crypto/openssh-3.9p1/auth1.c

   1 /*
   2  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   3  *                    All rights reserved
   4  *
   5  * As far as I am concerned, the code I have written for this software
   6  * can be used freely for any purpose.  Any derived versions of this
   7  * software must be clearly marked as such, and if the derived work is
   8  * incompatible with the protocol description in the RFC file, it must be
   9  * called by a name other than "ssh" or "Secure Shell".
  10  */
  11
  12 #include "includes.h"
  13 RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
  14
  15 #include "xmalloc.h"
  16 #include "rsa.h"
  17 #include "ssh1.h"
  18 #include "packet.h"
  19 #include "buffer.h"
  20 #include "log.h"
  21 #include "servconf.h"
  22 #include "compat.h"
  23 #include "auth.h"
  24 #include "channels.h"
  25 #include "session.h"
  26 #include "uidswap.h"
  27 #include "monitor_wrap.h"
  28
  29 /* import */
  30 extern ServerOptions options;
  31
  32 /*
  33  * convert ssh auth msg type into description
  34  */
  35 static char *
  36 get_authname(int type)
  37 {
  38         static char buf[1024];
  39         switch (type) {
  40         case SSH_CMSG_AUTH_PASSWORD:
  41                 return "password";
  42         case SSH_CMSG_AUTH_RSA:
  43                 return "rsa";
  44         case SSH_CMSG_AUTH_RHOSTS_RSA:
  45                 return "rhosts-rsa";
  46         case SSH_CMSG_AUTH_RHOSTS:
  47                 return "rhosts";
  48         case SSH_CMSG_AUTH_TIS:
  49         case SSH_CMSG_AUTH_TIS_RESPONSE:
  50                 return "challenge-response";
  51         }
  52         snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
  53         return buf;
  54 }
  55
  56 /*
  57  * read packets, try to authenticate the user and
  58  * return only if authentication is successful
  59  */
  60 static void
  61 do_authloop(Authctxt *authctxt)
  62 {
  63         int authenticated = 0;
  64         u_int bits;
  65         Key *client_host_key;
  66         BIGNUM *n;
  67         char *client_user, *password;
  68         char info[1024];
  69         u_int dlen;
  70         u_int ulen;
  71         int prev, type = 0;
  72
  73         debug("Attempting authentication for %s%.100s.",
  74             authctxt->valid ? "" : "invalid user ", authctxt->user);
  75
  76         /* If the user has no password, accept authentication immediately. */
  77         if (options.password_authentication &&
  78 #ifdef KRB5
  79             (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
  80 #endif
  81             PRIVSEP(auth_password(authctxt, ""))) {
  82 #ifdef USE_PAM
  83                 if (options.use_pam && (PRIVSEP(do_pam_account())))
  84 #endif
  85                 {
  86                         auth_log(authctxt, 1, "without authentication", "");
  87                         return;
  88                 }
  89         }
  90
  91         /* Indicate that authentication is needed. */
  92         packet_start(SSH_SMSG_FAILURE);
  93         packet_send();
  94         packet_write_wait();
  95
  96         client_user = NULL;
  97
  98         for (;;) {
  99                 /* default to fail */
 100                 authenticated = 0;
 101
 102                 info[0] = '\0';
 103
 104                 /* Get a packet from the client. */
 105                 prev = type;
 106                 type = packet_read();
 107
 108                 /*
 109                  * If we started challenge-response authentication but the
 110                  * next packet is not a response to our challenge, release
 111                  * the resources allocated by get_challenge() (which would
 112                  * normally have been released by verify_response() had we
 113                  * received such a response)
 114                  */
 115                 if (prev == SSH_CMSG_AUTH_TIS &&
 116                     type != SSH_CMSG_AUTH_TIS_RESPONSE)
 117                         abandon_challenge_response(authctxt);
 118
 119                 /* Process the packet. */
 120                 switch (type) {
 121                 case SSH_CMSG_AUTH_RHOSTS_RSA:
 122                         if (!options.rhosts_rsa_authentication) {
 123                                 verbose("Rhosts with RSA authentication disabled.");
 124                                 break;
 125                         }
 126                         /*
 127                          * Get client user name.  Note that we just have to
 128                          * trust the client; root on the client machine can
 129                          * claim to be any user.
 130                          */
 131                         client_user = packet_get_string(&ulen);
 132
 133                         /* Get the client host key. */
 134                         client_host_key = key_new(KEY_RSA1);
 135                         bits = packet_get_int();
 136                         packet_get_bignum(client_host_key->rsa->e);
 137                         packet_get_bignum(client_host_key->rsa->n);
 138
 139                         if (bits != BN_num_bits(client_host_key->rsa->n))
 140                                 verbose("Warning: keysize mismatch for client_host_key: "
 141                                     "actual %d, announced %d",
 142                                     BN_num_bits(client_host_key->rsa->n), bits);
 143                         packet_check_eom();
 144
 145                         authenticated = auth_rhosts_rsa(authctxt, client_user,
 146                             client_host_key);
 147                         key_free(client_host_key);
 148
 149                         snprintf(info, sizeof info, " ruser %.100s", client_user);
 150                         break;
 151
 152                 case SSH_CMSG_AUTH_RSA:
 153                         if (!options.rsa_authentication) {
 154                                 verbose("RSA authentication disabled.");
 155                                 break;
 156                         }
 157                         /* RSA authentication requested. */
 158                         if ((n = BN_new()) == NULL)
 159                                 fatal("do_authloop: BN_new failed");
 160                         packet_get_bignum(n);
 161                         packet_check_eom();
 162                         authenticated = auth_rsa(authctxt, n);
 163                         BN_clear_free(n);
 164                         break;
 165
 166                 case SSH_CMSG_AUTH_PASSWORD:
 167                         if (!options.password_authentication) {
 168                                 verbose("Password authentication disabled.");
 169                                 break;
 170                         }
 171                         /*
 172                          * Read user password.  It is in plain text, but was
 173                          * transmitted over the encrypted channel so it is
 174                          * not visible to an outside observer.
 175                          */
 176                         password = packet_get_string(&dlen);
 177                         packet_check_eom();
 178
 179                         /* Try authentication with the password. */
 180                         authenticated = PRIVSEP(auth_password(authctxt, password));
 181
 182                         memset(password, 0, strlen(password));
 183                         xfree(password);
 184                         break;
 185
 186                 case SSH_CMSG_AUTH_TIS:
 187                         debug("rcvd SSH_CMSG_AUTH_TIS");
 188                         if (options.challenge_response_authentication == 1) {
 189                                 char *challenge = get_challenge(authctxt);
 190                                 if (challenge != NULL) {
 191                                         debug("sending challenge '%s'", challenge);
 192                                         packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
 193                                         packet_put_cstring(challenge);
 194                                         xfree(challenge);
 195                                         packet_send();
 196                                         packet_write_wait();
 197                                         continue;
 198                                 }
 199                         }
 200                         break;
 201                 case SSH_CMSG_AUTH_TIS_RESPONSE:
 202                         debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
 203                         if (options.challenge_response_authentication == 1) {
 204                                 char *response = packet_get_string(&dlen);
 205                                 packet_check_eom();
 206                                 authenticated = verify_response(authctxt, response);
 207                                 memset(response, 'r', dlen);
 208                                 xfree(response);
 209                         }
 210                         break;
 211
 212                 default:
 213                         /*
 214                          * Any unknown messages will be ignored (and failure
 215                          * returned) during authentication.
 216                          */
 217                         logit("Unknown message during authentication: type %d", type);
 218                         break;
 219                 }
 220 #ifdef BSD_AUTH
 221                 if (authctxt->as) {
 222                         auth_close(authctxt->as);
 223                         authctxt->as = NULL;
 224                 }
 225 #endif
 226                 if (!authctxt->valid && authenticated)
 227                         fatal("INTERNAL ERROR: authenticated invalid user %s",
 228                             authctxt->user);
 229
 230 #ifdef _UNICOS
 231                 if (authenticated && cray_access_denied(authctxt->user)) {
 232                         authenticated = 0;
 233                         fatal("Access denied for user %s.",authctxt->user);
 234                 }
 235 #endif /* _UNICOS */
 236
 237 #ifdef HAVE_CYGWIN
 238                 if (authenticated &&
 239                     !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
 240                     authctxt->pw)) {
 241                         packet_disconnect("Authentication rejected for uid %d.",
 242                             authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
 243                         authenticated = 0;
 244                 }
 245 #else
 246                 /* Special handling for root */
 247                 if (authenticated && authctxt->pw->pw_uid == 0 &&
 248                     !auth_root_allowed(get_authname(type)))
 249                         authenticated = 0;
 250 #endif
 251
 252 #ifdef USE_PAM
 253                 if (options.use_pam && authenticated &&
 254                     !PRIVSEP(do_pam_account()))
 255                         authenticated = 0;
 256 #endif
 257
 258                 /* Log before sending the reply */
 259                 auth_log(authctxt, authenticated, get_authname(type), info);
 260
 261                 if (client_user != NULL) {
 262                         xfree(client_user);
 263                         client_user = NULL;
 264                 }
 265
 266                 if (authenticated)
 267                         return;
 268
 269                 if (authctxt->failures++ > options.max_authtries)
 270                         packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 271
 272                 packet_start(SSH_SMSG_FAILURE);
 273                 packet_send();
 274                 packet_write_wait();
 275         }
 276 }
 277
 278 /*
 279  * Performs authentication of an incoming connection.  Session key has already
 280  * been exchanged and encryption is enabled.
 281  */
 282 void
 283 do_authentication(Authctxt *authctxt)
 284 {
 285         u_int ulen;
 286         char *user, *style = NULL;
 287
 288         /* Get the name of the user that we wish to log in as. */
 289         packet_read_expect(SSH_CMSG_USER);
 290
 291         /* Get the user name. */
 292         user = packet_get_string(&ulen);
 293         packet_check_eom();
 294
 295         if ((style = strchr(user, ':')) != NULL)
 296                 *style++ = '\0';
 297
 298         authctxt->user = user;
 299         authctxt->style = style;
 300
 301         /* Verify that the user is a valid user. */
 302         if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
 303                 authctxt->valid = 1;
 304         else {
 305                 debug("do_authentication: invalid user %s", user);
 306                 authctxt->pw = fakepw();
 307         }
 308
 309         setproctitle("%s%s", authctxt->valid ? user : "unknown",
 310             use_privsep ? " [net]" : "");
 311
 312 #ifdef USE_PAM
 313         if (options.use_pam)
 314                 PRIVSEP(start_pam(authctxt));
 315 #endif
 316
 317         /*
 318          * If we are not running as root, the user must have the same uid as
 319          * the server. (Unless you are running Windows)
 320          */
 321 #ifndef HAVE_CYGWIN
 322         if (!use_privsep && getuid() != 0 && authctxt->pw &&
 323             authctxt->pw->pw_uid != getuid())
 324                 packet_disconnect("Cannot change user when server not running as root.");
 325 #endif
 326
 327         /*
 328          * Loop until the user has been authenticated or the connection is
 329          * closed, do_authloop() returns only if authentication is successful
 330          */
 331         do_authloop(authctxt);
 332
 333         /* The user has been authenticated and accepted. */
 334         packet_start(SSH_SMSG_SUCCESS);
 335         packet_send();
 336         packet_write_wait();
 337 }