17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * Copyright (c) 2000 Markus Friedl. All rights reserved. 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without 57c478bd9Sstevel@tonic-gate * modification, are permitted provided that the following conditions 67c478bd9Sstevel@tonic-gate * are met: 77c478bd9Sstevel@tonic-gate * 1. Redistributions of source code must retain the above copyright 87c478bd9Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer. 97c478bd9Sstevel@tonic-gate * 2. Redistributions in binary form must reproduce the above copyright 107c478bd9Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in the 117c478bd9Sstevel@tonic-gate * documentation and/or other materials provided with the distribution. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 147c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 157c478bd9Sstevel@tonic-gate * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 167c478bd9Sstevel@tonic-gate * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 177c478bd9Sstevel@tonic-gate * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 187c478bd9Sstevel@tonic-gate * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 197c478bd9Sstevel@tonic-gate * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 207c478bd9Sstevel@tonic-gate * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 217c478bd9Sstevel@tonic-gate * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 227c478bd9Sstevel@tonic-gate * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 237c478bd9Sstevel@tonic-gate */ 247c478bd9Sstevel@tonic-gate /* 25*d8a94255SErik Trauschke * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 267c478bd9Sstevel@tonic-gate * Use is subject to license terms. 277c478bd9Sstevel@tonic-gate */ 287c478bd9Sstevel@tonic-gate 297c478bd9Sstevel@tonic-gate #include "includes.h" 307c478bd9Sstevel@tonic-gate RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $"); 317c478bd9Sstevel@tonic-gate 327c478bd9Sstevel@tonic-gate #include "ssh2.h" 337c478bd9Sstevel@tonic-gate #include "xmalloc.h" 347c478bd9Sstevel@tonic-gate #include "packet.h" 357c478bd9Sstevel@tonic-gate #include "log.h" 367c478bd9Sstevel@tonic-gate #include "servconf.h" 377c478bd9Sstevel@tonic-gate #include "compat.h" 387c478bd9Sstevel@tonic-gate #include "misc.h" 397c478bd9Sstevel@tonic-gate #include "auth.h" 407c478bd9Sstevel@tonic-gate #include "dispatch.h" 417c478bd9Sstevel@tonic-gate #include "sshlogin.h" 427c478bd9Sstevel@tonic-gate #include "pathnames.h" 437c478bd9Sstevel@tonic-gate 447c478bd9Sstevel@tonic-gate #ifdef HAVE_BSM 457c478bd9Sstevel@tonic-gate #include "bsmaudit.h" 467c478bd9Sstevel@tonic-gate extern adt_session_data_t *ah; 477c478bd9Sstevel@tonic-gate #endif /* HAVE_BSM */ 487c478bd9Sstevel@tonic-gate 497c478bd9Sstevel@tonic-gate #ifdef GSSAPI 507c478bd9Sstevel@tonic-gate #include "ssh-gss.h" 517c478bd9Sstevel@tonic-gate #endif 527c478bd9Sstevel@tonic-gate 537c478bd9Sstevel@tonic-gate /* import */ 547c478bd9Sstevel@tonic-gate extern ServerOptions options; 557c478bd9Sstevel@tonic-gate extern u_char *session_id2; 567c478bd9Sstevel@tonic-gate extern int session_id2_len; 577c478bd9Sstevel@tonic-gate 587c478bd9Sstevel@tonic-gate Authctxt *x_authctxt = NULL; 597c478bd9Sstevel@tonic-gate 607c478bd9Sstevel@tonic-gate /* methods */ 617c478bd9Sstevel@tonic-gate 627c478bd9Sstevel@tonic-gate extern Authmethod method_none; 637c478bd9Sstevel@tonic-gate extern Authmethod method_pubkey; 647c478bd9Sstevel@tonic-gate extern Authmethod method_passwd; 657c478bd9Sstevel@tonic-gate extern Authmethod method_kbdint; 667c478bd9Sstevel@tonic-gate extern Authmethod method_hostbased; 677c478bd9Sstevel@tonic-gate extern Authmethod method_external; 687c478bd9Sstevel@tonic-gate extern Authmethod method_gssapi; 697c478bd9Sstevel@tonic-gate 707c478bd9Sstevel@tonic-gate static Authmethod *authmethods[] = { 717c478bd9Sstevel@tonic-gate &method_none, 727c478bd9Sstevel@tonic-gate #ifdef GSSAPI 737c478bd9Sstevel@tonic-gate &method_external, 747c478bd9Sstevel@tonic-gate &method_gssapi, 757c478bd9Sstevel@tonic-gate #endif 767c478bd9Sstevel@tonic-gate &method_pubkey, 777c478bd9Sstevel@tonic-gate &method_passwd, 787c478bd9Sstevel@tonic-gate &method_kbdint, 797c478bd9Sstevel@tonic-gate &method_hostbased, 807c478bd9Sstevel@tonic-gate NULL 817c478bd9Sstevel@tonic-gate }; 827c478bd9Sstevel@tonic-gate 837c478bd9Sstevel@tonic-gate /* protocol */ 847c478bd9Sstevel@tonic-gate 857c478bd9Sstevel@tonic-gate static void input_service_request(int, u_int32_t, void *); 867c478bd9Sstevel@tonic-gate static void input_userauth_request(int, u_int32_t, void *); 877c478bd9Sstevel@tonic-gate 887c478bd9Sstevel@tonic-gate /* helper */ 897c478bd9Sstevel@tonic-gate static Authmethod *authmethod_lookup(const char *); 907c478bd9Sstevel@tonic-gate static char *authmethods_get(void); 917c478bd9Sstevel@tonic-gate static char *authmethods_check_abandonment(Authctxt *authctxt, 927c478bd9Sstevel@tonic-gate Authmethod *method); 937c478bd9Sstevel@tonic-gate static void authmethod_count_attempt(Authmethod *method); 947c478bd9Sstevel@tonic-gate /*static char *authmethods_get_kbdint(void);*/ 957c478bd9Sstevel@tonic-gate int user_key_allowed(struct passwd *, Key *); 967c478bd9Sstevel@tonic-gate int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 977c478bd9Sstevel@tonic-gate static int userauth_method_can_run(Authmethod *method); 987c478bd9Sstevel@tonic-gate static void userauth_reset_methods(void); 997c478bd9Sstevel@tonic-gate 1007c478bd9Sstevel@tonic-gate /* 1017c478bd9Sstevel@tonic-gate * loop until authctxt->success == TRUE 1027c478bd9Sstevel@tonic-gate */ 1037c478bd9Sstevel@tonic-gate 1047c478bd9Sstevel@tonic-gate Authctxt * 1057c478bd9Sstevel@tonic-gate do_authentication2(void) 1067c478bd9Sstevel@tonic-gate { 1077c478bd9Sstevel@tonic-gate Authctxt *authctxt = authctxt_new(); 1087c478bd9Sstevel@tonic-gate 1097c478bd9Sstevel@tonic-gate x_authctxt = authctxt; /*XXX*/ 1107c478bd9Sstevel@tonic-gate 1117c478bd9Sstevel@tonic-gate #ifdef HAVE_BSM 1127c478bd9Sstevel@tonic-gate fatal_add_cleanup(audit_failed_login_cleanup, authctxt); 1137c478bd9Sstevel@tonic-gate #endif /* HAVE_BSM */ 1147c478bd9Sstevel@tonic-gate 1157c478bd9Sstevel@tonic-gate /* challenge-response is implemented via keyboard interactive */ 1167c478bd9Sstevel@tonic-gate if (options.challenge_response_authentication) 1177c478bd9Sstevel@tonic-gate options.kbd_interactive_authentication = 1; 1187c478bd9Sstevel@tonic-gate if (options.pam_authentication_via_kbd_int) 1197c478bd9Sstevel@tonic-gate options.kbd_interactive_authentication = 1; 1207c478bd9Sstevel@tonic-gate 1217c478bd9Sstevel@tonic-gate dispatch_init(&dispatch_protocol_error); 1227c478bd9Sstevel@tonic-gate dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 1237c478bd9Sstevel@tonic-gate dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 1247c478bd9Sstevel@tonic-gate 1257c478bd9Sstevel@tonic-gate return (authctxt); 1267c478bd9Sstevel@tonic-gate } 1277c478bd9Sstevel@tonic-gate 1287c478bd9Sstevel@tonic-gate static void 1297c478bd9Sstevel@tonic-gate input_service_request(int type, u_int32_t seq, void *ctxt) 1307c478bd9Sstevel@tonic-gate { 1317c478bd9Sstevel@tonic-gate Authctxt *authctxt = ctxt; 1327c478bd9Sstevel@tonic-gate u_int len; 1337c478bd9Sstevel@tonic-gate int acceptit = 0; 1347c478bd9Sstevel@tonic-gate char *service = packet_get_string(&len); 1357c478bd9Sstevel@tonic-gate packet_check_eom(); 1367c478bd9Sstevel@tonic-gate 1377c478bd9Sstevel@tonic-gate if (authctxt == NULL) 1387c478bd9Sstevel@tonic-gate fatal("input_service_request: no authctxt"); 1397c478bd9Sstevel@tonic-gate 1407c478bd9Sstevel@tonic-gate if (strcmp(service, "ssh-userauth") == 0) { 1417c478bd9Sstevel@tonic-gate if (!authctxt->success) { 1427c478bd9Sstevel@tonic-gate acceptit = 1; 1437c478bd9Sstevel@tonic-gate /* now we can handle user-auth requests */ 1447c478bd9Sstevel@tonic-gate dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 1457c478bd9Sstevel@tonic-gate } 1467c478bd9Sstevel@tonic-gate } 1477c478bd9Sstevel@tonic-gate /* XXX all other service requests are denied */ 1487c478bd9Sstevel@tonic-gate 1497c478bd9Sstevel@tonic-gate if (acceptit) { 1507c478bd9Sstevel@tonic-gate packet_start(SSH2_MSG_SERVICE_ACCEPT); 1517c478bd9Sstevel@tonic-gate packet_put_cstring(service); 1527c478bd9Sstevel@tonic-gate packet_send(); 1537c478bd9Sstevel@tonic-gate packet_write_wait(); 1547c478bd9Sstevel@tonic-gate } else { 1557c478bd9Sstevel@tonic-gate debug("bad service request %s", service); 1567c478bd9Sstevel@tonic-gate packet_disconnect("bad service request %s", service); 1577c478bd9Sstevel@tonic-gate } 1587c478bd9Sstevel@tonic-gate xfree(service); 1597c478bd9Sstevel@tonic-gate } 1607c478bd9Sstevel@tonic-gate 1617c478bd9Sstevel@tonic-gate static void 1627c478bd9Sstevel@tonic-gate input_userauth_request(int type, u_int32_t seq, void *ctxt) 1637c478bd9Sstevel@tonic-gate { 1647c478bd9Sstevel@tonic-gate Authctxt *authctxt = ctxt; 1657c478bd9Sstevel@tonic-gate Authmethod *m = NULL; 1667c478bd9Sstevel@tonic-gate char *user, *service, *method, *style = NULL; 167*d8a94255SErik Trauschke int valid_attempt; 1687c478bd9Sstevel@tonic-gate 1697c478bd9Sstevel@tonic-gate if (authctxt == NULL) 1707c478bd9Sstevel@tonic-gate fatal("input_userauth_request: no authctxt"); 1717c478bd9Sstevel@tonic-gate 1727c478bd9Sstevel@tonic-gate user = packet_get_string(NULL); 1737c478bd9Sstevel@tonic-gate service = packet_get_string(NULL); 1747c478bd9Sstevel@tonic-gate method = packet_get_string(NULL); 1757c478bd9Sstevel@tonic-gate debug("userauth-request for user %s service %s method %s", user, 1767c478bd9Sstevel@tonic-gate service, method); 1777c478bd9Sstevel@tonic-gate debug("attempt %d initial attempt %d failures %d initial failures %d", 1787c478bd9Sstevel@tonic-gate authctxt->attempt, authctxt->init_attempt, 1797c478bd9Sstevel@tonic-gate authctxt->failures, authctxt->init_failures); 1807c478bd9Sstevel@tonic-gate 1817c478bd9Sstevel@tonic-gate m = authmethod_lookup(method); 1827c478bd9Sstevel@tonic-gate 1837c478bd9Sstevel@tonic-gate if ((style = strchr(user, ':')) != NULL) 1847c478bd9Sstevel@tonic-gate *style++ = 0; 1857c478bd9Sstevel@tonic-gate 1867c478bd9Sstevel@tonic-gate authctxt->attempt++; 1877c478bd9Sstevel@tonic-gate if (m != NULL && m->is_initial) 1887c478bd9Sstevel@tonic-gate authctxt->init_attempt++; 1897c478bd9Sstevel@tonic-gate 190*d8a94255SErik Trauschke if (options.pre_userauth_hook != NULL && 191*d8a94255SErik Trauschke run_auth_hook(options.pre_userauth_hook, user, m->name) != 0) { 192*d8a94255SErik Trauschke valid_attempt = 0; 193*d8a94255SErik Trauschke } else { 194*d8a94255SErik Trauschke valid_attempt = 1; 195*d8a94255SErik Trauschke } 196*d8a94255SErik Trauschke 1977c478bd9Sstevel@tonic-gate if (authctxt->attempt == 1) { 1987c478bd9Sstevel@tonic-gate /* setup auth context */ 1999a8058b5Sjp161948 authctxt->pw = getpwnamallow(user); 2007c478bd9Sstevel@tonic-gate /* May want to abstract SSHv2 services someday */ 2017c478bd9Sstevel@tonic-gate if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 2027c478bd9Sstevel@tonic-gate /* enforced in userauth_finish() below */ 203*d8a94255SErik Trauschke if (valid_attempt) { 2047c478bd9Sstevel@tonic-gate authctxt->valid = 1; 205*d8a94255SErik Trauschke } 2067c478bd9Sstevel@tonic-gate debug2("input_userauth_request: setting up authctxt for %s", user); 2077c478bd9Sstevel@tonic-gate } else { 2087c478bd9Sstevel@tonic-gate log("input_userauth_request: illegal user %s", user); 2097c478bd9Sstevel@tonic-gate } 2109a8058b5Sjp161948 setproctitle("%s", authctxt->pw ? user : "unknown"); 2117c478bd9Sstevel@tonic-gate authctxt->user = xstrdup(user); 2127c478bd9Sstevel@tonic-gate authctxt->service = xstrdup(service); 2137c478bd9Sstevel@tonic-gate authctxt->style = style ? xstrdup(style) : NULL; 2147c478bd9Sstevel@tonic-gate userauth_reset_methods(); 2157c478bd9Sstevel@tonic-gate } else { 2167c478bd9Sstevel@tonic-gate char *abandoned; 2177c478bd9Sstevel@tonic-gate 2187c478bd9Sstevel@tonic-gate /* 2197c478bd9Sstevel@tonic-gate * Check for abandoned [multi-round-trip] userauths 2207c478bd9Sstevel@tonic-gate * methods (e.g., kbdint). Userauth method abandonment 2217c478bd9Sstevel@tonic-gate * should be treated as userauth method failure and 2227c478bd9Sstevel@tonic-gate * counted against max_auth_tries. 2237c478bd9Sstevel@tonic-gate */ 2247c478bd9Sstevel@tonic-gate abandoned = authmethods_check_abandonment(authctxt, m); 2257c478bd9Sstevel@tonic-gate 2267c478bd9Sstevel@tonic-gate if (abandoned != NULL && 2277c478bd9Sstevel@tonic-gate authctxt->failures > options.max_auth_tries) { 2287c478bd9Sstevel@tonic-gate /* userauth_finish() will now packet_disconnect() */ 2297c478bd9Sstevel@tonic-gate userauth_finish(authctxt, abandoned); 2307c478bd9Sstevel@tonic-gate /* NOTREACHED */ 2317c478bd9Sstevel@tonic-gate } 2327c478bd9Sstevel@tonic-gate 2337c478bd9Sstevel@tonic-gate /* Handle user|service changes, possibly packet_disconnect() */ 2347c478bd9Sstevel@tonic-gate userauth_user_svc_change(authctxt, user, service); 2357c478bd9Sstevel@tonic-gate } 2367c478bd9Sstevel@tonic-gate 2377c478bd9Sstevel@tonic-gate authctxt->method = m; 2387c478bd9Sstevel@tonic-gate 2397c478bd9Sstevel@tonic-gate /* run userauth method, try to authenticate user */ 2407c478bd9Sstevel@tonic-gate if (m != NULL && userauth_method_can_run(m)) { 2417c478bd9Sstevel@tonic-gate debug2("input_userauth_request: try method %s", method); 2427c478bd9Sstevel@tonic-gate 2437c478bd9Sstevel@tonic-gate m->postponed = 0; 2447c478bd9Sstevel@tonic-gate m->abandoned = 0; 2457c478bd9Sstevel@tonic-gate m->authenticated = 0; 2467c478bd9Sstevel@tonic-gate 2477c478bd9Sstevel@tonic-gate if (!m->is_initial || 2487c478bd9Sstevel@tonic-gate authctxt->init_failures < options.max_init_auth_tries) 2497c478bd9Sstevel@tonic-gate m->userauth(authctxt); 2507c478bd9Sstevel@tonic-gate 2517c478bd9Sstevel@tonic-gate authmethod_count_attempt(m); 2527c478bd9Sstevel@tonic-gate 2537c478bd9Sstevel@tonic-gate if (authctxt->unwind_dispatch_loop) { 2547c478bd9Sstevel@tonic-gate /* 2557c478bd9Sstevel@tonic-gate * Method ran nested dispatch loop but was 2567c478bd9Sstevel@tonic-gate * abandoned. Cleanup and return without doing 2577c478bd9Sstevel@tonic-gate * anything else; we're just unwinding the stack. 2587c478bd9Sstevel@tonic-gate */ 2597c478bd9Sstevel@tonic-gate authctxt->unwind_dispatch_loop = 0; 2607c478bd9Sstevel@tonic-gate goto done; 2617c478bd9Sstevel@tonic-gate } 2627c478bd9Sstevel@tonic-gate 2637c478bd9Sstevel@tonic-gate if (m->postponed) 2647c478bd9Sstevel@tonic-gate goto done; /* multi-round trip userauth not finished */ 2657c478bd9Sstevel@tonic-gate 2667c478bd9Sstevel@tonic-gate if (m->abandoned) { 2677c478bd9Sstevel@tonic-gate /* multi-round trip userauth abandoned, log failure */ 2687c478bd9Sstevel@tonic-gate auth_log(authctxt, 0, method, " ssh2"); 2697c478bd9Sstevel@tonic-gate goto done; 2707c478bd9Sstevel@tonic-gate } 2717c478bd9Sstevel@tonic-gate } 2727c478bd9Sstevel@tonic-gate 2737c478bd9Sstevel@tonic-gate userauth_finish(authctxt, method); 2747c478bd9Sstevel@tonic-gate 2757c478bd9Sstevel@tonic-gate done: 2767c478bd9Sstevel@tonic-gate xfree(service); 2777c478bd9Sstevel@tonic-gate xfree(user); 2787c478bd9Sstevel@tonic-gate xfree(method); 2797c478bd9Sstevel@tonic-gate } 2807c478bd9Sstevel@tonic-gate 2817c478bd9Sstevel@tonic-gate void 2827c478bd9Sstevel@tonic-gate userauth_finish(Authctxt *authctxt, char *method) 2837c478bd9Sstevel@tonic-gate { 2847c478bd9Sstevel@tonic-gate int authenticated, partial; 2857c478bd9Sstevel@tonic-gate 2867c478bd9Sstevel@tonic-gate if (authctxt == NULL) 2877c478bd9Sstevel@tonic-gate fatal("%s: missing context", __func__); 2887c478bd9Sstevel@tonic-gate 2897c478bd9Sstevel@tonic-gate /* unknown method handling -- must elicit userauth failure msg */ 2907c478bd9Sstevel@tonic-gate if (authctxt->method == NULL) { 2917c478bd9Sstevel@tonic-gate authenticated = 0; 2927c478bd9Sstevel@tonic-gate partial = 0; 2937c478bd9Sstevel@tonic-gate goto done_checking; 2947c478bd9Sstevel@tonic-gate } 2957c478bd9Sstevel@tonic-gate 2967c478bd9Sstevel@tonic-gate #ifndef USE_PAM 2977c478bd9Sstevel@tonic-gate /* Special handling for root (done elsewhere for PAM) */ 2989a8058b5Sjp161948 if (authctxt->method->authenticated && 2997c478bd9Sstevel@tonic-gate authctxt->pw != NULL && authctxt->pw->pw_uid == 0 && 3007c478bd9Sstevel@tonic-gate !auth_root_allowed(method)) 3017c478bd9Sstevel@tonic-gate authctxt->method->authenticated = 0; 3027c478bd9Sstevel@tonic-gate #endif /* USE_PAM */ 3037c478bd9Sstevel@tonic-gate 3047c478bd9Sstevel@tonic-gate #ifdef _UNICOS 3057c478bd9Sstevel@tonic-gate if (authctxt->method->authenticated && 3067c478bd9Sstevel@tonic-gate cray_access_denied(authctxt->user)) { 3077c478bd9Sstevel@tonic-gate authctxt->method->authenticated = 0; 3087c478bd9Sstevel@tonic-gate fatal("Access denied for user %s.",authctxt->user); 3097c478bd9Sstevel@tonic-gate } 3107c478bd9Sstevel@tonic-gate #endif /* _UNICOS */ 3117c478bd9Sstevel@tonic-gate 3127c478bd9Sstevel@tonic-gate partial = userauth_check_partial_failure(authctxt); 3137c478bd9Sstevel@tonic-gate authenticated = authctxt->method->authenticated; 3147c478bd9Sstevel@tonic-gate 3157c478bd9Sstevel@tonic-gate #ifdef USE_PAM 3167c478bd9Sstevel@tonic-gate /* 3177c478bd9Sstevel@tonic-gate * If the userauth method failed to complete PAM work then force 3187c478bd9Sstevel@tonic-gate * partial failure. 3197c478bd9Sstevel@tonic-gate */ 3207c478bd9Sstevel@tonic-gate if (authenticated && !AUTHPAM_DONE(authctxt)) 3217c478bd9Sstevel@tonic-gate partial = 1; 3227c478bd9Sstevel@tonic-gate #endif /* USE_PAM */ 3237c478bd9Sstevel@tonic-gate 3247c478bd9Sstevel@tonic-gate /* 3257c478bd9Sstevel@tonic-gate * To properly support invalid userauth method names we set 3267c478bd9Sstevel@tonic-gate * authenticated=0, partial=0 above and know that 3277c478bd9Sstevel@tonic-gate * authctxt->method == NULL. 3287c478bd9Sstevel@tonic-gate * 3297c478bd9Sstevel@tonic-gate * No unguarded reference to authctxt->method allowed from here. 3307c478bd9Sstevel@tonic-gate * Checking authenticated != 0 is a valid guard; authctxt->method 3317c478bd9Sstevel@tonic-gate * MUST NOT be NULL if authenticated. 3327c478bd9Sstevel@tonic-gate */ 3337c478bd9Sstevel@tonic-gate done_checking: 3347c478bd9Sstevel@tonic-gate if (!authctxt->valid && authenticated) { 3357c478bd9Sstevel@tonic-gate /* 336*d8a94255SErik Trauschke * We get here if the PreUserauthHook fails but the 337*d8a94255SErik Trauschke * user is otherwise valid. 338*d8a94255SErik Trauschke * An error in the PAM handling could also get us here 3397c478bd9Sstevel@tonic-gate * but we need not panic, just treat as a failure. 3407c478bd9Sstevel@tonic-gate */ 3417c478bd9Sstevel@tonic-gate authctxt->method->authenticated = 0; 3427c478bd9Sstevel@tonic-gate authenticated = 0; 3437c478bd9Sstevel@tonic-gate log("Ignoring authenticated invalid user %s", 3447c478bd9Sstevel@tonic-gate authctxt->user); 3457c478bd9Sstevel@tonic-gate auth_log(authctxt, 0, method, " ssh2"); 3467c478bd9Sstevel@tonic-gate } 3477c478bd9Sstevel@tonic-gate 3487c478bd9Sstevel@tonic-gate /* Log before sending the reply */ 3497c478bd9Sstevel@tonic-gate auth_log(authctxt, authenticated, method, " ssh2"); 3507c478bd9Sstevel@tonic-gate 3517c478bd9Sstevel@tonic-gate if (authenticated && !partial) { 3527c478bd9Sstevel@tonic-gate 3537c478bd9Sstevel@tonic-gate /* turn off userauth */ 3547c478bd9Sstevel@tonic-gate dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 3557c478bd9Sstevel@tonic-gate packet_start(SSH2_MSG_USERAUTH_SUCCESS); 3567c478bd9Sstevel@tonic-gate packet_send(); 3577c478bd9Sstevel@tonic-gate packet_write_wait(); 3587c478bd9Sstevel@tonic-gate /* now we can break out */ 3597c478bd9Sstevel@tonic-gate authctxt->success = 1; 3607c478bd9Sstevel@tonic-gate } else { 3617c478bd9Sstevel@tonic-gate char *methods; 3627c478bd9Sstevel@tonic-gate 3637c478bd9Sstevel@tonic-gate if (authctxt->method && authctxt->method->is_initial) 3647c478bd9Sstevel@tonic-gate authctxt->init_failures++; 3657c478bd9Sstevel@tonic-gate 3667c478bd9Sstevel@tonic-gate authctxt->method = NULL; 3677c478bd9Sstevel@tonic-gate 3687c478bd9Sstevel@tonic-gate #ifdef USE_PAM 3697c478bd9Sstevel@tonic-gate /* 3707c478bd9Sstevel@tonic-gate * Keep track of last PAM error (or PERM_DENIED) for BSM 3717c478bd9Sstevel@tonic-gate * login failure auditing, which may run after the PAM 3727c478bd9Sstevel@tonic-gate * state has been cleaned up. 3737c478bd9Sstevel@tonic-gate */ 3747c478bd9Sstevel@tonic-gate authctxt->pam_retval = AUTHPAM_ERROR(authctxt, PAM_PERM_DENIED); 3757c478bd9Sstevel@tonic-gate #endif /* USE_PAM */ 3767c478bd9Sstevel@tonic-gate 3777c478bd9Sstevel@tonic-gate if (authctxt->failures++ > options.max_auth_tries) { 3787c478bd9Sstevel@tonic-gate #ifdef HAVE_BSM 3797c478bd9Sstevel@tonic-gate fatal_remove_cleanup(audit_failed_login_cleanup, 3807c478bd9Sstevel@tonic-gate authctxt); 381bca3984eSBrent Paulson audit_sshd_login_failure(&ah, PAM_MAXTRIES, 382bca3984eSBrent Paulson authctxt->user); 3837c478bd9Sstevel@tonic-gate #endif /* HAVE_BSM */ 3847c478bd9Sstevel@tonic-gate packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 3857c478bd9Sstevel@tonic-gate } 3867c478bd9Sstevel@tonic-gate 3877c478bd9Sstevel@tonic-gate #ifdef _UNICOS 3887c478bd9Sstevel@tonic-gate if (strcmp(method, "password") == 0) 3897c478bd9Sstevel@tonic-gate cray_login_failure(authctxt->user, IA_UDBERR); 3907c478bd9Sstevel@tonic-gate #endif /* _UNICOS */ 3917c478bd9Sstevel@tonic-gate packet_start(SSH2_MSG_USERAUTH_FAILURE); 3927c478bd9Sstevel@tonic-gate 3937c478bd9Sstevel@tonic-gate /* 3947c478bd9Sstevel@tonic-gate * If (partial) then authmethods_get() will return only 3957c478bd9Sstevel@tonic-gate * required methods, likely only "keyboard-interactive;" 3967c478bd9Sstevel@tonic-gate * (methods == NULL) implies failure, even if (partial == 1) 3977c478bd9Sstevel@tonic-gate */ 3987c478bd9Sstevel@tonic-gate methods = authmethods_get(); 3997c478bd9Sstevel@tonic-gate packet_put_cstring(methods); 4007c478bd9Sstevel@tonic-gate packet_put_char((authenticated && partial && methods) ? 1 : 0); 4017c478bd9Sstevel@tonic-gate if (methods) 4027c478bd9Sstevel@tonic-gate xfree(methods); 4037c478bd9Sstevel@tonic-gate packet_send(); 4047c478bd9Sstevel@tonic-gate packet_write_wait(); 4057c478bd9Sstevel@tonic-gate } 4067c478bd9Sstevel@tonic-gate } 4077c478bd9Sstevel@tonic-gate 4087c478bd9Sstevel@tonic-gate /* get current user */ 4097c478bd9Sstevel@tonic-gate 4107c478bd9Sstevel@tonic-gate struct passwd* 4117c478bd9Sstevel@tonic-gate auth_get_user(void) 4127c478bd9Sstevel@tonic-gate { 4137c478bd9Sstevel@tonic-gate return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL; 4147c478bd9Sstevel@tonic-gate } 4157c478bd9Sstevel@tonic-gate 4167c478bd9Sstevel@tonic-gate #define DELIM "," 4177c478bd9Sstevel@tonic-gate 4187c478bd9Sstevel@tonic-gate #if 0 4197c478bd9Sstevel@tonic-gate static char * 4207c478bd9Sstevel@tonic-gate authmethods_get_kbdint(void) 4217c478bd9Sstevel@tonic-gate { 4227c478bd9Sstevel@tonic-gate Buffer b; 4237c478bd9Sstevel@tonic-gate int i; 4247c478bd9Sstevel@tonic-gate 4257c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 4267c478bd9Sstevel@tonic-gate if (strcmp(authmethods[i]->name, "keyboard-interactive") != 0) 4277c478bd9Sstevel@tonic-gate continue; 4287c478bd9Sstevel@tonic-gate return xstrdup(authmethods[i]->name); 4297c478bd9Sstevel@tonic-gate } 4307c478bd9Sstevel@tonic-gate return NULL; 4317c478bd9Sstevel@tonic-gate } 4327c478bd9Sstevel@tonic-gate #endif 4337c478bd9Sstevel@tonic-gate 4347c478bd9Sstevel@tonic-gate void 4357c478bd9Sstevel@tonic-gate userauth_user_svc_change(Authctxt *authctxt, char *user, char *service) 4367c478bd9Sstevel@tonic-gate { 4377c478bd9Sstevel@tonic-gate /* 4387c478bd9Sstevel@tonic-gate * NOTE: 4397c478bd9Sstevel@tonic-gate * 4407c478bd9Sstevel@tonic-gate * SSHv2 services should be abstracted and service changes during 4417c478bd9Sstevel@tonic-gate * userauth should be supported as per the userauth draft. In the PAM 4427c478bd9Sstevel@tonic-gate * case, support for multiple SSHv2 services means that we have to 4437c478bd9Sstevel@tonic-gate * format the PAM service name according to the SSHv2 service *and* the 4447c478bd9Sstevel@tonic-gate * SSHv2 userauth being attempted ("passwd", "kbdint" and "other"). 4457c478bd9Sstevel@tonic-gate * 4467c478bd9Sstevel@tonic-gate * We'll cross that bridge when we come to it. For now disallow service 4477c478bd9Sstevel@tonic-gate * changes during userauth if using PAM, but allow username changes. 4487c478bd9Sstevel@tonic-gate */ 4497c478bd9Sstevel@tonic-gate 4507c478bd9Sstevel@tonic-gate /* authctxt->service must == ssh-connection here */ 4517c478bd9Sstevel@tonic-gate if (service != NULL && strcmp(service, authctxt->service) != 0) { 4527c478bd9Sstevel@tonic-gate packet_disconnect("Change of service not " 4537c478bd9Sstevel@tonic-gate "allowed: %s and %s", 4547c478bd9Sstevel@tonic-gate authctxt->service, service); 4557c478bd9Sstevel@tonic-gate } 4567c478bd9Sstevel@tonic-gate if (user != NULL && authctxt->user != NULL && 4577c478bd9Sstevel@tonic-gate strcmp(user, authctxt->user) == 0) 4587c478bd9Sstevel@tonic-gate return; 4597c478bd9Sstevel@tonic-gate 4607c478bd9Sstevel@tonic-gate /* All good; update authctxt */ 4617c478bd9Sstevel@tonic-gate xfree(authctxt->user); 4627c478bd9Sstevel@tonic-gate authctxt->user = xstrdup(user); 4637c478bd9Sstevel@tonic-gate pwfree(&authctxt->pw); 4649a8058b5Sjp161948 authctxt->pw = getpwnamallow(user); 4657c478bd9Sstevel@tonic-gate authctxt->valid = (authctxt->pw != NULL); 4667c478bd9Sstevel@tonic-gate 4677c478bd9Sstevel@tonic-gate /* Forget method state; abandon postponed userauths */ 4687c478bd9Sstevel@tonic-gate userauth_reset_methods(); 4697c478bd9Sstevel@tonic-gate } 4707c478bd9Sstevel@tonic-gate 4717c478bd9Sstevel@tonic-gate int 4727c478bd9Sstevel@tonic-gate userauth_check_partial_failure(Authctxt *authctxt) 4737c478bd9Sstevel@tonic-gate { 4747c478bd9Sstevel@tonic-gate int i; 4757c478bd9Sstevel@tonic-gate int required = 0; 4767c478bd9Sstevel@tonic-gate int sufficient = 0; 4777c478bd9Sstevel@tonic-gate 4787c478bd9Sstevel@tonic-gate /* 4797c478bd9Sstevel@tonic-gate * v1 does not set authctxt->method 4807c478bd9Sstevel@tonic-gate * partial userauth failure is a v2 concept 4817c478bd9Sstevel@tonic-gate */ 4827c478bd9Sstevel@tonic-gate if (authctxt->method == NULL) 4837c478bd9Sstevel@tonic-gate return 0; 4847c478bd9Sstevel@tonic-gate 4857c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 4867c478bd9Sstevel@tonic-gate if (authmethods[i]->required) 4877c478bd9Sstevel@tonic-gate required++; 4887c478bd9Sstevel@tonic-gate if (authmethods[i]->sufficient) 4897c478bd9Sstevel@tonic-gate sufficient++; 4907c478bd9Sstevel@tonic-gate } 4917c478bd9Sstevel@tonic-gate 4927c478bd9Sstevel@tonic-gate if (required == 0 && sufficient == 0) 4937c478bd9Sstevel@tonic-gate return !authctxt->method->authenticated; 4947c478bd9Sstevel@tonic-gate 4957c478bd9Sstevel@tonic-gate if (required == 1 && authctxt->method->required) 4967c478bd9Sstevel@tonic-gate return !authctxt->method->authenticated; 4977c478bd9Sstevel@tonic-gate 4987c478bd9Sstevel@tonic-gate if (sufficient && authctxt->method->sufficient) 4997c478bd9Sstevel@tonic-gate return !authctxt->method->authenticated; 5007c478bd9Sstevel@tonic-gate 5017c478bd9Sstevel@tonic-gate return 1; 5027c478bd9Sstevel@tonic-gate } 5037c478bd9Sstevel@tonic-gate 5047c478bd9Sstevel@tonic-gate int 5057c478bd9Sstevel@tonic-gate userauth_method_can_run(Authmethod *method) 5067c478bd9Sstevel@tonic-gate { 5077c478bd9Sstevel@tonic-gate if (method->not_again) 5087c478bd9Sstevel@tonic-gate return 0; 5097c478bd9Sstevel@tonic-gate 5107c478bd9Sstevel@tonic-gate return 1; 5117c478bd9Sstevel@tonic-gate } 5127c478bd9Sstevel@tonic-gate 5137c478bd9Sstevel@tonic-gate static 5147c478bd9Sstevel@tonic-gate void 5157c478bd9Sstevel@tonic-gate userauth_reset_methods(void) 5167c478bd9Sstevel@tonic-gate { 5177c478bd9Sstevel@tonic-gate int i; 5187c478bd9Sstevel@tonic-gate 5197c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 5207c478bd9Sstevel@tonic-gate /* note: counters not reset */ 5217c478bd9Sstevel@tonic-gate authmethods[i]->required = 0; 5227c478bd9Sstevel@tonic-gate authmethods[i]->sufficient = 0; 5237c478bd9Sstevel@tonic-gate authmethods[i]->authenticated = 0; 5247c478bd9Sstevel@tonic-gate authmethods[i]->not_again = 0; 5257c478bd9Sstevel@tonic-gate authmethods[i]->postponed = 0; 5267c478bd9Sstevel@tonic-gate authmethods[i]->abandoned = 0; 5277c478bd9Sstevel@tonic-gate } 5287c478bd9Sstevel@tonic-gate } 5297c478bd9Sstevel@tonic-gate 5307c478bd9Sstevel@tonic-gate void 5317c478bd9Sstevel@tonic-gate userauth_force_kbdint(void) 5327c478bd9Sstevel@tonic-gate { 5337c478bd9Sstevel@tonic-gate int i; 5347c478bd9Sstevel@tonic-gate 5357c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 5367c478bd9Sstevel@tonic-gate authmethods[i]->required = 0; 5377c478bd9Sstevel@tonic-gate authmethods[i]->sufficient = 0; 5387c478bd9Sstevel@tonic-gate } 5397c478bd9Sstevel@tonic-gate method_kbdint.required = 1; 5407c478bd9Sstevel@tonic-gate } 5417c478bd9Sstevel@tonic-gate 5427c478bd9Sstevel@tonic-gate /* 5437c478bd9Sstevel@tonic-gate * Check to see if a previously run multi-round trip userauth method has 5447c478bd9Sstevel@tonic-gate * been abandoned and call its cleanup function. 5457c478bd9Sstevel@tonic-gate * 5467c478bd9Sstevel@tonic-gate * Abandoned userauth method invocations are counted as userauth failures. 5477c478bd9Sstevel@tonic-gate */ 5487c478bd9Sstevel@tonic-gate static 5497c478bd9Sstevel@tonic-gate char * 5507c478bd9Sstevel@tonic-gate authmethods_check_abandonment(Authctxt *authctxt, Authmethod *method) 5517c478bd9Sstevel@tonic-gate { 5527c478bd9Sstevel@tonic-gate int i; 5537c478bd9Sstevel@tonic-gate 5547c478bd9Sstevel@tonic-gate /* optimization: check current method first */ 5557c478bd9Sstevel@tonic-gate if (method && method->postponed) { 5567c478bd9Sstevel@tonic-gate method->postponed = 0; 5577c478bd9Sstevel@tonic-gate if (method->abandon) 5587c478bd9Sstevel@tonic-gate method->abandon(authctxt, method); 5597c478bd9Sstevel@tonic-gate else 5607c478bd9Sstevel@tonic-gate method->abandons++; 5617c478bd9Sstevel@tonic-gate authctxt->failures++; /* abandonment -> failure */ 5627c478bd9Sstevel@tonic-gate if (method->is_initial) 5637c478bd9Sstevel@tonic-gate authctxt->init_failures++; 5647c478bd9Sstevel@tonic-gate 5657c478bd9Sstevel@tonic-gate /* 5667c478bd9Sstevel@tonic-gate * Since we check for abandonment whenever a userauth is 5677c478bd9Sstevel@tonic-gate * requested we know only one method could have been 5687c478bd9Sstevel@tonic-gate * in postponed state, so we can return now. 5697c478bd9Sstevel@tonic-gate */ 5707c478bd9Sstevel@tonic-gate return (method->name); 5717c478bd9Sstevel@tonic-gate } 5727c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 5737c478bd9Sstevel@tonic-gate if (!authmethods[i]->postponed) 5747c478bd9Sstevel@tonic-gate continue; 5757c478bd9Sstevel@tonic-gate 5767c478bd9Sstevel@tonic-gate /* some method was postponed and a diff one is being started */ 5777c478bd9Sstevel@tonic-gate if (method != authmethods[i]) { 5787c478bd9Sstevel@tonic-gate authmethods[i]->postponed = 0; 5797c478bd9Sstevel@tonic-gate if (authmethods[i]->abandon) 5807c478bd9Sstevel@tonic-gate authmethods[i]->abandon(authctxt, 5817c478bd9Sstevel@tonic-gate authmethods[i]); 5827c478bd9Sstevel@tonic-gate else 5837c478bd9Sstevel@tonic-gate authmethods[i]->abandons++; 5847c478bd9Sstevel@tonic-gate authctxt->failures++; 5857c478bd9Sstevel@tonic-gate if (authmethods[i]->is_initial) 5867c478bd9Sstevel@tonic-gate authctxt->init_failures++; 5877c478bd9Sstevel@tonic-gate return (authmethods[i]->name); /* see above */ 5887c478bd9Sstevel@tonic-gate } 5897c478bd9Sstevel@tonic-gate } 5907c478bd9Sstevel@tonic-gate 5917c478bd9Sstevel@tonic-gate return NULL; 5927c478bd9Sstevel@tonic-gate } 5937c478bd9Sstevel@tonic-gate 5947c478bd9Sstevel@tonic-gate static char * 5957c478bd9Sstevel@tonic-gate authmethods_get(void) 5967c478bd9Sstevel@tonic-gate { 5977c478bd9Sstevel@tonic-gate Buffer b; 5987c478bd9Sstevel@tonic-gate char *list; 5997c478bd9Sstevel@tonic-gate int i; 6007c478bd9Sstevel@tonic-gate int sufficient = 0; 6017c478bd9Sstevel@tonic-gate int required = 0; 6027c478bd9Sstevel@tonic-gate int authenticated = 0; 6037c478bd9Sstevel@tonic-gate int partial = 0; 6047c478bd9Sstevel@tonic-gate 6057c478bd9Sstevel@tonic-gate /* 6067c478bd9Sstevel@tonic-gate * If at least one method succeeded partially then at least one 6077c478bd9Sstevel@tonic-gate * authmethod will be required and only required methods should 6087c478bd9Sstevel@tonic-gate * continue. 6097c478bd9Sstevel@tonic-gate */ 6107c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 6117c478bd9Sstevel@tonic-gate if (authmethods[i]->authenticated) 6127c478bd9Sstevel@tonic-gate authenticated++; 6137c478bd9Sstevel@tonic-gate if (authmethods[i]->required) 6147c478bd9Sstevel@tonic-gate required++; 6157c478bd9Sstevel@tonic-gate if (authmethods[i]->sufficient) 6167c478bd9Sstevel@tonic-gate sufficient++; 6177c478bd9Sstevel@tonic-gate } 6187c478bd9Sstevel@tonic-gate 6197c478bd9Sstevel@tonic-gate partial = (required + sufficient) > 0; 6207c478bd9Sstevel@tonic-gate 6217c478bd9Sstevel@tonic-gate buffer_init(&b); 6227c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) { 6237c478bd9Sstevel@tonic-gate if (strcmp(authmethods[i]->name, "none") == 0) 6247c478bd9Sstevel@tonic-gate continue; 6257c478bd9Sstevel@tonic-gate if (required && !authmethods[i]->required) 6267c478bd9Sstevel@tonic-gate continue; 6277c478bd9Sstevel@tonic-gate if (sufficient && !required && !authmethods[i]->sufficient) 6287c478bd9Sstevel@tonic-gate continue; 6297c478bd9Sstevel@tonic-gate if (authmethods[i]->not_again) 6307c478bd9Sstevel@tonic-gate continue; 6317c478bd9Sstevel@tonic-gate 6327c478bd9Sstevel@tonic-gate if (authmethods[i]->required) { 6337c478bd9Sstevel@tonic-gate if (buffer_len(&b) > 0) 6347c478bd9Sstevel@tonic-gate buffer_append(&b, ",", 1); 6357c478bd9Sstevel@tonic-gate buffer_append(&b, authmethods[i]->name, 6367c478bd9Sstevel@tonic-gate strlen(authmethods[i]->name)); 6377c478bd9Sstevel@tonic-gate continue; 6387c478bd9Sstevel@tonic-gate } 6397c478bd9Sstevel@tonic-gate 6407c478bd9Sstevel@tonic-gate /* 6417c478bd9Sstevel@tonic-gate * A method can be enabled (marked sufficient) 6427c478bd9Sstevel@tonic-gate * dynamically provided that at least one other method 6437c478bd9Sstevel@tonic-gate * has succeeded partially. 6447c478bd9Sstevel@tonic-gate */ 6457c478bd9Sstevel@tonic-gate if ((partial && authmethods[i]->sufficient) || 6467c478bd9Sstevel@tonic-gate (authmethods[i]->enabled != NULL && 6477c478bd9Sstevel@tonic-gate *(authmethods[i]->enabled) != 0)) { 6487c478bd9Sstevel@tonic-gate if (buffer_len(&b) > 0) 6497c478bd9Sstevel@tonic-gate buffer_append(&b, ",", 1); 6507c478bd9Sstevel@tonic-gate buffer_append(&b, authmethods[i]->name, 6517c478bd9Sstevel@tonic-gate strlen(authmethods[i]->name)); 6527c478bd9Sstevel@tonic-gate } 6537c478bd9Sstevel@tonic-gate } 6547c478bd9Sstevel@tonic-gate buffer_append(&b, "\0", 1); 6557c478bd9Sstevel@tonic-gate list = xstrdup(buffer_ptr(&b)); 6567c478bd9Sstevel@tonic-gate buffer_free(&b); 6577c478bd9Sstevel@tonic-gate return list; 6587c478bd9Sstevel@tonic-gate } 6597c478bd9Sstevel@tonic-gate 6607c478bd9Sstevel@tonic-gate static Authmethod * 6617c478bd9Sstevel@tonic-gate authmethod_lookup(const char *name) 6627c478bd9Sstevel@tonic-gate { 6637c478bd9Sstevel@tonic-gate int i; 6647c478bd9Sstevel@tonic-gate 6657c478bd9Sstevel@tonic-gate /* 6667c478bd9Sstevel@tonic-gate * Method must be sufficient, required or enabled and must not 6677c478bd9Sstevel@tonic-gate * be marked as not able to run again 6687c478bd9Sstevel@tonic-gate */ 6697c478bd9Sstevel@tonic-gate if (name != NULL) 6707c478bd9Sstevel@tonic-gate for (i = 0; authmethods[i] != NULL; i++) 6717c478bd9Sstevel@tonic-gate if (((authmethods[i]->sufficient || 6727c478bd9Sstevel@tonic-gate authmethods[i]->required) || 6737c478bd9Sstevel@tonic-gate (authmethods[i]->enabled != NULL && 6747c478bd9Sstevel@tonic-gate *(authmethods[i]->enabled) != 0)) && 6757c478bd9Sstevel@tonic-gate !authmethods[i]->not_again && 6767c478bd9Sstevel@tonic-gate strcmp(name, authmethods[i]->name) == 0) 6777c478bd9Sstevel@tonic-gate return authmethods[i]; 6787c478bd9Sstevel@tonic-gate debug2("Unrecognized authentication method name: %s", 6797c478bd9Sstevel@tonic-gate name ? name : "NULL"); 6807c478bd9Sstevel@tonic-gate return NULL; 6817c478bd9Sstevel@tonic-gate } 6827c478bd9Sstevel@tonic-gate 6837c478bd9Sstevel@tonic-gate static void 6847c478bd9Sstevel@tonic-gate authmethod_count_attempt(Authmethod *method) 6857c478bd9Sstevel@tonic-gate { 6867c478bd9Sstevel@tonic-gate if (!method) 6877c478bd9Sstevel@tonic-gate fatal("Internal error in authmethod_count_attempt()"); 6887c478bd9Sstevel@tonic-gate 6897c478bd9Sstevel@tonic-gate if (method->postponed) 6907c478bd9Sstevel@tonic-gate return; 6917c478bd9Sstevel@tonic-gate 6927c478bd9Sstevel@tonic-gate method->attempts++; 6937c478bd9Sstevel@tonic-gate 6947c478bd9Sstevel@tonic-gate if (method->abandoned) 6957c478bd9Sstevel@tonic-gate method->abandons++; 6967c478bd9Sstevel@tonic-gate else if (method->authenticated) 6977c478bd9Sstevel@tonic-gate method->successes++; 6987c478bd9Sstevel@tonic-gate else 6997c478bd9Sstevel@tonic-gate method->failures++; 7007c478bd9Sstevel@tonic-gate 7017c478bd9Sstevel@tonic-gate return; 7027c478bd9Sstevel@tonic-gate } 703