1 /* $NetBSD: auth2-methods.c,v 1.2 2024/07/08 22:33:43 christos Exp $ */ 2 3 /* 4 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include "includes.h" 20 __RCSID("$NetBSD: auth2-methods.c,v 1.2 2024/07/08 22:33:43 christos Exp $"); 21 22 #include <sys/types.h> 23 24 #include <stdlib.h> 25 #include <string.h> 26 27 #include "log.h" 28 #include "misc.h" 29 #include "servconf.h" 30 #include "xmalloc.h" 31 #include "hostfile.h" 32 #include "auth.h" 33 34 extern ServerOptions options; 35 36 /* 37 * Configuration of enabled authentication methods. Separate from the rest of 38 * auth2-*.c because we want to query it during server configuration validity 39 * checking in the sshd listener process without pulling all the auth code in 40 * too. 
*/

/*
 * "none" is allowed only one time: the flag starts enabled and is cleared by
 * userauth_none() later, so the method cannot be selected again afterwards.
 */
int none_enabled = 1;

/*
 * One configuration record per authentication method.
 *   .name    - the identifier compared against AuthenticationMethods entries
 *              by auth2_methods_valid() below.
 *   .synonym - an alternative name; only methodcfg_pubkey sets one, and
 *              auth2_methods_valid() does not consult it.
 *   .enabled - the option flag for the method; auth2_methods_valid() treats
 *              a NULL pointer or a zero value as "disabled".
 */
struct authmethod_cfg methodcfg_none = {
	.name = "none",
	.synonym = NULL,
	.enabled = &none_enabled,
};
struct authmethod_cfg methodcfg_pubkey = {
	.name = "publickey",
	.synonym = "publickey-hostbound-v00@openssh.com",
	.enabled = &options.pubkey_authentication,
};
#ifdef GSSAPI
struct authmethod_cfg methodcfg_gssapi = {
	.name = "gssapi-with-mic",
	.synonym = NULL,
	.enabled = &options.gss_authentication,
};
#endif
#ifdef KRB5
/*
 * NOTE(review): this record is defined but not listed in authmethod_cfgs[]
 * below, so auth2_methods_valid() rejects "kerberos-2@ssh.com" in an
 * AuthenticationMethods list as unknown -- confirm whether that is intended.
 */
struct authmethod_cfg methodcfg_krb5 = {
	.name = "kerberos-2@ssh.com",
	.synonym = NULL,
	.enabled = &options.kerberos_authentication,
};
#endif
struct authmethod_cfg methodcfg_passwd = {
	.name = "password",
	.synonym = NULL,
	.enabled = &options.password_authentication,
};
struct authmethod_cfg methodcfg_kbdint = {
	.name = "keyboard-interactive",
	.synonym = NULL,
	.enabled = &options.kbd_interactive_authentication,
};
struct authmethod_cfg methodcfg_hostbased = {
	.name = "hostbased",
	.synonym = NULL,
	.enabled = &options.hostbased_authentication,
};

/*
 * NULL-terminated table of every method that may appear in an
 * AuthenticationMethods list; auth2_methods_valid() searches it in order.
 */
static struct authmethod_cfg *authmethod_cfgs[] = {
	&methodcfg_none,
	&methodcfg_pubkey,
#ifdef GSSAPI
	&methodcfg_gssapi,
#endif
	&methodcfg_passwd,
	&methodcfg_kbdint,
	&methodcfg_hostbased,
	NULL,
};

/*
 * Check a comma-separated list of methods for validity. If need_enable is
 * non-zero, then also require that the methods are enabled.
 * Returns 0 on success or -1 if the methods list is invalid.
*/
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *list, *cursor, *name, *sep;
	const struct authmethod_cfg *cfg, *match;
	size_t i;
	int ret = -1;

	/* An empty list is never acceptable; report it before copying. */
	if (*_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	/* strsep() advances cursor; list keeps the original pointer for free(). */
	cursor = list = xstrdup(_methods);
	while ((name = strsep(&cursor, ",")) != NULL) {
		/*
		 * Everything from the first ':' onwards is cut off before
		 * matching, so a "method:qualifier" entry is checked by its
		 * method part only; the qualifier (presumably a submethod
		 * selector, handled elsewhere) is not validated here. An
		 * empty entry, e.g. from a trailing comma, matches no
		 * record and is rejected as unknown.
		 */
		if ((sep = strchr(name, ':')) != NULL)
			*sep = '\0';
		match = NULL;
		for (i = 0; authmethod_cfgs[i] != NULL; i++) {
			cfg = authmethod_cfgs[i];
			if (strcmp(name, cfg->name) == 0) {
				match = cfg;
				break;
			}
		}
		if (match == NULL) {
			error("Unknown authentication method \"%s\" in list",
			    name);
			goto out;
		}
		/*
		 * When the caller asks for enabled methods only, a record
		 * with no enabled flag or a zero flag fails the check.
		 */
		if (need_enable &&
		    (match->enabled == NULL || *(match->enabled) == 0)) {
			error("Disabled method \"%s\" in "
			    "AuthenticationMethods list \"%s\"",
			    name, _methods);
			goto out;
		}
	}
	ret = 0;
 out:
	free(list);
	return ret;
}