crypto/openssh/auth.c
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||||
*/ | */ | ||||
#include "includes.h" | #include "includes.h" | ||||
__RCSID("$FreeBSD$"); | |||||
#include <sys/types.h> | #include <sys/types.h> | ||||
#include <sys/stat.h> | #include <sys/stat.h> | ||||
#include <sys/socket.h> | #include <sys/socket.h> | ||||
#include <sys/wait.h> | #include <sys/wait.h> | ||||
#include <netinet/in.h> | #include <netinet/in.h> | ||||
#include "ssh-gss.h" | #include "ssh-gss.h" | ||||
#endif | #endif | ||||
#include "authfile.h" | #include "authfile.h" | ||||
#include "monitor_wrap.h" | #include "monitor_wrap.h" | ||||
#include "authfile.h" | #include "authfile.h" | ||||
#include "ssherr.h" | #include "ssherr.h" | ||||
#include "compat.h" | #include "compat.h" | ||||
#include "channels.h" | #include "channels.h" | ||||
#include "blacklist_client.h" | |||||
/* import */ | /* import */ | ||||
extern ServerOptions options; | extern ServerOptions options; | ||||
extern int use_privsep; | extern int use_privsep; | ||||
extern struct sshbuf *loginmsg; | extern struct sshbuf *loginmsg; | ||||
extern struct passwd *privsep_pw; | extern struct passwd *privsep_pw; | ||||
extern struct sshauthopt *auth_opts; | extern struct sshauthopt *auth_opts; | ||||
▲ Show 20 Lines • Show All 238 Lines • ▼ Show 20 Lines | if (authenticated == 1 || | ||||
authctxt->failures >= options.max_authtries / 2 || | authctxt->failures >= options.max_authtries / 2 || | ||||
strcmp(method, "password") == 0) | strcmp(method, "password") == 0) | ||||
level = SYSLOG_LEVEL_INFO; | level = SYSLOG_LEVEL_INFO; | ||||
if (authctxt->postponed) | if (authctxt->postponed) | ||||
authmsg = "Postponed"; | authmsg = "Postponed"; | ||||
else if (partial) | else if (partial) | ||||
authmsg = "Partial"; | authmsg = "Partial"; | ||||
else | else { | ||||
authmsg = authenticated ? "Accepted" : "Failed"; | authmsg = authenticated ? "Accepted" : "Failed"; | ||||
if (authenticated) | |||||
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh"); | |||||
} | |||||
if ((extra = format_method_key(authctxt)) == NULL) { | if ((extra = format_method_key(authctxt)) == NULL) { | ||||
if (authctxt->auth_method_info != NULL) | if (authctxt->auth_method_info != NULL) | ||||
extra = xstrdup(authctxt->auth_method_info); | extra = xstrdup(authctxt->auth_method_info); | ||||
} | } | ||||
do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", | do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", | ||||
authmsg, | authmsg, | ||||
#endif | #endif | ||||
pw = getpwnam(user); | pw = getpwnam(user); | ||||
#if defined(_AIX) && defined(HAVE_SETAUTHDB) | #if defined(_AIX) && defined(HAVE_SETAUTHDB) | ||||
aix_restoreauthdb(); | aix_restoreauthdb(); | ||||
#endif | #endif | ||||
if (pw == NULL) { | if (pw == NULL) { | ||||
BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user); | |||||
logit("Invalid user %.100s from %.100s port %d", | logit("Invalid user %.100s from %.100s port %d", | ||||
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); | user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); | ||||
#ifdef CUSTOM_FAILED_LOGIN | #ifdef CUSTOM_FAILED_LOGIN | ||||
record_failed_login(ssh, user, | record_failed_login(ssh, user, | ||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); | auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); | ||||
#endif | #endif | ||||
#ifdef SSH_AUDIT_EVENTS | #ifdef SSH_AUDIT_EVENTS | ||||
audit_event(ssh, SSH_INVALID_USER); | audit_event(ssh, SSH_INVALID_USER); | ||||
#endif /* SSH_AUDIT_EVENTS */ | #endif /* SSH_AUDIT_EVENTS */ | ||||
return (NULL); | return (NULL); | ||||
} | } | ||||
if (!allowed_user(ssh, pw)) | if (!allowed_user(ssh, pw)) | ||||
return (NULL); | return (NULL); | ||||
#ifdef HAVE_LOGIN_CAP | #ifdef HAVE_LOGIN_CAP | ||||
if ((lc = login_getclass(pw->pw_class)) == NULL) { | if ((lc = login_getpwclass(pw)) == NULL) { | ||||
emaste: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=37416
This change should really be made… | |||||
emaste: `login_getpwclass` now upstream
debug("unable to get login class: %s", user); | debug("unable to get login class: %s", user); | ||||
return (NULL); | return (NULL); | ||||
} | } | ||||
#ifdef BSD_AUTH | #ifdef BSD_AUTH | ||||
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || | if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || | ||||
auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { | auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { | ||||
debug("Approval failure for %s", user); | debug("Approval failure for %s", user); | ||||
pw = NULL; | pw = NULL; | ||||
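Review bot: The `BLACKLIST_NOTIFY` added on the `pw == NULL` path passes the client-supplied `user` string as the notification message, whereas the call added in the `auth_log` hunk above passes the fixed literal `"ssh"`; the username is untrusted and unbounded at this point, while the neighbouring `logit` deliberately caps it with `%.100s`. Unless `blacklist_client.h`/libblacklist is known to bound and sanitise the message, passing the same fixed tag as the other call, `BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, "ssh");`, keeps the two sites consistent and keeps attacker-chosen text out of the daemon-bound message; if the raw name is wanted for blacklistd's records, a one-line comment saying so would help the next reader. The enclosing function starts and ends outside the visible hunk, so I cannot tell whether a failure-side notification is issued elsewhere for this path.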
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=37416
This change should really be made upstream, although I think OpenBSD may not have login_getpwclass so we will need an autoconf test and then something like