xref: /titanic_44/usr/src/cmd/ssh/sshd/auth2-hostbased.c (revision 18c2aff776a775d34a4c9893a4c72e0434d68e36)
1 /*
2  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 /*
25  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
26  * Use is subject to license terms.
27  */
28 
29 #include "includes.h"
30 RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
31 
32 #pragma ident	"%Z%%M%	%I%	%E% SMI"
33 
34 #include "ssh2.h"
35 #include "xmalloc.h"
36 #include "packet.h"
37 #include "buffer.h"
38 #include "log.h"
39 #include "servconf.h"
40 #include "compat.h"
41 #include "bufaux.h"
42 #include "auth.h"
43 
44 #ifdef USE_PAM
45 #include "auth-pam.h"
46 #endif /* USE_PAM */
47 
48 #include "key.h"
49 #include "canohost.h"
50 #include "monitor_wrap.h"
51 #include "pathnames.h"
52 
53 /* import */
54 extern ServerOptions options;
55 extern u_char *session_id2;
56 extern int session_id2_len;
57 
58 static void
59 userauth_hostbased(Authctxt *authctxt)
60 {
61 	Buffer b;
62 	Key *key = NULL;
63 	char *pkalg, *cuser, *chost, *service;
64 	u_char *pkblob, *sig;
65 	u_int alen, blen, slen;
66 	int pktype;
67 	int authenticated = 0;
68 
69 	if (!authctxt || !authctxt->method)
70 		fatal("%s: missing context", __func__);
71 
72 	pkalg = packet_get_string(&alen);
73 	pkblob = packet_get_string(&blen);
74 	chost = packet_get_string(NULL);
75 	cuser = packet_get_string(NULL);
76 	sig = packet_get_string(&slen);
77 
78 	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
79 	    cuser, chost, pkalg, slen);
80 #ifdef DEBUG_PK
81 	debug("signature:");
82 	buffer_init(&b);
83 	buffer_append(&b, sig, slen);
84 	buffer_dump(&b);
85 	buffer_free(&b);
86 #endif
87 	pktype = key_type_from_name(pkalg);
88 	if (pktype == KEY_UNSPEC) {
89 		/* this is perfectly legal */
90 		log("userauth_hostbased: unsupported "
91 		    "public key algorithm: %s", pkalg);
92 		goto done;
93 	}
94 	key = key_from_blob(pkblob, blen);
95 	if (key == NULL) {
96 		error("userauth_hostbased: cannot decode key: %s", pkalg);
97 		goto done;
98 	}
99 	if (key->type != pktype) {
100 		error("userauth_hostbased: type mismatch for decoded key "
101 		    "(received %d, expected %d)", key->type, pktype);
102 		goto done;
103 	}
104 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
105 	    authctxt->service;
106 	buffer_init(&b);
107 	buffer_put_string(&b, session_id2, session_id2_len);
108 	/* reconstruct packet */
109 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
110 	buffer_put_cstring(&b, authctxt->user);
111 	buffer_put_cstring(&b, service);
112 	buffer_put_cstring(&b, "hostbased");
113 	buffer_put_string(&b, pkalg, alen);
114 	buffer_put_string(&b, pkblob, blen);
115 	buffer_put_cstring(&b, chost);
116 	buffer_put_cstring(&b, cuser);
117 #ifdef DEBUG_PK
118 	buffer_dump(&b);
119 #endif
120 	/* test for allowed key and correct signature */
121 	authenticated = 0;
122 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
123 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
124 			buffer_len(&b))) == 1)
125 		authenticated = 1;
126 
127 	buffer_clear(&b);
128 done:
129 	/*
130 	 * XXX TODO: Add config options for specifying users for whom
131 	 *           this userauth is insufficient and what userauths
132 	 *           may continue.
133 	 *
134 	 *           NOTE: do_pam_non_initial_userauth() does this for
135 	 *                 users with expired passwords.
136 	 */
137 #ifdef USE_PAM
138 	if (authenticated) {
139 		if (!do_pam_non_initial_userauth(authctxt))
140 			authenticated = 0;
141 	}
142 #endif /* USE_PAM */
143 
144 	if (authenticated)
145 		authctxt->method->authenticated = 1;
146 
147 	debug2("userauth_hostbased: authenticated %d", authenticated);
148 	if (key != NULL)
149 		key_free(key);
150 	xfree(pkalg);
151 	xfree(pkblob);
152 	xfree(cuser);
153 	xfree(chost);
154 	xfree(sig);
155 	return;
156 }
157 
158 /* return 1 if given hostkey is allowed */
159 int
160 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
161     Key *key)
162 {
163 	const char *resolvedname, *ipaddr, *lookup;
164 	HostStatus host_status;
165 	int len;
166 
167 	resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
168 	ipaddr = get_remote_ipaddr();
169 
170 	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
171 	    chost, resolvedname, ipaddr);
172 
173 	if (pw == NULL)
174 		return 0;
175 
176 	if (options.hostbased_uses_name_from_packet_only) {
177 		if (auth_rhosts2(pw, cuser, chost, chost) == 0)
178 			return 0;
179 		lookup = chost;
180 	} else {
181 		if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
182 			debug2("stripping trailing dot from chost %s", chost);
183 			chost[len - 1] = '\0';
184 		}
185 		if (strcasecmp(resolvedname, chost) != 0)
186 			log("userauth_hostbased mismatch: "
187 			    "client sends %s, but we resolve %s to %s",
188 			    chost, ipaddr, resolvedname);
189 		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
190 			return 0;
191 		lookup = resolvedname;
192 	}
193 	debug2("userauth_hostbased: access allowed by auth_rhosts2");
194 
195 	host_status = check_key_in_hostfiles(pw, key, lookup,
196 	    _PATH_SSH_SYSTEM_HOSTFILE,
197 	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
198 
199 	/* backward compat if no key has been found. */
200 	if (host_status == HOST_NEW)
201 		host_status = check_key_in_hostfiles(pw, key, lookup,
202 		    _PATH_SSH_SYSTEM_HOSTFILE2,
203 		    options.ignore_user_known_hosts ? NULL :
204 		    _PATH_SSH_USER_HOSTFILE2);
205 
206 	return (host_status == HOST_OK);
207 }
208 
209 Authmethod method_hostbased = {
210 	"hostbased",
211 	&options.hostbased_authentication,
212 	userauth_hostbased,
213 	NULL,		    /* no abandon function */
214 	NULL, NULL,	    /* method data and hist data */
215 	0,		    /* is not initial userauth */
216 	0, 0, 0,	    /* counters */
217 	0, 0, 0, 0, 0, 0    /* state */
218 };
219