search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
- stevesk@cvs.openbsd.org 2006/08/01 23:36:12
[openssh-git.git] / auth1.c
blob2c5585768884852f8987dc35d82700353125ae7f
1 /* $OpenBSD: auth1.c,v 1.69 2006/08/01 23:22:47 stevesk Exp $ */
2 /*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13 #include "includes.h"
14
15 #include <sys/types.h>
16
17 #include <stdio.h>
18 #include <string.h>
19 #include <unistd.h>
20
21 #include "xmalloc.h"
22 #include "rsa.h"
23 #include "ssh1.h"
24 #include "packet.h"
25 #include "buffer.h"
26 #include "log.h"
27 #include "servconf.h"
28 #include "compat.h"
29 #include "auth.h"
30 #include "channels.h"
31 #include "session.h"
32 #include "uidswap.h"
33 #include "monitor_wrap.h"
34 #include "buffer.h"
35
36 /* import */
37 extern ServerOptions options;
38 extern Buffer loginmsg;
39
40 static int auth1_process_password(Authctxt *, char *, size_t);
41 static int auth1_process_rsa(Authctxt *, char *, size_t);
42 static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
43 static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
44 static int auth1_process_tis_response(Authctxt *, char *, size_t);
45
46 static char *client_user = NULL; /* Used to fill in remote user for PAM */
47
48 struct AuthMethod1 {
49 int type;
50 char *name;
51 int *enabled;
52 int (*method)(Authctxt *, char *, size_t);
53 };
54
55 const struct AuthMethod1 auth1_methods[] = {
56 {
57 SSH_CMSG_AUTH_PASSWORD, "password",
58 &options.password_authentication, auth1_process_password
59 },
60 {
61 SSH_CMSG_AUTH_RSA, "rsa",
62 &options.rsa_authentication, auth1_process_rsa
63 },
64 {
65 SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
66 &options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
67 },
68 {
69 SSH_CMSG_AUTH_TIS, "challenge-response",
70 &options.challenge_response_authentication,
71 auth1_process_tis_challenge
72 },
73 {
74 SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
75 &options.challenge_response_authentication,
76 auth1_process_tis_response
77 },
78 { -1, NULL, NULL, NULL}
79 };
80
81 static const struct AuthMethod1
82 *lookup_authmethod1(int type)
83 {
84 int i;
85
86 for (i = 0; auth1_methods[i].name != NULL; i++)
87 if (auth1_methods[i].type == type)
88 return (&(auth1_methods[i]));
89
90 return (NULL);
91 }
92
93 static char *
94 get_authname(int type)
95 {
96 const struct AuthMethod1 *a;
97 static char buf[64];
98
99 if ((a = lookup_authmethod1(type)) != NULL)
100 return (a->name);
101 snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
102 return (buf);
103 }
104
105 /*ARGSUSED*/
106 static int
107 auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
108 {
109 int authenticated = 0;
110 char *password;
111 u_int dlen;
112
113 /*
114 * Read user password. It is in plain text, but was
115 * transmitted over the encrypted channel so it is
116 * not visible to an outside observer.
117 */
118 password = packet_get_string(&dlen);
119 packet_check_eom();
120
121 /* Try authentication with the password. */
122 authenticated = PRIVSEP(auth_password(authctxt, password));
123
124 memset(password, 0, dlen);
125 xfree(password);
126
127 return (authenticated);
128 }
129
130 /*ARGSUSED*/
131 static int
132 auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
133 {
134 int authenticated = 0;
135 BIGNUM *n;
136
137 /* RSA authentication requested. */
138 if ((n = BN_new()) == NULL)
139 fatal("do_authloop: BN_new failed");
140 packet_get_bignum(n);
141 packet_check_eom();
142 authenticated = auth_rsa(authctxt, n);
143 BN_clear_free(n);
144
145 return (authenticated);
146 }
147
148 /*ARGSUSED*/
149 static int
150 auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
151 {
152 int keybits, authenticated = 0;
153 u_int bits;
154 Key *client_host_key;
155 u_int ulen;
156
157 /*
158 * Get client user name. Note that we just have to
159 * trust the client; root on the client machine can
160 * claim to be any user.
161 */
162 client_user = packet_get_string(&ulen);
163
164 /* Get the client host key. */
165 client_host_key = key_new(KEY_RSA1);
166 bits = packet_get_int();
167 packet_get_bignum(client_host_key->rsa->e);
168 packet_get_bignum(client_host_key->rsa->n);
169
170 keybits = BN_num_bits(client_host_key->rsa->n);
171 if (keybits < 0 || bits != (u_int)keybits) {
172 verbose("Warning: keysize mismatch for client_host_key: "
173 "actual %d, announced %d",
174 BN_num_bits(client_host_key->rsa->n), bits);
175 }
176 packet_check_eom();
177
178 authenticated = auth_rhosts_rsa(authctxt, client_user,
179 client_host_key);
180 key_free(client_host_key);
181
182 snprintf(info, infolen, " ruser %.100s", client_user);
183
184 return (authenticated);
185 }
186
187 /*ARGSUSED*/
188 static int
189 auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
190 {
191 char *challenge;
192
193 if ((challenge = get_challenge(authctxt)) == NULL)
194 return (0);
195
196 debug("sending challenge '%s'", challenge);
197 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
198 packet_put_cstring(challenge);
199 xfree(challenge);
200 packet_send();
201 packet_write_wait();
202
203 return (-1);
204 }
205
206 /*ARGSUSED*/
207 static int
208 auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
209 {
210 int authenticated = 0;
211 char *response;
212 u_int dlen;
213
214 response = packet_get_string(&dlen);
215 packet_check_eom();
216 authenticated = verify_response(authctxt, response);
217 memset(response, 'r', dlen);
218 xfree(response);
219
220 return (authenticated);
221 }
222
223 /*
224 * read packets, try to authenticate the user and
225 * return only if authentication is successful
226 */
227 static void
228 do_authloop(Authctxt *authctxt)
229 {
230 int authenticated = 0;
231 char info[1024];
232 int prev = 0, type = 0;
233 const struct AuthMethod1 *meth;
234
235 debug("Attempting authentication for %s%.100s.",
236 authctxt->valid ? "" : "invalid user ", authctxt->user);
237
238 /* If the user has no password, accept authentication immediately. */
239 if (options.password_authentication &&
240 #ifdef KRB5
241 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
242 #endif
243 PRIVSEP(auth_password(authctxt, ""))) {
244 #ifdef USE_PAM
245 if (options.use_pam && (PRIVSEP(do_pam_account())))
246 #endif
247 {
248 auth_log(authctxt, 1, "without authentication", "");
249 return;
250 }
251 }
252
253 /* Indicate that authentication is needed. */
254 packet_start(SSH_SMSG_FAILURE);
255 packet_send();
256 packet_write_wait();
257
258 for (;;) {
259 /* default to fail */
260 authenticated = 0;
261
262 info[0] = '\0';
263
264 /* Get a packet from the client. */
265 prev = type;
266 type = packet_read();
267
268 /*
269 * If we started challenge-response authentication but the
270 * next packet is not a response to our challenge, release
271 * the resources allocated by get_challenge() (which would
272 * normally have been released by verify_response() had we
273 * received such a response)
274 */
275 if (prev == SSH_CMSG_AUTH_TIS &&
276 type != SSH_CMSG_AUTH_TIS_RESPONSE)
277 abandon_challenge_response(authctxt);
278
279 if ((meth = lookup_authmethod1(type)) == NULL) {
280 logit("Unknown message during authentication: "
281 "type %d", type);
282 goto skip;
283 }
284
285 if (!*(meth->enabled)) {
286 verbose("%s authentication disabled.", meth->name);
287 goto skip;
288 }
289
290 authenticated = meth->method(authctxt, info, sizeof(info));
291 if (authenticated == -1)
292 continue; /* "postponed" */
293
294 #ifdef BSD_AUTH
295 if (authctxt->as) {
296 auth_close(authctxt->as);
297 authctxt->as = NULL;
298 }
299 #endif
300 if (!authctxt->valid && authenticated)
301 fatal("INTERNAL ERROR: authenticated invalid user %s",
302 authctxt->user);
303
304 #ifdef _UNICOS
305 if (authenticated && cray_access_denied(authctxt->user)) {
306 authenticated = 0;
307 fatal("Access denied for user %s.",authctxt->user);
308 }
309 #endif /* _UNICOS */
310
311 #ifdef HAVE_CYGWIN
312 if (authenticated &&
313 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
314 authctxt->pw)) {
315 packet_disconnect("Authentication rejected for uid %d.",
316 authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
317 authenticated = 0;
318 }
319 #else
320 /* Special handling for root */
321 if (authenticated && authctxt->pw->pw_uid == 0 &&
322 !auth_root_allowed(meth->name)) {
323 authenticated = 0;
324 # ifdef SSH_AUDIT_EVENTS
325 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
326 # endif
327 }
328 #endif
329
330 #ifdef USE_PAM
331 if (options.use_pam && authenticated &&
332 !PRIVSEP(do_pam_account())) {
333 char *msg;
334 size_t len;
335
336 error("Access denied for user %s by PAM account "
337 "configuration", authctxt->user);
338 len = buffer_len(&loginmsg);
339 buffer_append(&loginmsg, "\0", 1);
340 msg = buffer_ptr(&loginmsg);
341 /* strip trailing newlines */
342 if (len > 0)
343 while (len > 0 && msg[--len] == '\n')
344 msg[len] = '\0';
345 else
346 msg = "Access denied.";
347 packet_disconnect(msg);
348 }
349 #endif
350
351 skip:
352 /* Log before sending the reply */
353 auth_log(authctxt, authenticated, get_authname(type), info);
354
355 if (client_user != NULL) {
356 xfree(client_user);
357 client_user = NULL;
358 }
359
360 if (authenticated)
361 return;
362
363 if (authctxt->failures++ > options.max_authtries) {
364 #ifdef SSH_AUDIT_EVENTS
365 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
366 #endif
367 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
368 }
369
370 packet_start(SSH_SMSG_FAILURE);
371 packet_send();
372 packet_write_wait();
373 }
374 }
375
376 /*
377 * Performs authentication of an incoming connection. Session key has already
378 * been exchanged and encryption is enabled.
379 */
380 void
381 do_authentication(Authctxt *authctxt)
382 {
383 u_int ulen;
384 char *user, *style = NULL;
385
386 /* Get the name of the user that we wish to log in as. */
387 packet_read_expect(SSH_CMSG_USER);
388
389 /* Get the user name. */
390 user = packet_get_string(&ulen);
391 packet_check_eom();
392
393 if ((style = strchr(user, ':')) != NULL)
394 *style++ = '\0';
395
396 authctxt->user = user;
397 authctxt->style = style;
398
399 /* Verify that the user is a valid user. */
400 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
401 authctxt->valid = 1;
402 else {
403 debug("do_authentication: invalid user %s", user);
404 authctxt->pw = fakepw();
405 }
406
407 setproctitle("%s%s", authctxt->valid ? user : "unknown",
408 use_privsep ? " [net]" : "");
409
410 #ifdef USE_PAM
411 if (options.use_pam)
412 PRIVSEP(start_pam(authctxt));
413 #endif
414
415 /*
416 * If we are not running as root, the user must have the same uid as
417 * the server.
418 */
419 #ifndef HAVE_CYGWIN
420 if (!use_privsep && getuid() != 0 && authctxt->pw &&
421 authctxt->pw->pw_uid != getuid())
422 packet_disconnect("Cannot change user when server not running as root.");
423 #endif
424
425 /*
426 * Loop until the user has been authenticated or the connection is
427 * closed, do_authloop() returns only if authentication is successful
428 */
429 do_authloop(authctxt);
430
431 /* The user has been authenticated and accepted. */
432 packet_start(SSH_SMSG_SUCCESS);
433 packet_send();
434 packet_write_wait();
435 }
A clone of openssh git repository