Mercurial > dropbear
annotate svr-auth.c @ 1802:19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sat, 06 Mar 2021 22:58:57 +0800 |
parents | 8dc43b30c6bf |
children |
rev | line source |
---|---|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 /* |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Dropbear - a SSH2 server |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 * Copyright (c) 2002,2003 Matt Johnston |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 * All rights reserved. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 * of this software and associated documentation files (the "Software"), to deal |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 * in the Software without restriction, including without limitation the rights |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 * copies of the Software, and to permit persons to whom the Software is |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 * furnished to do so, subject to the following conditions: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 * The above copyright notice and this permission notice shall be included in |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 * all copies or substantial portions of the Software. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 * SOFTWARE. */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
24 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
25 /* This file (auth.c) handles authentication requests, passing it to the |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
26 * particular type (auth-passwd, auth-pubkey). */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
27 |
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
28 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
29 #include "includes.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
30 #include "dbutil.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
31 #include "session.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
32 #include "buffer.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
33 #include "ssh.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
34 #include "packet.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
35 #include "auth.h" |
24 | 36 #include "runopts.h" |
858
220f55d540ae
rename random.h to dbrandom.h since some OSes have a system random.h
Matt Johnston <matt@ucc.asn.au>
parents:
852
diff
changeset
|
37 #include "dbrandom.h" |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
38 |
1538
f20038b513a5
more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents:
1537
diff
changeset
|
39 static int checkusername(const char *username, unsigned int userlen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
40 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
41 /* initialise the first time for a session, resetting all parameters */ |
33 | 42 void svr_authinitialise() { |
43 memset(&ses.authstate, 0, sizeof(ses.authstate)); | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
44 #if DROPBEAR_SVR_PUBKEY_AUTH |
33 | 45 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
46 #endif |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
47 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH |
35
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
48 if (!svr_opts.noauthpass) { |
33 | 49 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
50 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
51 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
52 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
53 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
54 /* Send a banner message if specified to the client. The client might |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 * ignore this, but possibly serves as a legal "no trespassing" sign */ |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1442
diff
changeset
|
56 void send_msg_userauth_banner(const buffer *banner) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
57 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
58 TRACE(("enter send_msg_userauth_banner")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); |
835
4095b6d7c9fc
Merge in changes from the past couple of releases
Matt Johnston <matt@ucc.asn.au>
diff
changeset
|
63 buf_putbufstring(ses.writepayload, banner); |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
64 buf_putstring(ses.writepayload, "en", 2); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
65 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 encrypt_packet(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
68 TRACE(("leave send_msg_userauth_banner")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
71 /* handle a userauth request, check validity, pass to password or pubkey |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 * checking, and handle success or failure */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
73 void recv_msg_userauth_request() { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
74 |
1100
7b84c3492a95
Turn username, servicename and methodname local variables into char *
Gaël PORTAY <gael.portay@gmail.com>
parents:
1094
diff
changeset
|
75 char *username = NULL, *servicename = NULL, *methodname = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
76 unsigned int userlen, servicelen, methodlen; |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
77 int valid_user = 0; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
78 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
79 TRACE(("enter recv_msg_userauth_request")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
80 |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
81 /* for compensating failure delay */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
82 gettime_wrapper(&ses.authstate.auth_starttime); |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
83 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
84 /* ignore packets if auth is already done */ |
33 | 85 if (ses.authstate.authdone == 1) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
86 TRACE(("leave recv_msg_userauth_request: authdone already")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
87 return; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
88 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
89 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
90 /* send the banner if it exists, it will only exist once */ |
24 | 91 if (svr_opts.banner) { |
818
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
92 send_msg_userauth_banner(svr_opts.banner); |
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
93 buf_free(svr_opts.banner); |
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
94 svr_opts.banner = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
95 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
96 |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
97 username = buf_getstring(ses.payload, &userlen); |
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
98 servicename = buf_getstring(ses.payload, &servicelen); |
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
99 methodname = buf_getstring(ses.payload, &methodlen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
100 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
101 /* only handle 'ssh-connection' currently */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
102 if (servicelen != SSH_SERVICE_CONNECTION_LEN |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
103 && (strncmp(servicename, SSH_SERVICE_CONNECTION, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
104 SSH_SERVICE_CONNECTION_LEN) != 0)) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
105 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
106 /* TODO - disconnect here */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
107 m_free(username); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
108 m_free(servicename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
109 m_free(methodname); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
110 dropbear_exit("unknown service in auth"); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
111 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
112 |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
113 /* check username is good before continuing. |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
114 * the 'incrfail' varies depending on the auth method to |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
115 * avoid giving away which users exist on the system through |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
116 * the time delay. */ |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
117 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
118 valid_user = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
119 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
120 |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
121 /* user wants to know what methods are supported */ |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
122 if (methodlen == AUTH_METHOD_NONE_LEN && |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
123 strncmp(methodname, AUTH_METHOD_NONE, |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
124 AUTH_METHOD_NONE_LEN) == 0) { |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
125 TRACE(("recv_msg_userauth_request: 'none' request")) |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
126 if (valid_user |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
127 && svr_opts.allowblankpass |
692
c58a15983808
Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents:
678
diff
changeset
|
128 && !svr_opts.noauthpass |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
129 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) |
677
55b84e59aaad
Fix empty password immediate login
Matt Johnston <matt@ucc.asn.au>
parents:
676
diff
changeset
|
130 && ses.authstate.pw_passwd[0] == '\0') |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
131 { |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
132 dropbear_log(LOG_NOTICE, |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
133 "Auth succeeded with blank password for '%s' from %s", |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
134 ses.authstate.pw_name, |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
135 svr_ses.addrstring); |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
136 send_msg_userauth_success(); |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
137 goto out; |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
138 } |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
139 else |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
140 { |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
141 /* 'none' has no failure delay */ |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
142 send_msg_userauth_failure(0, 0); |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
143 goto out; |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
144 } |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
145 } |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
146 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
147 #if DROPBEAR_SVR_PASSWORD_AUTH |
24 | 148 if (!svr_opts.noauthpass && |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
149 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
150 /* user wants to try password auth */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
151 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
152 strncmp(methodname, AUTH_METHOD_PASSWORD, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
153 AUTH_METHOD_PASSWORD_LEN) == 0) { |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
154 svr_auth_password(valid_user); |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
155 goto out; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
156 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
157 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
158 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
159 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
160 #if DROPBEAR_SVR_PAM_AUTH |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
161 if (!svr_opts.noauthpass && |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
162 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
163 /* user wants to try password auth */ |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
164 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
165 strncmp(methodname, AUTH_METHOD_PASSWORD, |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
166 AUTH_METHOD_PASSWORD_LEN) == 0) { |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
167 svr_auth_pam(valid_user); |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
168 goto out; |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
169 } |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
170 } |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
171 #endif |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
172 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
173 #if DROPBEAR_SVR_PUBKEY_AUTH |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
174 /* user wants to try pubkey auth */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
175 if (methodlen == AUTH_METHOD_PUBKEY_LEN && |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
176 strncmp(methodname, AUTH_METHOD_PUBKEY, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
177 AUTH_METHOD_PUBKEY_LEN) == 0) { |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
178 svr_auth_pubkey(valid_user); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
179 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
180 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
181 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
182 |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
183 /* nothing matched, we just fail with a delay */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
184 send_msg_userauth_failure(0, 1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
185 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
186 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
187 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
188 m_free(username); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
189 m_free(servicename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
190 m_free(methodname); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
191 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
192 |
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
193 #ifdef HAVE_GETGROUPLIST |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
194 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
195 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
196 int ngroups, i, ret; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
197 gid_t *grouplist = NULL; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
198 int match = DROPBEAR_FAILURE; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
199 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
200 for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
201 grouplist = m_malloc(sizeof(gid_t) * ngroups); |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
202 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
203 /* BSD returns ret==0 on success. Linux returns ret==ngroups on success */ |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
204 ret = getgrouplist(username, user_gid, grouplist, &ngroups); |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
205 if (ret >= 0) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
206 break; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
207 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
208 m_free(grouplist); |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
209 grouplist = NULL; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
210 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
211 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
212 if (!grouplist) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
213 dropbear_log(LOG_ERR, "Too many groups for user '%s'", username); |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
214 return DROPBEAR_FAILURE; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
215 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
216 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
217 for (i = 0; i < ngroups; i++) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
218 if (grouplist[i] == check_gid) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
219 match = DROPBEAR_SUCCESS; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
220 break; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
221 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
222 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
223 m_free(grouplist); |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
224 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
225 return match; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
226 } |
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
227 #endif |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
228 |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
229 /* Check that the username exists and isn't disallowed (root), and has a valid shell. |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
230 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ |
1538
f20038b513a5
more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents:
1537
diff
changeset
|
231 static int checkusername(const char *username, unsigned int userlen) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
232 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
233 char* listshell = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
234 char* usershell = NULL; |
852
7540c0822374
Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents:
835
diff
changeset
|
235 uid_t uid; |
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
236 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
237 TRACE(("enter checkusername")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
238 if (userlen > MAX_USERNAME_LEN) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
239 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
240 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
241 |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
242 if (strlen(username) != userlen) { |
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
243 dropbear_exit("Attempted username with a null byte"); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
244 } |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
245 |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
246 if (ses.authstate.username == NULL) { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
247 /* first request */ |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
248 fill_passwd(username); |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
249 ses.authstate.username = m_strdup(username); |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
250 } else { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
251 /* check username hasn't changed */ |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
252 if (strcmp(username, ses.authstate.username) != 0) { |
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
253 dropbear_exit("Client trying multiple usernames"); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
254 } |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
255 } |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
256 |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
257 /* avoids cluttering logs with repeated failure messages from |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
258 consecutive authentication requests in a sesssion */ |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
259 if (ses.authstate.checkusername_failed) { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
260 TRACE(("checkusername: returning cached failure")) |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
261 return DROPBEAR_FAILURE; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
262 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
263 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
264 /* check that user exists */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
265 if (!ses.authstate.pw_name) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
266 TRACE(("leave checkusername: user '%s' doesn't exist", username)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
267 dropbear_log(LOG_WARNING, |
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
268 "Login attempt for nonexistent user"); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
269 ses.authstate.checkusername_failed = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
270 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
271 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
272 |
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
273 /* check if we are running as non-root, and login user is different from the server */ |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
274 uid = geteuid(); |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1622
diff
changeset
|
275 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { |
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
276 TRACE(("running as nonroot, only server uid is allowed")) |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
277 dropbear_log(LOG_WARNING, |
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
278 "Login attempt with wrong user %s", |
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
279 ses.authstate.pw_name); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
280 ses.authstate.checkusername_failed = 1; |
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
281 return DROPBEAR_FAILURE; |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
282 } |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
283 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
284 /* check for non-root if desired */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
285 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
286 TRACE(("leave checkusername: root login disabled")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
287 dropbear_log(LOG_WARNING, "root login rejected"); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
288 ses.authstate.checkusername_failed = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
289 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
290 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
291 |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
292 /* check for login restricted to certain group if desired */ |
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
293 #ifdef HAVE_GETGROUPLIST |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
294 if (svr_opts.restrict_group) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
295 if (check_group_membership(svr_opts.restrict_group_gid, |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
296 ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
297 dropbear_log(LOG_WARNING, |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
298 "Logins are restricted to the group %s but user '%s' is not a member", |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
299 svr_opts.restrict_group, ses.authstate.pw_name); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
300 ses.authstate.checkusername_failed = 1; |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
301 return DROPBEAR_FAILURE; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
302 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
303 } |
1560
f5026f7486de
fix #endif (#59)
François Perrad <francois.perrad@gadz.org>
parents:
1551
diff
changeset
|
304 #endif /* HAVE_GETGROUPLIST */ |
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
305 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
306 TRACE(("shell is %s", ses.authstate.pw_shell)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
307 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
308 /* check that the shell is set */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
309 usershell = ses.authstate.pw_shell; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
310 if (usershell[0] == '\0') { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
311 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
312 usershell = "/bin/sh"; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
313 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
314 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
315 /* check the shell is valid. If /etc/shells doesn't exist, getusershell() |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
316 * should return some standard shells like "/bin/sh" and "/bin/csh" (this |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
317 * is platform-specific) */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
318 setusershell(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
319 while ((listshell = getusershell()) != NULL) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
320 TRACE(("test shell is '%s'", listshell)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
321 if (strcmp(listshell, usershell) == 0) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
322 /* have a match */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
323 goto goodshell; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
324 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
325 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
326 /* no matching shell */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
327 endusershell(); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
328 TRACE(("no matching shell")) |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
329 ses.authstate.checkusername_failed = 1; |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
573
diff
changeset
|
330 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
331 ses.authstate.pw_name); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
332 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
333 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
334 goodshell: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
335 endusershell(); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
336 TRACE(("matching shell")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
337 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
338 TRACE(("uid = %d", ses.authstate.pw_uid)) |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
339 TRACE(("leave checkusername")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
340 return DROPBEAR_SUCCESS; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
341 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
342 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
343 /* Send a failure message to the client, in responds to a userauth_request. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
344 * Partial indicates whether to set the "partial success" flag, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
345 * incrfail is whether to count this failure in the failure count (which |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
346 * is limited. This function also handles disconnection after too many |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
347 * failures */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
348 void send_msg_userauth_failure(int partial, int incrfail) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
349 |
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
350 buffer *typebuf = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
351 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
352 TRACE(("enter send_msg_userauth_failure")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
353 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
354 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
355 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
356 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
357 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
358 /* put a list of allowed types */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
359 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
360 |
33 | 361 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { |
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
940
diff
changeset
|
362 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); |
33 | 363 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
364 buf_putbyte(typebuf, ','); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
365 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
366 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
367 |
33 | 368 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
940
diff
changeset
|
369 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
370 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
371 |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
372 buf_putbufstring(ses.writepayload, typebuf); |
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
373 |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
374 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes, |
762
a78a38e402d1
- Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents:
761
diff
changeset
|
375 typebuf->len, typebuf->data)) |
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
376 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
377 buf_free(typebuf); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
378 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
379 buf_putbyte(ses.writepayload, partial ? 1 : 0); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
380 encrypt_packet(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
381 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
382 if (incrfail) { |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
383 /* The SSH_MSG_AUTH_FAILURE response is delayed to attempt to |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
384 avoid user enumeration and slow brute force attempts. |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
385 The delay is adjusted by the time already spent in processing |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
386 authentication (ses.authstate.auth_starttime timestamp). */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
387 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
388 /* Desired total delay 300ms +-50ms (in nanoseconds). |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
389 Beware of integer overflow if increasing these values */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
390 const unsigned int mindelay = 250000000; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
391 const unsigned int vardelay = 100000000; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
392 unsigned int rand_delay; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
393 struct timespec delay; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
394 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
395 gettime_wrapper(&delay); |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
396 delay.tv_sec -= ses.authstate.auth_starttime.tv_sec; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
397 delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
398 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
399 /* carry */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
400 if (delay.tv_nsec < 0) { |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
401 delay.tv_nsec += 1000000000; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
402 delay.tv_sec -= 1; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
403 } |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
404 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
405 genrandom((unsigned char*)&rand_delay, sizeof(rand_delay)); |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
406 rand_delay = mindelay + (rand_delay % vardelay); |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
407 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
408 if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) { |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
409 /* Compensate for elapsed time */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
410 delay.tv_nsec = rand_delay - delay.tv_nsec; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
411 } else { |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
412 /* No time left or time went backwards, just delay anyway */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
413 delay.tv_sec = 0; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
414 delay.tv_nsec = rand_delay; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
415 } |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
416 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
417 |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1557
diff
changeset
|
418 #if DROPBEAR_FUZZ |
1561
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
419 if (!fuzz.fuzzing) |
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
420 #endif |
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
421 { |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
422 while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ } |
1347
b28624698130
copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
423 } |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
424 |
33 | 425 ses.authstate.failcount++; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
426 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
427 |
1442
517c67cbcd31
dropbear server: support -T max auth tries
Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
parents:
1295
diff
changeset
|
428 if (ses.authstate.failcount >= svr_opts.maxauthtries) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
429 char * userstr; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
430 /* XXX - send disconnect ? */ |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
431 TRACE(("Max auth tries reached, exiting")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
432 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
433 if (ses.authstate.pw_name == NULL) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
434 userstr = "is invalid"; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
435 } else { |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
436 userstr = ses.authstate.pw_name; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
437 } |
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
438 dropbear_exit("Max auth tries reached - user '%s'", |
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
439 userstr); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
440 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
441 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
442 TRACE(("leave send_msg_userauth_failure")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
443 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
444 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
445 /* Send a success message to the user, and set the "authdone" flag */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
446 void send_msg_userauth_success() { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
447 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
448 TRACE(("enter send_msg_userauth_success")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
449 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
450 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
451 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
452 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
453 encrypt_packet(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
454 |
501
d58c478bd399
Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
483
diff
changeset
|
455 /* authdone must be set after encrypt_packet() for |
d58c478bd399
Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
483
diff
changeset
|
456 * delayed-zlib mode */ |
33 | 457 ses.authstate.authdone = 1; |
1139
43a8ea69b24c
Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents:
1122
diff
changeset
|
458 ses.connect_time = 0; |
43a8ea69b24c
Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents:
1122
diff
changeset
|
459 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
460 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
461 if (ses.authstate.pw_uid == 0) { |
21
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
462 ses.allowprivport = 1; |
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
463 } |
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
464 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
465 /* Remove from the list of pre-auth sockets. Should be m_close(), since if |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
466 * we fail, we might end up leaking connection slots, and disallow new |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
467 * logins - a nasty situation. */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
468 m_close(svr_ses.childpipe); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
469 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
470 TRACE(("leave send_msg_userauth_success")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
471 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
472 } |