1*1c7715ddSchristos /*	$NetBSD: auth.h,v 1.24 2024/07/08 22:33:43 christos Exp $	*/
2*1c7715ddSchristos /* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */
3ca32bd8dSchristos 
4ca32bd8dSchristos /*
5ca32bd8dSchristos  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
6ca32bd8dSchristos  *
7ca32bd8dSchristos  * Redistribution and use in source and binary forms, with or without
8ca32bd8dSchristos  * modification, are permitted provided that the following conditions
9ca32bd8dSchristos  * are met:
10ca32bd8dSchristos  * 1. Redistributions of source code must retain the above copyright
11ca32bd8dSchristos  *    notice, this list of conditions and the following disclaimer.
12ca32bd8dSchristos  * 2. Redistributions in binary form must reproduce the above copyright
13ca32bd8dSchristos  *    notice, this list of conditions and the following disclaimer in the
14ca32bd8dSchristos  *    documentation and/or other materials provided with the distribution.
15ca32bd8dSchristos  *
16ca32bd8dSchristos  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17ca32bd8dSchristos  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18ca32bd8dSchristos  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19ca32bd8dSchristos  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20ca32bd8dSchristos  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21ca32bd8dSchristos  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22ca32bd8dSchristos  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23ca32bd8dSchristos  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24ca32bd8dSchristos  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25ca32bd8dSchristos  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26ca32bd8dSchristos  *
27ca32bd8dSchristos  */
28ca32bd8dSchristos 
29ca32bd8dSchristos #ifndef AUTH_H
30ca32bd8dSchristos #define AUTH_H
31ca32bd8dSchristos 
32ca32bd8dSchristos #include <signal.h>
33e160b4e8Schristos #include <stdio.h>
34ca32bd8dSchristos 
35ca32bd8dSchristos #include <openssl/rsa.h>
36ca32bd8dSchristos 
37313c6c94Schristos #ifdef HAVE_LOGIN_CAP
38313c6c94Schristos #include <login_cap.h>
39313c6c94Schristos #endif
40313c6c94Schristos #ifdef BSD_AUTH
41ca32bd8dSchristos #include <bsd_auth.h>
42313c6c94Schristos #endif
43ca32bd8dSchristos #ifdef KRB5
44ca32bd8dSchristos #include <krb5.h>
45ca32bd8dSchristos #endif
46ca32bd8dSchristos 
/*
 * Opaque types owned by other modules.  This header only ever passes
 * pointers to them, so forward declarations are enough and no further
 * headers need to be included here.
 */
struct passwd;
struct ssh;
struct sshbuf;
struct sshkey;
struct sshkey_cert;
struct sshauthopt;

/* Short names for the three structures defined in this header. */
typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;
57ca32bd8dSchristos 
/*
 * Server-side state of one connection's user-authentication phase.  A single
 * Authctxt spans all userauth requests of the connection and is read and
 * updated by the functions declared below.  Note that 'user' is filled in
 * even when 'valid' is 0 (unknown or disallowed user), so it must never be
 * taken as evidence that an account exists.
 */
struct Authctxt {
	sig_atomic_t	 success;	/* sig_atomic_t: presumably also accessed
					 * from a signal handler -- TODO confirm */
	int		 authenticated;	/* authenticated and alarms cancelled */
	int		 postponed;	/* authentication needs another step */
	int		 valid;		/* user exists and is allowed to login */
	int		 attempt;	/* presumably the userauth request count */
	int		 failures;	/* presumably failed requests;
					 * cf. auth_maxtries_exceeded() */
	int		 server_caused_failure;	/* presumably a failure the client did
					 * not cause; how it is counted is decided
					 * by the callers, not here */
	int		 force_pwchange;	/* presumably: password change required */
	char		*user;		/* username sent by the client (set even if !valid) */
	char		*service;	/* presumably the requested service name */
	struct passwd	*pw;		/* set if 'valid' */
	char		*style;		/* presumably the "user:style" suffix -- verify */

	/* Method lists for multiple authentication */
	char		**auth_methods;	/* modified from server config;
					 * see auth2_*_methods_lists() below */
	u_int		 num_auth_methods;

	/* Authentication method-specific data */
	void		*methoddata;	/* opaque; presumably owned by the active method */
	void		*kbdintctxt;	/* presumably the ctx from KbdintDevice.init_ctx() */
#ifdef BSD_AUTH
	auth_session_t	*as;		/* BSD auth session handle */
#endif
#ifdef KRB5
	krb5_context	 krb5_ctx;
	krb5_auth_context krb5_auth_ctx;
	krb5_ccache	 krb5_fwd_ccache;	/* presumably the forwarded credential cache */
	krb5_principal	 krb5_user;
	char		*krb5_ticket_file;	/* presumably the on-disk ticket cache path */
#endif

	/* Authentication keys already used; these will be refused henceforth */
	struct sshkey	**prev_keys;	/* see auth2_record_key() / auth2_key_already_used() */
	u_int		 nprev_keys;

	/* Last used key and ancillary information from active auth method */
	struct sshkey	*auth_method_key;
	char		*auth_method_info;	/* see auth2_record_info() */

	/* Information exposed to session */
	struct sshbuf	*session_info;	/* Auth info for environment */
};
1017a183406Schristos 
/*
 * Every authentication method has to handle authentication requests for
 * non-existing users, or for users that are not allowed to log in. In this
 * case 'valid' is set to 0, but 'user' still points to the username requested
 * by the client.
 */
108ca32bd8dSchristos 
109313c6c94Schristos #ifdef USE_PAM
110313c6c94Schristos #include "auth-pam.h"
111313c6c94Schristos #endif
112313c6c94Schristos 
/*
 * Static description of one userauth method.
 *   name     - the method's name
 *   synonym  - an alternative name accepted for the same method
 *              (presumably NULL when there is none -- verify)
 *   enabled  - pointer to the int flag that switches the method on; a
 *              pointer rather than a value, presumably so the live server
 *              option is consulted at check time -- verify
 */
struct authmethod_cfg {
	const char *name;
	const char *synonym;
	int *enabled;
};
118ca32bd8dSchristos 
/*
 * A userauth method: its configuration plus the handler run for a request
 * of that method.  userauth() receives the connection and a string
 * (presumably the method name as requested) and returns an int whose
 * success convention is fixed by the caller, not by this header -- check
 * before relying on it.
 */
struct Authmethod {
	struct authmethod_cfg *cfg;
	int	(*userauth)(struct ssh *, const char *);
};
123*1c7715ddSchristos 
/*
 * Keyboard interactive device:
 * init_ctx	returns: non NULL upon success; the returned ctx is passed
 *		to query/respond and released by free_ctx
 * query	returns: 0 - success, otherwise failure; fills the out
 *		parameters name, infotxt, numprompts, prompts and echo_on
 *		(who owns the returned strings is defined by the device,
 *		not here -- verify before freeing)
 * respond	returns: 0 - success, 1 - need further interaction,
 *		otherwise - failure; receives numresp client responses
 * free_ctx	releases everything init_ctx allocated
 */
struct KbdintDevice
{
	const char *name;
	void*	(*init_ctx)(Authctxt*);
	int	(*query)(void *ctx, char **name, char **infotxt,
		    u_int *numprompts, char ***prompts, u_int **echo_on);
	int	(*respond)(void *ctx, u_int numresp, char **responses);
	void	(*free_ctx)(void *ctx);
};
140ca32bd8dSchristos 
/*
 * Per-method acceptance checks.  Each returns an int; the exact convention
 * (1 = allowed vs. 0 = success) belongs to the implementation -- check it
 * before use.
 */
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);

/* Password check for the connection's user; the const char * is the candidate password. */
int      auth_password(struct ssh *, const char *);

/* Host-based key acceptance test. */
int	 hostbased_key_allowed(struct ssh *, struct passwd *,
	    const char *, char *, struct sshkey *);
/*
 * Public-key acceptance test.  The struct sshauthopt ** is an out-parameter
 * receiving the options attached to the matching key entry; ownership of
 * that object is decided by the implementation (presumably the caller frees).
 */
int	 user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *,
    int, struct sshauthopt **);
/* Presumably non-zero when the key is already in Authctxt.prev_keys. */
int	 auth2_key_already_used(Authctxt *, const struct sshkey *);
151ca32bd8dSchristos 
/*
 * Handling auth method-specific information for logging and prevention
 * of key reuse during multiple authentication.
 */
/* Clears the "last used key / info" fields of the context. */
void	 auth2_authctxt_reset_info(Authctxt *);
/* Records a key as used (presumably appending it to prev_keys); the int is a flag whose meaning is set by the caller. */
void	 auth2_record_key(Authctxt *, int, const struct sshkey *);
/*
 * printf-style; the format (argument 2) is compiler-checked and must not
 * be NULL.  Keep the format a literal -- never pass client-supplied text
 * as the format argument.
 */
void	 auth2_record_info(Authctxt *authctxt, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)))
	    __attribute__((__nonnull__ (2)));
/* Presumably appends to Authctxt.session_info; see that field. */
void	 auth2_update_session_info(Authctxt *, const char *, const char *);
162ce11a51fSchristos 
#ifdef KRB5
/*
 * Kerberos 5 support.  In auth_krb5() 'client' and the trailing krb5_data *
 * are out-parameters (pointer-to-pointer / pointer); who frees them is not
 * visible from this header -- verify against the implementation.
 */
int	auth_krb5(struct ssh *, krb5_data *auth, char **client, krb5_data *);
int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int	auth_krb5_password(Authctxt *authctxt, const char *password);
/* Releases the krb5_* members of the context (presumably incl. the ticket file). */
void	krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */
169ca32bd8dSchristos 
/* Presumably the entry point of the protocol-2 userauth phase for a connection. */
void	do_authentication2(struct ssh *);

/* Logs an authentication event; the two ints and two strings are defined by the caller. */
void	auth_log(struct ssh *, int, int, const char *, const char *);
/* Does not return (noreturn attribute): presumably terminates the connection. */
void	auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
void	userauth_finish(struct ssh *, int, const char *, const char *);
/* Whether root may log in; the const char * is presumably the method name. */
int	auth_root_allowed(struct ssh *, const char *);

/* Returns the banner text; presumably heap-allocated and owned by the caller -- verify. */
char	*auth2_read_banner(void);
/*
 * AuthenticationMethods handling (see Authctxt.auth_methods).  Return
 * conventions are set by the implementation.
 */
int	 auth2_methods_valid(const char *, int);
int	 auth2_update_methods_lists(Authctxt *, const char *, const char *);
int	 auth2_setup_methods_lists(Authctxt *);
int	 auth2_method_allowed(Authctxt *, const char *, const char *);
182ca32bd8dSchristos 
void	privsep_challenge_enable(void);

/* Challenge/response (keyboard-interactive) driver for a connection. */
int	auth2_challenge(struct ssh *, char *);
void	auth2_challenge_stop(struct ssh *);
/*
 * Same signatures as KbdintDevice.query / KbdintDevice.respond above, so
 * the return conventions documented there apply; presumably the BSD auth
 * device implementation.
 */
int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int	bsdauth_respond(void *, u_int, char **);

/* Policy check (Allow/DenyUsers etc. -- verify) for an existing account. */
int	allowed_user(struct ssh *, struct passwd *);
/*
 * Looks up 'user' and applies the login policy; presumably returns NULL
 * when the user is unknown or not allowed.  Callers should treat its result
 * as the only trusted source of Authctxt.pw.
 */
struct passwd * getpwnamallow(struct ssh *, const char *user);
192ca32bd8dSchristos 
/* Expands an authorized-keys path pattern for 'pw'; the result is presumably heap-allocated -- caller frees. */
char	*expand_authorized_keys(const char *, struct passwd *pw);
char	*authorized_principals_file(struct passwd *);

/* Non-zero return presumably means the key is on the revocation list -- verify. */
int	 auth_key_is_revoked(struct sshkey *);

/* const return: the string is not owned by the caller. */
const char	*auth_get_canonical_hostname(struct ssh *, int);

/*
 * NOTE: HostStatus is not declared in this header; it must come from a
 * header included before auth.h (presumably hostfile.h -- verify).
 */
HostStatus
check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
    const char *, const char *);
203ca32bd8dSchristos 
/* hostkey handling */
/* Accessors for the server's host keys; ownership of the returned keys is not visible here -- presumably not the caller's. */
struct sshkey	*get_hostkey_by_index(int);
struct sshkey	*get_hostkey_public_by_index(int, struct ssh *);
struct sshkey	*get_hostkey_public_by_type(int, int, struct ssh *);
struct sshkey	*get_hostkey_private_by_type(int, int, struct ssh *);
int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
/*
 * Signs data with a host key.  From the types: (u_char **, size_t *) is an
 * output buffer/length pair, (const u_char *, size_t) the input data, and
 * the final const char * is presumably the signature algorithm name.
 */
int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
    u_char **, size_t *, const u_char *, size_t, const char *);
212ca32bd8dSchristos 
/* Key / cert options linkage to auth layer */
/* Applies the options of an accepted key/cert to the connection. */
int	 auth_activate_options(struct ssh *, struct sshauthopt *);
/* Presumably enforces the activated restrictions on the session. */
void	 auth_restrict_session(struct ssh *);
void	 auth_log_authopts(const char *, const struct sshauthopt *, int);
217ffae97bbSchristos 
/* debug messages during authentication */
/* printf-style; the format is compiler-checked -- keep it a literal. */
void	 auth_debug_add(const char *fmt,...)
    __attribute__((format(printf, 1, 2)));
/* Flushes the queued debug messages to the client. */
void	 auth_debug_send(struct ssh *);
void	 auth_debug_reset(void);

void	 disable_forwarding(void);

/*
 * Presumably returns a placeholder passwd entry used when the requested user
 * does not exist, so that the unknown-user path behaves like the real-user
 * path (limits user enumeration) -- verify in the implementation.
 */
struct passwd *fakepw(void);
227ca32bd8dSchristos 
/* auth2-pubkeyfile.c */
/*
 * Parsing and checking of authorized_keys / authorized_principals content.
 * The non-const char * line parameters suggest the lines may be modified in
 * place; the struct sshauthopt ** parameters are out-parameters.
 */
int	 auth_authorise_keyopts(struct passwd *, struct sshauthopt *, int,
    const char *, const char *, const char *);
int	 auth_check_principals_line(char *, const struct sshkey_cert *,
    const char *, struct sshauthopt **);
int	 auth_process_principals(FILE *, const char *,
    const struct sshkey_cert *, struct sshauthopt **);
int	 auth_check_authkey_line(struct passwd *, struct sshkey *,
    char *, const char *, const char *, const char *, struct sshauthopt **);
int	 auth_check_authkeys_file(struct passwd *, FILE *, char *,
    struct sshkey *, const char *, const char *, struct sshauthopt **);
/*
 * Open the per-user key / principals file.  The trailing int is presumably
 * the strict-modes flag -- verify.  A returned FILE * is presumably the
 * caller's to fclose().
 */
FILE	*auth_openkeyfile(const char *, struct passwd *, int);
FILE	*auth_openprincipals(const char *, struct passwd *, int);
241e160b4e8Schristos 
242ca32bd8dSchristos #endif