1 /* $NetBSD: auth2-methods.c,v 1.2 2024/07/08 22:33:43 christos Exp $ */
2
3 /*
4 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include "includes.h"
20 __RCSID("$NetBSD: auth2-methods.c,v 1.2 2024/07/08 22:33:43 christos Exp $");
21
22 #include <sys/types.h>
23
24 #include <stdlib.h>
25 #include <string.h>
26
27 #include "log.h"
28 #include "misc.h"
29 #include "servconf.h"
30 #include "xmalloc.h"
31 #include "hostfile.h"
32 #include "auth.h"
33
34 extern ServerOptions options;
35
36 /*
37 * Configuration of enabled authentication methods. Separate from the rest of
38 * auth2-*.c because we want to query it during server configuration validity
39 * checking in the sshd listener process without pulling all the auth code in
40 * too.
41 */
42
43 /* "none" is allowed only one time and it is cleared by userauth_none() later */
44 int none_enabled = 1;
45 struct authmethod_cfg methodcfg_none = {
46 "none",
47 NULL,
48 &none_enabled
49 };
50 struct authmethod_cfg methodcfg_pubkey = {
51 "publickey",
52 "publickey-hostbound-v00@openssh.com",
53 &options.pubkey_authentication
54 };
55 #ifdef GSSAPI
56 struct authmethod_cfg methodcfg_gssapi = {
57 "gssapi-with-mic",
58 NULL,
59 &options.gss_authentication
60 };
61 #endif
62 #ifdef KRB5
63 struct authmethod_cfg methodcfg_krb5 = {
64 "kerberos-2@ssh.com",
65 NULL,
66 &options.kerberos_authentication
67 };
68 #endif
69 struct authmethod_cfg methodcfg_passwd = {
70 "password",
71 NULL,
72 &options.password_authentication
73 };
74 struct authmethod_cfg methodcfg_kbdint = {
75 "keyboard-interactive",
76 NULL,
77 &options.kbd_interactive_authentication
78 };
79 struct authmethod_cfg methodcfg_hostbased = {
80 "hostbased",
81 NULL,
82 &options.hostbased_authentication
83 };
84
85 static struct authmethod_cfg *authmethod_cfgs[] = {
86 &methodcfg_none,
87 &methodcfg_pubkey,
88 #ifdef GSSAPI
89 &methodcfg_gssapi,
90 #endif
91 &methodcfg_passwd,
92 &methodcfg_kbdint,
93 &methodcfg_hostbased,
94 NULL
95 };
96
97 /*
98 * Check a comma-separated list of methods for validity. If need_enable is
99 * non-zero, then also require that the methods are enabled.
100 * Returns 0 on success or -1 if the methods list is invalid.
101 */
102 int
auth2_methods_valid(const char * _methods,int need_enable)103 auth2_methods_valid(const char *_methods, int need_enable)
104 {
105 char *methods, *omethods, *method, *p;
106 u_int i, found;
107 int ret = -1;
108 const struct authmethod_cfg *cfg;
109
110 if (*_methods == '\0') {
111 error("empty authentication method list");
112 return -1;
113 }
114 omethods = methods = xstrdup(_methods);
115 while ((method = strsep(&methods, ",")) != NULL) {
116 for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
117 cfg = authmethod_cfgs[i];
118 if ((p = strchr(method, ':')) != NULL)
119 *p = '\0';
120 if (strcmp(method, cfg->name) != 0)
121 continue;
122 if (need_enable) {
123 if (cfg->enabled == NULL ||
124 *(cfg->enabled) == 0) {
125 error("Disabled method \"%s\" in "
126 "AuthenticationMethods list \"%s\"",
127 method, _methods);
128 goto out;
129 }
130 }
131 found = 1;
132 break;
133 }
134 if (!found) {
135 error("Unknown authentication method \"%s\" in list",
136 method);
137 goto out;
138 }
139 }
140 ret = 0;
141 out:
142 free(omethods);
143 return ret;
144 }
145