- (bal) Refixed auth2.c. It was never fully commited while spliting out

authentication to different files.
2002-06-07 02:05:25 +00:00 · 2002-06-07 02:05:25 +00:00 · b85ab30a6e
parent 4eeccc79f6
commit b85ab30a6e
2 changed files with 3 additions and 322 deletions
--- a/4
+++ b/4
@ -133,6 +133,8 @@
 - (bal) Missed msg.[ch] in merge.  Required for ssh-keysign.
 - (bal) Forgot to add msg.c Makefile.in.
 - (bal) monitor_mm.c typos.
 - (bal) Refixed auth2.c.  It was never fully commited while spliting out
 	authentication to different files.
 20020604
 - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
@ -817,4 +819,4 @@
 - (stevesk) entropy.c: typo in debug message
 - (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2182 2002/06/07 01:57:25 mouring Exp $
+$Id: ChangeLog,v 1.2183 2002/06/07 02:05:25 mouring Exp $
--- a/auth2.c
+++ b/auth2.c
@ -249,327 +249,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 	}
 }
 char *
 auth2_read_banner(void)
 {
 	struct stat st;
 	char *banner = NULL;
 	off_t len, n;
 	int fd;
 	if ((fd = open(options.banner, O_RDONLY)) == -1)
 		return (NULL);
 	if (fstat(fd, &st) == -1) {
 		close(fd);
 		return (NULL);
 	}
 	len = st.st_size;
 	banner = xmalloc(len + 1);
 	n = atomicio(read, fd, banner, len);
 	close(fd);
 	if (n != len) {
 		free(banner);
 		return (NULL);
 	}
 	banner[n] = '\0';
 	return (banner);
 }
 static void
 userauth_banner(void)
 {
 	char *banner = NULL;
 	if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
 		return;
 	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
 		goto done;
 	packet_start(SSH2_MSG_USERAUTH_BANNER);
 	packet_put_cstring(banner);
 	packet_put_cstring("");		/* language, unused */
 	packet_send();
 	debug("userauth_banner: sent");
 done:
 	if (banner)
 		xfree(banner);
 	return;
 }
 static int
 userauth_none(Authctxt *authctxt)
 {
 	/* disable method "none", only allowed one time */
 	Authmethod *m = authmethod_lookup("none");
 	if (m != NULL)
 		m->enabled = NULL;
 	packet_check_eom();
 	userauth_banner();
 	if (authctxt->valid == 0)
 		return(0);
 #ifdef HAVE_CYGWIN
 	if (check_nt_auth(1, authctxt->pw) == 0)
 		return(0);
 #endif
 	return PRIVSEP(auth_password(authctxt, ""));
 }
 static int
 userauth_passwd(Authctxt *authctxt)
 {
 	char *password;
 	int authenticated = 0;
 	int change;
 	u_int len;
 	change = packet_get_char();
 	if (change)
 		log("password change not supported");
 	password = packet_get_string(&len);
 	packet_check_eom();
 	if (authctxt->valid &&
 #ifdef HAVE_CYGWIN
 	    check_nt_auth(1, authctxt->pw) &&
 #endif
 	    PRIVSEP(auth_password(authctxt, password)) == 1)
 		authenticated = 1;
 	memset(password, 0, len);
 	xfree(password);
 	return authenticated;
 }
 static int
 userauth_kbdint(Authctxt *authctxt)
 {
 	int authenticated = 0;
 	char *lang, *devs;
 	lang = packet_get_string(NULL);
 	devs = packet_get_string(NULL);
 	packet_check_eom();
 	debug("keyboard-interactive devs %s", devs);
 	if (options.challenge_response_authentication)
 		authenticated = auth2_challenge(authctxt, devs);
 #ifdef USE_PAM
 	if (authenticated == 0 && options.pam_authentication_via_kbd_int)
 		authenticated = auth2_pam(authctxt);
 #endif
 	xfree(devs);
 	xfree(lang);
 #ifdef HAVE_CYGWIN
 	if (check_nt_auth(0, authctxt->pw) == 0)
 		return(0);
 #endif
 	return authenticated;
 }
 static int
 userauth_pubkey(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
 	char *pkalg;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
 	int authenticated = 0;
 	if (!authctxt->valid) {
 		debug2("userauth_pubkey: disabled because of invalid user");
 		return 0;
 	}
 	have_sig = packet_get_char();
 	if (datafellows & SSH_BUG_PKAUTH) {
 		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
 		/* no explicit pkalg given */
 		pkblob = packet_get_string(&blen);
 		buffer_init(&b);
 		buffer_append(&b, pkblob, blen);
 		/* so we have to extract the pkalg from the pkblob */
 		pkalg = buffer_get_string(&b, &alen);
 		buffer_free(&b);
 	} else {
 		pkalg = packet_get_string(&alen);
 		pkblob = packet_get_string(&blen);
 	}
 	pktype = key_type_from_name(pkalg);
 	if (pktype == KEY_UNSPEC) {
 		/* this is perfectly legal */
 		log("userauth_pubkey: unsupported public key algorithm: %s",
 		    pkalg);
 		goto done;
 	}
 	key = key_from_blob(pkblob, blen);
 	if (key == NULL) {
 		error("userauth_pubkey: cannot decode key: %s", pkalg);
 		goto done;
 	}
 	if (key->type != pktype) {
 		error("userauth_pubkey: type mismatch for decoded key "
 		    "(received %d, expected %d)", key->type, pktype);
 		goto done;
 	}
 	if (have_sig) {
 		sig = packet_get_string(&slen);
 		packet_check_eom();
 		buffer_init(&b);
 		if (datafellows & SSH_OLD_SESSIONID) {
 			buffer_append(&b, session_id2, session_id2_len);
 		} else {
 			buffer_put_string(&b, session_id2, session_id2_len);
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 		buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :
 		    authctxt->service);
 		if (datafellows & SSH_BUG_PKAUTH) {
 			buffer_put_char(&b, have_sig);
 		} else {
 			buffer_put_cstring(&b, "publickey");
 			buffer_put_char(&b, have_sig);
 			buffer_put_cstring(&b, pkalg);
 		}
 		buffer_put_string(&b, pkblob, blen);
 #ifdef DEBUG_PK
 		buffer_dump(&b);
 #endif
 		/* test for correct signature */
 		authenticated = 0;
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
 		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 				buffer_len(&b))) == 1)
 			authenticated = 1;
 		buffer_clear(&b);
 		xfree(sig);
 	} else {
 		debug("test whether pkalg/pkblob are acceptable");
 		packet_check_eom();
 		/* XXX fake reply and always send PK_OK ? */
 		/*
 		 * XXX this allows testing whether a user is allowed
 		 * to login: if you happen to have a valid pubkey this
 		 * message is sent. the message is NEVER sent at all
 		 * if a user is not allowed to login. is this an
 		 * issue? -markus
 		 */
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
 			packet_start(SSH2_MSG_USERAUTH_PK_OK);
 			packet_put_string(pkalg, alen);
 			packet_put_string(pkblob, blen);
 			packet_send();
 			packet_write_wait();
 			authctxt->postponed = 1;
 		}
 	}
 	if (authenticated != 1)
 		auth_clear_options();
 done:
 	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
 	if (key != NULL)
 		key_free(key);
 	xfree(pkalg);
 	xfree(pkblob);
 #ifdef HAVE_CYGWIN
 	if (check_nt_auth(0, authctxt->pw) == 0)
 		return(0);
 #endif
 	return authenticated;
 }
 static int
 userauth_hostbased(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
 	char *pkalg, *cuser, *chost, *service;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int pktype;
 	int authenticated = 0;
 	if (!authctxt->valid) {
 		debug2("userauth_hostbased: disabled because of invalid user");
 		return 0;
 	}
 	pkalg = packet_get_string(&alen);
 	pkblob = packet_get_string(&blen);
 	chost = packet_get_string(NULL);
 	cuser = packet_get_string(NULL);
 	sig = packet_get_string(&slen);
 	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
 	    cuser, chost, pkalg, slen);
 #ifdef DEBUG_PK
 	debug("signature:");
 	buffer_init(&b);
 	buffer_append(&b, sig, slen);
 	buffer_dump(&b);
 	buffer_free(&b);
 #endif
 	pktype = key_type_from_name(pkalg);
 	if (pktype == KEY_UNSPEC) {
 		/* this is perfectly legal */
 		log("userauth_hostbased: unsupported "
 		    "public key algorithm: %s", pkalg);
 		goto done;
 	}
 	key = key_from_blob(pkblob, blen);
 	if (key == NULL) {
 		error("userauth_hostbased: cannot decode key: %s", pkalg);
 		goto done;
 	}
 	if (key->type != pktype) {
 		error("userauth_hostbased: type mismatch for decoded key "
 		    "(received %d, expected %d)", key->type, pktype);
 		goto done;
 	}
 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
 	    authctxt->service;
 	buffer_init(&b);
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 	buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
 	buffer_put_string(&b, pkblob, blen);
 	buffer_put_cstring(&b, chost);
 	buffer_put_cstring(&b, cuser);
 #ifdef DEBUG_PK
 	buffer_dump(&b);
 #endif
 	/* test for allowed key and correct signature */
 	authenticated = 0;
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 			buffer_len(&b))) == 1)
 		authenticated = 1;
 	buffer_clear(&b);
 done:
 	debug2("userauth_hostbased: authenticated %d", authenticated);
 	if (key != NULL)
 		key_free(key);
 	xfree(pkalg);
 	xfree(pkblob);
 	xfree(cuser);
 	xfree(chost);
 	xfree(sig);
 	return authenticated;
 }
 /* get current user */
 struct passwd*