From 5a18868b2d506b9e2254047d8d9fb9df5b2a8ae0 Mon Sep 17 00:00:00 2001
From: des <des@FreeBSD.org>
Date: Sun, 7 Feb 2016 11:38:54 +0000
Subject: MFH (r265214, r294333, r294407, r294467): misc prop fixes MFH
 (r285975, r287143): register mergeinfo for security fixes MFH (r294497,
 r294498, r295139): internal documentation MFH (r294328): upgrade to openssh
 6.7p1, re-add libwrap MFH (r294332): upgrade to openssh 6.8p1 MFH (r294367):
 update pam_ssh for api changes MFH (r294909): switch usedns back on MFH
 (r294336): upgrade to openssh 6.9p1 MFH (r294495): re-enable dsa keys MFH
 (r294464): upgrade to openssh 7.0p1 MFH (r294496): upgrade to openssh 7.1p2

Approved by:	re (gjb)
Relnotes:	yes
---
 crypto/openssh/auth.c | 89 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 53 insertions(+), 36 deletions(-)

(limited to 'crypto/openssh/auth.c')

diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index a085de4..ba908801 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -28,7 +28,6 @@ __RCSID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/param.h>
 
 #include <netinet/in.h>
 
@@ -51,12 +50,14 @@ __RCSID("$FreeBSD$");
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <limits.h>
 
 #include "xmalloc.h"
 #include "match.h"
 #include "groupaccess.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
@@ -64,7 +65,6 @@ __RCSID("$FreeBSD$");
 #include "auth-options.h"
 #include "canohost.h"
 #include "uidswap.h"
-#include "misc.h"
 #include "packet.h"
 #include "loginrec.h"
 #ifdef GSSAPI
@@ -72,7 +72,8 @@ __RCSID("$FreeBSD$");
 #endif
 #include "authfile.h"
 #include "monitor_wrap.h"
-#include "krl.h"
+#include "authfile.h"
+#include "ssherr.h"
 #include "compat.h"
 
 /* import */
@@ -327,6 +328,21 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 #endif
 }
 
+
+void
+auth_maxtries_exceeded(Authctxt *authctxt)
+{
+	error("maximum authentication attempts exceeded for "
+	    "%s%.100s from %.200s port %d %s",
+	    authctxt->valid ? "" : "invalid user ",
+	    authctxt->user,
+	    get_remote_ipaddr(),
+	    get_remote_port(),
+	    compat20 ? "ssh2" : "ssh1");
+	packet_disconnect("Too many authentication failures");
+	/* NOTREACHED */
+}
+
 /*
  * Check whether root logins are disallowed.
  */
@@ -337,7 +353,9 @@ auth_root_allowed(const char *method)
 	case PERMIT_YES:
 		return 1;
 	case PERMIT_NO_PASSWD:
-		if (strcmp(method, "password") != 0)
+		if (strcmp(method, "publickey") == 0 ||
+		    strcmp(method, "hostbased") == 0 ||
+		    strcmp(method, "gssapi-with-mic") == 0)
 			return 1;
 		break;
 	case PERMIT_FORCED_ONLY:
@@ -362,7 +380,7 @@ auth_root_allowed(const char *method)
 char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
-	char *file, ret[MAXPATHLEN];
+	char *file, ret[PATH_MAX];
 	int i;
 
 	file = percent_expand(filename, "h", pw->pw_dir,
@@ -385,8 +403,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
 char *
 authorized_principals_file(struct passwd *pw)
 {
-	if (options.authorized_principals_file == NULL ||
-	    strcasecmp(options.authorized_principals_file, "none") == 0)
+	if (options.authorized_principals_file == NULL)
 		return NULL;
 	return expand_authorized_keys(options.authorized_principals_file, pw);
 }
@@ -454,7 +471,7 @@ int
 auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
     uid_t uid, char *err, size_t errlen)
 {
-	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
+	char buf[PATH_MAX], homedir[PATH_MAX];
 	char *cp;
 	int comparehome = 0;
 	struct stat st;
@@ -660,39 +677,39 @@ getpwnamallow(const char *user)
 int
 auth_key_is_revoked(Key *key)
 {
-	char *key_fp;
+	char *fp = NULL;
+	int r;
 
 	if (options.revoked_keys_file == NULL)
 		return 0;
-	switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
-	case 0:
-		return 0;	/* Not revoked */
-	case -2:
-		break;		/* Not a KRL */
-	default:
-		goto revoked;
+	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+	    SSH_FP_DEFAULT)) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		error("%s: fingerprint key: %s", __func__, ssh_err(r));
+		goto out;
 	}
-	debug3("%s: treating %s as a key list", __func__,
-	    options.revoked_keys_file);
-	switch (key_in_file(key, options.revoked_keys_file, 0)) {
+
+	r = sshkey_check_revoked(key, options.revoked_keys_file);
+	switch (r) {
 	case 0:
-		/* key not revoked */
-		return 0;
-	case -1:
-		/* Error opening revoked_keys_file: refuse all keys */
-		error("Revoked keys file is unreadable: refusing public key "
-		    "authentication");
-		return 1;
-	case 1:
- revoked:
-		/* Key revoked */
-		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-		error("WARNING: authentication attempt with a revoked "
-		    "%s key %s ", key_type(key), key_fp);
-		free(key_fp);
-		return 1;
+		break; /* not revoked */
+	case SSH_ERR_KEY_REVOKED:
+		error("Authentication key %s %s revoked by file %s",
+		    sshkey_type(key), fp, options.revoked_keys_file);
+		goto out;
+	default:
+		error("Error checking authentication key %s %s in "
+		    "revoked keys file %s: %s", sshkey_type(key), fp,
+		    options.revoked_keys_file, ssh_err(r));
+		goto out;
 	}
-	fatal("key_in_file returned junk");
+
+	/* Success */
+	r = 0;
+
+ out:
+	free(fp);
+	return r == 0 ? 0 : 1;
 }
 
 void
-- 
cgit v1.1