auth2.c revision 1.9
1 1.8 christos /* $NetBSD: auth2.c,v 1.9 2014/10/19 16:30:58 christos Exp $ */ 2 1.9 christos /* $OpenBSD: auth2.c,v 1.132 2014/07/15 15:54:14 millert Exp $ */ 3 1.1 christos /* 4 1.1 christos * Copyright (c) 2000 Markus Friedl. All rights reserved. 5 1.1 christos * 6 1.1 christos * Redistribution and use in source and binary forms, with or without 7 1.1 christos * modification, are permitted provided that the following conditions 8 1.1 christos * are met: 9 1.1 christos * 1. Redistributions of source code must retain the above copyright 10 1.1 christos * notice, this list of conditions and the following disclaimer. 11 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright 12 1.1 christos * notice, this list of conditions and the following disclaimer in the 13 1.1 christos * documentation and/or other materials provided with the distribution. 14 1.1 christos * 15 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 1.1 christos * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 1.1 christos * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 1.1 christos * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 1.1 christos * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 1.1 christos * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 1.1 christos * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 1.1 christos * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 1.1 christos * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 1.1 christos * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 1.1 christos */ 26 1.1 christos 27 1.2 christos #include "includes.h" 28 1.8 christos __RCSID("$NetBSD: auth2.c,v 1.9 2014/10/19 16:30:58 christos Exp $"); 29 1.1 christos #include <sys/types.h> 30 1.1 christos #include <sys/stat.h> 31 1.1 christos #include <sys/uio.h> 32 1.1 christos 33 1.1 christos #include <fcntl.h> 34 1.1 christos #include <pwd.h> 35 1.3 christos #include <stdarg.h> 36 1.1 christos #include <string.h> 37 1.1 christos #include <unistd.h> 38 1.1 christos 39 1.1 christos #include "atomicio.h" 40 1.1 christos #include "xmalloc.h" 41 1.1 christos #include "ssh2.h" 42 1.1 christos #include "packet.h" 43 1.1 christos #include "log.h" 44 1.1 christos #include "buffer.h" 45 1.9 christos #include "misc.h" 46 1.1 christos #include "servconf.h" 47 1.1 christos #include "compat.h" 48 1.1 christos #include "key.h" 49 1.1 christos #include "hostfile.h" 50 1.1 christos #include "auth.h" 51 1.1 christos #include "dispatch.h" 52 1.1 christos #include "pathnames.h" 53 1.2 christos #include "buffer.h" 54 1.2 christos #include "canohost.h" 55 1.2 christos 56 1.1 christos #ifdef GSSAPI 57 1.1 christos #include "ssh-gss.h" 58 1.1 christos #endif 59 1.2 christos 60 1.1 christos #include "monitor_wrap.h" 61 1.1 christos 62 1.1 christos /* import */ 63 1.1 christos extern ServerOptions options; 64 1.1 christos extern u_char *session_id2; 65 1.1 christos extern u_int session_id2_len; 66 1.2 christos extern Buffer loginmsg; 67 1.1 christos 68 1.1 christos /* methods */ 69 1.1 christos 70 1.1 christos extern Authmethod method_none; 71 1.1 christos extern Authmethod method_pubkey; 72 1.1 christos extern Authmethod method_passwd; 73 1.1 christos extern Authmethod method_kbdint; 74 1.1 christos extern Authmethod method_hostbased; 75 1.2 christos #ifdef KRB5 76 1.2 christos extern Authmethod method_kerberos; 77 1.2 christos #endif 78 1.1 christos #ifdef GSSAPI 79 1.1 christos extern Authmethod method_gssapi; 80 1.1 christos #endif 81 1.1 christos 82 1.2 christos static int log_flag = 0; 83 1.2 christos 84 1.1 christos Authmethod *authmethods[] = { 85 1.1 christos &method_none, 86 1.1 christos &method_pubkey, 87 1.1 christos #ifdef GSSAPI 88 1.1 christos &method_gssapi, 89 1.1 christos #endif 90 1.1 christos &method_passwd, 91 1.1 christos &method_kbdint, 92 1.1 christos &method_hostbased, 93 1.2 christos #ifdef KRB5 94 1.2 christos &method_kerberos, 95 1.2 christos #endif 96 1.1 christos NULL 97 1.1 christos }; 98 1.1 christos 99 1.1 christos /* protocol */ 100 1.1 christos 101 1.1 christos static void input_service_request(int, u_int32_t, void *); 102 1.1 christos static void input_userauth_request(int, u_int32_t, void *); 103 1.1 christos 104 1.1 christos /* helper */ 105 1.7 christos static Authmethod *authmethod_lookup(Authctxt *, const char *); 106 1.7 christos static char *authmethods_get(Authctxt *authctxt); 107 1.8 christos 108 1.8 christos #define MATCH_NONE 0 /* method or submethod mismatch */ 109 1.8 christos #define MATCH_METHOD 1 /* method matches (no submethod specified) */ 110 1.8 christos #define MATCH_BOTH 2 /* method and submethod match */ 111 1.8 christos #define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */ 112 1.8 christos static int list_starts_with(const char *, const char *, const char *); 113 1.1 christos 114 1.1 christos char * 115 1.1 christos auth2_read_banner(void) 116 1.1 christos { 117 1.1 christos struct stat st; 118 1.1 christos char *banner = NULL; 119 1.1 christos size_t len, n; 120 1.1 christos int fd; 121 1.1 christos 122 1.1 christos if ((fd = open(options.banner, O_RDONLY)) == -1) 123 1.1 christos return (NULL); 124 1.1 christos if (fstat(fd, &st) == -1) { 125 1.1 christos close(fd); 126 1.1 christos return (NULL); 127 1.1 christos } 128 1.6 christos if (st.st_size <= 0 || st.st_size > 1*1024*1024) { 129 1.1 christos close(fd); 130 1.1 christos return (NULL); 131 1.1 christos } 132 1.1 christos 133 1.1 christos len = (size_t)st.st_size; /* truncate */ 134 1.1 christos banner = xmalloc(len + 1); 135 1.1 christos n = atomicio(read, fd, banner, len); 136 1.1 christos close(fd); 137 1.1 christos 138 1.1 christos if (n != len) { 139 1.8 christos free(banner); 140 1.1 christos return (NULL); 141 1.1 christos } 142 1.1 christos banner[n] = '\0'; 143 1.1 christos 144 1.1 christos return (banner); 145 1.1 christos } 146 1.1 christos 147 1.7 christos static void 148 1.2 christos userauth_send_banner(const char *msg) 149 1.2 christos { 150 1.2 christos if (datafellows & SSH_BUG_BANNER) 151 1.2 christos return; 152 1.2 christos 153 1.2 christos packet_start(SSH2_MSG_USERAUTH_BANNER); 154 1.2 christos packet_put_cstring(msg); 155 1.2 christos packet_put_cstring(""); /* language, unused */ 156 1.2 christos packet_send(); 157 1.2 christos debug("%s: sent", __func__); 158 1.2 christos } 159 1.2 christos 160 1.1 christos static void 161 1.1 christos userauth_banner(void) 162 1.1 christos { 163 1.1 christos char *banner = NULL; 164 1.1 christos 165 1.1 christos if (options.banner == NULL || 166 1.1 christos strcasecmp(options.banner, "none") == 0 || 167 1.1 christos (datafellows & SSH_BUG_BANNER) != 0) 168 1.1 christos return; 169 1.1 christos 170 1.1 christos if ((banner = PRIVSEP(auth2_read_banner())) == NULL) 171 1.1 christos goto done; 172 1.1 christos 173 1.2 christos userauth_send_banner(banner); 174 1.1 christos done: 175 1.8 christos free(banner); 176 1.1 christos } 177 1.1 christos 178 1.1 christos /* 179 1.1 christos * loop until authctxt->success == TRUE 180 1.1 christos */ 181 1.1 christos void 182 1.1 christos do_authentication2(Authctxt *authctxt) 183 1.1 christos { 184 1.1 christos dispatch_init(&dispatch_protocol_error); 185 1.1 christos dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 186 1.1 christos dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 187 1.1 christos } 188 1.1 christos 189 1.1 christos /*ARGSUSED*/ 190 1.1 christos static void 191 1.1 christos input_service_request(int type, u_int32_t seq, void *ctxt) 192 1.1 christos { 193 1.1 christos Authctxt *authctxt = ctxt; 194 1.1 christos u_int len; 195 1.1 christos int acceptit = 0; 196 1.4 christos char *service = packet_get_cstring(&len); 197 1.1 christos packet_check_eom(); 198 1.1 christos 199 1.1 christos if (authctxt == NULL) 200 1.1 christos fatal("input_service_request: no authctxt"); 201 1.1 christos 202 1.1 christos if (strcmp(service, "ssh-userauth") == 0) { 203 1.1 christos if (!authctxt->success) { 204 1.1 christos acceptit = 1; 205 1.1 christos /* now we can handle user-auth requests */ 206 1.1 christos dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 207 1.1 christos } 208 1.1 christos } 209 1.1 christos /* XXX all other service requests are denied */ 210 1.1 christos 211 1.1 christos if (acceptit) { 212 1.1 christos packet_start(SSH2_MSG_SERVICE_ACCEPT); 213 1.1 christos packet_put_cstring(service); 214 1.1 christos packet_send(); 215 1.1 christos packet_write_wait(); 216 1.1 christos } else { 217 1.1 christos debug("bad service request %s", service); 218 1.1 christos packet_disconnect("bad service request %s", service); 219 1.1 christos } 220 1.8 christos free(service); 221 1.1 christos } 222 1.1 christos 223 1.1 christos /*ARGSUSED*/ 224 1.1 christos static void 225 1.1 christos input_userauth_request(int type, u_int32_t seq, void *ctxt) 226 1.1 christos { 227 1.1 christos Authctxt *authctxt = ctxt; 228 1.1 christos Authmethod *m = NULL; 229 1.1 christos char *user, *service, *method, *style = NULL; 230 1.1 christos int authenticated = 0; 231 1.1 christos 232 1.1 christos if (authctxt == NULL) 233 1.1 christos fatal("input_userauth_request: no authctxt"); 234 1.1 christos 235 1.4 christos user = packet_get_cstring(NULL); 236 1.4 christos service = packet_get_cstring(NULL); 237 1.4 christos method = packet_get_cstring(NULL); 238 1.1 christos debug("userauth-request for user %s service %s method %s", user, service, method); 239 1.2 christos if (!log_flag) { 240 1.2 christos logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", 241 1.2 christos get_remote_ipaddr(), get_remote_port(), user); 242 1.2 christos log_flag = 1; 243 1.2 christos } 244 1.1 christos debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 245 1.1 christos 246 1.1 christos if ((style = strchr(user, ':')) != NULL) 247 1.1 christos *style++ = 0; 248 1.1 christos 249 1.1 christos if (authctxt->attempt++ == 0) { 250 1.1 christos /* setup auth context */ 251 1.1 christos authctxt->pw = PRIVSEP(getpwnamallow(user)); 252 1.2 christos authctxt->user = xstrdup(user); 253 1.1 christos if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 254 1.1 christos authctxt->valid = 1; 255 1.1 christos debug2("input_userauth_request: setting up authctxt for %s", user); 256 1.1 christos } else { 257 1.1 christos logit("input_userauth_request: invalid user %s", user); 258 1.1 christos authctxt->pw = fakepw(); 259 1.1 christos } 260 1.2 christos #ifdef USE_PAM 261 1.2 christos if (options.use_pam) 262 1.2 christos PRIVSEP(start_pam(authctxt)); 263 1.2 christos #endif 264 1.1 christos setproctitle("%s%s", authctxt->valid ? user : "unknown", 265 1.1 christos use_privsep ? " [net]" : ""); 266 1.1 christos authctxt->service = xstrdup(service); 267 1.1 christos authctxt->style = style ? xstrdup(style) : NULL; 268 1.1 christos if (use_privsep) 269 1.1 christos mm_inform_authserv(service, style); 270 1.1 christos userauth_banner(); 271 1.7 christos if (auth2_setup_methods_lists(authctxt) != 0) 272 1.7 christos packet_disconnect("no authentication methods enabled"); 273 1.1 christos } else if (strcmp(user, authctxt->user) != 0 || 274 1.1 christos strcmp(service, authctxt->service) != 0) { 275 1.1 christos packet_disconnect("Change of username or service not allowed: " 276 1.1 christos "(%s,%s) -> (%s,%s)", 277 1.1 christos authctxt->user, authctxt->service, user, service); 278 1.1 christos } 279 1.1 christos /* reset state */ 280 1.1 christos auth2_challenge_stop(authctxt); 281 1.1 christos 282 1.1 christos #ifdef GSSAPI 283 1.1 christos /* XXX move to auth2_gssapi_stop() */ 284 1.1 christos dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 285 1.1 christos dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 286 1.1 christos #endif 287 1.1 christos 288 1.1 christos authctxt->postponed = 0; 289 1.5 christos authctxt->server_caused_failure = 0; 290 1.1 christos 291 1.1 christos /* try to authenticate user */ 292 1.7 christos m = authmethod_lookup(authctxt, method); 293 1.1 christos if (m != NULL && authctxt->failures < options.max_authtries) { 294 1.1 christos debug2("input_userauth_request: try method %s", method); 295 1.1 christos authenticated = m->userauth(authctxt); 296 1.1 christos } 297 1.7 christos userauth_finish(authctxt, authenticated, method, NULL); 298 1.1 christos 299 1.8 christos free(service); 300 1.8 christos free(user); 301 1.8 christos free(method); 302 1.1 christos } 303 1.1 christos 304 1.1 christos void 305 1.7 christos userauth_finish(Authctxt *authctxt, int authenticated, const char *method, 306 1.7 christos const char *submethod) 307 1.1 christos { 308 1.1 christos char *methods; 309 1.7 christos int partial = 0; 310 1.1 christos 311 1.1 christos if (!authctxt->valid && authenticated) 312 1.1 christos fatal("INTERNAL ERROR: authenticated invalid user %s", 313 1.1 christos authctxt->user); 314 1.7 christos if (authenticated && authctxt->postponed) 315 1.7 christos fatal("INTERNAL ERROR: authenticated and postponed"); 316 1.1 christos 317 1.1 christos /* Special handling for root */ 318 1.1 christos if (authenticated && authctxt->pw->pw_uid == 0 && 319 1.2 christos !auth_root_allowed(method)) { 320 1.1 christos authenticated = 0; 321 1.2 christos #ifdef SSH_AUDIT_EVENTS 322 1.2 christos PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); 323 1.2 christos #endif 324 1.2 christos } 325 1.2 christos 326 1.2 christos #ifdef USE_PAM 327 1.2 christos if (options.use_pam && authenticated) { 328 1.2 christos if (!PRIVSEP(do_pam_account())) { 329 1.2 christos /* if PAM returned a message, send it to the user */ 330 1.2 christos if (buffer_len(&loginmsg) > 0) { 331 1.2 christos buffer_append(&loginmsg, "\0", 1); 332 1.9 christos userauth_send_banner((const char *)buffer_ptr(&loginmsg)); 333 1.2 christos packet_write_wait(); 334 1.2 christos } 335 1.2 christos fatal("Access denied for user %s by PAM account " 336 1.2 christos "configuration", authctxt->user); 337 1.2 christos } 338 1.2 christos } 339 1.2 christos #endif 340 1.1 christos 341 1.7 christos if (authenticated && options.num_auth_methods != 0) { 342 1.8 christos if (!auth2_update_methods_lists(authctxt, method, submethod)) { 343 1.7 christos authenticated = 0; 344 1.7 christos partial = 1; 345 1.7 christos } 346 1.7 christos } 347 1.7 christos 348 1.1 christos /* Log before sending the reply */ 349 1.8 christos auth_log(authctxt, authenticated, partial, method, submethod); 350 1.1 christos 351 1.1 christos if (authctxt->postponed) 352 1.1 christos return; 353 1.1 christos 354 1.1 christos if (authenticated == 1) { 355 1.1 christos /* turn off userauth */ 356 1.1 christos dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 357 1.1 christos packet_start(SSH2_MSG_USERAUTH_SUCCESS); 358 1.1 christos packet_send(); 359 1.1 christos packet_write_wait(); 360 1.1 christos /* now we can break out */ 361 1.1 christos authctxt->success = 1; 362 1.1 christos } else { 363 1.1 christos /* Allow initial try of "none" auth without failure penalty */ 364 1.5 christos if (!authctxt->server_caused_failure && 365 1.5 christos (authctxt->attempt > 1 || strcmp(method, "none") != 0)) 366 1.1 christos authctxt->failures++; 367 1.9 christos if (authctxt->failures >= options.max_authtries) 368 1.9 christos auth_maxtries_exceeded(authctxt); 369 1.7 christos methods = authmethods_get(authctxt); 370 1.7 christos debug3("%s: failure partial=%d next methods=\"%s\"", __func__, 371 1.7 christos partial, methods); 372 1.1 christos packet_start(SSH2_MSG_USERAUTH_FAILURE); 373 1.1 christos packet_put_cstring(methods); 374 1.7 christos packet_put_char(partial); 375 1.1 christos packet_send(); 376 1.1 christos packet_write_wait(); 377 1.8 christos free(methods); 378 1.1 christos } 379 1.1 christos } 380 1.1 christos 381 1.7 christos /* 382 1.7 christos * Checks whether method is allowed by at least one AuthenticationMethods 383 1.7 christos * methods list. Returns 1 if allowed, or no methods lists configured. 384 1.7 christos * 0 otherwise. 385 1.7 christos */ 386 1.8 christos int 387 1.8 christos auth2_method_allowed(Authctxt *authctxt, const char *method, 388 1.8 christos const char *submethod) 389 1.7 christos { 390 1.7 christos u_int i; 391 1.7 christos 392 1.7 christos /* 393 1.7 christos * NB. authctxt->num_auth_methods might be zero as a result of 394 1.7 christos * auth2_setup_methods_lists(), so check the configuration. 395 1.7 christos */ 396 1.7 christos if (options.num_auth_methods == 0) 397 1.7 christos return 1; 398 1.7 christos for (i = 0; i < authctxt->num_auth_methods; i++) { 399 1.8 christos if (list_starts_with(authctxt->auth_methods[i], method, 400 1.8 christos submethod) != MATCH_NONE) 401 1.7 christos return 1; 402 1.7 christos } 403 1.7 christos return 0; 404 1.7 christos } 405 1.7 christos 406 1.1 christos static char * 407 1.7 christos authmethods_get(Authctxt *authctxt) 408 1.1 christos { 409 1.1 christos Buffer b; 410 1.1 christos char *list; 411 1.7 christos u_int i; 412 1.1 christos 413 1.1 christos buffer_init(&b); 414 1.1 christos for (i = 0; authmethods[i] != NULL; i++) { 415 1.1 christos if (strcmp(authmethods[i]->name, "none") == 0) 416 1.1 christos continue; 417 1.7 christos if (authmethods[i]->enabled == NULL || 418 1.7 christos *(authmethods[i]->enabled) == 0) 419 1.7 christos continue; 420 1.8 christos if (!auth2_method_allowed(authctxt, authmethods[i]->name, 421 1.8 christos NULL)) 422 1.7 christos continue; 423 1.7 christos if (buffer_len(&b) > 0) 424 1.7 christos buffer_append(&b, ",", 1); 425 1.7 christos buffer_append(&b, authmethods[i]->name, 426 1.7 christos strlen(authmethods[i]->name)); 427 1.1 christos } 428 1.1 christos buffer_append(&b, "\0", 1); 429 1.9 christos list = xstrdup((const char *)buffer_ptr(&b)); 430 1.1 christos buffer_free(&b); 431 1.1 christos return list; 432 1.1 christos } 433 1.1 christos 434 1.1 christos static Authmethod * 435 1.7 christos authmethod_lookup(Authctxt *authctxt, const char *name) 436 1.1 christos { 437 1.1 christos int i; 438 1.1 christos 439 1.1 christos if (name != NULL) 440 1.1 christos for (i = 0; authmethods[i] != NULL; i++) 441 1.1 christos if (authmethods[i]->enabled != NULL && 442 1.1 christos *(authmethods[i]->enabled) != 0 && 443 1.7 christos strcmp(name, authmethods[i]->name) == 0 && 444 1.8 christos auth2_method_allowed(authctxt, 445 1.8 christos authmethods[i]->name, NULL)) 446 1.1 christos return authmethods[i]; 447 1.1 christos debug2("Unrecognized authentication method name: %s", 448 1.1 christos name ? name : "NULL"); 449 1.1 christos return NULL; 450 1.1 christos } 451 1.1 christos 452 1.7 christos /* 453 1.7 christos * Check a comma-separated list of methods for validity. Is need_enable is 454 1.7 christos * non-zero, then also require that the methods are enabled. 455 1.7 christos * Returns 0 on success or -1 if the methods list is invalid. 456 1.7 christos */ 457 1.7 christos int 458 1.7 christos auth2_methods_valid(const char *_methods, int need_enable) 459 1.7 christos { 460 1.8 christos char *methods, *omethods, *method, *p; 461 1.7 christos u_int i, found; 462 1.7 christos int ret = -1; 463 1.7 christos 464 1.7 christos if (*_methods == '\0') { 465 1.7 christos error("empty authentication method list"); 466 1.7 christos return -1; 467 1.7 christos } 468 1.7 christos omethods = methods = xstrdup(_methods); 469 1.7 christos while ((method = strsep(&methods, ",")) != NULL) { 470 1.7 christos for (found = i = 0; !found && authmethods[i] != NULL; i++) { 471 1.8 christos if ((p = strchr(method, ':')) != NULL) 472 1.8 christos *p = '\0'; 473 1.7 christos if (strcmp(method, authmethods[i]->name) != 0) 474 1.7 christos continue; 475 1.7 christos if (need_enable) { 476 1.7 christos if (authmethods[i]->enabled == NULL || 477 1.7 christos *(authmethods[i]->enabled) == 0) { 478 1.7 christos error("Disabled method \"%s\" in " 479 1.7 christos "AuthenticationMethods list \"%s\"", 480 1.7 christos method, _methods); 481 1.7 christos goto out; 482 1.7 christos } 483 1.7 christos } 484 1.7 christos found = 1; 485 1.7 christos break; 486 1.7 christos } 487 1.7 christos if (!found) { 488 1.7 christos error("Unknown authentication method \"%s\" in list", 489 1.7 christos method); 490 1.7 christos goto out; 491 1.7 christos } 492 1.7 christos } 493 1.7 christos ret = 0; 494 1.7 christos out: 495 1.7 christos free(omethods); 496 1.7 christos return ret; 497 1.7 christos } 498 1.7 christos 499 1.7 christos /* 500 1.7 christos * Prune the AuthenticationMethods supplied in the configuration, removing 501 1.7 christos * any methods lists that include disabled methods. Note that this might 502 1.7 christos * leave authctxt->num_auth_methods == 0, even when multiple required auth 503 1.7 christos * has been requested. For this reason, all tests for whether multiple is 504 1.7 christos * enabled should consult options.num_auth_methods directly. 505 1.7 christos */ 506 1.7 christos int 507 1.7 christos auth2_setup_methods_lists(Authctxt *authctxt) 508 1.7 christos { 509 1.7 christos u_int i; 510 1.7 christos 511 1.7 christos if (options.num_auth_methods == 0) 512 1.7 christos return 0; 513 1.7 christos debug3("%s: checking methods", __func__); 514 1.7 christos authctxt->auth_methods = xcalloc(options.num_auth_methods, 515 1.7 christos sizeof(*authctxt->auth_methods)); 516 1.7 christos authctxt->num_auth_methods = 0; 517 1.7 christos for (i = 0; i < options.num_auth_methods; i++) { 518 1.7 christos if (auth2_methods_valid(options.auth_methods[i], 1) != 0) { 519 1.7 christos logit("Authentication methods list \"%s\" contains " 520 1.7 christos "disabled method, skipping", 521 1.7 christos options.auth_methods[i]); 522 1.7 christos continue; 523 1.7 christos } 524 1.7 christos debug("authentication methods list %d: %s", 525 1.7 christos authctxt->num_auth_methods, options.auth_methods[i]); 526 1.7 christos authctxt->auth_methods[authctxt->num_auth_methods++] = 527 1.7 christos xstrdup(options.auth_methods[i]); 528 1.7 christos } 529 1.7 christos if (authctxt->num_auth_methods == 0) { 530 1.7 christos error("No AuthenticationMethods left after eliminating " 531 1.7 christos "disabled methods"); 532 1.7 christos return -1; 533 1.7 christos } 534 1.7 christos return 0; 535 1.7 christos } 536 1.7 christos 537 1.7 christos static int 538 1.8 christos list_starts_with(const char *methods, const char *method, 539 1.8 christos const char *submethod) 540 1.7 christos { 541 1.7 christos size_t l = strlen(method); 542 1.8 christos int match; 543 1.8 christos const char *p; 544 1.7 christos 545 1.7 christos if (strncmp(methods, method, l) != 0) 546 1.8 christos return MATCH_NONE; 547 1.8 christos p = methods + l; 548 1.8 christos match = MATCH_METHOD; 549 1.8 christos if (*p == ':') { 550 1.8 christos if (!submethod) 551 1.8 christos return MATCH_PARTIAL; 552 1.8 christos l = strlen(submethod); 553 1.8 christos p += 1; 554 1.8 christos if (strncmp(submethod, p, l)) 555 1.8 christos return MATCH_NONE; 556 1.8 christos p += l; 557 1.8 christos match = MATCH_BOTH; 558 1.8 christos } 559 1.8 christos if (*p != ',' && *p != '\0') 560 1.8 christos return MATCH_NONE; 561 1.8 christos return match; 562 1.7 christos } 563 1.7 christos 564 1.7 christos /* 565 1.7 christos * Remove method from the start of a comma-separated list of methods. 566 1.7 christos * Returns 0 if the list of methods did not start with that method or 1 567 1.7 christos * if it did. 568 1.7 christos */ 569 1.7 christos static int 570 1.8 christos remove_method(char **methods, const char *method, const char *submethod) 571 1.7 christos { 572 1.8 christos char *omethods = *methods, *p; 573 1.7 christos size_t l = strlen(method); 574 1.8 christos int match; 575 1.7 christos 576 1.8 christos match = list_starts_with(omethods, method, submethod); 577 1.8 christos if (match != MATCH_METHOD && match != MATCH_BOTH) 578 1.7 christos return 0; 579 1.8 christos p = omethods + l; 580 1.8 christos if (submethod && match == MATCH_BOTH) 581 1.8 christos p += 1 + strlen(submethod); /* include colon */ 582 1.8 christos if (*p == ',') 583 1.8 christos p++; 584 1.8 christos *methods = xstrdup(p); 585 1.7 christos free(omethods); 586 1.7 christos return 1; 587 1.7 christos } 588 1.7 christos 589 1.7 christos /* 590 1.7 christos * Called after successful authentication. Will remove the successful method 591 1.7 christos * from the start of each list in which it occurs. If it was the last method 592 1.7 christos * in any list, then authentication is deemed successful. 593 1.7 christos * Returns 1 if the method completed any authentication list or 0 otherwise. 594 1.7 christos */ 595 1.7 christos int 596 1.8 christos auth2_update_methods_lists(Authctxt *authctxt, const char *method, 597 1.8 christos const char *submethod) 598 1.7 christos { 599 1.7 christos u_int i, found = 0; 600 1.7 christos 601 1.7 christos debug3("%s: updating methods list after \"%s\"", __func__, method); 602 1.7 christos for (i = 0; i < authctxt->num_auth_methods; i++) { 603 1.8 christos if (!remove_method(&(authctxt->auth_methods[i]), method, 604 1.8 christos submethod)) 605 1.7 christos continue; 606 1.7 christos found = 1; 607 1.7 christos if (*authctxt->auth_methods[i] == '\0') { 608 1.7 christos debug2("authentication methods list %d complete", i); 609 1.7 christos return 1; 610 1.7 christos } 611 1.7 christos debug3("authentication methods list %d remaining: \"%s\"", 612 1.7 christos i, authctxt->auth_methods[i]); 613 1.7 christos } 614 1.7 christos /* This should not happen, but would be bad if it did */ 615 1.7 christos if (!found) 616 1.7 christos fatal("%s: method not in AuthenticationMethods", __func__); 617 1.7 christos return 0; 618 1.7 christos } 619 1.7 christos 620 1.7 christos 621
Indexes created Wed May 13 00:24:45 UTC 2026