1 /* $NetBSD: auth2.c,v 1.5 2011/09/07 17:49:19 christos Exp $ */ 2 /* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */ 3 /* 4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 __RCSID("$NetBSD: auth2.c,v 1.5 2011/09/07 17:49:19 christos Exp $"); 29 #include <sys/types.h> 30 #include <sys/stat.h> 31 #include <sys/uio.h> 32 33 #include <fcntl.h> 34 #include <pwd.h> 35 #include <stdarg.h> 36 #include <string.h> 37 #include <unistd.h> 38 39 #include "atomicio.h" 40 #include "xmalloc.h" 41 #include "ssh2.h" 42 #include "packet.h" 43 #include "log.h" 44 #include "buffer.h" 45 #include "servconf.h" 46 #include "compat.h" 47 #include "key.h" 48 #include "hostfile.h" 49 #include "auth.h" 50 #include "dispatch.h" 51 #include "pathnames.h" 52 #include "buffer.h" 53 #include "canohost.h" 54 55 #ifdef GSSAPI 56 #include "ssh-gss.h" 57 #endif 58 59 #include "monitor_wrap.h" 60 61 /* import */ 62 extern ServerOptions options; 63 extern u_char *session_id2; 64 extern u_int session_id2_len; 65 extern Buffer loginmsg; 66 67 /* methods */ 68 69 extern Authmethod method_none; 70 extern Authmethod method_pubkey; 71 extern Authmethod method_passwd; 72 extern Authmethod method_kbdint; 73 extern Authmethod method_hostbased; 74 #ifdef KRB5 75 extern Authmethod method_kerberos; 76 #endif 77 #ifdef GSSAPI 78 extern Authmethod method_gssapi; 79 #endif 80 #ifdef JPAKE 81 extern Authmethod method_jpake; 82 #endif 83 84 static int log_flag = 0; 85 86 Authmethod *authmethods[] = { 87 &method_none, 88 &method_pubkey, 89 #ifdef GSSAPI 90 &method_gssapi, 91 #endif 92 #ifdef JPAKE 93 &method_jpake, 94 #endif 95 &method_passwd, 96 &method_kbdint, 97 &method_hostbased, 98 #ifdef KRB5 99 &method_kerberos, 100 #endif 101 NULL 102 }; 103 104 /* protocol */ 105 106 static void input_service_request(int, u_int32_t, void *); 107 static void input_userauth_request(int, u_int32_t, void *); 108 109 /* helper */ 110 static Authmethod *authmethod_lookup(const char *); 111 static char *authmethods_get(void); 112 113 char * 114 auth2_read_banner(void) 115 { 116 struct stat st; 117 char *banner = NULL; 118 size_t len, n; 119 int fd; 120 121 if ((fd = open(options.banner, O_RDONLY)) == -1) 122 return (NULL); 123 if (fstat(fd, &st) == -1) { 124 close(fd); 125 return (NULL); 126 } 127 if (st.st_size > 1*1024*1024) { 128 close(fd); 129 return (NULL); 130 } 131 132 len = (size_t)st.st_size; /* truncate */ 133 banner = xmalloc(len + 1); 134 n = atomicio(read, fd, banner, len); 135 close(fd); 136 137 if (n != len) { 138 xfree(banner); 139 return (NULL); 140 } 141 banner[n] = '\0'; 142 143 return (banner); 144 } 145 146 void 147 userauth_send_banner(const char *msg) 148 { 149 if (datafellows & SSH_BUG_BANNER) 150 return; 151 152 packet_start(SSH2_MSG_USERAUTH_BANNER); 153 packet_put_cstring(msg); 154 packet_put_cstring(""); /* language, unused */ 155 packet_send(); 156 debug("%s: sent", __func__); 157 } 158 159 static void 160 userauth_banner(void) 161 { 162 char *banner = NULL; 163 164 if (options.banner == NULL || 165 strcasecmp(options.banner, "none") == 0 || 166 (datafellows & SSH_BUG_BANNER) != 0) 167 return; 168 169 if ((banner = PRIVSEP(auth2_read_banner())) == NULL) 170 goto done; 171 172 userauth_send_banner(banner); 173 done: 174 if (banner) 175 xfree(banner); 176 } 177 178 /* 179 * loop until authctxt->success == TRUE 180 */ 181 void 182 do_authentication2(Authctxt *authctxt) 183 { 184 dispatch_init(&dispatch_protocol_error); 185 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 186 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 187 } 188 189 /*ARGSUSED*/ 190 static void 191 input_service_request(int type, u_int32_t seq, void *ctxt) 192 { 193 Authctxt *authctxt = ctxt; 194 u_int len; 195 int acceptit = 0; 196 char *service = packet_get_cstring(&len); 197 packet_check_eom(); 198 199 if (authctxt == NULL) 200 fatal("input_service_request: no authctxt"); 201 202 if (strcmp(service, "ssh-userauth") == 0) { 203 if (!authctxt->success) { 204 acceptit = 1; 205 /* now we can handle user-auth requests */ 206 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 207 } 208 } 209 /* XXX all other service requests are denied */ 210 211 if (acceptit) { 212 packet_start(SSH2_MSG_SERVICE_ACCEPT); 213 packet_put_cstring(service); 214 packet_send(); 215 packet_write_wait(); 216 } else { 217 debug("bad service request %s", service); 218 packet_disconnect("bad service request %s", service); 219 } 220 xfree(service); 221 } 222 223 /*ARGSUSED*/ 224 static void 225 input_userauth_request(int type, u_int32_t seq, void *ctxt) 226 { 227 Authctxt *authctxt = ctxt; 228 Authmethod *m = NULL; 229 char *user, *service, *method, *style = NULL; 230 int authenticated = 0; 231 232 if (authctxt == NULL) 233 fatal("input_userauth_request: no authctxt"); 234 235 user = packet_get_cstring(NULL); 236 service = packet_get_cstring(NULL); 237 method = packet_get_cstring(NULL); 238 debug("userauth-request for user %s service %s method %s", user, service, method); 239 if (!log_flag) { 240 logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", 241 get_remote_ipaddr(), get_remote_port(), user); 242 log_flag = 1; 243 } 244 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 245 246 if ((style = strchr(user, ':')) != NULL) 247 *style++ = 0; 248 249 if (authctxt->attempt++ == 0) { 250 /* setup auth context */ 251 authctxt->pw = PRIVSEP(getpwnamallow(user)); 252 authctxt->user = xstrdup(user); 253 if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 254 authctxt->valid = 1; 255 debug2("input_userauth_request: setting up authctxt for %s", user); 256 } else { 257 logit("input_userauth_request: invalid user %s", user); 258 authctxt->pw = fakepw(); 259 } 260 #ifdef USE_PAM 261 if (options.use_pam) 262 PRIVSEP(start_pam(authctxt)); 263 #endif 264 setproctitle("%s%s", authctxt->valid ? user : "unknown", 265 use_privsep ? " [net]" : ""); 266 authctxt->service = xstrdup(service); 267 authctxt->style = style ? xstrdup(style) : NULL; 268 if (use_privsep) 269 mm_inform_authserv(service, style); 270 userauth_banner(); 271 } else if (strcmp(user, authctxt->user) != 0 || 272 strcmp(service, authctxt->service) != 0) { 273 packet_disconnect("Change of username or service not allowed: " 274 "(%s,%s) -> (%s,%s)", 275 authctxt->user, authctxt->service, user, service); 276 } 277 /* reset state */ 278 auth2_challenge_stop(authctxt); 279 #ifdef JPAKE 280 auth2_jpake_stop(authctxt); 281 #endif 282 283 #ifdef GSSAPI 284 /* XXX move to auth2_gssapi_stop() */ 285 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 286 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 287 #endif 288 289 authctxt->postponed = 0; 290 authctxt->server_caused_failure = 0; 291 292 /* try to authenticate user */ 293 m = authmethod_lookup(method); 294 if (m != NULL && authctxt->failures < options.max_authtries) { 295 debug2("input_userauth_request: try method %s", method); 296 authenticated = m->userauth(authctxt); 297 } 298 userauth_finish(authctxt, authenticated, method); 299 300 xfree(service); 301 xfree(user); 302 xfree(method); 303 } 304 305 void 306 userauth_finish(Authctxt *authctxt, int authenticated, const char *method) 307 { 308 char *methods; 309 310 if (!authctxt->valid && authenticated) 311 fatal("INTERNAL ERROR: authenticated invalid user %s", 312 authctxt->user); 313 314 /* Special handling for root */ 315 if (authenticated && authctxt->pw->pw_uid == 0 && 316 !auth_root_allowed(method)) { 317 authenticated = 0; 318 #ifdef SSH_AUDIT_EVENTS 319 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); 320 #endif 321 } 322 323 #ifdef USE_PAM 324 if (options.use_pam && authenticated) { 325 if (!PRIVSEP(do_pam_account())) { 326 /* if PAM returned a message, send it to the user */ 327 if (buffer_len(&loginmsg) > 0) { 328 buffer_append(&loginmsg, "\0", 1); 329 userauth_send_banner(buffer_ptr(&loginmsg)); 330 packet_write_wait(); 331 } 332 fatal("Access denied for user %s by PAM account " 333 "configuration", authctxt->user); 334 } 335 } 336 #endif 337 338 /* Log before sending the reply */ 339 auth_log(authctxt, authenticated, method, " ssh2"); 340 341 if (authctxt->postponed) 342 return; 343 344 /* XXX todo: check if multiple auth methods are needed */ 345 if (authenticated == 1) { 346 /* turn off userauth */ 347 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 348 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 349 packet_send(); 350 packet_write_wait(); 351 /* now we can break out */ 352 authctxt->success = 1; 353 } else { 354 /* Allow initial try of "none" auth without failure penalty */ 355 if (!authctxt->server_caused_failure && 356 (authctxt->attempt > 1 || strcmp(method, "none") != 0)) 357 authctxt->failures++; 358 if (authctxt->failures >= options.max_authtries) { 359 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 360 #ifdef SSH_AUDIT_EVENTS 361 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 362 #endif 363 } 364 methods = authmethods_get(); 365 packet_start(SSH2_MSG_USERAUTH_FAILURE); 366 packet_put_cstring(methods); 367 packet_put_char(0); /* XXX partial success, unused */ 368 packet_send(); 369 packet_write_wait(); 370 xfree(methods); 371 } 372 } 373 374 static char * 375 authmethods_get(void) 376 { 377 Buffer b; 378 char *list; 379 int i; 380 381 buffer_init(&b); 382 for (i = 0; authmethods[i] != NULL; i++) { 383 if (strcmp(authmethods[i]->name, "none") == 0) 384 continue; 385 if (authmethods[i]->enabled != NULL && 386 *(authmethods[i]->enabled) != 0) { 387 if (buffer_len(&b) > 0) 388 buffer_append(&b, ",", 1); 389 buffer_append(&b, authmethods[i]->name, 390 strlen(authmethods[i]->name)); 391 } 392 } 393 buffer_append(&b, "\0", 1); 394 list = xstrdup(buffer_ptr(&b)); 395 buffer_free(&b); 396 return list; 397 } 398 399 static Authmethod * 400 authmethod_lookup(const char *name) 401 { 402 int i; 403 404 if (name != NULL) 405 for (i = 0; authmethods[i] != NULL; i++) 406 if (authmethods[i]->enabled != NULL && 407 *(authmethods[i]->enabled) != 0 && 408 strcmp(name, authmethods[i]->name) == 0) 409 return authmethods[i]; 410 debug2("Unrecognized authentication method name: %s", 411 name ? name : "NULL"); 412 return NULL; 413 } 414 415