1*ba1276acSMatthew Dillon /* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */ 218de8d7fSPeter Avalos 318de8d7fSPeter Avalos /* 418de8d7fSPeter Avalos * Copyright (c) 2000 Markus Friedl. All rights reserved. 518de8d7fSPeter Avalos * 618de8d7fSPeter Avalos * Redistribution and use in source and binary forms, with or without 718de8d7fSPeter Avalos * modification, are permitted provided that the following conditions 818de8d7fSPeter Avalos * are met: 918de8d7fSPeter Avalos * 1. Redistributions of source code must retain the above copyright 1018de8d7fSPeter Avalos * notice, this list of conditions and the following disclaimer. 1118de8d7fSPeter Avalos * 2. Redistributions in binary form must reproduce the above copyright 1218de8d7fSPeter Avalos * notice, this list of conditions and the following disclaimer in the 1318de8d7fSPeter Avalos * documentation and/or other materials provided with the distribution. 1418de8d7fSPeter Avalos * 1518de8d7fSPeter Avalos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 1618de8d7fSPeter Avalos * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 1718de8d7fSPeter Avalos * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 1818de8d7fSPeter Avalos * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 1918de8d7fSPeter Avalos * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 2018de8d7fSPeter Avalos * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 2118de8d7fSPeter Avalos * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 2218de8d7fSPeter Avalos * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 2318de8d7fSPeter Avalos * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 2418de8d7fSPeter Avalos * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

#ifndef AUTH_H
#define AUTH_H

#include <signal.h>
#include <stdio.h>

#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
#endif
#ifdef BSD_AUTH
#include <bsd_auth.h>
#endif
#ifdef KRB5
#include <krb5.h>
#endif

/* Opaque types from elsewhere in sshd; only pointers to them are used here. */
struct passwd;
struct ssh;
struct sshbuf;
struct sshkey;
struct sshkey_cert;
struct sshauthopt;

typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;

/*
 * Server-side state for one client's userauth exchange.  The individual
 * methods (struct Authmethod below) read and update these fields; the
 * comment following the struct describes the contract for users that do
 * not exist or may not log in.
 */
struct Authctxt {
	sig_atomic_t success;		/* sig_atomic_t suggests this is set
					 * from a signal handler -- NOTE(review):
					 * presumably the login-grace alarm;
					 * confirm in sshd.c */
	int authenticated;	/* authenticated and alarms cancelled */
	int postponed;		/* authentication needs another step */
	int valid;		/* user exists and is allowed to login */
	int attempt;		/* attempt/failure counters; presumably what
				 * auth_maxtries_exceeded() (below) is judged
				 * against -- confirm in auth2.c */
	int failures;
	int server_caused_failure;	/* NOTE(review): looks like a failure
					 * attributed to the server rather than
					 * the client (e.g. a method could not
					 * run) -- confirm how it affects the
					 * counters above */
	int force_pwchange;	/* presumably set when the password has
				 * expired (see auth_shadow_pwexpired() below)
				 * -- confirm */
	char *user;		/* username sent by the client; untrusted
				 * input, present even when !valid */
	char *service;		/* service name from the client request
				 * (presumably "ssh-connection") */
	struct passwd *pw;	/* set if 'valid'; do not rely on it
				 * otherwise */
	char *style;		/* login style, if any; presumably the
				 * "user:style" suffix used by BSD auth */

	/* Method lists for multiple authentication */
	char **auth_methods;	/* modified from server config: a per-connection
				 * working copy (see auth2_update_methods_lists()
				 * and auth2_setup_methods_lists() below) */
	u_int num_auth_methods;

	/* Authentication method-specific data */
	void *methoddata;
	void *kbdintctxt;	/* KbdintDevice context (init_ctx result) */
#ifdef BSD_AUTH
	auth_session_t *as;
#endif
#ifdef KRB5
	krb5_context krb5_ctx;
	krb5_ccache krb5_fwd_ccache;	/* forwarded credentials cache */
	krb5_principal krb5_user;
	char *krb5_ticket_file;
	char *krb5_ccname;
#endif
	struct sshbuf *loginmsg;	/* text accumulated for the client's
					 * login message */

	/*
	 * Authentication keys already used; these will be refused henceforth.
	 * This is what stops one key from satisfying more than one of the
	 * required methods when several are configured (see
	 * auth2_key_already_used() / auth2_record_key()).
	 */
	struct sshkey **prev_keys;
	u_int nprev_keys;

	/* Last used key and ancillary information from active auth method */
	struct sshkey *auth_method_key;
	char *auth_method_info;		/* free-form text for logging; see
					 * auth2_record_info() */

	/* Information exposed to session */
	struct sshbuf *session_info;	/* Auth info for environment */
};

/*
 * Every authentication method has to handle authentication requests for
 * non-existing users, or for users that are not allowed to login. In this
 * case 'valid' is set to 0, but 'user' points to the username requested by
 * the client.  A method must therefore never assume 'pw' is usable, and
 * must still run to completion and fail -- presumably so that the server's
 * responses (and their timing) do not reveal whether the account exists;
 * fakepw() below looks like the placeholder used for that case (confirm in
 * auth.c).
 */

/*
 * Static description of an authentication method.  'enabled' points at the
 * flag that turns the method on (presumably a ServerOptions field), so the
 * table follows the configuration without copying it; 'synonym' is an
 * alternative client-visible name, or NULL.
 */
struct authmethod_cfg {
	const char *name;
	const char *synonym;
	int *enabled;
};

/*
 * An authentication method: its configuration plus the handler that
 * processes one userauth request.  The string argument is presumably the
 * method name as sent by the client (so a handler registered under a
 * synonym can tell which name was used) -- confirm in auth2.c.  The
 * return-value convention is not stated here; see the callers in auth2.c.
 */
struct Authmethod {
	struct authmethod_cfg *cfg;
	int (*userauth)(struct ssh *, const char *);
};

/*
 * Keyboard interactive device:
 * init_ctx returns: non NULL upon success
 * query returns: 0 - success, otherwise failure
 * respond returns: 0 - success, 1 - need further interaction,
 *		otherwise - failure
 *
 * query fills in the name/instruction text and the prompt array (with one
 * echo flag per prompt) for the client; respond receives the client's
 * answers, which are untrusted input.  Ownership of the strings returned
 * by query is not stated here -- NOTE(review): presumably allocated and
 * freed by the caller; confirm in auth2-chall.c.
 */
struct KbdintDevice
{
	const char *name;
	void*	(*init_ctx)(Authctxt*);
	int	(*query)(void *ctx, char **name, char **infotxt,
		    u_int *numprompts, char ***prompts, u_int **echo_on);
	int	(*respond)(void *ctx, u_int numresp, char **responses);
	void	(*free_ctx)(void *ctx);
};

/*
 * rhosts-style host/user check.  The three strings are presumably the
 * client user, client hostname and client address -- confirm in auth-rhosts.c.
 */
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);

/* Password check for the given connection; the string is the password. */
int	 auth_password(struct ssh *, const char *);

/*
 * Hostbased / pubkey policy checks.  user_key_allowed() returns the key's
 * authorized_keys options through the sshauthopt ** out-parameter;
 * NOTE(review): presumably allocated on success and freed by the caller --
 * confirm in auth2-pubkey.c.
 */
int	 hostbased_key_allowed(struct ssh *, struct passwd *,
	    const char *, char *, struct sshkey *);
int	 user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *,
    int, struct sshauthopt **);

/*
 * Returns nonzero if the key is in authctxt->prev_keys, i.e. it already
 * satisfied an earlier method and must not be accepted again.
 */
int	 auth2_key_already_used(Authctxt *, const struct sshkey *);

/*
 * Handling auth method-specific information for logging and prevention
 * of key reuse during multiple authentication.
 *
 * auth2_record_info() takes a printf-style format (checked by the
 * attribute below, and fmt may not be NULL): always pass a literal format
 * and supply client-controlled text as a "%s" argument.
 */
void	 auth2_authctxt_reset_info(Authctxt *);
void	 auth2_record_key(Authctxt *, int, const struct sshkey *);
void	 auth2_record_info(Authctxt *authctxt, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)))
	    __attribute__((__nonnull__ (2)));
void	 auth2_update_session_info(Authctxt *, const char *, const char *);

#ifdef KRB5
int	 auth_krb5_password(Authctxt *authctxt, const char *password);
void	 krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */

#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#include <shadow.h>
/* Account / password expiry checks against the shadow entry. */
int	 auth_shadow_acctexpired(struct spwd *);
int	 auth_shadow_pwexpired(Authctxt *);
#endif

#include "auth-pam.h"
#include "audit.h"
void	 remove_kbdint_device(const char *);

/* Entry point: runs the whole SSH2 userauth exchange for this connection. */
void	 do_authentication2(struct ssh *);

/*
 * Result logging and termination.  auth_maxtries_exceeded() never returns
 * (see the attribute), so callers need no fallthrough handling after it;
 * presumably it logs and disconnects the client.  auth_root_allowed()
 * presumably implements the PermitRootLogin policy, with the string being
 * the method name -- confirm in auth.c.
 */
void	 auth_log(struct ssh *, int, int, const char *, const char *);
void	 auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
void	 userauth_finish(struct ssh *, int, const char *, const char *);
int	 auth_root_allowed(struct ssh *, const char *);
/* Returns the configured banner text; ownership not stated here (presumably
 * caller frees) -- confirm in auth2.c. */
char	*auth2_read_banner(void);

/*
 * AuthenticationMethods handling: validate a configured list, set up and
 * update the per-connection copies in Authctxt, and ask whether a method
 * (name, submethod) is currently permitted.
 */
int	 auth2_methods_valid(const char *, int);
int	 auth2_update_methods_lists(Authctxt *, const char *, const char *);
int	 auth2_setup_methods_lists(Authctxt *);
int	 auth2_method_allowed(Authctxt *, const char *, const char *);

void	 privsep_challenge_enable(void);

/*
 * Keyboard-interactive (challenge/response) driver.  bsdauth_query() and
 * bsdauth_respond() have the query/respond signatures of struct
 * KbdintDevice.
 */
int	 auth2_challenge(struct ssh *, char *);
void	 auth2_challenge_stop(struct ssh *);
int	 bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int	 bsdauth_respond(void *, u_int, char **);

/*
 * Account policy.  getpwnamallow() presumably looks the user up and applies
 * allowed_user() (AllowUsers/DenyUsers and friends), returning NULL when
 * login is not permitted -- confirm in auth.c.
 */
int	 allowed_user(struct ssh *, struct passwd *);
struct passwd * getpwnamallow(struct ssh *, const char *user);

/*
 * Expand the %-tokens of an AuthorizedKeysFile / AuthorizedPrincipalsFile
 * path for the given user.  Both return newly allocated strings
 * (presumably; caller frees -- confirm).
 */
char	*expand_authorized_keys(const char *, struct passwd *pw);
char	*authorized_principals_file(struct passwd *);

/* Nonzero if the key (or its CA) is listed in RevokedKeys -- presumably. */
int	 auth_key_is_revoked(struct sshkey *);

const char	*auth_get_canonical_hostname(struct ssh *, int);

/*
 * NOTE(review): HostStatus is not declared in this header; a translation
 * unit including auth.h must already have the header that defines it
 * (presumably hostfile.h) in scope.
 */
HostStatus
check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
    const char *, const char *);

/* hostkey handling */
struct sshkey	*get_hostkey_by_index(int);
struct sshkey	*get_hostkey_public_by_index(int, struct ssh *);
struct sshkey	*get_hostkey_public_by_type(int, int, struct ssh *);
struct sshkey	*get_hostkey_private_by_type(int, int, struct ssh *);
int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
/*
 * Sign data with a host key.  The u_char ** / size_t * pair is the output
 * signature; the const u_char * / size_t pair is the data to sign; the
 * final string is presumably the signature algorithm name -- confirm.
 */
int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
    u_char **, size_t *, const u_char *, size_t, const char *);

/* Key / cert options linkage to auth layer */
int	 auth_activate_options(struct ssh *, struct sshauthopt *);
void	 auth_restrict_session(struct ssh *);
void	 auth_log_authopts(const char *, const struct sshauthopt *, int);

/*
 * debug messages during authentication: auth_debug_add() takes a
 * printf-style format (checked by the attribute), so pass a literal
 * format and never a client-supplied string as fmt.  auth_debug_send()
 * delivers the buffered messages over the connection; auth_debug_reset()
 * discards them.
 */
void	 auth_debug_add(const char *fmt,...)
    __attribute__((format(printf, 1, 2)));
void	 auth_debug_send(struct ssh *);
void	 auth_debug_reset(void);

/* Placeholder passwd entry (presumably used when the requested user is not
 * valid, so methods can still run) -- confirm in auth.c. */
struct passwd	*fakepw(void);

/*
 * auth2-pubkeyfile.c
 *
 * Parsers for authorized_keys / authorized_principals content.  The
 * line-taking functions receive a non-const char *, presumably because the
 * line is tokenized in place -- do not pass string literals.  Matching
 * options are returned through the sshauthopt ** out-parameter.
 */
int	 auth_authorise_keyopts(struct passwd *, struct sshauthopt *, int,
    const char *, const char *, const char *);
int	 auth_check_principals_line(char *, const struct sshkey_cert *,
    const char *, struct sshauthopt **);
int	 auth_process_principals(FILE *, const char *,
    const struct sshkey_cert *, struct sshauthopt **);
int	 auth_check_authkey_line(struct passwd *, struct sshkey *,
    char *, const char *, const char *, const char *, struct sshauthopt **);
int	 auth_check_authkeys_file(struct passwd *, FILE *, char *,
    struct sshkey *, const char *, const char *, struct sshauthopt **);
/*
 * Open an authorized_keys / authorized_principals file for the given user.
 * Returns NULL on failure; the caller must fclose() the result.
 * NOTE(review): presumably applies the StrictModes ownership/permission
 * checks (the int is likely that flag) -- confirm in auth2-pubkeyfile.c.
 */
FILE	*auth_openkeyfile(const char *, struct passwd *, int);
FILE	*auth_openprincipals(const char *, struct passwd *, int);

/* Platform password verification hook (auth-passwd.c / port code). */
int	 sys_auth_passwd(struct ssh *, const char *);

#if defined(KRB5) && !defined(HEIMDAL)
/* Create a fresh credentials cache for the authenticated user. */
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
#endif

#endif /* AUTH_H */