annotate svr-auth.c @ 1802:19b28d2fbe30

fuzz: handle errors from wrapfd_new_dummy()
author Matt Johnston <matt@ucc.asn.au>
date Sat, 06 Mar 2021 22:58:57 +0800
parents 8dc43b30c6bf
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 * Dropbear - a SSH2 server
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 * Copyright (c) 2002,2003 Matt Johnston
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5 * All rights reserved.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 * of this software and associated documentation files (the "Software"), to deal
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 * in the Software without restriction, including without limitation the rights
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 * copies of the Software, and to permit persons to whom the Software is
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 * furnished to do so, subject to the following conditions:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 * The above copyright notice and this permission notice shall be included in
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 * all copies or substantial portions of the Software.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 * SOFTWARE. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
25 /* This file (auth.c) handles authentication requests, passing it to the
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
26 * particular type (auth-passwd, auth-pubkey). */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
27
1534
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
28
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
29 #include "includes.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 #include "dbutil.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
31 #include "session.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
32 #include "buffer.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
33 #include "ssh.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
34 #include "packet.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
35 #include "auth.h"
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
36 #include "runopts.h"
858
220f55d540ae rename random.h to dbrandom.h since some OSes have a system random.h
Matt Johnston <matt@ucc.asn.au>
parents: 852
diff changeset
37 #include "dbrandom.h"
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
38
1538
f20038b513a5 more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents: 1537
diff changeset
39 static int checkusername(const char *username, unsigned int userlen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
40
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
41 /* initialise the first time for a session, resetting all parameters */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
42 void svr_authinitialise() {
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
43 memset(&ses.authstate, 0, sizeof(ses.authstate));
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
44 #if DROPBEAR_SVR_PUBKEY_AUTH
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
45 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
46 #endif
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
47 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
35
0ad5fb979f42 set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents: 33
diff changeset
48 if (!svr_opts.noauthpass) {
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
49 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
50 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
51 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
52 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
53
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
54 /* Send a banner message if specified to the client. The client might
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55 * ignore this, but possibly serves as a legal "no trespassing" sign */
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1442
diff changeset
56 void send_msg_userauth_banner(const buffer *banner) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
57
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
58 TRACE(("enter send_msg_userauth_banner"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
59
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
60 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
61
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
835
4095b6d7c9fc Merge in changes from the past couple of releases
Matt Johnston <matt@ucc.asn.au>
parents: 801 818
diff changeset
63 buf_putbufstring(ses.writepayload, banner);
1122
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
64 buf_putstring(ses.writepayload, "en", 2);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
65
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
66 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
67
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
68 TRACE(("leave send_msg_userauth_banner"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
69 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
70
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
71 /* handle a userauth request, check validity, pass to password or pubkey
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
72 * checking, and handle success or failure */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
73 void recv_msg_userauth_request() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
74
1100
7b84c3492a95 Turn username, servicename and methodname local variables into char *
Gaël PORTAY <gael.portay@gmail.com>
parents: 1094
diff changeset
75 char *username = NULL, *servicename = NULL, *methodname = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
76 unsigned int userlen, servicelen, methodlen;
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
77 int valid_user = 0;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
78
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
79 TRACE(("enter recv_msg_userauth_request"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
80
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
81 /* for compensating failure delay */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
82 gettime_wrapper(&ses.authstate.auth_starttime);
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
83
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
84 /* ignore packets if auth is already done */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
85 if (ses.authstate.authdone == 1) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
86 TRACE(("leave recv_msg_userauth_request: authdone already"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
87 return;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
88 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
89
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
90 /* send the banner if it exists, it will only exist once */
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
91 if (svr_opts.banner) {
818
8fe36617bf4e Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents: 808
diff changeset
92 send_msg_userauth_banner(svr_opts.banner);
8fe36617bf4e Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents: 808
diff changeset
93 buf_free(svr_opts.banner);
8fe36617bf4e Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents: 808
diff changeset
94 svr_opts.banner = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
95 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
96
1122
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
97 username = buf_getstring(ses.payload, &userlen);
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
98 servicename = buf_getstring(ses.payload, &servicelen);
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
99 methodname = buf_getstring(ses.payload, &methodlen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
100
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
101 /* only handle 'ssh-connection' currently */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
102 if (servicelen != SSH_SERVICE_CONNECTION_LEN
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
103 && (strncmp(servicename, SSH_SERVICE_CONNECTION,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
104 SSH_SERVICE_CONNECTION_LEN) != 0)) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
105
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
106 /* TODO - disconnect here */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
107 m_free(username);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
108 m_free(servicename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
109 m_free(methodname);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
110 dropbear_exit("unknown service in auth");
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
111 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
112
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
113 /* check username is good before continuing.
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
114 * the 'incrfail' varies depending on the auth method to
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
115 * avoid giving away which users exist on the system through
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
116 * the time delay. */
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
117 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
118 valid_user = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
119 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
120
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
121 /* user wants to know what methods are supported */
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
122 if (methodlen == AUTH_METHOD_NONE_LEN &&
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
123 strncmp(methodname, AUTH_METHOD_NONE,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
124 AUTH_METHOD_NONE_LEN) == 0) {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
125 TRACE(("recv_msg_userauth_request: 'none' request"))
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
126 if (valid_user
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
127 && svr_opts.allowblankpass
692
c58a15983808 Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents: 678
diff changeset
128 && !svr_opts.noauthpass
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
129 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
677
55b84e59aaad Fix empty password immediate login
Matt Johnston <matt@ucc.asn.au>
parents: 676
diff changeset
130 && ses.authstate.pw_passwd[0] == '\0')
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
131 {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
132 dropbear_log(LOG_NOTICE,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
133 "Auth succeeded with blank password for '%s' from %s",
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
134 ses.authstate.pw_name,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
135 svr_ses.addrstring);
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
136 send_msg_userauth_success();
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
137 goto out;
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
138 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
139 else
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
140 {
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
141 /* 'none' has no failure delay */
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
142 send_msg_userauth_failure(0, 0);
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
143 goto out;
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
144 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
145 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
146
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
147 #if DROPBEAR_SVR_PASSWORD_AUTH
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
148 if (!svr_opts.noauthpass &&
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
149 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
150 /* user wants to try password auth */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
151 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
152 strncmp(methodname, AUTH_METHOD_PASSWORD,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
153 AUTH_METHOD_PASSWORD_LEN) == 0) {
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
154 svr_auth_password(valid_user);
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
155 goto out;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
156 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
157 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
158 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
159
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
160 #if DROPBEAR_SVR_PAM_AUTH
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
161 if (!svr_opts.noauthpass &&
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
162 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
163 /* user wants to try password auth */
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
164 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
165 strncmp(methodname, AUTH_METHOD_PASSWORD,
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
166 AUTH_METHOD_PASSWORD_LEN) == 0) {
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
167 svr_auth_pam(valid_user);
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
168 goto out;
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
169 }
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
170 }
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
171 #endif
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
172
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
173 #if DROPBEAR_SVR_PUBKEY_AUTH
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
174 /* user wants to try pubkey auth */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
175 if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
176 strncmp(methodname, AUTH_METHOD_PUBKEY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
177 AUTH_METHOD_PUBKEY_LEN) == 0) {
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
178 svr_auth_pubkey(valid_user);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
179 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
180 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
181 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
182
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
183 /* nothing matched, we just fail with a delay */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
184 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
185
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
186 out:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
187
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
188 m_free(username);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
189 m_free(servicename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
190 m_free(methodname);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
191 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
192
1551
1acbdf64088e add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents: 1539
diff changeset
193 #ifdef HAVE_GETGROUPLIST
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
194 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
195 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
196 int ngroups, i, ret;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
197 gid_t *grouplist = NULL;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
198 int match = DROPBEAR_FAILURE;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
199
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
200 for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
201 grouplist = m_malloc(sizeof(gid_t) * ngroups);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
202
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
203 /* BSD returns ret==0 on success. Linux returns ret==ngroups on success */
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
204 ret = getgrouplist(username, user_gid, grouplist, &ngroups);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
205 if (ret >= 0) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
206 break;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
207 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
208 m_free(grouplist);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
209 grouplist = NULL;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
210 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
211
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
212 if (!grouplist) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
213 dropbear_log(LOG_ERR, "Too many groups for user '%s'", username);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
214 return DROPBEAR_FAILURE;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
215 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
216
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
217 for (i = 0; i < ngroups; i++) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
218 if (grouplist[i] == check_gid) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
219 match = DROPBEAR_SUCCESS;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
220 break;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
221 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
222 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
223 m_free(grouplist);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
224
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
225 return match;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
226 }
1551
1acbdf64088e add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents: 1539
diff changeset
227 #endif
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
228
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
229 /* Check that the username exists and isn't disallowed (root), and has a valid shell.
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
230 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
1538
f20038b513a5 more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents: 1537
diff changeset
231 static int checkusername(const char *username, unsigned int userlen) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
232
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
233 char* listshell = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
234 char* usershell = NULL;
852
7540c0822374 Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents: 835
diff changeset
235 uid_t uid;
1534
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
236
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
237 TRACE(("enter checkusername"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
238 if (userlen > MAX_USERNAME_LEN) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
239 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
240 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
241
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
242 if (strlen(username) != userlen) {
1665
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
243 dropbear_exit("Attempted username with a null byte");
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
244 }
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
245
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
246 if (ses.authstate.username == NULL) {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
247 /* first request */
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
248 fill_passwd(username);
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
249 ses.authstate.username = m_strdup(username);
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
250 } else {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
251 /* check username hasn't changed */
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
252 if (strcmp(username, ses.authstate.username) != 0) {
1665
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
253 dropbear_exit("Client trying multiple usernames");
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
254 }
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
255 }
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
256
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
257 /* avoids cluttering logs with repeated failure messages from
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
258 consecutive authentication requests in a sesssion */
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
259 if (ses.authstate.checkusername_failed) {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
260 TRACE(("checkusername: returning cached failure"))
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
261 return DROPBEAR_FAILURE;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
262 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
263
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
264 /* check that user exists */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
265 if (!ses.authstate.pw_name) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
266 TRACE(("leave checkusername: user '%s' doesn't exist", username))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
267 dropbear_log(LOG_WARNING,
1665
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
268 "Login attempt for nonexistent user");
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
269 ses.authstate.checkusername_failed = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
270 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
271 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
272
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
273 /* check if we are running as non-root, and login user is different from the server */
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
274 uid = geteuid();
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1622
diff changeset
275 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) {
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
276 TRACE(("running as nonroot, only server uid is allowed"))
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
277 dropbear_log(LOG_WARNING,
1665
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
278 "Login attempt with wrong user %s",
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
279 ses.authstate.pw_name);
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
280 ses.authstate.checkusername_failed = 1;
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
281 return DROPBEAR_FAILURE;
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
282 }
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
283
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
284 /* check for non-root if desired */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
285 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
286 TRACE(("leave checkusername: root login disabled"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
287 dropbear_log(LOG_WARNING, "root login rejected");
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
288 ses.authstate.checkusername_failed = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
289 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
290 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
291
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
292 /* check for login restricted to certain group if desired */
1551
1acbdf64088e add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents: 1539
diff changeset
293 #ifdef HAVE_GETGROUPLIST
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
294 if (svr_opts.restrict_group) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
295 if (check_group_membership(svr_opts.restrict_group_gid,
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
296 ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
297 dropbear_log(LOG_WARNING,
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
298 "Logins are restricted to the group %s but user '%s' is not a member",
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
299 svr_opts.restrict_group, ses.authstate.pw_name);
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
300 ses.authstate.checkusername_failed = 1;
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
301 return DROPBEAR_FAILURE;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
302 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
303 }
1560
f5026f7486de fix #endif (#59)
François Perrad <francois.perrad@gadz.org>
parents: 1551
diff changeset
304 #endif /* HAVE_GETGROUPLIST */
1534
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
305
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
306 TRACE(("shell is %s", ses.authstate.pw_shell))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
307
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
308 /* check that the shell is set */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
309 usershell = ses.authstate.pw_shell;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
310 if (usershell[0] == '\0') {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
311 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
312 usershell = "/bin/sh";
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
313 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
314
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
315 /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
316 * should return some standard shells like "/bin/sh" and "/bin/csh" (this
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
317 * is platform-specific) */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
318 setusershell();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
319 while ((listshell = getusershell()) != NULL) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
320 TRACE(("test shell is '%s'", listshell))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
321 if (strcmp(listshell, usershell) == 0) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
322 /* have a match */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
323 goto goodshell;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
324 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
325 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
326 /* no matching shell */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
327 endusershell();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
328 TRACE(("no matching shell"))
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
329 ses.authstate.checkusername_failed = 1;
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 573
diff changeset
330 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
331 ses.authstate.pw_name);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
332 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
333
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
334 goodshell:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
335 endusershell();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
336 TRACE(("matching shell"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
337
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
338 TRACE(("uid = %d", ses.authstate.pw_uid))
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
339 TRACE(("leave checkusername"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
340 return DROPBEAR_SUCCESS;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
341 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
342
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
343 /* Send a failure message to the client, in responds to a userauth_request.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
344 * Partial indicates whether to set the "partial success" flag,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
345 * incrfail is whether to count this failure in the failure count (which
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
346 * is limited. This function also handles disconnection after too many
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
347 * failures */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
348 void send_msg_userauth_failure(int partial, int incrfail) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
349
70
b0316ce64e4b Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents: 68
diff changeset
350 buffer *typebuf = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
351
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
352 TRACE(("enter send_msg_userauth_failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
353
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
354 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
355
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
356 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
357
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
358 /* put a list of allowed types */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
359 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
360
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
361 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
1094
c45d65392c1a Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents: 940
diff changeset
362 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
363 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
364 buf_putbyte(typebuf, ',');
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
365 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
366 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
367
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
368 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
1094
c45d65392c1a Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents: 940
diff changeset
369 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
370 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
371
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
372 buf_putbufstring(ses.writepayload, typebuf);
300
baea1d43e7eb Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
373
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
374 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes,
762
a78a38e402d1 - Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents: 761
diff changeset
375 typebuf->len, typebuf->data))
300
baea1d43e7eb Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
376
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
377 buf_free(typebuf);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
378
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
379 buf_putbyte(ses.writepayload, partial ? 1 : 0);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
380 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
381
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
382 if (incrfail) {
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
383 /* The SSH_MSG_AUTH_FAILURE response is delayed to attempt to
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
384 avoid user enumeration and slow brute force attempts.
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
385 The delay is adjusted by the time already spent in processing
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
386 authentication (ses.authstate.auth_starttime timestamp). */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
387
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
388 /* Desired total delay 300ms +-50ms (in nanoseconds).
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
389 Beware of integer overflow if increasing these values */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
390 const unsigned int mindelay = 250000000;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
391 const unsigned int vardelay = 100000000;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
392 unsigned int rand_delay;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
393 struct timespec delay;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
394
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
395 gettime_wrapper(&delay);
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
396 delay.tv_sec -= ses.authstate.auth_starttime.tv_sec;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
397 delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
398
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
399 /* carry */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
400 if (delay.tv_nsec < 0) {
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
401 delay.tv_nsec += 1000000000;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
402 delay.tv_sec -= 1;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
403 }
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
404
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
405 genrandom((unsigned char*)&rand_delay, sizeof(rand_delay));
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
406 rand_delay = mindelay + (rand_delay % vardelay);
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
407
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
408 if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) {
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
409 /* Compensate for elapsed time */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
410 delay.tv_nsec = rand_delay - delay.tv_nsec;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
411 } else {
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
412 /* No time left or time went backwards, just delay anyway */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
413 delay.tv_sec = 0;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
414 delay.tv_nsec = rand_delay;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
415 }
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
416
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
417
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1557
diff changeset
418 #if DROPBEAR_FUZZ
1561
02b226c2675e clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
419 if (!fuzz.fuzzing)
02b226c2675e clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
420 #endif
02b226c2675e clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
421 {
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
422 while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ }
1347
b28624698130 copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
423 }
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
424
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
425 ses.authstate.failcount++;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
426 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
427
1442
517c67cbcd31 dropbear server: support -T max auth tries
Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
parents: 1295
diff changeset
428 if (ses.authstate.failcount >= svr_opts.maxauthtries) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
429 char * userstr;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
430 /* XXX - send disconnect ? */
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
431 TRACE(("Max auth tries reached, exiting"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
432
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
433 if (ses.authstate.pw_name == NULL) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
434 userstr = "is invalid";
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
435 } else {
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
436 userstr = ses.authstate.pw_name;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
437 }
1665
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
438 dropbear_exit("Max auth tries reached - user '%s'",
7c17995bcdfb Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents: 1633
diff changeset
439 userstr);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
440 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
441
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
442 TRACE(("leave send_msg_userauth_failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
443 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
444
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
445 /* Send a success message to the user, and set the "authdone" flag */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
446 void send_msg_userauth_success() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
447
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
448 TRACE(("enter send_msg_userauth_success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
449
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
450 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
451
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
452 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
453 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
454
501
d58c478bd399 Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents: 483
diff changeset
455 /* authdone must be set after encrypt_packet() for
d58c478bd399 Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents: 483
diff changeset
456 * delayed-zlib mode */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
457 ses.authstate.authdone = 1;
1139
43a8ea69b24c Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents: 1122
diff changeset
458 ses.connect_time = 0;
43a8ea69b24c Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents: 1122
diff changeset
459
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
460
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
461 if (ses.authstate.pw_uid == 0) {
21
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
462 ses.allowprivport = 1;
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
463 }
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
464
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
465 /* Remove from the list of pre-auth sockets. Should be m_close(), since if
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
466 * we fail, we might end up leaking connection slots, and disallow new
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
467 * logins - a nasty situation. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
468 m_close(svr_ses.childpipe);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
469
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
470 TRACE(("leave send_msg_userauth_success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
471
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
472 }