1 /* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/types.h>
30 #include <sys/param.h>
32 #include <netinet/in.h>
56 #include "groupaccess.h"
64 #include "auth-options.h"
73 #include "monitor_wrap.h"
78 extern ServerOptions options
;
79 extern int use_privsep
;
80 extern Buffer loginmsg
;
81 extern struct passwd
*privsep_pw
;
83 /* Debugging messages */
88 * Check if the user is allowed to log in via ssh. If user is listed
89 * in DenyUsers or one of user's groups is listed in DenyGroups, false
90 * will be returned. If AllowUsers isn't empty and user isn't listed
91 * there, or if AllowGroups isn't empty and one of user's groups isn't
92 * listed there, false will be returned.
93 * If the user's shell is not executable, false will be returned.
94 * Otherwise true is returned.
97 allowed_user(struct passwd
* pw
)
100 const char *hostname
= NULL
, *ipaddr
= NULL
, *passwd
= NULL
;
103 struct spwd
*spw
= NULL
;
106 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
107 if (!pw
|| !pw
->pw_name
)
111 if (!options
.use_pam
)
112 spw
= getspnam(pw
->pw_name
);
113 #ifdef HAS_SHADOW_EXPIRE
114 if (!options
.use_pam
&& spw
!= NULL
&& auth_shadow_acctexpired(spw
))
116 #endif /* HAS_SHADOW_EXPIRE */
117 #endif /* USE_SHADOW */
119 /* grab passwd field for locked account check */
120 passwd
= pw
->pw_passwd
;
124 passwd
= get_iaf_password(pw
);
126 passwd
= spw
->sp_pwdp
;
127 #endif /* USE_LIBIAF */
130 /* check for locked account */
131 if (!options
.use_pam
&& passwd
&& *passwd
) {
134 #ifdef LOCKED_PASSWD_STRING
135 if (strcmp(passwd
, LOCKED_PASSWD_STRING
) == 0)
138 #ifdef LOCKED_PASSWD_PREFIX
139 if (strncmp(passwd
, LOCKED_PASSWD_PREFIX
,
140 strlen(LOCKED_PASSWD_PREFIX
)) == 0)
143 #ifdef LOCKED_PASSWD_SUBSTR
144 if (strstr(passwd
, LOCKED_PASSWD_SUBSTR
))
148 free((void *) passwd
);
149 #endif /* USE_LIBIAF */
151 logit("User %.100s not allowed because account is locked",
158 * Deny if shell does not exist or is not executable unless we
161 if (options
.chroot_directory
== NULL
||
162 strcasecmp(options
.chroot_directory
, "none") == 0) {
163 char *shell
= xstrdup((pw
->pw_shell
[0] == '\0') ?
164 _PATH_BSHELL
: pw
->pw_shell
); /* empty = /bin/sh */
166 if (stat(shell
, &st
) != 0) {
167 logit("User %.100s not allowed because shell %.100s "
168 "does not exist", pw
->pw_name
, shell
);
172 if (S_ISREG(st
.st_mode
) == 0 ||
173 (st
.st_mode
& (S_IXOTH
|S_IXUSR
|S_IXGRP
)) == 0) {
174 logit("User %.100s not allowed because shell %.100s "
175 "is not executable", pw
->pw_name
, shell
);
182 if (options
.num_deny_users
> 0 || options
.num_allow_users
> 0 ||
183 options
.num_deny_groups
> 0 || options
.num_allow_groups
> 0) {
184 hostname
= get_canonical_hostname(options
.use_dns
);
185 ipaddr
= get_remote_ipaddr();
188 /* Return false if user is listed in DenyUsers */
189 if (options
.num_deny_users
> 0) {
190 for (i
= 0; i
< options
.num_deny_users
; i
++)
191 if (match_user(pw
->pw_name
, hostname
, ipaddr
,
192 options
.deny_users
[i
])) {
193 logit("User %.100s from %.100s not allowed "
194 "because listed in DenyUsers",
195 pw
->pw_name
, hostname
);
199 /* Return false if AllowUsers isn't empty and user isn't listed there */
200 if (options
.num_allow_users
> 0) {
201 for (i
= 0; i
< options
.num_allow_users
; i
++)
202 if (match_user(pw
->pw_name
, hostname
, ipaddr
,
203 options
.allow_users
[i
]))
205 /* i < options.num_allow_users iff we break for loop */
206 if (i
>= options
.num_allow_users
) {
207 logit("User %.100s from %.100s not allowed because "
208 "not listed in AllowUsers", pw
->pw_name
, hostname
);
212 if (options
.num_deny_groups
> 0 || options
.num_allow_groups
> 0) {
213 /* Get the user's group access list (primary and supplementary) */
214 if (ga_init(pw
->pw_name
, pw
->pw_gid
) == 0) {
215 logit("User %.100s from %.100s not allowed because "
216 "not in any group", pw
->pw_name
, hostname
);
220 /* Return false if one of user's groups is listed in DenyGroups */
221 if (options
.num_deny_groups
> 0)
222 if (ga_match(options
.deny_groups
,
223 options
.num_deny_groups
)) {
225 logit("User %.100s from %.100s not allowed "
226 "because a group is listed in DenyGroups",
227 pw
->pw_name
, hostname
);
231 * Return false if AllowGroups isn't empty and one of user's groups
234 if (options
.num_allow_groups
> 0)
235 if (!ga_match(options
.allow_groups
,
236 options
.num_allow_groups
)) {
238 logit("User %.100s from %.100s not allowed "
239 "because none of user's groups are listed "
240 "in AllowGroups", pw
->pw_name
, hostname
);
246 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
247 if (!sys_auth_allowed_user(pw
, &loginmsg
))
251 /* We found no reason not to let this user try to log on... */
256 auth_info(Authctxt
*authctxt
, const char *fmt
, ...)
261 free(authctxt
->info
);
262 authctxt
->info
= NULL
;
265 i
= vasprintf(&authctxt
->info
, fmt
, ap
);
268 if (i
< 0 || authctxt
->info
== NULL
)
269 fatal("vasprintf failed");
273 auth_log(Authctxt
*authctxt
, int authenticated
, int partial
,
274 const char *method
, const char *submethod
)
276 void (*authlog
) (const char *fmt
,...) = verbose
;
279 if (use_privsep
&& !mm_is_monitor() && !authctxt
->postponed
)
282 /* Raise logging level */
283 if (authenticated
== 1 ||
285 authctxt
->failures
>= options
.max_authtries
/ 2 ||
286 strcmp(method
, "password") == 0)
289 if (authctxt
->postponed
)
290 authmsg
= "Postponed";
294 authmsg
= authenticated
? "Accepted" : "Failed";
296 authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
299 submethod
!= NULL
? "/" : "", submethod
== NULL
? "" : submethod
,
300 authctxt
->valid
? "" : "invalid user ",
304 compat20
? "ssh2" : "ssh1",
305 authctxt
->info
!= NULL
? ": " : "",
306 authctxt
->info
!= NULL
? authctxt
->info
: "");
307 free(authctxt
->info
);
308 authctxt
->info
= NULL
;
310 #ifdef CUSTOM_FAILED_LOGIN
311 if (authenticated
== 0 && !authctxt
->postponed
&&
312 (strcmp(method
, "password") == 0 ||
313 strncmp(method
, "keyboard-interactive", 20) == 0 ||
314 strcmp(method
, "challenge-response") == 0))
315 record_failed_login(authctxt
->user
,
316 get_canonical_hostname(options
.use_dns
), "ssh");
317 # ifdef WITH_AIXAUTHENTICATE
319 sys_auth_record_login(authctxt
->user
,
320 get_canonical_hostname(options
.use_dns
), "ssh", &loginmsg
);
323 #ifdef SSH_AUDIT_EVENTS
324 if (authenticated
== 0 && !authctxt
->postponed
)
325 audit_event(audit_classify_auth(method
));
331 auth_maxtries_exceeded(Authctxt
*authctxt
)
333 packet_disconnect("Too many authentication failures for "
334 "%s%.100s from %.200s port %d %s",
335 authctxt
->valid
? "" : "invalid user ",
339 compat20
? "ssh2" : "ssh1");
344 * Check whether root logins are disallowed.
347 auth_root_allowed(const char *method
)
349 switch (options
.permit_root_login
) {
352 case PERMIT_NO_PASSWD
:
353 if (strcmp(method
, "password") != 0)
356 case PERMIT_FORCED_ONLY
:
357 if (forced_command
) {
358 logit("Root login accepted for forced command.");
363 logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
369 * Given a template and a passwd structure, build a filename
370 * by substituting % tokenised options. Currently, %% becomes '%',
371 * %h becomes the home directory and %u the username.
373 * This returns a buffer allocated by xmalloc.
376 expand_authorized_keys(const char *filename
, struct passwd
*pw
)
378 char *file
, ret
[MAXPATHLEN
];
381 file
= percent_expand(filename
, "h", pw
->pw_dir
,
382 "u", pw
->pw_name
, (char *)NULL
);
385 * Ensure that filename starts anchored. If not, be backward
386 * compatible and prepend the '%h/'
391 i
= snprintf(ret
, sizeof(ret
), "%s/%s", pw
->pw_dir
, file
);
392 if (i
< 0 || (size_t)i
>= sizeof(ret
))
393 fatal("expand_authorized_keys: path too long");
395 return (xstrdup(ret
));
399 authorized_principals_file(struct passwd
*pw
)
401 if (options
.authorized_principals_file
== NULL
||
402 strcasecmp(options
.authorized_principals_file
, "none") == 0)
404 return expand_authorized_keys(options
.authorized_principals_file
, pw
);
407 /* return ok if key exists in sysfile or userfile */
409 check_key_in_hostfiles(struct passwd
*pw
, Key
*key
, const char *host
,
410 const char *sysfile
, const char *userfile
)
414 HostStatus host_status
;
415 struct hostkeys
*hostkeys
;
416 const struct hostkey_entry
*found
;
418 hostkeys
= init_hostkeys();
419 load_hostkeys(hostkeys
, host
, sysfile
);
420 if (userfile
!= NULL
) {
421 user_hostfile
= tilde_expand_filename(userfile
, pw
->pw_uid
);
422 if (options
.strict_modes
&&
423 (stat(user_hostfile
, &st
) == 0) &&
424 ((st
.st_uid
!= 0 && st
.st_uid
!= pw
->pw_uid
) ||
425 (st
.st_mode
& 022) != 0)) {
426 logit("Authentication refused for %.100s: "
427 "bad owner or modes for %.200s",
428 pw
->pw_name
, user_hostfile
);
429 auth_debug_add("Ignored %.200s: bad ownership or modes",
432 temporarily_use_uid(pw
);
433 load_hostkeys(hostkeys
, host
, user_hostfile
);
438 host_status
= check_key_in_hostkeys(hostkeys
, key
, &found
);
439 if (host_status
== HOST_REVOKED
)
440 error("WARNING: revoked key for %s attempted authentication",
442 else if (host_status
== HOST_OK
)
443 debug("%s: key for %s found at %s:%ld", __func__
,
444 found
->host
, found
->file
, found
->line
);
446 debug("%s: key for host %s not found", __func__
, host
);
448 free_hostkeys(hostkeys
);
454 * Check a given path for security. This is defined as all components
455 * of the path to the file must be owned by either the owner of
456 * of the file or root and no directories must be group or world writable.
458 * XXX Should any specific check be done for sym links ?
460 * Takes a file name, its stat information (preferably from fstat() to
461 * avoid races), the uid of the expected owner, their home directory and an
462 * error buffer plus max size as arguments.
464 * Returns 0 on success and -1 on failure
467 auth_secure_path(const char *name
, struct stat
*stp
, const char *pw_dir
,
468 uid_t uid
, char *err
, size_t errlen
)
470 char buf
[MAXPATHLEN
], homedir
[MAXPATHLEN
];
475 if (realpath(name
, buf
) == NULL
) {
476 snprintf(err
, errlen
, "realpath %s failed: %s", name
,
480 if (pw_dir
!= NULL
&& realpath(pw_dir
, homedir
) != NULL
)
483 if (!S_ISREG(stp
->st_mode
)) {
484 snprintf(err
, errlen
, "%s is not a regular file", buf
);
487 if ((!platform_sys_dir_uid(stp
->st_uid
) && stp
->st_uid
!= uid
) ||
488 (stp
->st_mode
& 022) != 0) {
489 snprintf(err
, errlen
, "bad ownership or modes for file %s",
494 /* for each component of the canonical path, walking upwards */
496 if ((cp
= dirname(buf
)) == NULL
) {
497 snprintf(err
, errlen
, "dirname() failed");
500 strlcpy(buf
, cp
, sizeof(buf
));
502 if (stat(buf
, &st
) < 0 ||
503 (!platform_sys_dir_uid(st
.st_uid
) && st
.st_uid
!= uid
) ||
504 (st
.st_mode
& 022) != 0) {
505 snprintf(err
, errlen
,
506 "bad ownership or modes for directory %s", buf
);
510 /* If are past the homedir then we can stop */
511 if (comparehome
&& strcmp(homedir
, buf
) == 0)
515 * dirname should always complete with a "/" path,
516 * but we can be paranoid and check for "." too
518 if ((strcmp("/", buf
) == 0) || (strcmp(".", buf
) == 0))
525 * Version of secure_path() that accepts an open file descriptor to
528 * Returns 0 on success and -1 on failure
531 secure_filename(FILE *f
, const char *file
, struct passwd
*pw
,
532 char *err
, size_t errlen
)
536 /* check the open file to avoid races */
537 if (fstat(fileno(f
), &st
) < 0) {
538 snprintf(err
, errlen
, "cannot stat file %s: %s",
539 file
, strerror(errno
));
542 return auth_secure_path(file
, &st
, pw
->pw_dir
, pw
->pw_uid
, err
, errlen
);
546 auth_openfile(const char *file
, struct passwd
*pw
, int strict_modes
,
547 int log_missing
, char *file_type
)
554 if ((fd
= open(file
, O_RDONLY
|O_NONBLOCK
)) == -1) {
555 if (log_missing
|| errno
!= ENOENT
)
556 debug("Could not open %s '%s': %s", file_type
, file
,
561 if (fstat(fd
, &st
) < 0) {
565 if (!S_ISREG(st
.st_mode
)) {
566 logit("User %s %s %s is not a regular file",
567 pw
->pw_name
, file_type
, file
);
572 if ((f
= fdopen(fd
, "r")) == NULL
) {
577 secure_filename(f
, file
, pw
, line
, sizeof(line
)) != 0) {
579 logit("Authentication refused: %s", line
);
580 auth_debug_add("Ignored %s: %s", file_type
, line
);
589 auth_openkeyfile(const char *file
, struct passwd
*pw
, int strict_modes
)
591 return auth_openfile(file
, pw
, strict_modes
, 1, "authorized keys");
595 auth_openprincipals(const char *file
, struct passwd
*pw
, int strict_modes
)
597 return auth_openfile(file
, pw
, strict_modes
, 0,
598 "authorized principals");
602 getpwnamallow(const char *user
)
604 #ifdef HAVE_LOGIN_CAP
605 extern login_cap_t
*lc
;
611 struct connection_info
*ci
= get_connection_info(1, options
.use_dns
);
614 parse_server_match_config(&options
, ci
);
616 #if defined(_AIX) && defined(HAVE_SETAUTHDB)
622 #if defined(_AIX) && defined(HAVE_SETAUTHDB)
627 * Windows usernames are case-insensitive. To avoid later problems
628 * when trying to match the username, the user is only allowed to
629 * login if the username is given in the same case as stored in the
632 if (pw
!= NULL
&& strcmp(user
, pw
->pw_name
) != 0) {
633 logit("Login name %.100s does not match stored username %.100s",
639 logit("Invalid user %.100s from %.100s",
640 user
, get_remote_ipaddr());
641 #ifdef CUSTOM_FAILED_LOGIN
642 record_failed_login(user
,
643 get_canonical_hostname(options
.use_dns
), "ssh");
645 #ifdef SSH_AUDIT_EVENTS
646 audit_event(SSH_INVALID_USER
);
647 #endif /* SSH_AUDIT_EVENTS */
650 if (!allowed_user(pw
))
652 #ifdef HAVE_LOGIN_CAP
653 if ((lc
= login_getclass(pw
->pw_class
)) == NULL
) {
654 debug("unable to get login class: %s", user
);
658 if ((as
= auth_open()) == NULL
|| auth_setpwd(as
, pw
) != 0 ||
659 auth_approval(as
, lc
, pw
->pw_name
, "ssh") <= 0) {
660 debug("Approval failure for %s", user
);
672 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
674 auth_key_is_revoked(Key
*key
)
679 if (options
.revoked_keys_file
== NULL
)
681 switch (ssh_krl_file_contains_key(options
.revoked_keys_file
, key
)) {
683 return 0; /* Not revoked */
685 break; /* Not a KRL */
690 debug3("%s: treating %s as a key list", __func__
,
691 options
.revoked_keys_file
);
692 switch (key_in_file(key
, options
.revoked_keys_file
, 0)) {
694 /* key not revoked */
697 /* Error opening revoked_keys_file: refuse all keys */
698 error("Revoked keys file is unreadable: refusing public key "
705 key_fp
= key_fingerprint(key
, SSH_FP_MD5
, SSH_FP_HEX
);
706 error("WARNING: authentication attempt with a revoked "
707 "%s key %s ", key_type(key
), key_fp
);
712 fatal("key_in_file returned junk");
716 auth_debug_add(const char *fmt
,...)
721 if (!auth_debug_init
)
725 vsnprintf(buf
, sizeof(buf
), fmt
, args
);
727 buffer_put_cstring(&auth_debug
, buf
);
731 auth_debug_send(void)
735 if (!auth_debug_init
)
737 while (buffer_len(&auth_debug
)) {
738 msg
= buffer_get_string(&auth_debug
, NULL
);
739 packet_send_debug("%s", msg
);
745 auth_debug_reset(void)
748 buffer_clear(&auth_debug
);
750 buffer_init(&auth_debug
);
758 static struct passwd fake
;
760 memset(&fake
, 0, sizeof(fake
));
761 fake
.pw_name
= "NOUSER";
763 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
764 #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
765 fake
.pw_gecos
= "NOUSER";
767 fake
.pw_uid
= privsep_pw
== NULL
? (uid_t
)-1 : privsep_pw
->pw_uid
;
768 fake
.pw_gid
= privsep_pw
== NULL
? (gid_t
)-1 : privsep_pw
->pw_gid
;
769 #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
772 fake
.pw_dir
= "/nonexist";
773 fake
.pw_shell
= "/nonexist";