenticated invalid user %s",
		    authctxt->user);

	/* Special handling for root */
	if (authenticated && authctxt->pw->pw_uid == 0 &&
	    !auth_root_allowed(method)) {
		authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
#endif
	}

#ifdef USE_PAM
	/* PAM account checks run only after the method itself succeeded. */
	if (options.use_pam && authenticated) {
		if (!PRIVSEP(do_pam_account())) {
			/* if PAM returned a message, send it to the user */
			if (buffer_len(&loginmsg) > 0) {
				buffer_append(&loginmsg, "\0", 1);
				userauth_send_banner(buffer_ptr(&loginmsg));
				packet_write_wait();
			}
			fatal("Access denied for user %s by PAM account "
			    "configuration", authctxt->user);
		}
	}
#endif

#ifdef _UNICOS
	if (authenticated && cray_access_denied(authctxt->user)) {
		authenticated = 0;
		fatal("Access denied for user %s.",authctxt->user);
	}
#endif /* _UNICOS */

	/* Log before sending the reply */
	auth_log(authctxt, authenticated, method, " ssh2");

	if (authctxt->postponed)
		return;

	/* XXX todo: check if multiple auth methods are needed */
	if (authenticated == 1) {
		/* turn off userauth */
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
		packet_send();
		packet_write_wait();
		/* now we can break out */
		authctxt->success = 1;
	} else {

		/* Allow initial try of "none" auth without failure penalty */
		if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
			authctxt->failures++;
		if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
#endif
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
		}
		methods = authmethods_get();
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
		packet_put_cstring(methods);
		packet_put_char(0);	/* XXX partial success, unused */
		packet_send();
		packet_write_wait();
		xfree(methods);
	}
}

/*
 * Build the comma-separated list of currently enabled methods, in
 * authmethods[] order, for the USERAUTH_FAILURE reply.  "none" is always
 * omitted; a method is enabled when its enabled pointer is non-NULL and
 * points at a non-zero value.  Returns an xstrdup'ed string the caller
 * must xfree(); an empty string if nothing is enabled.
 */
static char *
authmethods_get(void)
{
	Buffer b;
	char *list;
	int i;

	buffer_init(&b);
	for (i = 0; authmethods[i] != NULL; i++) {
		if (strcmp(authmethods[i]->name, "none") == 0)
			continue;
		if (authmethods[i]->enabled != NULL &&
		    *(authmethods[i]->enabled) != 0) {
			if (buffer_len(&b) > 0)
				buffer_append(&b, ",", 1);
			buffer_append(&b, authmethods[i]->name,
			    strlen(authmethods[i]->name));
		}
	}
	/* Terminate so buffer_ptr() can be treated as a C string. */
	buffer_append(&b, "\0", 1);
	list = xstrdup(buffer_ptr(&b));
	buffer_free(&b);
	return list;
}

/*
 * Find the enabled method whose name exactly matches name.  Disabled
 * methods are not matched, so a client cannot request a method that the
 * configuration has turned off.  Returns NULL (after a debug2 log) for
 * NULL, unknown or disabled names.
 */
static Authmethod *
authmethod_lookup(const char *name)
{
	int i;

	if (name != NULL)
		for (i = 0; authmethods[i] != NULL; i++)
			if (authmethods[i]->enabled != NULL &&
			    *(authmethods[i]->enabled) != 0 &&
			    strcmp(name, authmethods[i]->name) == 0)
				return authmethods[i];
	debug2("Unrecognized authentication method name: %s",
	    name ? name : "NULL");
	return NULL;
}
