/*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
/*
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * auth2.c -- SSH protocol 2 server-side user authentication dispatcher.
 *
 * Handles SSH2_MSG_SERVICE_REQUEST and SSH2_MSG_USERAUTH_REQUEST on the
 * unauthenticated connection, drives the individual userauth methods
 * listed in authmethods[] below, counts attempts/failures against
 * options.max_auth_tries / options.max_init_auth_tries, and sends the
 * USERAUTH_SUCCESS / USERAUTH_FAILURE replies.
 */

#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include "ssh2.h"
#include "xmalloc.h"
#include "packet.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
#include "misc.h"
#include "auth.h"
#include "dispatch.h"
#include "sshlogin.h"
#include "pathnames.h"
#include "monitor_wrap.h"

#ifdef HAVE_BSM
#include "bsmaudit.h"
/* audit session handle used by audit_sshd_login_failure() in userauth_finish() */
extern adt_session_data_t *ah;
#endif /* HAVE_BSM */

#ifdef GSSAPI
#include "ssh-gss.h"
#endif

/* import */
extern ServerOptions options;
extern u_char *session_id2;
extern int session_id2_len;

/*
 * The single authentication context for this connection; set by
 * do_authentication2() and read by auth_get_user().
 */
Authctxt *x_authctxt = NULL;

/* methods */

extern Authmethod method_none;
extern Authmethod method_pubkey;
extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
extern Authmethod method_external;
extern Authmethod method_gssapi;

/*
 * NULL-terminated table of all userauth methods. Order matters: it is the
 * order in which authmethods_get() lists the methods in the
 * USERAUTH_FAILURE reply. "none" is never advertised (see authmethods_get()).
 */
static Authmethod *authmethods[] = {
	&method_none,
#ifdef GSSAPI
	&method_external,
	&method_gssapi,
#endif
	&method_pubkey,
	&method_passwd,
	&method_kbdint,
	&method_hostbased,
	NULL
};

/* protocol */

static void input_service_request(int, u_int32_t, void *);
static void input_userauth_request(int, u_int32_t, void *);

/* helper */
static Authmethod *authmethod_lookup(const char *);
static char *authmethods_get(void);
static char *authmethods_check_abandonment(Authctxt *authctxt,
    Authmethod *method);
static void authmethod_count_attempt(Authmethod *method);
/*static char *authmethods_get_kbdint(void);*/
int user_key_allowed(struct passwd *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
static int userauth_method_can_run(Authmethod *method);
static void userauth_reset_methods(void);

/*
 * loop until authctxt->success == TRUE
 */

/*
 * Entry point for protocol 2 authentication.
 *
 * Allocates the per-connection Authctxt, publishes it in x_authctxt,
 * installs the SERVICE_REQUEST handler and runs the dispatch loop until
 * authctxt->success becomes non-zero (set in userauth_finish()).
 *
 * Returns the authenticated context; ownership stays with the caller.
 */
Authctxt *
do_authentication2(void)
{
	Authctxt *authctxt = authctxt_new();

	x_authctxt = authctxt;		/*XXX*/

#ifdef HAVE_BSM
	/* make sure an aborted login is still audited as a failure */
	fatal_add_cleanup(audit_failed_login_cleanup, authctxt);
#endif /* HAVE_BSM */

	/* challenge-response is implemented via keyboard interactive */
	if (options.challenge_response_authentication)
		options.kbd_interactive_authentication = 1;
	if (options.pam_authentication_via_kbd_int)
		options.kbd_interactive_authentication = 1;
	if (use_privsep)
		options.pam_authentication_via_kbd_int = 0;

	/* anything other than SERVICE_REQUEST is a protocol error at this point */
	dispatch_init(&dispatch_protocol_error);
	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);

	return (authctxt);
}

/*
 * SSH2_MSG_SERVICE_REQUEST handler.
 *
 * The only service accepted before authentication is "ssh-userauth", and
 * only while authctxt->success is still 0; every other request (or a
 * repeat after success) disconnects the peer. The service name comes from
 * the network and is only ever passed as a "%s" argument, never as a
 * format string.
 *
 * type and seq are unused (dispatch callback signature).
 */
static void
input_service_request(int type, u_int32_t seq, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	u_int len;
	int acceptit = 0;
	char *service = packet_get_string(&len);
	packet_check_eom();

	if (authctxt == NULL)
		fatal("input_service_request: no authctxt");

	if (strcmp(service, "ssh-userauth") == 0) {
		if (!authctxt->success) {
			acceptit = 1;
			/* now we can handle user-auth requests */
			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
		}
	}
	/* XXX all other service requests are denied */

	if (acceptit) {
		packet_start(SSH2_MSG_SERVICE_ACCEPT);
		packet_put_cstring(service);
		packet_send();
		packet_write_wait();
	} else {
		debug("bad service request %s", service);
		packet_disconnect("bad service request %s", service);
	}
	xfree(service);
}

/*
 * SSH2_MSG_USERAUTH_REQUEST handler.
 *
 * Reads user, service and method from the (unauthenticated) peer, looks
 * the method up, maintains the attempt counters, sets up the Authctxt on
 * the first request (or checks for user/service changes and abandoned
 * multi-round-trip methods on later ones), runs the method and finally
 * hands the outcome to userauth_finish().
 *
 * All three strings are attacker controlled; they are only used as "%s"
 * arguments and as strcmp() operands. An unknown or disabled method name
 * yields m == NULL, which userauth_finish() reports as a plain failure.
 *
 * type and seq are unused (dispatch callback signature).
 */
static void
input_userauth_request(int type, u_int32_t seq, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	Authmethod *m = NULL;
	char *user, *service, *method, *style = NULL;

	if (authctxt == NULL)
		fatal("input_userauth_request: no authctxt");

	user = packet_get_string(NULL);
	service = packet_get_string(NULL);
	method = packet_get_string(NULL);
	debug("userauth-request for user %s service %s method %s", user,
	    service, method);
	debug("attempt %d initial attempt %d failures %d initial failures %d",
	    authctxt->attempt, authctxt->init_attempt,
	    authctxt->failures, authctxt->init_failures);

	/* NULL unless the method is enabled/required/sufficient and may run again */
	m = authmethod_lookup(method);

	/* split "user:style" in place; style points into the user buffer */
	if ((style = strchr(user, ':')) != NULL)
		*style++ = 0;

	authctxt->attempt++;
	if (m != NULL && m->is_initial)
		authctxt->init_attempt++;

	if (authctxt->attempt == 1) {
		/* setup auth context */
		authctxt->pw = PRIVSEP(getpwnamallow(user));
		/* May want to abstract SSHv2 services someday */
		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
			/* enforced in userauth_finish() below */
			authctxt->valid = 1;
			debug2("input_userauth_request: setting up authctxt for %s", user);
		} else {
			/*
			 * Unknown/disallowed user or wrong service: the request
			 * still goes through the method below, but with
			 * valid == 0 userauth_finish() refuses any success.
			 */
			log("input_userauth_request: illegal user %s", user);
		}
		/* do not expose an unknown (attacker supplied) name in the process title */
		setproctitle("%s%s", authctxt->pw ? user : "unknown",
		    use_privsep ? " [net]" : "");
		authctxt->user = xstrdup(user);
		authctxt->service = xstrdup(service);
		authctxt->style = style ? xstrdup(style) : NULL;
		userauth_reset_methods();
		if (use_privsep)
			mm_inform_authserv(service, style);
	} else {
		char *abandoned;

		/*
		 * Check for abandoned [multi-round-trip] userauths
		 * methods (e.g., kbdint). Userauth method abandonment
		 * should be treated as userauth method failure and
		 * counted against max_auth_tries.
		 */
		abandoned = authmethods_check_abandonment(authctxt, m);

		if (abandoned != NULL &&
		    authctxt->failures > options.max_auth_tries) {
			/*
			 * userauth_finish() will now packet_disconnect():
			 * its failure path tests failures++ > max_auth_tries,
			 * which already holds here.
			 */
			userauth_finish(authctxt, abandoned);
			/* NOTREACHED */
		}

		/* Handle user|service changes, possibly packet_disconnect() */
		userauth_user_svc_change(authctxt, user, service);
	}

	authctxt->method = m;

	/* run userauth method, try to authenticate user */
	if (m != NULL && userauth_method_can_run(m)) {
		debug2("input_userauth_request: try method %s", method);

		m->postponed = 0;
		m->abandoned = 0;
		m->authenticated = 0;

		/*
		 * Initial methods stop being run once max_init_auth_tries
		 * initial failures have accumulated; the attempt is still
		 * counted and reported as a failure below.
		 */
		if (!m->is_initial ||
		    authctxt->init_failures < options.max_init_auth_tries)
			m->userauth(authctxt);

		authmethod_count_attempt(m);

		if (authctxt->unwind_dispatch_loop) {
			/*
			 * Method ran nested dispatch loop but was
			 * abandoned. Cleanup and return without doing
			 * anything else; we're just unwinding the stack.
			 */
			authctxt->unwind_dispatch_loop = 0;
			goto done;
		}

		if (m->postponed)
			goto done;	/* multi-round trip userauth not finished */

		if (m->abandoned) {
			/* multi-round trip userauth abandoned, log failure */
			auth_log(authctxt, 0, method, " ssh2");
			goto done;
		}
	}

	userauth_finish(authctxt, method);

done:
	/* style pointed into user and is freed with it */
	xfree(service);
	xfree(user);
	xfree(method);
}

/*
 * Decide the outcome of the userauth request just processed and send the
 * reply.
 *
 * authctxt->method == NULL means the client named an unknown/disabled
 * method: treated as a plain (non-partial) failure. Otherwise the
 * method's authenticated flag is taken, after the root and UNICOS
 * checks, and combined with userauth_check_partial_failure().
 *
 * A success for an invalid user (authctxt->valid == 0) is never honoured.
 * On full success USERAUTH_SUCCESS is sent and authctxt->success is set,
 * ending the dispatch loop in do_authentication2(). Anything else
 * (including a partial success) goes down the failure path: it counts
 * against max_auth_tries and sends USERAUTH_FAILURE with the list from
 * authmethods_get() and the partial-success flag.
 *
 * method: the method name string from the request (only read).
 */
void
userauth_finish(Authctxt *authctxt, char *method)
{
	int authenticated, partial;

	if (authctxt == NULL)
		fatal("%s: missing context", __func__);

	/* unknown method handling -- must elicit userauth failure msg */
	if (authctxt->method == NULL) {
		authenticated = 0;
		partial = 0;
		goto done_checking;
	}

#ifndef USE_PAM
	/* Special handling for root (done elsewhere for PAM) */
	if (!use_privsep &&
	    authctxt->method->authenticated &&
	    authctxt->pw != NULL && authctxt->pw->pw_uid == 0 &&
	    !auth_root_allowed(method))
		authctxt->method->authenticated = 0;
#endif /* USE_PAM */

#ifdef _UNICOS
	if (authctxt->method->authenticated &&
	    cray_access_denied(authctxt->user)) {
		authctxt->method->authenticated = 0;
		fatal("Access denied for user %s.",authctxt->user);
	}
#endif /* _UNICOS */

	partial = userauth_check_partial_failure(authctxt);
	authenticated = authctxt->method->authenticated;

#ifdef USE_PAM
	/*
	 * If the userauth method failed to complete PAM work then force
	 * partial failure.
	 */
	if (authenticated && !AUTHPAM_DONE(authctxt))
		partial = 1;
#endif /* USE_PAM */

	/*
	 * To properly support invalid userauth method names we set
	 * authenticated=0, partial=0 above and know that
	 * authctxt->method == NULL.
	 *
	 * No unguarded reference to authctxt->method allowed from here.
	 * Checking authenticated != 0 is a valid guard; authctxt->method
	 * MUST NOT be NULL if authenticated.
	 */
done_checking:
	if (!authctxt->valid && authenticated) {
		/*
		 * Should never happen -- if it does PAM's at fault
		 * but we need not panic, just treat as a failure.
		 */
		authctxt->method->authenticated = 0;
		authenticated = 0;
		log("Ignoring authenticated invalid user %s",
		    authctxt->user);
		auth_log(authctxt, 0, method, " ssh2");
	}

	/* Log before sending the reply */
	auth_log(authctxt, authenticated, method, " ssh2");

	if (authenticated && !partial) {

		/* turn off userauth */
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
		packet_send();
		packet_write_wait();
		/* now we can break out */
		authctxt->success = 1;
	} else {
		char *methods;

		if (authctxt->method && authctxt->method->is_initial)
			authctxt->init_failures++;

		authctxt->method = NULL;

#ifdef USE_PAM
		/*
		 * Keep track of last PAM error (or PERM_DENIED) for BSM
		 * login failure auditing, which may run after the PAM
		 * state has been cleaned up.
		 */
		authctxt->pam_retval = AUTHPAM_ERROR(authctxt, PAM_PERM_DENIED);
#endif /* USE_PAM */

		/*
		 * Post-increment: the disconnect fires once the stored count
		 * already exceeds max_auth_tries before this failure is
		 * added. Note that a partial success also lands here and is
		 * counted.
		 */
		if (authctxt->failures++ > options.max_auth_tries) {
#ifdef HAVE_BSM
			fatal_remove_cleanup(audit_failed_login_cleanup,
			    authctxt);
			audit_sshd_login_failure(&ah, PAM_MAXTRIES);
#endif /* HAVE_BSM */
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
		}

#ifdef _UNICOS
		if (strcmp(method, "password") == 0)
			cray_login_failure(authctxt->user, IA_UDBERR);
#endif /* _UNICOS */
		packet_start(SSH2_MSG_USERAUTH_FAILURE);

		/*
		 * If (partial) then authmethods_get() will return only
		 * required methods, likely only "keyboard-interactive;"
		 * (methods == NULL) implies failure, even if (partial == 1)
		 *
		 * NOTE(review): as written below, authmethods_get() always
		 * returns an xstrdup()ed string, so the NULL guards are
		 * defensive only.
		 */
		methods = authmethods_get();
		packet_put_cstring(methods);
		packet_put_char((authenticated && partial && methods) ? 1 : 0);
		if (methods)
			xfree(methods);
		packet_send();
		packet_write_wait();
	}
}

/* get current user */

/*
 * Return the passwd entry of the user being authenticated, or NULL when
 * there is no context yet or the context is not valid (unknown user or
 * wrong service). Callers must not treat a NULL as "no user yet".
 */
struct passwd*
auth_get_user(void)
{
	return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
}

/* separator for the method list; currently unused, authmethods_get() appends "," literally */
#define	DELIM	","

#if 0
static char *
authmethods_get_kbdint(void)
{
	Buffer b;
	int i;

	for (i = 0; authmethods[i] != NULL; i++) {
		if (strcmp(authmethods[i]->name, "keyboard-interactive") != 0)
			continue;
		return xstrdup(authmethods[i]->name);
	}
	return NULL;
}
#endif

/*
 * Apply a user/service pair from a second or later USERAUTH_REQUEST.
 *
 * A service different from the one recorded on the first request
 * disconnects the peer. A changed user name replaces authctxt->user,
 * re-resolves authctxt->pw and resets the per-method flags (attempt and
 * failure counters are deliberately kept, see userauth_reset_methods()).
 *
 * user and service are the strings from the request; user is copied,
 * neither is freed here.
 */
void
userauth_user_svc_change(Authctxt *authctxt, char *user, char *service)
{
	/*
	 * NOTE:
	 *
	 * SSHv2 services should be abstracted and service changes during
	 * userauth should be supported as per the userauth draft. In the PAM
	 * case, support for multiple SSHv2 services means that we have to
	 * format the PAM service name according to the SSHv2 service *and* the
	 * SSHv2 userauth being attempted ("passwd", "kbdint" and "other").
	 *
	 * We'll cross that bridge when we come to it. For now disallow service
	 * changes during userauth if using PAM, but allow username changes.
	 */

	/* authctxt->service must == ssh-connection here */
	if (service != NULL && strcmp(service, authctxt->service) != 0) {
		packet_disconnect("Change of service not "
		    "allowed: %s and %s",
		    authctxt->service, service);
	}
	if (user != NULL && authctxt->user != NULL &&
	    strcmp(user, authctxt->user) == 0)
		return;

	/* All good; update authctxt */
	xfree(authctxt->user);
	authctxt->user = xstrdup(user);
	pwfree(&authctxt->pw);
	authctxt->pw = PRIVSEP(getpwnamallow(user));
	/*
	 * NOTE(review): unlike the first-attempt setup in
	 * input_userauth_request(), valid depends only on the pw lookup here;
	 * the "ssh-connection" service test is not repeated (the recorded
	 * service cannot change, see above) and the style of the new request
	 * is not stored. Confirm both are intended.
	 */
	authctxt->valid = (authctxt->pw != NULL);

	/* Forget method state; abandon postponed userauths */
	userauth_reset_methods();
}

/*
 * Decide whether the current method's result is only a partial failure.
 *
 * Returns 0 if the method fully succeeded under the current required/
 * sufficient configuration, and non-zero otherwise:
 *  - no method required or sufficient: the method stands alone;
 *  - exactly one required method and this is it: it stands alone;
 *  - some method is sufficient and this is one of them: it stands alone;
 *  - otherwise more work is needed, so the result is partial (1).
 * Always 0 when authctxt->method is NULL (protocol 1 never sets it).
 */
int
userauth_check_partial_failure(Authctxt *authctxt)
{
	int i;
	int required = 0;
	int sufficient = 0;

	/*
	 * v1 does not set authctxt->method
	 * partial userauth failure is a v2 concept
	 */
	if (authctxt->method == NULL)
		return 0;

	for (i = 0; authmethods[i] != NULL; i++) {
		if (authmethods[i]->required)
			required++;
		if (authmethods[i]->sufficient)
			sufficient++;
	}

	if (required == 0 && sufficient == 0)
		return !authctxt->method->authenticated;

	if (required == 1 && authctxt->method->required)
		return !authctxt->method->authenticated;

	if (sufficient && authctxt->method->sufficient)
		return !authctxt->method->authenticated;

	return 1;
}

/*
 * Return non-zero unless the method has been marked not_again (it may
 * not be attempted again for this user).
 */
int
userauth_method_can_run(Authmethod *method)
{
	if (method->not_again)
		return 0;

	return 1;
}

/*
 * Clear the per-user state flags of every method (required, sufficient,
 * authenticated, not_again, postponed, abandoned). The attempt/success/
 * failure/abandon counters are kept so a user change does not reset them.
 */
static
void
userauth_reset_methods(void)
{
	int i;

	for (i = 0; authmethods[i] != NULL; i++) {
		/* note: counters not reset */
		authmethods[i]->required = 0;
		authmethods[i]->sufficient = 0;
		authmethods[i]->authenticated = 0;
		authmethods[i]->not_again = 0;
		authmethods[i]->postponed = 0;
		authmethods[i]->abandoned = 0;
	}
}

/*
 * Make keyboard-interactive the only required method: every method's
 * required/sufficient flags are cleared and method_kbdint.required is set.
 * authmethods_get() will then advertise keyboard-interactive alone.
 */
void
userauth_force_kbdint(void)
{
	int i;

	for (i = 0; authmethods[i] != NULL; i++) {
		authmethods[i]->required = 0;
		authmethods[i]->sufficient = 0;
	}
	method_kbdint.required = 1;
}

/*
 * Check to see if a previously run multi-round trip userauth method has
 * been abandoned and call its cleanup function.
 *
 * Abandoned userauth method invocations are counted as userauth failures.
 *
 * method is the method of the request just received (may be NULL).
 * Returns the name of the abandoned method (owned by the method table,
 * not to be freed), or NULL if nothing was postponed. In both branches
 * authctxt->failures (and init_failures for initial methods) is bumped.
 */
static
char *
authmethods_check_abandonment(Authctxt *authctxt, Authmethod *method)
{
	int i;

	/* optimization: check current method first */
	if (method && method->postponed) {
		method->postponed = 0;
		if (method->abandon)
			method->abandon(authctxt, method);
		else
			method->abandons++;
		authctxt->failures++; /* abandonment -> failure */
		if (method->is_initial)
			authctxt->init_failures++;

		/*
		 * Since we check for abandonment whenever a userauth is
		 * requested we know only one method could have been
		 * in postponed state, so we can return now.
		 */
		return (method->name);
	}
	for (i = 0; authmethods[i] != NULL; i++) {
		if (!authmethods[i]->postponed)
			continue;

		/* some method was postponed and a diff one is being started */
		if (method != authmethods[i]) {
			authmethods[i]->postponed = 0;
			if (authmethods[i]->abandon)
				authmethods[i]->abandon(authctxt,
				    authmethods[i]);
			else
				authmethods[i]->abandons++;
			authctxt->failures++;
			if (authmethods[i]->is_initial)
				authctxt->init_failures++;
			return (authmethods[i]->name); /* see above */
		}
	}

	return NULL;
}

/*
 * Build the comma separated list of methods that "can continue", as sent
 * in USERAUTH_FAILURE.
 *
 * "none" and not_again methods are never listed. If any method is
 * required, only required ones are listed; else if any is sufficient,
 * only sufficient ones; otherwise every method whose enabled flag is set.
 * Methods appear in authmethods[] order.
 *
 * Returns an xstrdup()ed string (possibly empty, never NULL); the caller
 * frees it. The local `authenticated` count is computed but not used.
 */
static char *
authmethods_get(void)
{
	Buffer b;
	char *list;
	int i;
	int sufficient = 0;
	int required = 0;
	int authenticated = 0;
	int partial = 0;

	/*
	 * If at least one method succeeded partially then at least one
	 * authmethod will be required and only required methods should
	 * continue.
	 */
	for (i = 0; authmethods[i] != NULL; i++) {
		if (authmethods[i]->authenticated)
			authenticated++;
		if (authmethods[i]->required)
			required++;
		if (authmethods[i]->sufficient)
			sufficient++;
	}

	partial = (required + sufficient) > 0;

	buffer_init(&b);
	for (i = 0; authmethods[i] != NULL; i++) {
		if (strcmp(authmethods[i]->name, "none") == 0)
			continue;
		if (required && !authmethods[i]->required)
			continue;
		if (sufficient && !required && !authmethods[i]->sufficient)
			continue;
		if (authmethods[i]->not_again)
			continue;

		if (authmethods[i]->required) {
			if (buffer_len(&b) > 0)
				buffer_append(&b, ",", 1);
			buffer_append(&b, authmethods[i]->name,
			    strlen(authmethods[i]->name));
			continue;
		}

		/*
		 * A method can be enabled (marked sufficient)
		 * dynamically provided that at least one other method
		 * has succeeded partially.
		 */
		if ((partial && authmethods[i]->sufficient) ||
		    (authmethods[i]->enabled != NULL &&
		    *(authmethods[i]->enabled) != 0)) {
			if (buffer_len(&b) > 0)
				buffer_append(&b, ",", 1);
			buffer_append(&b, authmethods[i]->name,
			    strlen(authmethods[i]->name));
		}
	}
	/* NUL-terminate before copying out of the Buffer */
	buffer_append(&b, "\0", 1);
	list = xstrdup(buffer_ptr(&b));
	buffer_free(&b);
	return list;
}

/*
 * Map a method name from the wire to its Authmethod.
 *
 * Only methods that are sufficient, required or enabled, and not marked
 * not_again, are returned; a method that is configured off is therefore
 * indistinguishable from an unknown name (both yield NULL, logged at
 * debug2 with the name as a "%s" argument). name may be NULL.
 */
static Authmethod *
authmethod_lookup(const char *name)
{
	int i;

	/*
	 * Method must be sufficient, required or enabled and must not
	 * be marked as not able to run again
	 */
	if (name != NULL)
		for (i = 0; authmethods[i] != NULL; i++)
			if (((authmethods[i]->sufficient ||
			    authmethods[i]->required) ||
			    (authmethods[i]->enabled != NULL &&
			    *(authmethods[i]->enabled) != 0)) &&
			    !authmethods[i]->not_again &&
			    strcmp(name, authmethods[i]->name) == 0)
				return authmethods[i];
	debug2("Unrecognized authentication method name: %s",
	    name ? name : "NULL");
	return NULL;
}

/*
 * Update a method's per-method statistics after it has run.
 *
 * A postponed (still in progress) invocation is not counted yet; otherwise
 * attempts is bumped and exactly one of abandons/successes/failures.
 * fatal()s on a NULL method.
 */
static void
authmethod_count_attempt(Authmethod *method)
{
	if (!method)
		fatal("Internal error in authmethod_count_attempt()");

	if (method->postponed)
		return;

	method->attempts++;

	if (method->abandoned)
		method->abandons++;
	else if (method->authenticated)
		method->successes++;
	else
		method->failures++;

	return;
}