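/* $NetBSD: auth2-methods.c,v 1.2 2024/07/08 22:33:43 christos Exp $ */

/*
 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"
__RCSID("$NetBSD: auth2-methods.c,v 1.2 2024/07/08 22:33:43 christos Exp $");

#include <sys/types.h>

#include <stdlib.h>
#include <string.h>

#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "xmalloc.h"
#include "hostfile.h"
#include "auth.h"

extern ServerOptions options;

/*
 * Configuration of enabled authentication methods. Separate from the rest of
 * auth2-*.c because we want to query it during server configuration validity
 * checking in the sshd listener process without pulling all the auth code in
 * too.
 *
 * Each methodcfg_* record pairs a method name with a pointer to the
 * ServerOptions flag that enables it.  The records are deliberately not
 * static: they are referenced from other translation units (presumably the
 * per-method Authmethod definitions -- see auth.h for struct authmethod_cfg).
 * The second initializer is an alternate name for the method (NULL when the
 * method has only one name).
 */

/* "none" is allowed only one time and it is cleared by userauth_none() later */
int none_enabled = 1;
struct authmethod_cfg methodcfg_none = {
	"none",
	NULL,
	&none_enabled
};
struct authmethod_cfg methodcfg_pubkey = {
	"publickey",
	"publickey-hostbound-v00@openssh.com",
	&options.pubkey_authentication
};
#ifdef GSSAPI
struct authmethod_cfg methodcfg_gssapi = {
	"gssapi-with-mic",
	NULL,
	&options.gss_authentication
};
#endif
#ifdef KRB5
struct authmethod_cfg methodcfg_krb5 = {
	"kerberos-2@ssh.com",
	NULL,
	&options.kerberos_authentication
};
#endif
struct authmethod_cfg methodcfg_passwd = {
	"password",
	NULL,
	&options.password_authentication
};
struct authmethod_cfg methodcfg_kbdint = {
	"keyboard-interactive",
	NULL,
	&options.kbd_interactive_authentication
};
struct authmethod_cfg methodcfg_hostbased = {
	"hostbased",
	NULL,
	&options.hostbased_authentication
};

/*
 * Table consulted by auth2_methods_valid().  A method that is not listed
 * here is rejected as "Unknown" when it appears in AuthenticationMethods,
 * so every methodcfg_* defined above must be registered.
 *
 * NOTE(review): methodcfg_krb5 was defined above but previously missing from
 * this table, so a KRB5 build could not name "kerberos-2@ssh.com" in
 * AuthenticationMethods; it is registered here under the same #ifdef.
 */
static struct authmethod_cfg *authmethod_cfgs[] = {
	&methodcfg_none,
	&methodcfg_pubkey,
#ifdef GSSAPI
	&methodcfg_gssapi,
#endif
#ifdef KRB5
	&methodcfg_krb5,
#endif
	&methodcfg_passwd,
	&methodcfg_kbdint,
	&methodcfg_hostbased,
	NULL
};

/*
 * Check a comma-separated list of methods for validity. If need_enable is
 * non-zero, then also require that the methods are enabled.
 *
 * _methods:    the list as written in the configuration, e.g.
 *              "publickey,password".  Only the part of each element before
 *              an optional ':' is matched against the method name; any
 *              suffix is ignored here.  The string is not modified (a
 *              private copy is parsed).
 * need_enable: when non-zero, each method must also have its enable flag
 *              set (or a non-NULL flag pointer at all).
 *
 * Returns 0 on success or -1 if the methods list is invalid (empty, NULL,
 * contains an unknown method, or contains a disabled method when
 * need_enable is set).  Diagnostics are reported via error().
 */
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *methods, *omethods, *method, *p;
	u_int i;
	int ret = -1;
	const struct authmethod_cfg *cfg;

	if (_methods == NULL || *_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	/* strsep() writes into its argument, so parse a private copy. */
	omethods = methods = xstrdup(_methods);
	while ((method = strsep(&methods, ",")) != NULL) {
		/*
		 * Only the bare method name participates in matching; cut
		 * off anything from the first ':' onwards.  Hoisted out of
		 * the table scan since it does not depend on the entry.
		 */
		if ((p = strchr(method, ':')) != NULL)
			*p = '\0';
		for (i = 0; (cfg = authmethod_cfgs[i]) != NULL; i++) {
			if (strcmp(method, cfg->name) == 0)
				break;
		}
		/* cfg is NULL iff the scan hit the table's terminator. */
		if (cfg == NULL) {
			error("Unknown authentication method \"%s\" in list",
			    method);
			goto out;
		}
		if (need_enable &&
		    (cfg->enabled == NULL || *(cfg->enabled) == 0)) {
			error("Disabled method \"%s\" in "
			    "AuthenticationMethods list \"%s\"",
			    method, _methods);
			goto out;
		}
	}
	ret = 0;
 out:
	free(omethods);
	return ret;
}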