search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dropbear: update to 2015.67
[tomato.git] / release / src-rt-6.x.4708 / router / dropbear / svr-auth.c
blob89760ef9e5db52320acb21f32d4bcf4a23e92394
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25 /* This file (auth.c) handles authentication requests, passing it to the
26 * particular type (auth-passwd, auth-pubkey). */
27
28 #include "includes.h"
29 #include "dbutil.h"
30 #include "session.h"
31 #include "buffer.h"
32 #include "ssh.h"
33 #include "packet.h"
34 #include "auth.h"
35 #include "runopts.h"
36 #include "dbrandom.h"
37
38 static void authclear();
39 static int checkusername(unsigned char *username, unsigned int userlen);
40
41 /* initialise the first time for a session, resetting all parameters */
42 void svr_authinitialise() {
43
44 ses.authstate.failcount = 0;
45 ses.authstate.pw_name = NULL;
46 ses.authstate.pw_dir = NULL;
47 ses.authstate.pw_shell = NULL;
48 ses.authstate.pw_passwd = NULL;
49 authclear();
50
51 }
52
53 /* Reset the auth state, but don't reset the failcount. This is for if the
54 * user decides to try with a different username etc, and is also invoked
55 * on initialisation */
56 static void authclear() {
57
58 memset(&ses.authstate, 0, sizeof(ses.authstate));
59 #ifdef ENABLE_SVR_PUBKEY_AUTH
60 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
61 #endif
62 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
63 if (!svr_opts.noauthpass) {
64 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
65 }
66 #endif
67 if (ses.authstate.pw_name) {
68 m_free(ses.authstate.pw_name);
69 }
70 if (ses.authstate.pw_shell) {
71 m_free(ses.authstate.pw_shell);
72 }
73 if (ses.authstate.pw_dir) {
74 m_free(ses.authstate.pw_dir);
75 }
76 if (ses.authstate.pw_passwd) {
77 m_free(ses.authstate.pw_passwd);
78 }
79
80 }
81
82 /* Send a banner message if specified to the client. The client might
83 * ignore this, but possibly serves as a legal "no trespassing" sign */
84 void send_msg_userauth_banner(buffer *banner) {
85
86 TRACE(("enter send_msg_userauth_banner"))
87
88 CHECKCLEARTOWRITE();
89
90 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
91 buf_putbufstring(ses.writepayload, banner);
92 buf_putstring(ses.writepayload, "en", 2);
93
94 encrypt_packet();
95
96 TRACE(("leave send_msg_userauth_banner"))
97 }
98
99 /* handle a userauth request, check validity, pass to password or pubkey
100 * checking, and handle success or failure */
101 void recv_msg_userauth_request() {
102
103 unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
104 unsigned int userlen, servicelen, methodlen;
105 int valid_user = 0;
106
107 TRACE(("enter recv_msg_userauth_request"))
108
109 /* ignore packets if auth is already done */
110 if (ses.authstate.authdone == 1) {
111 TRACE(("leave recv_msg_userauth_request: authdone already"))
112 return;
113 }
114
115 /* send the banner if it exists, it will only exist once */
116 if (svr_opts.banner) {
117 send_msg_userauth_banner(svr_opts.banner);
118 buf_free(svr_opts.banner);
119 svr_opts.banner = NULL;
120 }
121
122 username = buf_getstring(ses.payload, &userlen);
123 servicename = buf_getstring(ses.payload, &servicelen);
124 methodname = buf_getstring(ses.payload, &methodlen);
125
126 /* only handle 'ssh-connection' currently */
127 if (servicelen != SSH_SERVICE_CONNECTION_LEN
128 && (strncmp(servicename, SSH_SERVICE_CONNECTION,
129 SSH_SERVICE_CONNECTION_LEN) != 0)) {
130
131 /* TODO - disconnect here */
132 m_free(username);
133 m_free(servicename);
134 m_free(methodname);
135 dropbear_exit("unknown service in auth");
136 }
137
138 /* check username is good before continuing.
139 * the 'incrfail' varies depending on the auth method to
140 * avoid giving away which users exist on the system through
141 * the time delay. */
142 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
143 valid_user = 1;
144 }
145
146 /* user wants to know what methods are supported */
147 if (methodlen == AUTH_METHOD_NONE_LEN &&
148 strncmp(methodname, AUTH_METHOD_NONE,
149 AUTH_METHOD_NONE_LEN) == 0) {
150 TRACE(("recv_msg_userauth_request: 'none' request"))
151 if (valid_user
152 && svr_opts.allowblankpass
153 && !svr_opts.noauthpass
154 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
155 && ses.authstate.pw_passwd[0] == '\0')
156 {
157 dropbear_log(LOG_NOTICE,
158 "Auth succeeded with blank password for '%s' from %s",
159 ses.authstate.pw_name,
160 svr_ses.addrstring);
161 send_msg_userauth_success();
162 goto out;
163 }
164 else
165 {
166 /* 'none' has no failure delay */
167 send_msg_userauth_failure(0, 0);
168 goto out;
169 }
170 }
171
172 #ifdef ENABLE_SVR_PASSWORD_AUTH
173 if (!svr_opts.noauthpass &&
174 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
175 /* user wants to try password auth */
176 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
177 strncmp(methodname, AUTH_METHOD_PASSWORD,
178 AUTH_METHOD_PASSWORD_LEN) == 0) {
179 if (valid_user) {
180 svr_auth_password();
181 goto out;
182 }
183 }
184 }
185 #endif
186
187 #ifdef ENABLE_SVR_PAM_AUTH
188 if (!svr_opts.noauthpass &&
189 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
190 /* user wants to try password auth */
191 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
192 strncmp(methodname, AUTH_METHOD_PASSWORD,
193 AUTH_METHOD_PASSWORD_LEN) == 0) {
194 if (valid_user) {
195 svr_auth_pam();
196 goto out;
197 }
198 }
199 }
200 #endif
201
202 #ifdef ENABLE_SVR_PUBKEY_AUTH
203 /* user wants to try pubkey auth */
204 if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
205 strncmp(methodname, AUTH_METHOD_PUBKEY,
206 AUTH_METHOD_PUBKEY_LEN) == 0) {
207 if (valid_user) {
208 svr_auth_pubkey();
209 } else {
210 /* pubkey has no failure delay */
211 send_msg_userauth_failure(0, 0);
212 }
213 goto out;
214 }
215 #endif
216
217 /* nothing matched, we just fail with a delay */
218 send_msg_userauth_failure(0, 1);
219
220 out:
221
222 m_free(username);
223 m_free(servicename);
224 m_free(methodname);
225 }
226
227
228 /* Check that the username exists and isn't disallowed (root), and has a valid shell.
229 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
230 static int checkusername(unsigned char *username, unsigned int userlen) {
231
232 char* listshell = NULL;
233 char* usershell = NULL;
234 uid_t uid;
235 TRACE(("enter checkusername"))
236 if (userlen > MAX_USERNAME_LEN) {
237 return DROPBEAR_FAILURE;
238 }
239
240 /* new user or username has changed */
241 if (ses.authstate.username == NULL ||
242 strcmp(username, ses.authstate.username) != 0) {
243 /* the username needs resetting */
244 if (ses.authstate.username != NULL) {
245 dropbear_log(LOG_WARNING, "Client trying multiple usernames from %s",
246 svr_ses.addrstring);
247 m_free(ses.authstate.username);
248 }
249 authclear();
250 fill_passwd(username);
251 ses.authstate.username = m_strdup(username);
252 }
253
254 /* check that user exists */
255 if (!ses.authstate.pw_name) {
256 TRACE(("leave checkusername: user '%s' doesn't exist", username))
257 dropbear_log(LOG_WARNING,
258 "Login attempt for nonexistent user from %s",
259 svr_ses.addrstring);
260 return DROPBEAR_FAILURE;
261 }
262
263 /* check if we are running as non-root, and login user is different from the server */
264 uid = geteuid();
265 if (uid != 0 && uid != ses.authstate.pw_uid) {
266 TRACE(("running as nonroot, only server uid is allowed"))
267 dropbear_log(LOG_WARNING,
268 "Login attempt with wrong user %s from %s",
269 ses.authstate.pw_name,
270 svr_ses.addrstring);
271 return DROPBEAR_FAILURE;
272 }
273
274 /* check for non-root if desired */
275 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
276 TRACE(("leave checkusername: root login disabled"))
277 dropbear_log(LOG_WARNING, "root login rejected");
278 return DROPBEAR_FAILURE;
279 }
280
281 TRACE(("shell is %s", ses.authstate.pw_shell))
282
283 /* check that the shell is set */
284 usershell = ses.authstate.pw_shell;
285 if (usershell[0] == '\0') {
286 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
287 usershell = "/bin/sh";
288 }
289
290 /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
291 * should return some standard shells like "/bin/sh" and "/bin/csh" (this
292 * is platform-specific) */
293 setusershell();
294 while ((listshell = getusershell()) != NULL) {
295 TRACE(("test shell is '%s'", listshell))
296 if (strcmp(listshell, usershell) == 0) {
297 /* have a match */
298 goto goodshell;
299 }
300 }
301 /* no matching shell */
302 endusershell();
303 TRACE(("no matching shell"))
304 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
305 ses.authstate.pw_name);
306 return DROPBEAR_FAILURE;
307
308 goodshell:
309 endusershell();
310 TRACE(("matching shell"))
311
312 TRACE(("uid = %d", ses.authstate.pw_uid))
313 TRACE(("leave checkusername"))
314 return DROPBEAR_SUCCESS;
315 }
316
317 /* Send a failure message to the client, in responds to a userauth_request.
318 * Partial indicates whether to set the "partial success" flag,
319 * incrfail is whether to count this failure in the failure count (which
320 * is limited. This function also handles disconnection after too many
321 * failures */
322 void send_msg_userauth_failure(int partial, int incrfail) {
323
324 buffer *typebuf = NULL;
325
326 TRACE(("enter send_msg_userauth_failure"))
327
328 CHECKCLEARTOWRITE();
329
330 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
331
332 /* put a list of allowed types */
333 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
334
335 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
336 buf_putbytes(typebuf, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
337 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
338 buf_putbyte(typebuf, ',');
339 }
340 }
341
342 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
343 buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
344 }
345
346 buf_putbufstring(ses.writepayload, typebuf);
347
348 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes,
349 typebuf->len, typebuf->data))
350
351 buf_free(typebuf);
352
353 buf_putbyte(ses.writepayload, partial ? 1 : 0);
354 encrypt_packet();
355
356 if (incrfail) {
357 unsigned int delay;
358 genrandom((unsigned char*)&delay, sizeof(delay));
359 /* We delay for 300ms +- 50ms */
360 delay = 250000 + (delay % 100000);
361 usleep(delay);
362 ses.authstate.failcount++;
363 }
364
365 if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
366 char * userstr;
367 /* XXX - send disconnect ? */
368 TRACE(("Max auth tries reached, exiting"))
369
370 if (ses.authstate.pw_name == NULL) {
371 userstr = "is invalid";
372 } else {
373 userstr = ses.authstate.pw_name;
374 }
375 dropbear_exit("Max auth tries reached - user '%s' from %s",
376 userstr, svr_ses.addrstring);
377 }
378
379 TRACE(("leave send_msg_userauth_failure"))
380 }
381
382 /* Send a success message to the user, and set the "authdone" flag */
383 void send_msg_userauth_success() {
384
385 TRACE(("enter send_msg_userauth_success"))
386
387 CHECKCLEARTOWRITE();
388
389 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
390 encrypt_packet();
391
392 /* authdone must be set after encrypt_packet() for
393 * delayed-zlib mode */
394 ses.authstate.authdone = 1;
395 svr_ses.connect_time = 0;
396
397 if (ses.authstate.pw_uid == 0) {
398 ses.allowprivport = 1;
399 }
400
401 /* Remove from the list of pre-auth sockets. Should be m_close(), since if
402 * we fail, we might end up leaking connection slots, and disallow new
403 * logins - a nasty situation. */
404 m_close(svr_ses.childpipe);
405
406 TRACE(("leave send_msg_userauth_success"))
407
408 }
Tomato firmware and modifications.