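/*
 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"

#include <sys/types.h>

#include <stdlib.h>
#include <string.h>

#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "xmalloc.h"
#include "hostfile.h"
#include "auth.h"

extern ServerOptions options;

/*
 * Configuration of enabled authentication methods. Separate from the rest of
 * auth2-*.c because we want to query it during server configuration validity
 * checking in the sshd listener process without pulling all the auth code in
 * too.
 *
 * Each entry below names a userauth method, an optional synonym for it, and a
 * pointer to the flag that says whether the method is currently enabled.
 * For all methods except "none" that flag lives in the parsed server
 * configuration (options.*), so the table reflects whatever sshd_config says.
 */

/* "none" is allowed only one time and it is cleared by userauth_none() later */
int none_enabled = 1;
struct authmethod_cfg methodcfg_none = {
	"none",
	NULL,
	&none_enabled
};
struct authmethod_cfg methodcfg_pubkey = {
	"publickey",
	"publickey-hostbound-v00@openssh.com",
	&options.pubkey_authentication
};
#ifdef GSSAPI
struct authmethod_cfg methodcfg_gssapi = {
	"gssapi-with-mic",
	NULL,
	&options.gss_authentication
};
#endif
struct authmethod_cfg methodcfg_passwd = {
	"password",
	NULL,
	&options.password_authentication
};
struct authmethod_cfg methodcfg_kbdint = {
	"keyboard-interactive",
	NULL,
	&options.kbd_interactive_authentication
};
struct authmethod_cfg methodcfg_hostbased = {
	"hostbased",
	NULL,
	&options.hostbased_authentication
};

/* NULL-terminated list of every method the server knows about. */
static struct authmethod_cfg *authmethod_cfgs[] = {
	&methodcfg_none,
	&methodcfg_pubkey,
#ifdef GSSAPI
	&methodcfg_gssapi,
#endif
	&methodcfg_passwd,
	&methodcfg_kbdint,
	&methodcfg_hostbased,
	NULL
};

/*
 * Check a comma-separated list of authentication methods for validity.
 *
 * _methods:    the list to check, e.g. "publickey,password". Each entry is
 *              matched (by exact name, not synonym) against authmethod_cfgs;
 *              anything from the first ':' onwards in an entry is ignored for
 *              the purpose of matching. An empty entry ("a,,b") never matches.
 * need_enable: if non-zero, additionally require every listed method to be
 *              enabled in the current server configuration. Listing a
 *              disabled method is treated as a configuration error rather
 *              than being silently skipped, presumably so that a requirement
 *              which could never be satisfied is caught at config-check time.
 *
 * Returns 0 on success or -1 (after logging an error) if the list is empty,
 * names an unknown method, or (with need_enable) names a disabled one.
 */
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *methods, *omethods, *method, *p;
	u_int i;
	int ret = -1;
	const struct authmethod_cfg *cfg;

	if (*_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	/* strsep() writes into its input, so work on a private copy. */
	omethods = methods = xstrdup(_methods);
	while ((method = strsep(&methods, ",")) != NULL) {
		/*
		 * Strip any ":suffix" before matching. This depends only on
		 * the entry, not on the table row, so do it once per entry
		 * instead of once per row as the inner loop used to.
		 */
		if ((p = strchr(method, ':')) != NULL)
			*p = '\0';
		for (i = 0; authmethod_cfgs[i] != NULL; i++) {
			if (strcmp(method, authmethod_cfgs[i]->name) == 0)
				break;
		}
		if ((cfg = authmethod_cfgs[i]) == NULL) {
			error("Unknown authentication method \"%s\" in list",
			    method);
			goto out;
		}
		/* A NULL enabled pointer counts as "disabled". */
		if (need_enable &&
		    (cfg->enabled == NULL || *(cfg->enabled) == 0)) {
			error("Disabled method \"%s\" in "
			    "AuthenticationMethods list \"%s\"",
			    method, _methods);
			goto out;
		}
	}
	ret = 0;
 out:
	free(omethods);
	return ret;
}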