xref: /titanic_44/usr/src/cmd/ssh/sshd/auth2-hostbased.c (revision 2917a9c9c3eee6fcaedb239f5f68da01f4ed0da9)
1 /*
2  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 /*
25  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
26  * Use is subject to license terms.
27  */
28 
29 #include "includes.h"
30 RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
31 
32 #pragma ident	"%Z%%M%	%I%	%E% SMI"
33 
34 #include "ssh2.h"
35 #include "xmalloc.h"
36 #include "packet.h"
37 #include "buffer.h"
38 #include "log.h"
39 #include "servconf.h"
40 #include "compat.h"
41 #include "bufaux.h"
42 #include "auth.h"
43 
44 #ifdef USE_PAM
45 #include "auth-pam.h"
46 #endif /* USE_PAM */
47 
48 #include "key.h"
49 #include "canohost.h"
50 #include "monitor_wrap.h"
51 #include "pathnames.h"
52 
53 /* import */
54 extern ServerOptions options;
55 extern u_char *session_id2;
56 extern int session_id2_len;
57 
58 static void
59 userauth_hostbased(Authctxt *authctxt)
60 {
61 	Buffer b;
62 	Key *key = NULL;
63 	char *pkalg, *cuser, *chost, *service;
64 	u_char *pkblob, *sig;
65 	u_int alen, blen, slen;
66 	int pktype;
67 	int authenticated = 0;
68 
69 	if (!authctxt || !authctxt->method)
70 		fatal("%s: missing context", __func__);
71 
72 	pkalg = packet_get_string(&alen);
73 	pkblob = packet_get_string(&blen);
74 	chost = packet_get_string(NULL);
75 	cuser = packet_get_string(NULL);
76 	sig = packet_get_string(&slen);
77 
78 	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
79 	    cuser, chost, pkalg, slen);
80 #ifdef DEBUG_PK
81 	debug("signature:");
82 	buffer_init(&b);
83 	buffer_append(&b, sig, slen);
84 	buffer_dump(&b);
85 	buffer_free(&b);
86 #endif
87 	pktype = key_type_from_name(pkalg);
88 	if (pktype == KEY_UNSPEC) {
89 		/* this is perfectly legal */
90 		log("userauth_hostbased: unsupported "
91 		    "public key algorithm: %s", pkalg);
92 		goto done;
93 	}
94 	key = key_from_blob(pkblob, blen);
95 	if (key == NULL) {
96 		error("userauth_hostbased: cannot decode key: %s", pkalg);
97 		goto done;
98 	}
99 	if (key->type != pktype) {
100 		error("userauth_hostbased: type mismatch for decoded key "
101 		    "(received %d, expected %d)", key->type, pktype);
102 		goto done;
103 	}
104 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
105 	    authctxt->service;
106 	buffer_init(&b);
107 	buffer_put_string(&b, session_id2, session_id2_len);
108 	/* reconstruct packet */
109 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
110 	buffer_put_cstring(&b, authctxt->user);
111 	buffer_put_cstring(&b, service);
112 	buffer_put_cstring(&b, "hostbased");
113 	buffer_put_string(&b, pkalg, alen);
114 	buffer_put_string(&b, pkblob, blen);
115 	buffer_put_cstring(&b, chost);
116 	buffer_put_cstring(&b, cuser);
117 #ifdef DEBUG_PK
118 	buffer_dump(&b);
119 #endif
120 	/* test for allowed key and correct signature */
121 	authenticated = 0;
122 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
123 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
124 			buffer_len(&b))) == 1)
125 		authenticated = 1;
126 
127 	buffer_clear(&b);
128 done:
129 	/*
130 	 * XXX TODO: Add config options for specifying users for whom
131 	 *           this userauth is insufficient and what userauths
132 	 *           may continue.
133 	 *
134 	 *           NOTE: do_pam_non_initial_userauth() does this for
135 	 *                 users with expired passwords.
136 	 */
137 #ifdef USE_PAM
138 	if (authenticated) {
139 		authctxt->cuser = cuser;
140 		if (!do_pam_non_initial_userauth(authctxt))
141 			authenticated = 0;
142 		/* Make sure nobody else will use this pointer since we are
143 		 * going to free that string. */
144 		authctxt->cuser = NULL;
145 	}
146 #endif /* USE_PAM */
147 
148 	if (authenticated)
149 		authctxt->method->authenticated = 1;
150 
151 	debug2("userauth_hostbased: authenticated %d", authenticated);
152 	if (key != NULL)
153 		key_free(key);
154 	xfree(pkalg);
155 	xfree(pkblob);
156 	xfree(cuser);
157 	xfree(chost);
158 	xfree(sig);
159 	return;
160 }
161 
162 /* return 1 if given hostkey is allowed */
163 int
164 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
165     Key *key)
166 {
167 	const char *resolvedname, *ipaddr, *lookup;
168 	HostStatus host_status;
169 	int len;
170 
171 	resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
172 	ipaddr = get_remote_ipaddr();
173 
174 	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
175 	    chost, resolvedname, ipaddr);
176 
177 	if (pw == NULL)
178 		return 0;
179 
180 	if (options.hostbased_uses_name_from_packet_only) {
181 		if (auth_rhosts2(pw, cuser, chost, chost) == 0)
182 			return 0;
183 		lookup = chost;
184 	} else {
185 		if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
186 			debug2("stripping trailing dot from chost %s", chost);
187 			chost[len - 1] = '\0';
188 		}
189 		if (strcasecmp(resolvedname, chost) != 0)
190 			log("userauth_hostbased mismatch: "
191 			    "client sends %s, but we resolve %s to %s",
192 			    chost, ipaddr, resolvedname);
193 		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
194 			return 0;
195 		lookup = resolvedname;
196 	}
197 	debug2("userauth_hostbased: access allowed by auth_rhosts2");
198 
199 	host_status = check_key_in_hostfiles(pw, key, lookup,
200 	    _PATH_SSH_SYSTEM_HOSTFILE,
201 	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
202 
203 	/* backward compat if no key has been found. */
204 	if (host_status == HOST_NEW)
205 		host_status = check_key_in_hostfiles(pw, key, lookup,
206 		    _PATH_SSH_SYSTEM_HOSTFILE2,
207 		    options.ignore_user_known_hosts ? NULL :
208 		    _PATH_SSH_USER_HOSTFILE2);
209 
210 	return (host_status == HOST_OK);
211 }
212 
213 Authmethod method_hostbased = {
214 	"hostbased",
215 	&options.hostbased_authentication,
216 	userauth_hostbased,
217 	NULL,		    /* no abandon function */
218 	NULL, NULL,	    /* method data and hist data */
219 	0,		    /* is not initial userauth */
220 	0, 0, 0,	    /* counters */
221 	0, 0, 0, 0, 0, 0    /* state */
222 };
223