diff options
Diffstat (limited to 'crypto/openssh/auth1.c')
-rw-r--r-- | crypto/openssh/auth1.c | 128 |
1 files changed, 29 insertions, 99 deletions
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c index 423c8d4..2ebc8d0 100644 --- a/crypto/openssh/auth1.c +++ b/crypto/openssh/auth1.c @@ -11,7 +11,6 @@ #include "includes.h" RCSID("$OpenBSD: auth1.c,v 1.41 2002/06/19 00:27:55 deraadt Exp $"); -RCSID("$FreeBSD$"); #include "xmalloc.h" #include "rsa.h" @@ -25,14 +24,9 @@ RCSID("$FreeBSD$"); #include "auth.h" #include "channels.h" #include "session.h" -#include "canohost.h" #include "uidswap.h" #include "monitor_wrap.h" -#include <login_cap.h> -#include "auth-pam.h" -#include <security/pam_appl.h> - /* import */ extern ServerOptions options; @@ -81,16 +75,6 @@ do_authloop(Authctxt *authctxt) u_int ulen; int type = 0; struct passwd *pw = authctxt->pw; -#ifdef HAVE_LOGIN_CAP - login_cap_t *lc; -#endif /* HAVE_LOGIN_CAP */ -#ifdef USE_PAM - struct inverted_pam_cookie *pam_cookie; -#endif /* USE_PAM */ - const char *from_host, *from_ip; - - from_host = get_canonical_hostname(options.verify_reverse_mapping); - from_ip = get_remote_ipaddr(); debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "illegal user ", authctxt->user); @@ -100,11 +84,7 @@ do_authloop(Authctxt *authctxt) #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif -#ifdef USE_PAM - /* XXX PRIVSEP */ auth_pam_password(authctxt, "")) { -#else PRIVSEP(auth_password(authctxt, ""))) { -#endif auth_log(authctxt, 1, "without authentication", ""); return; } @@ -149,7 +129,6 @@ do_authloop(Authctxt *authctxt) snprintf(info, sizeof(info), " tktuser %.100s", client_user); - xfree(client_user); } #endif /* KRB4 */ } else { @@ -163,7 +142,6 @@ do_authloop(Authctxt *authctxt) snprintf(info, sizeof(info), " tktuser %.100s", client_user); - xfree(client_user); } #endif /* KRB5 */ } @@ -262,49 +240,13 @@ do_authloop(Authctxt *authctxt) password = packet_get_string(&dlen); packet_check_eom(); -#ifdef USE_PAM - /* Do PAM auth with password */ - authenticated = /* XXX PRIVSEP */ auth_pam_password(authctxt, password); -#else /* !USE_PAM */ /* Try authentication with the password. */ authenticated = PRIVSEP(auth_password(authctxt, password)); -#endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); break; -#ifdef USE_PAM - case SSH_CMSG_AUTH_TIS: - debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM"); - pam_cookie = ipam_start_auth("sshd", pw->pw_name); - /* We now have data available to send as a challenge */ - if (pam_cookie->num_msg != 1 || - (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OFF && - pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON)) { - /* We got several challenges or an unknown challenge type */ - ipam_free_cookie(pam_cookie); - pam_cookie = NULL; - break; - } - packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); - packet_put_string(pam_cookie->msg[0]->msg, strlen(pam_cookie->msg[0]->msg)); - packet_send(); - packet_write_wait(); - continue; - case SSH_CMSG_AUTH_TIS_RESPONSE: - debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); - if (pam_cookie != NULL) { - char *response = packet_get_string(&dlen); - - pam_cookie->resp[0]->resp = strdup(response); - xfree(response); - authenticated = ipam_complete_auth(pam_cookie); - ipam_free_cookie(pam_cookie); - pam_cookie = NULL; - } - break; -#elif defined(SKEY) case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.challenge_response_authentication == 1) { @@ -331,12 +273,6 @@ do_authloop(Authctxt *authctxt) xfree(response); } break; -#else - case SSH_CMSG_AUTH_TIS: - /* TIS Authentication is unsupported */ - log("TIS authentication unsupported."); - break; -#endif default: /* @@ -346,26 +282,6 @@ do_authloop(Authctxt *authctxt) log("Unknown message during authentication: type %d", type); break; } - -#ifdef HAVE_LOGIN_CAP - if (pw != NULL) { - lc = login_getpwclass(pw); - if (lc == NULL) - lc = login_getclassbyname(NULL, pw); - if (!auth_hostok(lc, from_host, from_ip)) { - log("Denied connection for %.200s from %.200s [%.200s].", - pw->pw_name, from_host, from_ip); - packet_disconnect("Sorry, you are not allowed to connect."); - } - if (!auth_timeok(lc, time(NULL))) { - log("LOGIN %.200s REFUSED (TIME) FROM %.200s", - pw->pw_name, from_host); - packet_disconnect("Logins not available right now."); - } - login_close(lc); - lc = NULL; - } -#endif /* HAVE_LOGIN_CAP */ #ifdef BSD_AUTH if (authctxt->as) { auth_close(authctxt->as); @@ -376,23 +292,28 @@ do_authloop(Authctxt *authctxt) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +#ifdef HAVE_CYGWIN + if (authenticated && + !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { + packet_disconnect("Authentication rejected for uid %d.", + pw == NULL ? -1 : pw->pw_uid); + authenticated = 0; + } +#else /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) authenticated = 0; - - if (pw != NULL && pw->pw_uid == 0) - log("ROOT LOGIN as '%.100s' from %.100s", - pw->pw_name, from_host ); - - /* Log before sending the reply */ - auth_log(authctxt, authenticated, get_authname(type), info); - +#endif #ifdef USE_PAM - if (authenticated && !do_pam_account(pw->pw_name, client_user)) + if (!use_privsep && authenticated && + !do_pam_account(pw->pw_name, client_user)) authenticated = 0; #endif + /* Log before sending the reply */ + auth_log(authctxt, authenticated, get_authname(type), info); + if (client_user != NULL) { xfree(client_user); client_user = NULL; @@ -401,8 +322,15 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > AUTH_FAIL_MAX) + if (authctxt->failures++ > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + /* XXX: privsep */ + loginfailed(authctxt->user, + get_canonical_hostname(options.verify_reverse_mapping), + "ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } packet_start(SSH_SMSG_FAILURE); packet_send(); @@ -451,20 +379,22 @@ do_authentication(void) else debug("do_authentication: illegal user %s", user); -#ifdef USE_PAM - if (authctxt->pw != NULL) - start_pam(authctxt->pw); -#endif setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); +#ifdef USE_PAM + PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); +#endif + /* * If we are not running as root, the user must have the same uid as - * the server. + * the server. (Unless you are running Windows) */ +#ifndef HAVE_CYGWIN if (!use_privsep && getuid() != 0 && authctxt->pw && authctxt->pw->pw_uid != getuid()) packet_disconnect("Cannot change user when server not running as root."); +#endif /* * Loop until the user has been authenticated or the connection is |