search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
- stevesk@cvs.openbsd.org 2006/07/02 22:45:59
[openssh-git.git] / auth1.c
blob6a6cff862aa6dcd21ee933668021297984ca24f2
1 /* $OpenBSD: auth1.c,v 1.66 2006/03/25 13:17:01 djm Exp $ */
2 /*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13 #include "includes.h"
14
15 #include "xmalloc.h"
16 #include "rsa.h"
17 #include "ssh1.h"
18 #include "packet.h"
19 #include "buffer.h"
20 #include "log.h"
21 #include "servconf.h"
22 #include "compat.h"
23 #include "auth.h"
24 #include "channels.h"
25 #include "session.h"
26 #include "uidswap.h"
27 #include "monitor_wrap.h"
28 #include "buffer.h"
29
30 /* import */
31 extern ServerOptions options;
32 extern Buffer loginmsg;
33
34 static int auth1_process_password(Authctxt *, char *, size_t);
35 static int auth1_process_rsa(Authctxt *, char *, size_t);
36 static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
37 static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
38 static int auth1_process_tis_response(Authctxt *, char *, size_t);
39
40 static char *client_user = NULL; /* Used to fill in remote user for PAM */
41
42 struct AuthMethod1 {
43 int type;
44 char *name;
45 int *enabled;
46 int (*method)(Authctxt *, char *, size_t);
47 };
48
49 const struct AuthMethod1 auth1_methods[] = {
50 {
51 SSH_CMSG_AUTH_PASSWORD, "password",
52 &options.password_authentication, auth1_process_password
53 },
54 {
55 SSH_CMSG_AUTH_RSA, "rsa",
56 &options.rsa_authentication, auth1_process_rsa
57 },
58 {
59 SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
60 &options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
61 },
62 {
63 SSH_CMSG_AUTH_TIS, "challenge-response",
64 &options.challenge_response_authentication,
65 auth1_process_tis_challenge
66 },
67 {
68 SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
69 &options.challenge_response_authentication,
70 auth1_process_tis_response
71 },
72 { -1, NULL, NULL, NULL}
73 };
74
75 static const struct AuthMethod1
76 *lookup_authmethod1(int type)
77 {
78 int i;
79
80 for (i = 0; auth1_methods[i].name != NULL; i++)
81 if (auth1_methods[i].type == type)
82 return (&(auth1_methods[i]));
83
84 return (NULL);
85 }
86
87 static char *
88 get_authname(int type)
89 {
90 const struct AuthMethod1 *a;
91 static char buf[64];
92
93 if ((a = lookup_authmethod1(type)) != NULL)
94 return (a->name);
95 snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
96 return (buf);
97 }
98
99 /*ARGSUSED*/
100 static int
101 auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
102 {
103 int authenticated = 0;
104 char *password;
105 u_int dlen;
106
107 /*
108 * Read user password. It is in plain text, but was
109 * transmitted over the encrypted channel so it is
110 * not visible to an outside observer.
111 */
112 password = packet_get_string(&dlen);
113 packet_check_eom();
114
115 /* Try authentication with the password. */
116 authenticated = PRIVSEP(auth_password(authctxt, password));
117
118 memset(password, 0, dlen);
119 xfree(password);
120
121 return (authenticated);
122 }
123
124 /*ARGSUSED*/
125 static int
126 auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
127 {
128 int authenticated = 0;
129 BIGNUM *n;
130
131 /* RSA authentication requested. */
132 if ((n = BN_new()) == NULL)
133 fatal("do_authloop: BN_new failed");
134 packet_get_bignum(n);
135 packet_check_eom();
136 authenticated = auth_rsa(authctxt, n);
137 BN_clear_free(n);
138
139 return (authenticated);
140 }
141
142 /*ARGSUSED*/
143 static int
144 auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
145 {
146 int keybits, authenticated = 0;
147 u_int bits;
148 Key *client_host_key;
149 u_int ulen;
150
151 /*
152 * Get client user name. Note that we just have to
153 * trust the client; root on the client machine can
154 * claim to be any user.
155 */
156 client_user = packet_get_string(&ulen);
157
158 /* Get the client host key. */
159 client_host_key = key_new(KEY_RSA1);
160 bits = packet_get_int();
161 packet_get_bignum(client_host_key->rsa->e);
162 packet_get_bignum(client_host_key->rsa->n);
163
164 keybits = BN_num_bits(client_host_key->rsa->n);
165 if (keybits < 0 || bits != (u_int)keybits) {
166 verbose("Warning: keysize mismatch for client_host_key: "
167 "actual %d, announced %d",
168 BN_num_bits(client_host_key->rsa->n), bits);
169 }
170 packet_check_eom();
171
172 authenticated = auth_rhosts_rsa(authctxt, client_user,
173 client_host_key);
174 key_free(client_host_key);
175
176 snprintf(info, infolen, " ruser %.100s", client_user);
177
178 return (authenticated);
179 }
180
181 /*ARGSUSED*/
182 static int
183 auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
184 {
185 char *challenge;
186
187 if ((challenge = get_challenge(authctxt)) == NULL)
188 return (0);
189
190 debug("sending challenge '%s'", challenge);
191 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
192 packet_put_cstring(challenge);
193 xfree(challenge);
194 packet_send();
195 packet_write_wait();
196
197 return (-1);
198 }
199
200 /*ARGSUSED*/
201 static int
202 auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
203 {
204 int authenticated = 0;
205 char *response;
206 u_int dlen;
207
208 response = packet_get_string(&dlen);
209 packet_check_eom();
210 authenticated = verify_response(authctxt, response);
211 memset(response, 'r', dlen);
212 xfree(response);
213
214 return (authenticated);
215 }
216
217 /*
218 * read packets, try to authenticate the user and
219 * return only if authentication is successful
220 */
221 static void
222 do_authloop(Authctxt *authctxt)
223 {
224 int authenticated = 0;
225 char info[1024];
226 int prev = 0, type = 0;
227 const struct AuthMethod1 *meth;
228
229 debug("Attempting authentication for %s%.100s.",
230 authctxt->valid ? "" : "invalid user ", authctxt->user);
231
232 /* If the user has no password, accept authentication immediately. */
233 if (options.password_authentication &&
234 #ifdef KRB5
235 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
236 #endif
237 PRIVSEP(auth_password(authctxt, ""))) {
238 #ifdef USE_PAM
239 if (options.use_pam && (PRIVSEP(do_pam_account())))
240 #endif
241 {
242 auth_log(authctxt, 1, "without authentication", "");
243 return;
244 }
245 }
246
247 /* Indicate that authentication is needed. */
248 packet_start(SSH_SMSG_FAILURE);
249 packet_send();
250 packet_write_wait();
251
252 for (;;) {
253 /* default to fail */
254 authenticated = 0;
255
256 info[0] = '\0';
257
258 /* Get a packet from the client. */
259 prev = type;
260 type = packet_read();
261
262 /*
263 * If we started challenge-response authentication but the
264 * next packet is not a response to our challenge, release
265 * the resources allocated by get_challenge() (which would
266 * normally have been released by verify_response() had we
267 * received such a response)
268 */
269 if (prev == SSH_CMSG_AUTH_TIS &&
270 type != SSH_CMSG_AUTH_TIS_RESPONSE)
271 abandon_challenge_response(authctxt);
272
273 if ((meth = lookup_authmethod1(type)) == NULL) {
274 logit("Unknown message during authentication: "
275 "type %d", type);
276 goto skip;
277 }
278
279 if (!*(meth->enabled)) {
280 verbose("%s authentication disabled.", meth->name);
281 goto skip;
282 }
283
284 authenticated = meth->method(authctxt, info, sizeof(info));
285 if (authenticated == -1)
286 continue; /* "postponed" */
287
288 #ifdef BSD_AUTH
289 if (authctxt->as) {
290 auth_close(authctxt->as);
291 authctxt->as = NULL;
292 }
293 #endif
294 if (!authctxt->valid && authenticated)
295 fatal("INTERNAL ERROR: authenticated invalid user %s",
296 authctxt->user);
297
298 #ifdef _UNICOS
299 if (authenticated && cray_access_denied(authctxt->user)) {
300 authenticated = 0;
301 fatal("Access denied for user %s.",authctxt->user);
302 }
303 #endif /* _UNICOS */
304
305 #ifdef HAVE_CYGWIN
306 if (authenticated &&
307 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
308 authctxt->pw)) {
309 packet_disconnect("Authentication rejected for uid %d.",
310 authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
311 authenticated = 0;
312 }
313 #else
314 /* Special handling for root */
315 if (authenticated && authctxt->pw->pw_uid == 0 &&
316 !auth_root_allowed(meth->name)) {
317 authenticated = 0;
318 # ifdef SSH_AUDIT_EVENTS
319 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
320 # endif
321 }
322 #endif
323
324 #ifdef USE_PAM
325 if (options.use_pam && authenticated &&
326 !PRIVSEP(do_pam_account())) {
327 char *msg;
328 size_t len;
329
330 error("Access denied for user %s by PAM account "
331 "configuration", authctxt->user);
332 len = buffer_len(&loginmsg);
333 buffer_append(&loginmsg, "\0", 1);
334 msg = buffer_ptr(&loginmsg);
335 /* strip trailing newlines */
336 if (len > 0)
337 while (len > 0 && msg[--len] == '\n')
338 msg[len] = '\0';
339 else
340 msg = "Access denied.";
341 packet_disconnect(msg);
342 }
343 #endif
344
345 skip:
346 /* Log before sending the reply */
347 auth_log(authctxt, authenticated, get_authname(type), info);
348
349 if (client_user != NULL) {
350 xfree(client_user);
351 client_user = NULL;
352 }
353
354 if (authenticated)
355 return;
356
357 if (authctxt->failures++ > options.max_authtries) {
358 #ifdef SSH_AUDIT_EVENTS
359 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
360 #endif
361 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
362 }
363
364 packet_start(SSH_SMSG_FAILURE);
365 packet_send();
366 packet_write_wait();
367 }
368 }
369
370 /*
371 * Performs authentication of an incoming connection. Session key has already
372 * been exchanged and encryption is enabled.
373 */
374 void
375 do_authentication(Authctxt *authctxt)
376 {
377 u_int ulen;
378 char *user, *style = NULL;
379
380 /* Get the name of the user that we wish to log in as. */
381 packet_read_expect(SSH_CMSG_USER);
382
383 /* Get the user name. */
384 user = packet_get_string(&ulen);
385 packet_check_eom();
386
387 if ((style = strchr(user, ':')) != NULL)
388 *style++ = '\0';
389
390 authctxt->user = user;
391 authctxt->style = style;
392
393 /* Verify that the user is a valid user. */
394 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
395 authctxt->valid = 1;
396 else {
397 debug("do_authentication: invalid user %s", user);
398 authctxt->pw = fakepw();
399 }
400
401 setproctitle("%s%s", authctxt->valid ? user : "unknown",
402 use_privsep ? " [net]" : "");
403
404 #ifdef USE_PAM
405 if (options.use_pam)
406 PRIVSEP(start_pam(authctxt));
407 #endif
408
409 /*
410 * If we are not running as root, the user must have the same uid as
411 * the server.
412 */
413 #ifndef HAVE_CYGWIN
414 if (!use_privsep && getuid() != 0 && authctxt->pw &&
415 authctxt->pw->pw_uid != getuid())
416 packet_disconnect("Cannot change user when server not running as root.");
417 #endif
418
419 /*
420 * Loop until the user has been authenticated or the connection is
421 * closed, do_authloop() returns only if authentication is successful
422 */
423 do_authloop(authctxt);
424
425 /* The user has been authenticated and accepted. */
426 packet_start(SSH_SMSG_SUCCESS);
427 packet_send();
428 packet_write_wait();
429 }
A clone of openssh git repository