1 /* 2 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 26 * Use is subject to license terms. 27 */ 28 29 #include "includes.h" 30 RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $"); 31 32 #pragma ident "%Z%%M% %I% %E% SMI" 33 34 #include "ssh2.h" 35 #include "xmalloc.h" 36 #include "packet.h" 37 #include "buffer.h" 38 #include "log.h" 39 #include "servconf.h" 40 #include "compat.h" 41 #include "bufaux.h" 42 #include "auth.h" 43 44 #ifdef USE_PAM 45 #include "auth-pam.h" 46 #endif /* USE_PAM */ 47 48 #include "key.h" 49 #include "canohost.h" 50 #include "monitor_wrap.h" 51 #include "pathnames.h" 52 53 /* import */ 54 extern ServerOptions options; 55 extern u_char *session_id2; 56 extern int session_id2_len; 57 58 static void 59 userauth_hostbased(Authctxt *authctxt) 60 { 61 Buffer b; 62 Key *key = NULL; 63 char *pkalg, *cuser, *chost, *service; 64 u_char *pkblob, *sig; 65 u_int alen, blen, slen; 66 int pktype; 67 int authenticated = 0; 68 69 if (!authctxt || !authctxt->method) 70 fatal("%s: missing context", __func__); 71 72 pkalg = packet_get_string(&alen); 73 pkblob = packet_get_string(&blen); 74 chost = packet_get_string(NULL); 75 cuser = packet_get_string(NULL); 76 sig = packet_get_string(&slen); 77 78 debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d", 79 cuser, chost, pkalg, slen); 80 #ifdef DEBUG_PK 81 debug("signature:"); 82 buffer_init(&b); 83 buffer_append(&b, sig, slen); 84 buffer_dump(&b); 85 buffer_free(&b); 86 #endif 87 pktype = key_type_from_name(pkalg); 88 if (pktype == KEY_UNSPEC) { 89 /* this is perfectly legal */ 90 log("userauth_hostbased: unsupported " 91 "public key algorithm: %s", pkalg); 92 goto done; 93 } 94 key = key_from_blob(pkblob, blen); 95 if (key == NULL) { 96 error("userauth_hostbased: cannot decode key: %s", pkalg); 97 goto done; 98 } 99 if (key->type != pktype) { 100 error("userauth_hostbased: type mismatch for decoded key " 101 "(received %d, expected %d)", key->type, pktype); 102 goto done; 103 } 104 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : 105 authctxt->service; 106 buffer_init(&b); 107 buffer_put_string(&b, session_id2, session_id2_len); 108 /* reconstruct packet */ 109 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 110 buffer_put_cstring(&b, authctxt->user); 111 buffer_put_cstring(&b, service); 112 buffer_put_cstring(&b, "hostbased"); 113 buffer_put_string(&b, pkalg, alen); 114 buffer_put_string(&b, pkblob, blen); 115 buffer_put_cstring(&b, chost); 116 buffer_put_cstring(&b, cuser); 117 #ifdef DEBUG_PK 118 buffer_dump(&b); 119 #endif 120 /* test for allowed key and correct signature */ 121 authenticated = 0; 122 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && 123 PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), 124 buffer_len(&b))) == 1) 125 authenticated = 1; 126 127 buffer_clear(&b); 128 done: 129 /* 130 * XXX TODO: Add config options for specifying users for whom 131 * this userauth is insufficient and what userauths 132 * may continue. 133 * 134 * NOTE: do_pam_non_initial_userauth() does this for 135 * users with expired passwords. 136 */ 137 #ifdef USE_PAM 138 if (authenticated) { 139 authctxt->cuser = cuser; 140 if (!do_pam_non_initial_userauth(authctxt)) 141 authenticated = 0; 142 /* Make sure nobody else will use this pointer since we are 143 * going to free that string. */ 144 authctxt->cuser = NULL; 145 } 146 #endif /* USE_PAM */ 147 148 if (authenticated) 149 authctxt->method->authenticated = 1; 150 151 debug2("userauth_hostbased: authenticated %d", authenticated); 152 if (key != NULL) 153 key_free(key); 154 xfree(pkalg); 155 xfree(pkblob); 156 xfree(cuser); 157 xfree(chost); 158 xfree(sig); 159 return; 160 } 161 162 /* return 1 if given hostkey is allowed */ 163 int 164 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, 165 Key *key) 166 { 167 const char *resolvedname, *ipaddr, *lookup; 168 HostStatus host_status; 169 int len; 170 171 resolvedname = get_canonical_hostname(options.verify_reverse_mapping); 172 ipaddr = get_remote_ipaddr(); 173 174 debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", 175 chost, resolvedname, ipaddr); 176 177 if (pw == NULL) 178 return 0; 179 180 if (options.hostbased_uses_name_from_packet_only) { 181 if (auth_rhosts2(pw, cuser, chost, chost) == 0) 182 return 0; 183 lookup = chost; 184 } else { 185 if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { 186 debug2("stripping trailing dot from chost %s", chost); 187 chost[len - 1] = '\0'; 188 } 189 if (strcasecmp(resolvedname, chost) != 0) 190 log("userauth_hostbased mismatch: " 191 "client sends %s, but we resolve %s to %s", 192 chost, ipaddr, resolvedname); 193 if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) 194 return 0; 195 lookup = resolvedname; 196 } 197 debug2("userauth_hostbased: access allowed by auth_rhosts2"); 198 199 host_status = check_key_in_hostfiles(pw, key, lookup, 200 _PATH_SSH_SYSTEM_HOSTFILE, 201 options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); 202 203 /* backward compat if no key has been found. */ 204 if (host_status == HOST_NEW) 205 host_status = check_key_in_hostfiles(pw, key, lookup, 206 _PATH_SSH_SYSTEM_HOSTFILE2, 207 options.ignore_user_known_hosts ? NULL : 208 _PATH_SSH_USER_HOSTFILE2); 209 210 return (host_status == HOST_OK); 211 } 212 213 Authmethod method_hostbased = { 214 "hostbased", 215 &options.hostbased_authentication, 216 userauth_hostbased, 217 NULL, /* no abandon function */ 218 NULL, NULL, /* method data and hist data */ 219 0, /* is not initial userauth */ 220 0, 0, 0, /* counters */ 221 0, 0, 0, 0, 0, 0 /* state */ 222 }; 223