1a04a10f8SKris Kennaway /* 2a04a10f8SKris Kennaway * Copyright (c) 2000 Markus Friedl. All rights reserved. 3a04a10f8SKris Kennaway * 4a04a10f8SKris Kennaway * Redistribution and use in source and binary forms, with or without 5a04a10f8SKris Kennaway * modification, are permitted provided that the following conditions 6a04a10f8SKris Kennaway * are met: 7a04a10f8SKris Kennaway * 1. Redistributions of source code must retain the above copyright 8a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer. 9a04a10f8SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright 10a04a10f8SKris Kennaway * notice, this list of conditions and the following disclaimer in the 11a04a10f8SKris Kennaway * documentation and/or other materials provided with the distribution. 12a04a10f8SKris Kennaway * 13a04a10f8SKris Kennaway * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14a04a10f8SKris Kennaway * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15a04a10f8SKris Kennaway * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16a04a10f8SKris Kennaway * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17a04a10f8SKris Kennaway * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18a04a10f8SKris Kennaway * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19a04a10f8SKris Kennaway * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20a04a10f8SKris Kennaway * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21a04a10f8SKris Kennaway * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22a04a10f8SKris Kennaway * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23a04a10f8SKris Kennaway */ 24c2d3a559SKris Kennaway 25a04a10f8SKris Kennaway #include "includes.h" 26f388f5efSDag-Erling Smørgrav RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $"); 275b400a39SDag-Erling Smørgrav RCSID("$FreeBSD$"); 28a04a10f8SKris Kennaway 29ca3176e7SBrian Feldman #include "ssh2.h" 30a04a10f8SKris Kennaway #include "xmalloc.h" 31a04a10f8SKris Kennaway #include "packet.h" 32ca3176e7SBrian Feldman #include "log.h" 33a04a10f8SKris Kennaway #include "servconf.h" 34a04a10f8SKris Kennaway #include "compat.h" 35a04a10f8SKris Kennaway #include "auth.h" 36a04a10f8SKris Kennaway #include "dispatch.h" 37ca3176e7SBrian Feldman #include "pathnames.h" 3880628bacSDag-Erling Smørgrav #include "monitor_wrap.h" 39a04a10f8SKris Kennaway 40a04a10f8SKris Kennaway /* import */ 41a04a10f8SKris Kennaway extern ServerOptions options; 42ca3176e7SBrian Feldman extern u_char *session_id2; 43a04a10f8SKris Kennaway extern int session_id2_len; 44a04a10f8SKris Kennaway 4580628bacSDag-Erling Smørgrav Authctxt *x_authctxt = NULL; 4609958426SBrian Feldman 4780628bacSDag-Erling Smørgrav /* methods */ 4880628bacSDag-Erling Smørgrav 4980628bacSDag-Erling Smørgrav extern Authmethod method_none; 5080628bacSDag-Erling Smørgrav extern Authmethod method_pubkey; 5180628bacSDag-Erling Smørgrav extern Authmethod method_passwd; 5280628bacSDag-Erling Smørgrav extern Authmethod method_kbdint; 5380628bacSDag-Erling Smørgrav extern Authmethod method_hostbased; 5480628bacSDag-Erling Smørgrav 5580628bacSDag-Erling Smørgrav Authmethod *authmethods[] = { 5680628bacSDag-Erling Smørgrav &method_none, 5780628bacSDag-Erling Smørgrav &method_pubkey, 5880628bacSDag-Erling Smørgrav &method_passwd, 5980628bacSDag-Erling Smørgrav &method_kbdint, 6080628bacSDag-Erling Smørgrav &method_hostbased, 6180628bacSDag-Erling Smørgrav NULL 6209958426SBrian Feldman }; 6309958426SBrian Feldman 64a04a10f8SKris Kennaway /* protocol */ 65a04a10f8SKris Kennaway 66af12a3e7SDag-Erling Smørgrav static void input_service_request(int, u_int32_t, void *); 67af12a3e7SDag-Erling Smørgrav static void input_userauth_request(int, u_int32_t, void *); 68a04a10f8SKris Kennaway 69a04a10f8SKris Kennaway /* helper */ 70af12a3e7SDag-Erling Smørgrav static Authmethod *authmethod_lookup(const char *); 71af12a3e7SDag-Erling Smørgrav static char *authmethods_get(void); 7280628bacSDag-Erling Smørgrav int user_key_allowed(struct passwd *, Key *); 7380628bacSDag-Erling Smørgrav int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 74a04a10f8SKris Kennaway 75a04a10f8SKris Kennaway /* 7609958426SBrian Feldman * loop until authctxt->success == TRUE 77a04a10f8SKris Kennaway */ 78a04a10f8SKris Kennaway 7980628bacSDag-Erling Smørgrav Authctxt * 80af12a3e7SDag-Erling Smørgrav do_authentication2(void) 81a04a10f8SKris Kennaway { 82ca3176e7SBrian Feldman Authctxt *authctxt = authctxt_new(); 83ca3176e7SBrian Feldman 8409958426SBrian Feldman x_authctxt = authctxt; /*XXX*/ 8509958426SBrian Feldman 86af12a3e7SDag-Erling Smørgrav /* challenge-response is implemented via keyboard interactive */ 87af12a3e7SDag-Erling Smørgrav if (options.challenge_response_authentication) 88ca3176e7SBrian Feldman options.kbd_interactive_authentication = 1; 89989dd127SDag-Erling Smørgrav if (options.pam_authentication_via_kbd_int) 90989dd127SDag-Erling Smørgrav options.kbd_interactive_authentication = 1; 91989dd127SDag-Erling Smørgrav if (use_privsep) 92989dd127SDag-Erling Smørgrav options.pam_authentication_via_kbd_int = 0; 93ca3176e7SBrian Feldman 94af12a3e7SDag-Erling Smørgrav dispatch_init(&dispatch_protocol_error); 95a04a10f8SKris Kennaway dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 9609958426SBrian Feldman dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 9780628bacSDag-Erling Smørgrav 9880628bacSDag-Erling Smørgrav return (authctxt); 99a04a10f8SKris Kennaway } 100a04a10f8SKris Kennaway 101af12a3e7SDag-Erling Smørgrav static void 102af12a3e7SDag-Erling Smørgrav input_service_request(int type, u_int32_t seq, void *ctxt) 103a04a10f8SKris Kennaway { 10409958426SBrian Feldman Authctxt *authctxt = ctxt; 105ca3176e7SBrian Feldman u_int len; 106f388f5efSDag-Erling Smørgrav int acceptit = 0; 107a04a10f8SKris Kennaway char *service = packet_get_string(&len); 108af12a3e7SDag-Erling Smørgrav packet_check_eom(); 109a04a10f8SKris Kennaway 11009958426SBrian Feldman if (authctxt == NULL) 11109958426SBrian Feldman fatal("input_service_request: no authctxt"); 11209958426SBrian Feldman 113a04a10f8SKris Kennaway if (strcmp(service, "ssh-userauth") == 0) { 11409958426SBrian Feldman if (!authctxt->success) { 115f388f5efSDag-Erling Smørgrav acceptit = 1; 116a04a10f8SKris Kennaway /* now we can handle user-auth requests */ 117a04a10f8SKris Kennaway dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 118a04a10f8SKris Kennaway } 119a04a10f8SKris Kennaway } 120a04a10f8SKris Kennaway /* XXX all other service requests are denied */ 121a04a10f8SKris Kennaway 122f388f5efSDag-Erling Smørgrav if (acceptit) { 123a04a10f8SKris Kennaway packet_start(SSH2_MSG_SERVICE_ACCEPT); 124a04a10f8SKris Kennaway packet_put_cstring(service); 125a04a10f8SKris Kennaway packet_send(); 126a04a10f8SKris Kennaway packet_write_wait(); 127a04a10f8SKris Kennaway } else { 128a04a10f8SKris Kennaway debug("bad service request %s", service); 129a04a10f8SKris Kennaway packet_disconnect("bad service request %s", service); 130a04a10f8SKris Kennaway } 131a04a10f8SKris Kennaway xfree(service); 132a04a10f8SKris Kennaway } 133a04a10f8SKris Kennaway 134af12a3e7SDag-Erling Smørgrav static void 135af12a3e7SDag-Erling Smørgrav input_userauth_request(int type, u_int32_t seq, void *ctxt) 136a04a10f8SKris Kennaway { 13709958426SBrian Feldman Authctxt *authctxt = ctxt; 13809958426SBrian Feldman Authmethod *m = NULL; 139ca3176e7SBrian Feldman char *user, *service, *method, *style = NULL; 140a04a10f8SKris Kennaway int authenticated = 0; 1415b400a39SDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP 1425b400a39SDag-Erling Smørgrav login_cap_t *lc; 1435b400a39SDag-Erling Smørgrav const char *from_host, *from_ip; 1445b400a39SDag-Erling Smørgrav 1455b400a39SDag-Erling Smørgrav from_host = get_canonical_hostname(options.verify_reverse_mapping); 1465b400a39SDag-Erling Smørgrav from_ip = get_remote_ipaddr(); 1475b400a39SDag-Erling Smørgrav #endif 148a04a10f8SKris Kennaway 14909958426SBrian Feldman if (authctxt == NULL) 15009958426SBrian Feldman fatal("input_userauth_request: no authctxt"); 151a04a10f8SKris Kennaway 15209958426SBrian Feldman user = packet_get_string(NULL); 15309958426SBrian Feldman service = packet_get_string(NULL); 15409958426SBrian Feldman method = packet_get_string(NULL); 155a04a10f8SKris Kennaway debug("userauth-request for user %s service %s method %s", user, service, method); 156ca3176e7SBrian Feldman debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 157a04a10f8SKris Kennaway 158ca3176e7SBrian Feldman if ((style = strchr(user, ':')) != NULL) 159ca3176e7SBrian Feldman *style++ = 0; 160ca3176e7SBrian Feldman 161ca3176e7SBrian Feldman if (authctxt->attempt++ == 0) { 16209958426SBrian Feldman /* setup auth context */ 16380628bacSDag-Erling Smørgrav authctxt->pw = PRIVSEP(getpwnamallow(user)); 16480628bacSDag-Erling Smørgrav if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 16509958426SBrian Feldman authctxt->valid = 1; 16609958426SBrian Feldman debug2("input_userauth_request: setting up authctxt for %s", user); 16709958426SBrian Feldman #ifdef USE_PAM 168989dd127SDag-Erling Smørgrav PRIVSEP(start_pam(authctxt->pw->pw_name)); 16909958426SBrian Feldman #endif 17009958426SBrian Feldman } else { 17109958426SBrian Feldman log("input_userauth_request: illegal user %s", user); 172989dd127SDag-Erling Smørgrav #ifdef USE_PAM 173989dd127SDag-Erling Smørgrav PRIVSEP(start_pam("NOUSER")); 174989dd127SDag-Erling Smørgrav #endif 175a04a10f8SKris Kennaway } 17680628bacSDag-Erling Smørgrav setproctitle("%s%s", authctxt->pw ? user : "unknown", 17780628bacSDag-Erling Smørgrav use_privsep ? " [net]" : ""); 17809958426SBrian Feldman authctxt->user = xstrdup(user); 17909958426SBrian Feldman authctxt->service = xstrdup(service); 180af12a3e7SDag-Erling Smørgrav authctxt->style = style ? xstrdup(style) : NULL; 18180628bacSDag-Erling Smørgrav if (use_privsep) 18280628bacSDag-Erling Smørgrav mm_inform_authserv(service, style); 183af12a3e7SDag-Erling Smørgrav } else if (strcmp(user, authctxt->user) != 0 || 18409958426SBrian Feldman strcmp(service, authctxt->service) != 0) { 185af12a3e7SDag-Erling Smørgrav packet_disconnect("Change of username or service not allowed: " 186af12a3e7SDag-Erling Smørgrav "(%s,%s) -> (%s,%s)", 187af12a3e7SDag-Erling Smørgrav authctxt->user, authctxt->service, user, service); 188a04a10f8SKris Kennaway } 1895b400a39SDag-Erling Smørgrav 1905b400a39SDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP 1915b400a39SDag-Erling Smørgrav if (authctxt->pw != NULL) { 1925b400a39SDag-Erling Smørgrav lc = login_getpwclass(authctxt->pw); 1935b400a39SDag-Erling Smørgrav if (lc == NULL) 1945b400a39SDag-Erling Smørgrav lc = login_getclassbyname(NULL, authctxt->pw); 1955b400a39SDag-Erling Smørgrav if (!auth_hostok(lc, from_host, from_ip)) { 1965b400a39SDag-Erling Smørgrav log("Denied connection for %.200s from %.200s [%.200s].", 1975b400a39SDag-Erling Smørgrav authctxt->pw->pw_name, from_host, from_ip); 1985b400a39SDag-Erling Smørgrav packet_disconnect("Sorry, you are not allowed to connect."); 1995b400a39SDag-Erling Smørgrav } 2005b400a39SDag-Erling Smørgrav if (!auth_timeok(lc, time(NULL))) { 2015b400a39SDag-Erling Smørgrav log("LOGIN %.200s REFUSED (TIME) FROM %.200s", 2025b400a39SDag-Erling Smørgrav authctxt->pw->pw_name, from_host); 2035b400a39SDag-Erling Smørgrav packet_disconnect("Logins not available right now."); 2045b400a39SDag-Erling Smørgrav } 2055b400a39SDag-Erling Smørgrav login_close(lc); 2065b400a39SDag-Erling Smørgrav lc = NULL; 2075b400a39SDag-Erling Smørgrav } 2085b400a39SDag-Erling Smørgrav #endif /* HAVE_LOGIN_CAP */ 2095b400a39SDag-Erling Smørgrav 210ca3176e7SBrian Feldman /* reset state */ 211af12a3e7SDag-Erling Smørgrav auth2_challenge_stop(authctxt); 212ca3176e7SBrian Feldman authctxt->postponed = 0; 21303e72be8SBrian Feldman 214ca3176e7SBrian Feldman /* try to authenticate user */ 21509958426SBrian Feldman m = authmethod_lookup(method); 21609958426SBrian Feldman if (m != NULL) { 21709958426SBrian Feldman debug2("input_userauth_request: try method %s", method); 21809958426SBrian Feldman authenticated = m->userauth(authctxt); 21909958426SBrian Feldman } 220ca3176e7SBrian Feldman userauth_finish(authctxt, authenticated, method); 22109958426SBrian Feldman 22209958426SBrian Feldman xfree(service); 22309958426SBrian Feldman xfree(user); 22409958426SBrian Feldman xfree(method); 22509958426SBrian Feldman } 22609958426SBrian Feldman 227ca3176e7SBrian Feldman void 228ca3176e7SBrian Feldman userauth_finish(Authctxt *authctxt, int authenticated, char *method) 229ca3176e7SBrian Feldman { 230af12a3e7SDag-Erling Smørgrav char *methods; 231af12a3e7SDag-Erling Smørgrav 232ca3176e7SBrian Feldman if (!authctxt->valid && authenticated) 233ca3176e7SBrian Feldman fatal("INTERNAL ERROR: authenticated invalid user %s", 234ca3176e7SBrian Feldman authctxt->user); 235ca3176e7SBrian Feldman 236ca3176e7SBrian Feldman /* Special handling for root */ 237f388f5efSDag-Erling Smørgrav if (!use_privsep && 238f388f5efSDag-Erling Smørgrav authenticated && authctxt->pw->pw_uid == 0 && 239ca3176e7SBrian Feldman !auth_root_allowed(method)) 240ca3176e7SBrian Feldman authenticated = 0; 241ca3176e7SBrian Feldman 242989dd127SDag-Erling Smørgrav #ifdef USE_PAM 243989dd127SDag-Erling Smørgrav if (!use_privsep && authenticated && authctxt->user && 244989dd127SDag-Erling Smørgrav !do_pam_account(authctxt->user, NULL)) 245989dd127SDag-Erling Smørgrav authenticated = 0; 246989dd127SDag-Erling Smørgrav #endif /* USE_PAM */ 247989dd127SDag-Erling Smørgrav 248f388f5efSDag-Erling Smørgrav #ifdef _UNICOS 249f388f5efSDag-Erling Smørgrav if (authenticated && cray_access_denied(authctxt->user)) { 250f388f5efSDag-Erling Smørgrav authenticated = 0; 251f388f5efSDag-Erling Smørgrav fatal("Access denied for user %s.",authctxt->user); 252f388f5efSDag-Erling Smørgrav } 253f388f5efSDag-Erling Smørgrav #endif /* _UNICOS */ 254f388f5efSDag-Erling Smørgrav 255ca3176e7SBrian Feldman /* Log before sending the reply */ 256ca3176e7SBrian Feldman auth_log(authctxt, authenticated, method, " ssh2"); 257ca3176e7SBrian Feldman 258af12a3e7SDag-Erling Smørgrav if (authctxt->postponed) 259af12a3e7SDag-Erling Smørgrav return; 260af12a3e7SDag-Erling Smørgrav 261af12a3e7SDag-Erling Smørgrav /* XXX todo: check if multiple auth methods are needed */ 262af12a3e7SDag-Erling Smørgrav if (authenticated == 1) { 263af12a3e7SDag-Erling Smørgrav /* turn off userauth */ 264af12a3e7SDag-Erling Smørgrav dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 265af12a3e7SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_SUCCESS); 266af12a3e7SDag-Erling Smørgrav packet_send(); 267af12a3e7SDag-Erling Smørgrav packet_write_wait(); 268af12a3e7SDag-Erling Smørgrav /* now we can break out */ 269af12a3e7SDag-Erling Smørgrav authctxt->success = 1; 270af12a3e7SDag-Erling Smørgrav } else { 271989dd127SDag-Erling Smørgrav if (authctxt->failures++ > AUTH_FAIL_MAX) { 272af12a3e7SDag-Erling Smørgrav packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 273989dd127SDag-Erling Smørgrav } 274f388f5efSDag-Erling Smørgrav #ifdef _UNICOS 275f388f5efSDag-Erling Smørgrav if (strcmp(method, "password") == 0) 276f388f5efSDag-Erling Smørgrav cray_login_failure(authctxt->user, IA_UDBERR); 277f388f5efSDag-Erling Smørgrav #endif /* _UNICOS */ 278af12a3e7SDag-Erling Smørgrav methods = authmethods_get(); 279af12a3e7SDag-Erling Smørgrav packet_start(SSH2_MSG_USERAUTH_FAILURE); 280af12a3e7SDag-Erling Smørgrav packet_put_cstring(methods); 281af12a3e7SDag-Erling Smørgrav packet_put_char(0); /* XXX partial success, unused */ 282af12a3e7SDag-Erling Smørgrav packet_send(); 283af12a3e7SDag-Erling Smørgrav packet_write_wait(); 284af12a3e7SDag-Erling Smørgrav xfree(methods); 285af12a3e7SDag-Erling Smørgrav } 286ca3176e7SBrian Feldman } 28709958426SBrian Feldman 28809958426SBrian Feldman /* get current user */ 289a04a10f8SKris Kennaway 290a04a10f8SKris Kennaway struct passwd* 291a04a10f8SKris Kennaway auth_get_user(void) 292a04a10f8SKris Kennaway { 29309958426SBrian Feldman return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL; 294a04a10f8SKris Kennaway } 295a04a10f8SKris Kennaway 29609958426SBrian Feldman #define DELIM "," 29709958426SBrian Feldman 298af12a3e7SDag-Erling Smørgrav static char * 29909958426SBrian Feldman authmethods_get(void) 300a04a10f8SKris Kennaway { 301af12a3e7SDag-Erling Smørgrav Buffer b; 30209958426SBrian Feldman char *list; 30380628bacSDag-Erling Smørgrav int i; 304a04a10f8SKris Kennaway 305af12a3e7SDag-Erling Smørgrav buffer_init(&b); 30680628bacSDag-Erling Smørgrav for (i = 0; authmethods[i] != NULL; i++) { 30780628bacSDag-Erling Smørgrav if (strcmp(authmethods[i]->name, "none") == 0) 30809958426SBrian Feldman continue; 30980628bacSDag-Erling Smørgrav if (authmethods[i]->enabled != NULL && 31080628bacSDag-Erling Smørgrav *(authmethods[i]->enabled) != 0) { 311af12a3e7SDag-Erling Smørgrav if (buffer_len(&b) > 0) 312af12a3e7SDag-Erling Smørgrav buffer_append(&b, ",", 1); 31380628bacSDag-Erling Smørgrav buffer_append(&b, authmethods[i]->name, 31480628bacSDag-Erling Smørgrav strlen(authmethods[i]->name)); 31509958426SBrian Feldman } 31609958426SBrian Feldman } 317af12a3e7SDag-Erling Smørgrav buffer_append(&b, "\0", 1); 318af12a3e7SDag-Erling Smørgrav list = xstrdup(buffer_ptr(&b)); 319af12a3e7SDag-Erling Smørgrav buffer_free(&b); 32009958426SBrian Feldman return list; 32109958426SBrian Feldman } 32209958426SBrian Feldman 323af12a3e7SDag-Erling Smørgrav static Authmethod * 32409958426SBrian Feldman authmethod_lookup(const char *name) 32509958426SBrian Feldman { 32680628bacSDag-Erling Smørgrav int i; 32780628bacSDag-Erling Smørgrav 32809958426SBrian Feldman if (name != NULL) 32980628bacSDag-Erling Smørgrav for (i = 0; authmethods[i] != NULL; i++) 33080628bacSDag-Erling Smørgrav if (authmethods[i]->enabled != NULL && 33180628bacSDag-Erling Smørgrav *(authmethods[i]->enabled) != 0 && 33280628bacSDag-Erling Smørgrav strcmp(name, authmethods[i]->name) == 0) 33380628bacSDag-Erling Smørgrav return authmethods[i]; 33480628bacSDag-Erling Smørgrav debug2("Unrecognized authentication method name: %s", 33580628bacSDag-Erling Smørgrav name ? name : "NULL"); 336a04a10f8SKris Kennaway return NULL; 337a04a10f8SKris Kennaway } 338