auth2.c
/* $OpenBSD: auth2.c,v 1.155 2019/03/25 22:34:52 djm Exp $ */ | /* $OpenBSD: auth2.c,v 1.158 2020/03/06 18:16:21 markus Exp $ */ | ||||
/* | /* | ||||
* Copyright (c) 2000 Markus Friedl. All rights reserved. | * Copyright (c) 2000 Markus Friedl. All rights reserved. | ||||
* | * | ||||
* Redistribution and use in source and binary forms, with or without | * Redistribution and use in source and binary forms, with or without | ||||
* modification, are permitted provided that the following conditions | * modification, are permitted provided that the following conditions | ||||
* are met: | * are met: | ||||
* 1. Redistributions of source code must retain the above copyright | * 1. Redistributions of source code must retain the above copyright | ||||
* notice, this list of conditions and the following disclaimer. | * notice, this list of conditions and the following disclaimer. | ||||
#include <fcntl.h> | #include <fcntl.h> | ||||
#include <limits.h> | #include <limits.h> | ||||
#include <pwd.h> | #include <pwd.h> | ||||
#include <stdarg.h> | #include <stdarg.h> | ||||
#include <string.h> | #include <string.h> | ||||
#include <unistd.h> | #include <unistd.h> | ||||
#include <time.h> | #include <time.h> | ||||
#include "stdlib.h" | |||||
#include "atomicio.h" | #include "atomicio.h" | ||||
#include "xmalloc.h" | #include "xmalloc.h" | ||||
#include "ssh2.h" | #include "ssh2.h" | ||||
#include "packet.h" | #include "packet.h" | ||||
#include "log.h" | #include "log.h" | ||||
#include "sshbuf.h" | #include "sshbuf.h" | ||||
#include "misc.h" | #include "misc.h" | ||||
#include "servconf.h" | #include "servconf.h" | ||||
#include "compat.h" | #include "compat.h" | ||||
#include "sshkey.h" | #include "sshkey.h" | ||||
#include "hostfile.h" | #include "hostfile.h" | ||||
#include "auth.h" | #include "auth.h" | ||||
#include "dispatch.h" | #include "dispatch.h" | ||||
#include "pathnames.h" | #include "pathnames.h" | ||||
#include "sshbuf.h" | |||||
#include "ssherr.h" | #include "ssherr.h" | ||||
#ifdef GSSAPI | #ifdef GSSAPI | ||||
#include "ssh-gss.h" | #include "ssh-gss.h" | ||||
#endif | #endif | ||||
#include "monitor_wrap.h" | #include "monitor_wrap.h" | ||||
#include "ssherr.h" | |||||
#include "digest.h" | #include "digest.h" | ||||
/* import */ | /* import */ | ||||
extern ServerOptions options; | extern ServerOptions options; | ||||
extern u_char *session_id2; | extern u_char *session_id2; | ||||
extern u_int session_id2_len; | extern u_int session_id2_len; | ||||
extern struct sshbuf *loginmsg; | extern struct sshbuf *loginmsg; | ||||
▲ Show 20 Lines • Show All 144 Lines • ▼ Show 20 Lines | if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_ACCEPT)) != 0 || | ||||
goto out; | goto out; | ||||
} else { | } else { | ||||
debug("bad service request %s", service); | debug("bad service request %s", service); | ||||
ssh_packet_disconnect(ssh, "bad service request %s", service); | ssh_packet_disconnect(ssh, "bad service request %s", service); | ||||
} | } | ||||
r = 0; | r = 0; | ||||
out: | out: | ||||
free(service); | free(service); | ||||
return 0; | return r; | ||||
} | } | ||||
#define MIN_FAIL_DELAY_SECONDS 0.005 | #define MIN_FAIL_DELAY_SECONDS 0.005 | ||||
static double | static double | ||||
user_specific_delay(const char *user) | user_specific_delay(const char *user) | ||||
{ | { | ||||
char b[512]; | char b[512]; | ||||
size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512); | size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512); | ||||
▲ Show 20 Lines • Show All 156 Lines • ▼ Show 20 Lines | #endif | ||||
if (authenticated || partial) | if (authenticated || partial) | ||||
auth2_update_session_info(authctxt, method, submethod); | auth2_update_session_info(authctxt, method, submethod); | ||||
if (authctxt->postponed) | if (authctxt->postponed) | ||||
return; | return; | ||||
#ifdef USE_PAM | #ifdef USE_PAM | ||||
if (options.use_pam && authenticated) { | if (options.use_pam && authenticated) { | ||||
int r; | int r, success = PRIVSEP(do_pam_account()); | ||||
if (!PRIVSEP(do_pam_account())) { | /* If PAM returned a message, send it to the user. */ | ||||
/* if PAM returned a message, send it to the user */ | |||||
if (sshbuf_len(loginmsg) > 0) { | if (sshbuf_len(loginmsg) > 0) { | ||||
if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0) | if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0) | ||||
fatal("%s: buffer error: %s", | fatal("%s: buffer error: %s", | ||||
__func__, ssh_err(r)); | __func__, ssh_err(r)); | ||||
userauth_send_banner(ssh, sshbuf_ptr(loginmsg)); | userauth_send_banner(ssh, sshbuf_ptr(loginmsg)); | ||||
if ((r = ssh_packet_write_wait(ssh)) != 0) { | if ((r = ssh_packet_write_wait(ssh)) != 0) { | ||||
sshpkt_fatal(ssh, r, | sshpkt_fatal(ssh, r, | ||||
"%s: send PAM banner", __func__); | "%s: send PAM banner", __func__); | ||||
} | } | ||||
} | } | ||||
if (!success) { | |||||
fatal("Access denied for user %s by PAM account " | fatal("Access denied for user %s by PAM account " | ||||
"configuration", authctxt->user); | "configuration", authctxt->user); | ||||
} | } | ||||
} | } | ||||
#endif | #endif | ||||
if (authenticated == 1) { | if (authenticated == 1) { | ||||
/* turn off userauth */ | /* turn off userauth */ | ||||
▲ Show 20 Lines • Show All 295 Lines • ▼ Show 20 Lines | auth2_record_info(Authctxt *authctxt, const char *fmt, ...) | ||||
free(authctxt->auth_method_info); | free(authctxt->auth_method_info); | ||||
authctxt->auth_method_info = NULL; | authctxt->auth_method_info = NULL; | ||||
va_start(ap, fmt); | va_start(ap, fmt); | ||||
i = vasprintf(&authctxt->auth_method_info, fmt, ap); | i = vasprintf(&authctxt->auth_method_info, fmt, ap); | ||||
va_end(ap); | va_end(ap); | ||||
if (i < 0 || authctxt->auth_method_info == NULL) | if (i == -1) | ||||
fatal("%s: vasprintf failed", __func__); | fatal("%s: vasprintf failed", __func__); | ||||
} | } | ||||
/* | /* | ||||
* Records a public key used in authentication. This is used for logging | * Records a public key used in authentication. This is used for logging | ||||
* and to ensure that the same key is not subsequently accepted again for | * and to ensure that the same key is not subsequently accepted again for | ||||
* multiple authentication. | * multiple authentication. | ||||
*/ | */ | ||||
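Review bot: On the success path the PAM message is now sent as a banner but loginmsg is left holding it, including the NUL appended by `sshbuf_put(loginmsg, "\0", 1)`; before this change that branch always ended in fatal(), so the buffer's state afterwards did not matter. If the session code later displays or appends to loginmsg (I believe session.c does at login time), the user is likely to see the message twice, and anything appended after the embedded NUL would be cut off when printed as a C string. Consider `sshbuf_reset(loginmsg);` right after the `ssh_packet_write_wait(ssh)` check, inside the `if (sshbuf_len(loginmsg) > 0)` block, so the message is consumed by the send. The enclosing function (userauth_finish, judging by the authctxt/method fields) starts and ends outside the hunk.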