author | gjb <gjb@FreeBSD.org> | 2016-01-20 09:50:54 +0000 |
---|---|---|
committer | gjb <gjb@FreeBSD.org> | 2016-01-20 09:50:54 +0000 |
commit | 37e4197e4f1c5dfdc9f6f47c3e2eaa08db678932 (patch) | |
tree | b62bad40f6761e8b139ebb94b63befbbbfc84604 /crypto/openssh/auth.c | |
parent | 97d822085265f5640a3640a45f0df10d55dad4b1 (diff) | |
parent | 698583cc5f183065a9346fa8f3ded4bb29671987 (diff) | |
MFH
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'crypto/openssh/auth.c')
-rw-r--r-- | crypto/openssh/auth.c | 85 |
1 files changed, 50 insertions, 35 deletions
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index a085de4..5f72416 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -28,7 +28,6 @@ __RCSID("$FreeBSD$");
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/param.h>
 #include <netinet/in.h>
@@ -51,12 +50,14 @@ __RCSID("$FreeBSD$");
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <limits.h>
 #include "xmalloc.h"
 #include "match.h"
 #include "groupaccess.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
@@ -64,7 +65,6 @@ __RCSID("$FreeBSD$");
 #include "auth-options.h"
 #include "canohost.h"
 #include "uidswap.h"
-#include "misc.h"
 #include "packet.h"
 #include "loginrec.h"
 #ifdef GSSAPI
@@ -72,7 +72,8 @@ __RCSID("$FreeBSD$");
 #endif
 #include "authfile.h"
 #include "monitor_wrap.h"
-#include "krl.h"
+#include "authfile.h"
+#include "ssherr.h"
 #include "compat.h"
 /* import */
@@ -327,6 +328,21 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 #endif
 }
+
+void
+auth_maxtries_exceeded(Authctxt *authctxt)
+{
+ error("maximum authentication attempts exceeded for "
+ "%s%.100s from %.200s port %d %s",
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user,
+ get_remote_ipaddr(),
+ get_remote_port(),
+ compat20 ? "ssh2" : "ssh1");
+ packet_disconnect("Too many authentication failures");
+ /* NOTREACHED */
+}
+
 /*
 * Check whether root logins are disallowed.
 */
@@ -362,7 +378,7 @@ auth_root_allowed(const char *method)
 char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
- char *file, ret[MAXPATHLEN];
+ char *file, ret[PATH_MAX];
 int i;
 file = percent_expand(filename, "h", pw->pw_dir, 
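Review bot: The `@@ -72,7 +72,8 @@` hunk leaves `#include "authfile.h"` in the file twice: the existing context line two lines above `monitor_wrap.h` and the newly added line that takes the place of `krl.h`. This is presumably harmless if authfile.h has an include guard (the header is not in this diff), but it reads like a mis-merge, so the addition should be just `+#include "ssherr.h"` with the duplicate `authfile.h` line dropped. As this is a vendor merge the correction likely belongs upstream rather than in the FreeBSD copy.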
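Review bot: `auth_maxtries_exceeded()` is written as a function that never returns (`/* NOTREACHED */` after `packet_disconnect()`), yet nothing in this hunk marks it as such; unless the prototype in auth.h, which is not in this diff, carries a noreturn attribute, a caller that accidentally falls through after it gets no compiler diagnostic. Suggest declaring it `void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));` in the header, using whatever noreturn spelling the project already uses. The log line also interpolates the client-supplied `authctxt->user` with `%.100s`, which is the right bound for a hostile name, but if any caller can reach this before the user name has been recorded the argument is NULL; the callers are outside this hunk, so that is worth confirming or guarding with a NULL-safe fallback such as `authctxt->user ? authctxt->user : "(unknown)"`.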
@@ -385,8 +401,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
 char *
 authorized_principals_file(struct passwd *pw)
 {
- if (options.authorized_principals_file == NULL ||
- strcasecmp(options.authorized_principals_file, "none") == 0)
+ if (options.authorized_principals_file == NULL)
 return NULL;
 return expand_authorized_keys(options.authorized_principals_file, pw);
 }
@@ -454,7 +469,7 @@ int
 auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
 uid_t uid, char *err, size_t errlen)
 {
- char buf[MAXPATHLEN], homedir[MAXPATHLEN];
+ char buf[PATH_MAX], homedir[PATH_MAX];
 char *cp;
 int comparehome = 0;
 struct stat st; 
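Review bot: `authorized_principals_file()` no longer treats the literal `"none"` as "disabled"; the only remaining guard is `options.authorized_principals_file == NULL`. That is only safe if the config parser now maps `AuthorizedPrincipalsFile none` to NULL at parse time, and the corresponding servconf.c change is not in this diff, so I cannot confirm it landed in the same merge. If it did not, a configuration that used `none` is now handed to `expand_authorized_keys()`, which presumably resolves it as a relative path, so sshd would consult a principals file literally named `none`, very likely under a directory the user controls. A one-line comment above the check, `/* "none" is normalised to NULL by servconf.c at parse time */`, would record the dependency for the next maintainer.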
@@ -660,39 +675,39 @@ getpwnamallow(const char *user)
 int
 auth_key_is_revoked(Key *key)
 {
- char *key_fp;
+ char *fp = NULL;
+ int r;
 if (options.revoked_keys_file == NULL)
 return 0;
- switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
- case 0:
- return 0; /* Not revoked */
- case -2:
- break; /* Not a KRL */
- default:
- goto revoked;
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ SSH_FP_DEFAULT)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ error("%s: fingerprint key: %s", __func__, ssh_err(r));
+ goto out;
 }
- debug3("%s: treating %s as a key list", __func__,
- options.revoked_keys_file);
- switch (key_in_file(key, options.revoked_keys_file, 0)) {
+
+ r = sshkey_check_revoked(key, options.revoked_keys_file);
+ switch (r) {
 case 0:
- /* key not revoked */
- return 0;
- case -1:
- /* Error opening revoked_keys_file: refuse all keys */
- error("Revoked keys file is unreadable: refusing public key "
- "authentication");
- return 1;
- case 1:
- revoked:
- /* Key revoked */
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- error("WARNING: authentication attempt with a revoked "
- "%s key %s ", key_type(key), key_fp);
- free(key_fp);
- return 1;
+ break; /* not revoked */
+ case SSH_ERR_KEY_REVOKED:
+ error("Authentication key %s %s revoked by file %s",
+ sshkey_type(key), fp, options.revoked_keys_file);
+ goto out;
+ default:
+ error("Error checking authentication key %s %s in "
+ "revoked keys file %s: %s", sshkey_type(key), fp,
+ options.revoked_keys_file, ssh_err(r));
+ goto out;
 }
- fatal("key_in_file returned junk");
+
+ /* Success */
+ r = 0;
+
+ out:
+ free(fp);
+ return r == 0 ? 0 : 1;
 }
 void |
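Review bot: The revoked-key log line changes from `WARNING: authentication attempt with a revoked %s key %s` to `Authentication key %s %s revoked by file %s`, so any log-monitoring or intrusion-detection rule keyed on the old `WARNING:` prefix silently stops firing after this merge; the change should be called out in the release notes, or the old prefix kept. Two smaller points in the new body: `r = 0;` under `/* Success */` is redundant because the only path that reaches it is `case 0: break;` with `r` already 0, and the fingerprint-failure branch hard-codes `SSH_ERR_ALLOC_FAIL` although `sshkey_fingerprint()` returning NULL may have other causes (its contract is not visible here), so that message can misreport the reason. Both error paths fail closed by returning 1, which is the right behaviour and is preserved.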