tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-27 07:44:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream: convert auth2.c to new packet API

Browse Source 
OpenBSD-Commit-ID: ed831bb95ad228c6791bc18b60ce7a2edef2c999
This commit is contained in:
Damien Miller 2019-01-20 09:44:53 +11:00
parent 172a592a53
commit 5ebce136a6
3 changed files with 64 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.96 2018/04/10 00:10:49 djm Exp $ */ /* $OpenBSD: auth.h,v 1.97 2019/01/19 21:38:24 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -166,15 +166,13 @@ int auth_shadow_pwexpired(Authctxt *);
#include "audit.h" #include "audit.h"
void remove_kbdint_device(const char *); void remove_kbdint_device(const char *);
void do_authentication2(Authctxt *); void do_authentication2(struct ssh *);
void auth_log(Authctxt *, int, int, const char *, const char *); void auth_log(Authctxt *, int, int, const char *, const char *);
void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn)); void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
void userauth_finish(struct ssh *, int, const char *, const char *); void userauth_finish(struct ssh *, int, const char *, const char *);
int auth_root_allowed(struct ssh *, const char *); int auth_root_allowed(struct ssh *, const char *);
void userauth_send_banner(const char *);
char *auth2_read_banner(void); char *auth2_read_banner(void);
int auth2_methods_valid(const char *, int); int auth2_methods_valid(const char *, int);
int auth2_update_methods_lists(Authctxt *, const char *, const char *); int auth2_update_methods_lists(Authctxt *, const char *, const char *);

106
auth2.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.152 2019/01/19 21:31:32 djm Exp $ */ /* $OpenBSD: auth2.c,v 1.153 2019/01/19 21:38:24 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -61,9 +61,6 @@
#include "ssherr.h" #include "ssherr.h"
#include "digest.h" #include "digest.h"
#include "opacket.h" /* XXX */
extern struct ssh *active_state; /* XXX */
/* import */ /* import */
extern ServerOptions options; extern ServerOptions options;
extern u_char *session_id2; extern u_char *session_id2;
@ -141,18 +138,21 @@ auth2_read_banner(void)
return (banner); return (banner);
} }
void static void
userauth_send_banner(const char *msg) userauth_send_banner(struct ssh *ssh, const char *msg)
{ {
packet_start(SSH2_MSG_USERAUTH_BANNER); int r;
packet_put_cstring(msg);
packet_put_cstring(""); /* language, unused */ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_BANNER)) != 0 ||
packet_send(); (r = sshpkt_put_cstring(ssh, msg)) != 0 ||
(r = sshpkt_put_cstring(ssh, "")) != 0 || /* language, unused */
(r = sshpkt_send(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
debug("%s: sent", __func__); debug("%s: sent", __func__);
} }
static void static void
userauth_banner(void) userauth_banner(struct ssh *ssh)
{ {
char *banner = NULL; char *banner = NULL;
@ -161,7 +161,7 @@ userauth_banner(void)
if ((banner = PRIVSEP(auth2_read_banner())) == NULL) if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
goto done; goto done;
userauth_send_banner(banner); userauth_send_banner(ssh, banner);
done: done:
free(banner); free(banner);
@ -171,10 +171,10 @@ done:
* loop until authctxt->success == TRUE * loop until authctxt->success == TRUE
*/ */
void void
do_authentication2(Authctxt *authctxt) do_authentication2(struct ssh *ssh)
{ {
struct ssh *ssh = active_state; /* XXX */ Authctxt *authctxt = ssh->authctxt;
ssh->authctxt = authctxt; /* XXX move to caller */
ssh_dispatch_init(ssh, &dispatch_protocol_error); ssh_dispatch_init(ssh, &dispatch_protocol_error);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request); ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success); ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success);
@ -186,10 +186,12 @@ static int
input_service_request(int type, u_int32_t seq, struct ssh *ssh) input_service_request(int type, u_int32_t seq, struct ssh *ssh)
{ {
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
u_int len; char *service = NULL;
int acceptit = 0; int r, acceptit = 0;
char *service = packet_get_cstring(&len);
packet_check_eom(); if ((r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_service_request: no authctxt"); fatal("input_service_request: no authctxt");
@ -198,20 +200,24 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
if (!authctxt->success) { if (!authctxt->success) {
acceptit = 1; acceptit = 1;
/* now we can handle user-auth requests */ /* now we can handle user-auth requests */
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
&input_userauth_request);
} }
} }
/* XXX all other service requests are denied */ /* XXX all other service requests are denied */
if (acceptit) { if (acceptit) {
packet_start(SSH2_MSG_SERVICE_ACCEPT); if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_ACCEPT)) != 0 ||
packet_put_cstring(service); (r = sshpkt_put_cstring(ssh, service)) != 0 ||
packet_send(); (r = sshpkt_send(ssh)) != 0 ||
packet_write_wait(); (r = ssh_packet_write_wait(ssh)) != 0)
goto out;
} else { } else {
debug("bad service request %s", service); debug("bad service request %s", service);
packet_disconnect("bad service request %s", service); ssh_packet_disconnect(ssh, "bad service request %s", service);
} }
r = 0;
out:
free(service); free(service);
return 0; return 0;
} }
@ -259,16 +265,17 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
{ {
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user, *service, *method, *style = NULL; char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
int authenticated = 0; int r, authenticated = 0;
double tstart = monotime_double(); double tstart = monotime_double();
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_userauth_request: no authctxt"); fatal("input_userauth_request: no authctxt");
user = packet_get_cstring(NULL); if ((r = sshpkt_get_cstring(ssh, &user, NULL)) != 0 ||
service = packet_get_cstring(NULL); (r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
method = packet_get_cstring(NULL); (r = sshpkt_get_cstring(ssh, &method, NULL)) != 0)
goto out;
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -302,13 +309,14 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep) if (use_privsep)
mm_inform_authserv(service, style); mm_inform_authserv(service, style);
userauth_banner(); userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0) if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled"); ssh_packet_disconnect(ssh,
"no authentication methods enabled");
} else if (strcmp(user, authctxt->user) != 0 || } else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) { strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: " ssh_packet_disconnect(ssh, "Change of username or service "
"(%s,%s) -> (%s,%s)", "not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service); authctxt->user, authctxt->service, user, service);
} }
/* reset state */ /* reset state */
@ -334,11 +342,12 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
ensure_minimum_time_since(tstart, ensure_minimum_time_since(tstart,
user_specific_delay(authctxt->user)); user_specific_delay(authctxt->user));
userauth_finish(ssh, authenticated, method, NULL); userauth_finish(ssh, authenticated, method, NULL);
r = 0;
out:
free(service); free(service);
free(user); free(user);
free(method); free(method);
return 0; return r;
} }
void void
@ -347,7 +356,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
{ {
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
char *methods; char *methods;
int partial = 0; int r, partial = 0;
if (!authctxt->valid && authenticated) if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s", fatal("INTERNAL ERROR: authenticated invalid user %s",
@ -391,7 +400,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0) if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
fatal("%s: buffer error: %s", fatal("%s: buffer error: %s",
__func__, ssh_err(r)); __func__, ssh_err(r));
userauth_send_banner(sshbuf_ptr(loginmsg)); userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
packet_write_wait(); packet_write_wait();
} }
fatal("Access denied for user %s by PAM account " fatal("Access denied for user %s by PAM account "
@ -402,10 +411,12 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
if (authenticated == 1) { if (authenticated == 1) {
/* turn off userauth */ /* turn off userauth */
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
packet_start(SSH2_MSG_USERAUTH_SUCCESS); &dispatch_protocol_ignore);
packet_send(); if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_SUCCESS)) != 0 ||
packet_write_wait(); (r = sshpkt_send(ssh)) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
/* now we can break out */ /* now we can break out */
authctxt->success = 1; authctxt->success = 1;
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user); ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
@ -423,11 +434,12 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
methods = authmethods_get(authctxt); methods = authmethods_get(authctxt);
debug3("%s: failure partial=%d next methods=\"%s\"", __func__, debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
partial, methods); partial, methods);
packet_start(SSH2_MSG_USERAUTH_FAILURE); if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_FAILURE)) != 0 ||
packet_put_cstring(methods); (r = sshpkt_put_cstring(ssh, methods)) != 0 ||
packet_put_char(partial); (r = sshpkt_put_u8(ssh, partial)) != 0 ||
packet_send(); (r = sshpkt_send(ssh)) != 0 ||
packet_write_wait(); (r = ssh_packet_write_wait(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
free(methods); free(methods);
} }
} }

5
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.523 2019/01/19 21:37:48 djm Exp $ */ /* $OpenBSD: sshd.c,v 1.524 2019/01/19 21:38:24 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2044,7 +2044,8 @@ main(int ac, char **av)
/* perform the key exchange */ /* perform the key exchange */
/* authenticate user and start session */ /* authenticate user and start session */
do_ssh2_kex(); do_ssh2_kex();
do_authentication2(authctxt); ssh->authctxt = authctxt;
do_authentication2(ssh);
/* /*
* If we use privilege separation, the unprivileged child transfers * If we use privilege separation, the unprivileged child transfers