crypto/openssh/auth2.c
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||||
*/ | */ | ||||
#include "includes.h" | #include "includes.h" | ||||
__RCSID("$FreeBSD$"); | |||||
#include <sys/types.h> | #include <sys/types.h> | ||||
#include <sys/stat.h> | #include <sys/stat.h> | ||||
#include <sys/uio.h> | #include <sys/uio.h> | ||||
#include <fcntl.h> | #include <fcntl.h> | ||||
#include <limits.h> | #include <limits.h> | ||||
#include <pwd.h> | #include <pwd.h> | ||||
#include "compat.h" | #include "compat.h" | ||||
#include "sshkey.h" | #include "sshkey.h" | ||||
#include "hostfile.h" | #include "hostfile.h" | ||||
#include "auth.h" | #include "auth.h" | ||||
#include "dispatch.h" | #include "dispatch.h" | ||||
#include "pathnames.h" | #include "pathnames.h" | ||||
#include "sshbuf.h" | #include "sshbuf.h" | ||||
#include "ssherr.h" | #include "ssherr.h" | ||||
#include "blacklist_client.h" | |||||
#ifdef GSSAPI | #ifdef GSSAPI | ||||
#include "ssh-gss.h" | #include "ssh-gss.h" | ||||
#endif | #endif | ||||
#include "monitor_wrap.h" | #include "monitor_wrap.h" | ||||
#include "ssherr.h" | #include "ssherr.h" | ||||
#include "digest.h" | #include "digest.h" | ||||
static int | static int | ||||
input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | ||||
{ | { | ||||
Authctxt *authctxt = ssh->authctxt; | Authctxt *authctxt = ssh->authctxt; | ||||
Authmethod *m = NULL; | Authmethod *m = NULL; | ||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL; | char *user = NULL, *service = NULL, *method = NULL, *style = NULL; | ||||
int r, authenticated = 0; | int r, authenticated = 0; | ||||
double tstart = monotime_double(); | double tstart = monotime_double(); | ||||
#ifdef HAVE_LOGIN_CAP | |||||
login_cap_t *lc; | |||||
const char *from_host, *from_ip; | |||||
#endif | |||||
if (authctxt == NULL) | if (authctxt == NULL) | ||||
fatal("input_userauth_request: no authctxt"); | fatal("input_userauth_request: no authctxt"); | ||||
if ((r = sshpkt_get_cstring(ssh, &user, NULL)) != 0 || | if ((r = sshpkt_get_cstring(ssh, &user, NULL)) != 0 || | ||||
(r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 || | (r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 || | ||||
(r = sshpkt_get_cstring(ssh, &method, NULL)) != 0) | (r = sshpkt_get_cstring(ssh, &method, NULL)) != 0) | ||||
goto out; | goto out; | ||||
Show All 35 Lines | if (auth2_setup_methods_lists(authctxt) != 0) | ||||
ssh_packet_disconnect(ssh, | ssh_packet_disconnect(ssh, | ||||
"no authentication methods enabled"); | "no authentication methods enabled"); | ||||
} else if (strcmp(user, authctxt->user) != 0 || | } else if (strcmp(user, authctxt->user) != 0 || | ||||
strcmp(service, authctxt->service) != 0) { | strcmp(service, authctxt->service) != 0) { | ||||
ssh_packet_disconnect(ssh, "Change of username or service " | ssh_packet_disconnect(ssh, "Change of username or service " | ||||
"not allowed: (%s,%s) -> (%s,%s)", | "not allowed: (%s,%s) -> (%s,%s)", | ||||
authctxt->user, authctxt->service, user, service); | authctxt->user, authctxt->service, user, service); | ||||
} | } | ||||
#ifdef HAVE_LOGIN_CAP | |||||
if (authctxt->pw != NULL && | |||||
(lc = PRIVSEP(login_getpwclass(authctxt->pw))) != NULL) { | |||||
from_host = auth_get_canonical_hostname(ssh, options.use_dns); | |||||
from_ip = ssh_remote_ipaddr(ssh); | |||||
if (!auth_hostok(lc, from_host, from_ip)) { | |||||
logit("Denied connection for %.200s from %.200s [%.200s].", | |||||
authctxt->pw->pw_name, from_host, from_ip); | |||||
ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); | |||||
} | |||||
if (!auth_timeok(lc, time(NULL))) { | |||||
logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", | |||||
authctxt->pw->pw_name, from_host); | |||||
ssh_packet_disconnect(ssh, "Logins not available right now."); | |||||
} | |||||
PRIVSEP(login_close(lc)); | |||||
} | |||||
#endif /* HAVE_LOGIN_CAP */ | |||||
/* reset state */ | /* reset state */ | ||||
auth2_challenge_stop(ssh); | auth2_challenge_stop(ssh); | ||||
#ifdef GSSAPI | #ifdef GSSAPI | ||||
/* XXX move to auth2_gssapi_stop() */ | /* XXX move to auth2_gssapi_stop() */ | ||||
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | ||||
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | ||||
#endif | #endif | ||||
▲ Show 20 Lines • Show All 91 Lines • ▼ Show 20 Lines | if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_SUCCESS)) != 0 || | ||||
(r = ssh_packet_write_wait(ssh)) != 0) | (r = ssh_packet_write_wait(ssh)) != 0) | ||||
fatal("%s: %s", __func__, ssh_err(r)); | fatal("%s: %s", __func__, ssh_err(r)); | ||||
/* now we can break out */ | /* now we can break out */ | ||||
authctxt->success = 1; | authctxt->success = 1; | ||||
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); | ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); | ||||
} else { | } else { | ||||
/* Allow initial try of "none" auth without failure penalty */ | /* Allow initial try of "none" auth without failure penalty */ | ||||
if (!partial && !authctxt->server_caused_failure && | if (!partial && !authctxt->server_caused_failure && | ||||
(authctxt->attempt > 1 || strcmp(method, "none") != 0)) | (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { | ||||
authctxt->failures++; | authctxt->failures++; | ||||
BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh"); | |||||
} | |||||
if (authctxt->failures >= options.max_authtries) { | if (authctxt->failures >= options.max_authtries) { | ||||
#ifdef SSH_AUDIT_EVENTS | #ifdef SSH_AUDIT_EVENTS | ||||
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); | PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); | ||||
#endif | #endif | ||||
auth_maxtries_exceeded(ssh); | auth_maxtries_exceeded(ssh); | ||||
} | } | ||||
methods = authmethods_get(authctxt); | methods = authmethods_get(authctxt); | ||||
debug3("%s: failure partial=%d next methods=\"%s\"", __func__, | debug3("%s: failure partial=%d next methods=\"%s\"", __func__, | ||||