diff options
Diffstat (limited to 'crypto/openssh/monitor.c')
| -rw-r--r-- | crypto/openssh/monitor.c | 63 |
1 files changed, 46 insertions, 17 deletions
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c index 59281be..0fda0df 100644 --- a/crypto/openssh/monitor.c +++ b/crypto/openssh/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $"); RCSID("$FreeBSD$"); #include <openssl/dh.h> @@ -143,6 +143,7 @@ int mm_answer_pam_free_ctx(int, Buffer *); int mm_answer_gss_setup_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); +int mm_answer_gss_checkmic(int, Buffer *); #endif static Authctxt *authctxt; @@ -202,6 +203,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, + {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, #endif {0, 0, NULL} }; @@ -281,14 +283,17 @@ monitor_permit_authentications(int permit) } } -Authctxt * -monitor_child_preauth(struct monitor *pmonitor) +void +monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) { struct mon_table *ent; int authenticated = 0; debug3("preauth child monitor started"); + authctxt = _authctxt; + memset(authctxt, 0, sizeof(*authctxt)); + if (compat20) { mon_dispatch = mon_dispatch_proto20; @@ -301,8 +306,6 @@ monitor_child_preauth(struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); } - authctxt = authctxt_new(); - /* The first few requests do not require asynchronous access */ while (!authenticated) { authenticated = monitor_read(pmonitor, mon_dispatch, &ent); @@ -315,11 +318,11 @@ monitor_child_preauth(struct monitor *pmonitor) authenticated = 0; #ifdef USE_PAM /* PAM needs to perform account checks after auth */ - if (options.use_pam) { + if (options.use_pam && authenticated) { Buffer m; buffer_init(&m); - mm_request_receive_expect(pmonitor->m_sendfd, + mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_PAM_ACCOUNT, &m); authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); buffer_free(&m); @@ -342,8 +345,6 @@ monitor_child_preauth(struct monitor *pmonitor) __func__, authctxt->user); mm_get_keystate(pmonitor); - - return (authctxt); } static void @@ -575,6 +576,7 @@ mm_answer_pwnamallow(int socket, Buffer *m) if (pwent == NULL) { buffer_put_char(m, 0); + authctxt->pw = fakepw(); goto out; } @@ -790,7 +792,7 @@ int mm_answer_pam_start(int socket, Buffer *m) { char *user; - + if (!options.use_pam) fatal("UsePAM not set, but ended up in %s anyway", __func__); @@ -809,7 +811,7 @@ int mm_answer_pam_account(int socket, Buffer *m) { u_int ret; - + if (!options.use_pam) fatal("UsePAM not set, but ended up in %s anyway", __func__); @@ -956,7 +958,7 @@ mm_answer_keyallowed(int socket, Buffer *m) debug3("%s: key_from_blob: %p", __func__, key); - if (key != NULL && authctxt->pw != NULL) { + if (key != NULL && authctxt->valid) { switch(type) { case MM_USERKEY: allowed = options.pubkey_authentication && @@ -1194,7 +1196,7 @@ mm_record_login(Session *s, struct passwd *pw) if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } } /* Record that there was a login on that tty from the remote host. */ @@ -1209,7 +1211,6 @@ mm_session_close(Session *s) debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); if (s->ttyfd != -1) { debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); - fatal_remove_cleanup(session_pty_cleanup2, (void *)s); session_pty_cleanup2(s); } s->used = 0; @@ -1234,7 +1235,6 @@ mm_answer_pty(int socket, Buffer *m) res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); if (res == 0) goto error; - fatal_add_cleanup(session_pty_cleanup2, (void *)s); pty_setowner(authctxt->pw, s->tty); buffer_put_int(m, 1); @@ -1717,6 +1717,7 @@ monitor_init(void) mon = xmalloc(sizeof(*mon)); + mon->m_pid = 0; monitor_socketpair(pair); mon->m_recvfd = pair[0]; @@ -1793,15 +1794,43 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m) gss_release_buffer(&minor, &out); - /* Complete - now we can do signing */ if (major==GSS_S_COMPLETE) { monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); } return (0); } int +mm_answer_gss_checkmic(int socket, Buffer *m) +{ + gss_buffer_desc gssbuf, mic; + OM_uint32 ret; + u_int len; + + gssbuf.value = buffer_get_string(m, &len); + gssbuf.length = len; + mic.value = buffer_get_string(m, &len); + mic.length = len; + + ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); + + xfree(gssbuf.value); + xfree(mic.value); + + buffer_clear(m); + buffer_put_int(m, ret); + + mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m); + + if (!GSS_ERROR(ret)) + monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); + + return (0); +} + +int mm_answer_gss_userok(int socket, Buffer *m) { int authenticated; @@ -1814,7 +1843,7 @@ mm_answer_gss_userok(int socket, Buffer *m) debug3("%s: sending result %d", __func__, authenticated); mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); - auth_method="gssapi"; + auth_method="gssapi-with-mic"; /* Monitor loop will terminate if authenticated */ return (authenticated); |
