freebsd-skq/crypto/openssh/auth1.c

444 lines
10 KiB
C
Raw Normal View History

2006-09-30 13:38:06 +00:00
/* $OpenBSD: auth1.c,v 1.70 2006/08/03 03:34:41 deraadt Exp $ */
2000-05-15 04:37:24 +00:00
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
2000-05-15 04:37:24 +00:00
*/
#include "includes.h"
2006-09-30 13:38:06 +00:00
__RCSID("$FreeBSD$");
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
2000-05-15 04:37:24 +00:00
#include "xmalloc.h"
#include "rsa.h"
2001-05-04 04:14:23 +00:00
#include "ssh1.h"
2000-05-15 04:37:24 +00:00
#include "packet.h"
#include "buffer.h"
2001-05-04 04:14:23 +00:00
#include "log.h"
2000-05-15 04:37:24 +00:00
#include "servconf.h"
#include "compat.h"
2006-09-30 13:38:06 +00:00
#include "key.h"
#include "hostfile.h"
2000-05-15 04:37:24 +00:00
#include "auth.h"
2002-03-18 10:09:43 +00:00
#include "channels.h"
2000-05-15 04:37:24 +00:00
#include "session.h"
2002-03-18 10:09:43 +00:00
#include "uidswap.h"
2006-09-30 13:38:06 +00:00
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
2005-06-05 15:46:09 +00:00
#include "buffer.h"
2002-03-18 10:09:43 +00:00
2000-05-15 04:37:24 +00:00
/* import */
extern ServerOptions options;
2005-06-05 15:46:09 +00:00
extern Buffer loginmsg;
2000-05-15 04:37:24 +00:00
2005-09-03 07:04:25 +00:00
static int auth1_process_password(Authctxt *, char *, size_t);
static int auth1_process_rsa(Authctxt *, char *, size_t);
static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
static int auth1_process_tis_response(Authctxt *, char *, size_t);
static char *client_user = NULL; /* Used to fill in remote user for PAM */
struct AuthMethod1 {
int type;
char *name;
int *enabled;
int (*method)(Authctxt *, char *, size_t);
};
const struct AuthMethod1 auth1_methods[] = {
{
SSH_CMSG_AUTH_PASSWORD, "password",
&options.password_authentication, auth1_process_password
},
{
SSH_CMSG_AUTH_RSA, "rsa",
&options.rsa_authentication, auth1_process_rsa
},
{
SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
&options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
},
{
SSH_CMSG_AUTH_TIS, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_challenge
},
{
SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_response
},
{ -1, NULL, NULL, NULL}
};
static const struct AuthMethod1
*lookup_authmethod1(int type)
{
int i;
2006-09-30 13:38:06 +00:00
for (i = 0; auth1_methods[i].name != NULL; i++)
2005-09-03 07:04:25 +00:00
if (auth1_methods[i].type == type)
return (&(auth1_methods[i]));
return (NULL);
}
2002-03-18 10:09:43 +00:00
static char *
2000-05-15 04:37:24 +00:00
get_authname(int type)
{
2005-09-03 07:04:25 +00:00
const struct AuthMethod1 *a;
static char buf[64];
if ((a = lookup_authmethod1(type)) != NULL)
return (a->name);
snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
return (buf);
}
2006-09-30 13:38:06 +00:00
/*ARGSUSED*/
2005-09-03 07:04:25 +00:00
static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *password;
u_int dlen;
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, dlen);
xfree(password);
return (authenticated);
}
2006-09-30 13:38:06 +00:00
/*ARGSUSED*/
2005-09-03 07:04:25 +00:00
static int
auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
BIGNUM *n;
/* RSA authentication requested. */
if ((n = BN_new()) == NULL)
fatal("do_authloop: BN_new failed");
packet_get_bignum(n);
packet_check_eom();
authenticated = auth_rsa(authctxt, n);
BN_clear_free(n);
return (authenticated);
}
2006-09-30 13:38:06 +00:00
/*ARGSUSED*/
2005-09-03 07:04:25 +00:00
static int
auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
{
int keybits, authenticated = 0;
u_int bits;
Key *client_host_key;
u_int ulen;
/*
* Get client user name. Note that we just have to
* trust the client; root on the client machine can
* claim to be any user.
*/
client_user = packet_get_string(&ulen);
/* Get the client host key. */
client_host_key = key_new(KEY_RSA1);
bits = packet_get_int();
packet_get_bignum(client_host_key->rsa->e);
packet_get_bignum(client_host_key->rsa->n);
keybits = BN_num_bits(client_host_key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits) {
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
BN_num_bits(client_host_key->rsa->n), bits);
2000-05-15 04:37:24 +00:00
}
2005-09-03 07:04:25 +00:00
packet_check_eom();
authenticated = auth_rhosts_rsa(authctxt, client_user,
client_host_key);
key_free(client_host_key);
snprintf(info, infolen, " ruser %.100s", client_user);
return (authenticated);
}
2006-09-30 13:38:06 +00:00
/*ARGSUSED*/
2005-09-03 07:04:25 +00:00
static int
auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
{
char *challenge;
if ((challenge = get_challenge(authctxt)) == NULL)
return (0);
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
xfree(challenge);
packet_send();
packet_write_wait();
return (-1);
}
2006-09-30 13:38:06 +00:00
/*ARGSUSED*/
2005-09-03 07:04:25 +00:00
static int
auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *response;
u_int dlen;
response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
xfree(response);
return (authenticated);
2000-05-15 04:37:24 +00:00
}
/*
2001-05-04 04:14:23 +00:00
* read packets, try to authenticate the user and
* return only if authentication is successful
2000-05-15 04:37:24 +00:00
*/
2002-03-18 10:09:43 +00:00
static void
2001-05-04 04:14:23 +00:00
do_authloop(Authctxt *authctxt)
2000-05-15 04:37:24 +00:00
{
int authenticated = 0;
2001-05-04 04:14:23 +00:00
char info[1024];
2005-09-03 07:04:25 +00:00
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
2000-05-15 04:37:24 +00:00
2001-05-04 04:14:23 +00:00
debug("Attempting authentication for %s%.100s.",
2004-10-28 16:11:31 +00:00
authctxt->valid ? "" : "invalid user ", authctxt->user);
2001-05-04 04:14:23 +00:00
/* If the user has no password, accept authentication immediately. */
if (options.password_authentication &&
#ifdef KRB5
2002-03-18 10:09:43 +00:00
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
2001-05-04 04:14:23 +00:00
#endif
PRIVSEP(auth_password(authctxt, ""))) {
2004-10-28 16:11:31 +00:00
#ifdef USE_PAM
if (options.use_pam && (PRIVSEP(do_pam_account())))
#endif
{
auth_log(authctxt, 1, "without authentication", "");
return;
}
2001-05-04 04:14:23 +00:00
}
2000-05-15 04:37:24 +00:00
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
2001-05-04 04:14:23 +00:00
for (;;) {
/* default to fail */
authenticated = 0;
2001-05-04 04:14:23 +00:00
info[0] = '\0';
2000-05-15 04:37:24 +00:00
/* Get a packet from the client. */
prev = type;
2002-03-18 10:09:43 +00:00
type = packet_read();
2000-05-15 04:37:24 +00:00
/*
* If we started challenge-response authentication but the
* next packet is not a response to our challenge, release
* the resources allocated by get_challenge() (which would
* normally have been released by verify_response() had we
* received such a response)
*/
if (prev == SSH_CMSG_AUTH_TIS &&
type != SSH_CMSG_AUTH_TIS_RESPONSE)
abandon_challenge_response(authctxt);
2005-09-03 07:04:25 +00:00
if ((meth = lookup_authmethod1(type)) == NULL) {
logit("Unknown message during authentication: "
"type %d", type);
goto skip;
}
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
goto skip;
2000-05-15 04:37:24 +00:00
}
2005-09-03 07:04:25 +00:00
authenticated = meth->method(authctxt, info, sizeof(info));
if (authenticated == -1)
continue; /* "postponed" */
2001-05-04 04:14:23 +00:00
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
authctxt->as = NULL;
}
#endif
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
2002-10-29 10:16:02 +00:00
#ifdef _UNICOS
if (authenticated && cray_access_denied(authctxt->user)) {
authenticated = 0;
fatal("Access denied for user %s.",authctxt->user);
}
#endif /* _UNICOS */
2002-06-27 22:42:11 +00:00
#ifdef HAVE_CYGWIN
if (authenticated &&
2005-09-03 07:04:25 +00:00
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
2004-10-28 16:11:31 +00:00
authctxt->pw)) {
2002-06-27 22:42:11 +00:00
packet_disconnect("Authentication rejected for uid %d.",
2004-10-28 16:11:31 +00:00
authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
2002-06-27 22:42:11 +00:00
authenticated = 0;
}
#else
2001-05-04 04:14:23 +00:00
/* Special handling for root */
2003-04-23 17:13:13 +00:00
if (authenticated && authctxt->pw->pw_uid == 0 &&
2005-09-03 07:04:25 +00:00
!auth_root_allowed(meth->name)) {
authenticated = 0;
2005-06-05 15:46:09 +00:00
# ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
# endif
}
2002-06-27 22:42:11 +00:00
#endif
#ifdef USE_PAM
2004-02-26 10:52:33 +00:00
if (options.use_pam && authenticated &&
2005-06-05 15:46:09 +00:00
!PRIVSEP(do_pam_account())) {
char *msg;
size_t len;
error("Access denied for user %s by PAM account "
2005-09-03 07:04:25 +00:00
"configuration", authctxt->user);
2005-06-05 15:46:09 +00:00
len = buffer_len(&loginmsg);
buffer_append(&loginmsg, "\0", 1);
msg = buffer_ptr(&loginmsg);
/* strip trailing newlines */
if (len > 0)
while (len > 0 && msg[--len] == '\n')
msg[len] = '\0';
else
msg = "Access denied.";
packet_disconnect(msg);
}
#endif
2005-09-03 07:04:25 +00:00
skip:
2002-06-27 22:42:11 +00:00
/* Log before sending the reply */
auth_log(authctxt, authenticated, get_authname(type), info);
if (client_user != NULL) {
xfree(client_user);
client_user = NULL;
}
2001-05-04 04:14:23 +00:00
if (authenticated)
return;
2005-06-05 15:46:09 +00:00
if (authctxt->failures++ > options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
#endif
2001-05-04 04:14:23 +00:00
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
2005-06-05 15:46:09 +00:00
}
2000-05-15 04:37:24 +00:00
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
}
/*
* Performs authentication of an incoming connection. Session key has already
* been exchanged and encryption is enabled.
*/
2004-02-26 10:52:33 +00:00
void
do_authentication(Authctxt *authctxt)
2000-05-15 04:37:24 +00:00
{
2001-05-04 04:14:23 +00:00
u_int ulen;
char *user, *style = NULL;
2000-05-15 04:37:24 +00:00
/* Get the name of the user that we wish to log in as. */
2002-03-18 10:09:43 +00:00
packet_read_expect(SSH_CMSG_USER);
2000-05-15 04:37:24 +00:00
/* Get the user name. */
user = packet_get_string(&ulen);
2002-03-18 10:09:43 +00:00
packet_check_eom();
2000-05-15 04:37:24 +00:00
2001-05-04 04:14:23 +00:00
if ((style = strchr(user, ':')) != NULL)
2002-03-18 10:09:43 +00:00
*style++ = '\0';
2001-05-04 04:14:23 +00:00
authctxt->user = user;
authctxt->style = style;
2000-05-15 04:37:24 +00:00
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
2001-05-04 04:14:23 +00:00
authctxt->valid = 1;
else {
2004-10-28 16:11:31 +00:00
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
}
2000-05-15 04:37:24 +00:00
2004-10-28 16:11:31 +00:00
setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
2001-05-04 04:14:23 +00:00
2002-06-27 22:42:11 +00:00
#ifdef USE_PAM
if (options.use_pam)
2004-04-20 09:46:41 +00:00
PRIVSEP(start_pam(authctxt));
2002-06-27 22:42:11 +00:00
#endif
2000-05-15 04:37:24 +00:00
/*
* If we are not running as root, the user must have the same uid as
2005-09-03 07:04:25 +00:00
* the server.
2000-05-15 04:37:24 +00:00
*/
2002-06-27 22:42:11 +00:00
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&
authctxt->pw->pw_uid != getuid())
2000-05-15 04:37:24 +00:00
packet_disconnect("Cannot change user when server not running as root.");
2002-06-27 22:42:11 +00:00
#endif
2000-05-15 04:37:24 +00:00
2001-05-04 04:14:23 +00:00
/*
* Loop until the user has been authenticated or the connection is
* closed, do_authloop() returns only if authentication is successful
*/
do_authloop(authctxt);
2000-05-15 04:37:24 +00:00
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
}