1 /* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/types.h>
50 #include "pathnames.h"
57 #include "monitor_wrap.h"
60 extern ServerOptions options
;
61 extern u_char
*session_id2
;
62 extern u_int session_id2_len
;
63 extern Buffer loginmsg
;
67 extern Authmethod method_none
;
68 extern Authmethod method_pubkey
;
69 extern Authmethod method_passwd
;
70 extern Authmethod method_kbdint
;
71 extern Authmethod method_hostbased
;
73 extern Authmethod method_gssapi
;
76 extern Authmethod method_jpake
;
79 static int log_flag
= 0;
82 Authmethod
*authmethods
[] = {
99 static void input_service_request(int, u_int32_t
, void *);
100 static void input_userauth_request(int, u_int32_t
, void *);
103 static Authmethod
*authmethod_lookup(const char *);
104 static char *authmethods_get(void);
107 auth2_read_banner(void)
114 if ((fd
= open(options
.banner
, O_RDONLY
)) == -1)
116 if (fstat(fd
, &st
) == -1) {
120 if (st
.st_size
> 1*1024*1024) {
125 len
= (size_t)st
.st_size
; /* truncate */
126 banner
= xmalloc(len
+ 1);
127 n
= atomicio(read
, fd
, banner
, len
);
140 userauth_send_banner(const char *msg
)
142 if (datafellows
& SSH_BUG_BANNER
)
145 packet_start(SSH2_MSG_USERAUTH_BANNER
);
146 packet_put_cstring(msg
);
147 packet_put_cstring(""); /* language, unused */
149 debug("%s: sent", __func__
);
153 userauth_banner(void)
157 if (options
.banner
== NULL
||
158 strcasecmp(options
.banner
, "none") == 0 ||
159 (datafellows
& SSH_BUG_BANNER
) != 0)
162 if ((banner
= PRIVSEP(auth2_read_banner())) == NULL
)
164 userauth_send_banner(banner
);
172 * loop until authctxt->success == TRUE
175 do_authentication2(Authctxt
*authctxt
)
177 dispatch_init(&dispatch_protocol_error
);
178 dispatch_set(SSH2_MSG_SERVICE_REQUEST
, &input_service_request
);
179 dispatch_run(DISPATCH_BLOCK
, &authctxt
->success
, authctxt
);
184 input_service_request(int type
, u_int32_t seq
, void *ctxt
)
186 Authctxt
*authctxt
= ctxt
;
189 char *service
= packet_get_string(&len
);
192 if (authctxt
== NULL
)
193 fatal("input_service_request: no authctxt");
195 if (strcmp(service
, "ssh-userauth") == 0) {
196 if (!authctxt
->success
) {
198 /* now we can handle user-auth requests */
199 dispatch_set(SSH2_MSG_USERAUTH_REQUEST
, &input_userauth_request
);
202 /* XXX all other service requests are denied */
205 packet_start(SSH2_MSG_SERVICE_ACCEPT
);
206 packet_put_cstring(service
);
210 debug("bad service request %s", service
);
211 packet_disconnect("bad service request %s", service
);
218 input_userauth_request(int type
, u_int32_t seq
, void *ctxt
)
220 Authctxt
*authctxt
= ctxt
;
221 Authmethod
*m
= NULL
;
222 char *user
, *service
, *method
, *style
= NULL
;
223 int authenticated
= 0;
224 #ifdef HAVE_LOGIN_CAP
226 const char *from_host
, *from_ip
;
228 from_host
= get_canonical_hostname(options
.use_dns
);
229 from_ip
= get_remote_ipaddr();
232 if (authctxt
== NULL
)
233 fatal("input_userauth_request: no authctxt");
235 user
= packet_get_string(NULL
);
236 service
= packet_get_string(NULL
);
237 method
= packet_get_string(NULL
);
238 debug("userauth-request for user %s service %s method %s", user
, service
, method
);
240 logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
241 get_remote_ipaddr(), get_remote_port(), user
);
244 debug("attempt %d failures %d", authctxt
->attempt
, authctxt
->failures
);
246 if ((style
= strchr(user
, ':')) != NULL
)
249 if (authctxt
->attempt
++ == 0) {
250 /* setup auth context */
251 authctxt
->pw
= PRIVSEP(getpwnamallow(user
));
252 authctxt
->user
= xstrdup(user
);
253 if (authctxt
->pw
&& strcmp(service
, "ssh-connection")==0) {
255 debug2("input_userauth_request: setting up authctxt for %s", user
);
257 logit("input_userauth_request: invalid user %s", user
);
258 authctxt
->pw
= fakepw();
259 #ifdef SSH_AUDIT_EVENTS
260 PRIVSEP(audit_event(SSH_INVALID_USER
));
265 PRIVSEP(start_pam(authctxt
));
267 setproctitle("%s%s", authctxt
->valid
? user
: "unknown",
268 use_privsep
? " [net]" : "");
269 authctxt
->service
= xstrdup(service
);
270 authctxt
->style
= style
? xstrdup(style
) : NULL
;
272 mm_inform_authserv(service
, style
);
274 } else if (strcmp(user
, authctxt
->user
) != 0 ||
275 strcmp(service
, authctxt
->service
) != 0) {
276 packet_disconnect("Change of username or service not allowed: "
277 "(%s,%s) -> (%s,%s)",
278 authctxt
->user
, authctxt
->service
, user
, service
);
281 #ifdef HAVE_LOGIN_CAP
282 if (authctxt
->pw
!= NULL
) {
283 lc
= login_getpwclass(authctxt
->pw
);
285 lc
= login_getclassbyname(NULL
, authctxt
->pw
);
286 if (!auth_hostok(lc
, from_host
, from_ip
)) {
287 logit("Denied connection for %.200s from %.200s [%.200s].",
288 authctxt
->pw
->pw_name
, from_host
, from_ip
);
289 packet_disconnect("Sorry, you are not allowed to connect.");
291 if (!auth_timeok(lc
, time(NULL
))) {
292 logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
293 authctxt
->pw
->pw_name
, from_host
);
294 packet_disconnect("Logins not available right now.");
299 #endif /* HAVE_LOGIN_CAP */
302 auth2_challenge_stop(authctxt
);
304 auth2_jpake_stop(authctxt
);
308 /* XXX move to auth2_gssapi_stop() */
309 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN
, NULL
);
310 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE
, NULL
);
313 authctxt
->postponed
= 0;
315 /* try to authenticate user */
316 m
= authmethod_lookup(method
);
317 if (m
!= NULL
&& authctxt
->failures
< options
.max_authtries
) {
318 debug2("input_userauth_request: try method %s", method
);
319 authenticated
= m
->userauth(authctxt
);
321 userauth_finish(authctxt
, authenticated
, method
);
329 userauth_finish(Authctxt
*authctxt
, int authenticated
, char *method
)
333 if (!authctxt
->valid
&& authenticated
)
334 fatal("INTERNAL ERROR: authenticated invalid user %s",
337 /* Special handling for root */
338 if (authenticated
&& authctxt
->pw
->pw_uid
== 0 &&
339 !auth_root_allowed(method
)) {
341 #ifdef SSH_AUDIT_EVENTS
342 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED
));
347 if (options
.use_pam
&& authenticated
) {
348 if (!PRIVSEP(do_pam_account())) {
349 /* if PAM returned a message, send it to the user */
350 if (buffer_len(&loginmsg
) > 0) {
351 buffer_append(&loginmsg
, "\0", 1);
352 userauth_send_banner(buffer_ptr(&loginmsg
));
355 fatal("Access denied for user %s by PAM account "
356 "configuration", authctxt
->user
);
362 if (authenticated
&& cray_access_denied(authctxt
->user
)) {
364 fatal("Access denied for user %s.",authctxt
->user
);
368 /* Log before sending the reply */
369 auth_log(authctxt
, authenticated
, method
, " ssh2");
371 if (authctxt
->postponed
)
374 /* XXX todo: check if multiple auth methods are needed */
375 if (authenticated
== 1) {
376 /* turn off userauth */
377 dispatch_set(SSH2_MSG_USERAUTH_REQUEST
, &dispatch_protocol_ignore
);
378 packet_start(SSH2_MSG_USERAUTH_SUCCESS
);
381 /* now we can break out */
382 authctxt
->success
= 1;
385 /* Allow initial try of "none" auth without failure penalty */
386 if (authctxt
->attempt
> 1 || strcmp(method
, "none") != 0)
387 authctxt
->failures
++;
388 if (authctxt
->failures
>= options
.max_authtries
) {
389 #ifdef SSH_AUDIT_EVENTS
390 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES
));
392 packet_disconnect(AUTH_FAIL_MSG
, authctxt
->user
);
394 methods
= authmethods_get();
395 packet_start(SSH2_MSG_USERAUTH_FAILURE
);
396 packet_put_cstring(methods
);
397 packet_put_char(0); /* XXX partial success, unused */
405 authmethods_get(void)
412 for (i
= 0; authmethods
[i
] != NULL
; i
++) {
413 if (strcmp(authmethods
[i
]->name
, "none") == 0)
415 if (authmethods
[i
]->enabled
!= NULL
&&
416 *(authmethods
[i
]->enabled
) != 0) {
417 if (buffer_len(&b
) > 0)
418 buffer_append(&b
, ",", 1);
419 buffer_append(&b
, authmethods
[i
]->name
,
420 strlen(authmethods
[i
]->name
));
423 buffer_append(&b
, "\0", 1);
424 list
= xstrdup(buffer_ptr(&b
));
430 authmethod_lookup(const char *name
)
435 for (i
= 0; authmethods
[i
] != NULL
; i
++)
436 if (authmethods
[i
]->enabled
!= NULL
&&
437 *(authmethods
[i
]->enabled
) != 0 &&
438 strcmp(name
, authmethods
[i
]->name
) == 0)
439 return authmethods
[i
];
440 debug2("Unrecognized authentication method name: %s",
441 name
? name
: "NULL");