Mercurial > dropbear
annotate svr-auth.c @ 1861:2b3a8026a6ce
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Sun, 30 Jan 2022 10:14:56 +0800 |
| parents | 8dc43b30c6bf |
| children |
| rev | line source |
|---|---|
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 /* |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Dropbear - a SSH2 server |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 * |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 * Copyright (c) 2002,2003 Matt Johnston |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 * All rights reserved. |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 * |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 * of this software and associated documentation files (the "Software"), to deal |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 * in the Software without restriction, including without limitation the rights |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 * copies of the Software, and to permit persons to whom the Software is |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 * furnished to do so, subject to the following conditions: |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 * |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 * The above copyright notice and this permission notice shall be included in |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 * all copies or substantial portions of the Software. |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 * |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 * SOFTWARE. */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
24 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
25 /* This file (auth.c) handles authentication requests, passing it to the |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
26 * particular type (auth-passwd, auth-pubkey). */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
27 |
|
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
28 |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
29 #include "includes.h" |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
30 #include "dbutil.h" |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
31 #include "session.h" |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
32 #include "buffer.h" |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
33 #include "ssh.h" |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
34 #include "packet.h" |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
35 #include "auth.h" |
| 24 | 36 #include "runopts.h" |
|
858
220f55d540ae
rename random.h to dbrandom.h since some OSes have a system random.h
Matt Johnston <matt@ucc.asn.au>
parents:
852
diff
changeset
|
37 #include "dbrandom.h" |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
38 |
|
1538
f20038b513a5
more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents:
1537
diff
changeset
|
39 static int checkusername(const char *username, unsigned int userlen); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
40 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
41 /* initialise the first time for a session, resetting all parameters */ |
| 33 | 42 void svr_authinitialise() { |
| 43 memset(&ses.authstate, 0, sizeof(ses.authstate)); | |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
44 #if DROPBEAR_SVR_PUBKEY_AUTH |
| 33 | 45 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
46 #endif |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
47 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH |
|
35
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
48 if (!svr_opts.noauthpass) { |
| 33 | 49 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
50 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
51 #endif |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
52 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
53 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
54 /* Send a banner message if specified to the client. The client might |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 * ignore this, but possibly serves as a legal "no trespassing" sign */ |
|
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1442
diff
changeset
|
56 void send_msg_userauth_banner(const buffer *banner) { |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
57 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
58 TRACE(("enter send_msg_userauth_banner")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 CHECKCLEARTOWRITE(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); |
|
835
4095b6d7c9fc
Merge in changes from the past couple of releases
Matt Johnston <matt@ucc.asn.au>
diff
changeset
|
63 buf_putbufstring(ses.writepayload, banner); |
|
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
64 buf_putstring(ses.writepayload, "en", 2); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
65 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 encrypt_packet(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
68 TRACE(("leave send_msg_userauth_banner")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
71 /* handle a userauth request, check validity, pass to password or pubkey |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 * checking, and handle success or failure */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
73 void recv_msg_userauth_request() { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
74 |
|
1100
7b84c3492a95
Turn username, servicename and methodname local variables into char *
Gaël PORTAY <gael.portay@gmail.com>
parents:
1094
diff
changeset
|
75 char *username = NULL, *servicename = NULL, *methodname = NULL; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
76 unsigned int userlen, servicelen, methodlen; |
|
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
77 int valid_user = 0; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
78 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
79 TRACE(("enter recv_msg_userauth_request")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
80 |
|
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
81 /* for compensating failure delay */ |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
82 gettime_wrapper(&ses.authstate.auth_starttime); |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
83 |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
84 /* ignore packets if auth is already done */ |
| 33 | 85 if (ses.authstate.authdone == 1) { |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
86 TRACE(("leave recv_msg_userauth_request: authdone already")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
87 return; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
88 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
89 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
90 /* send the banner if it exists, it will only exist once */ |
| 24 | 91 if (svr_opts.banner) { |
|
818
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
92 send_msg_userauth_banner(svr_opts.banner); |
|
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
93 buf_free(svr_opts.banner); |
|
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
94 svr_opts.banner = NULL; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
95 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
96 |
|
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
97 username = buf_getstring(ses.payload, &userlen); |
|
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
98 servicename = buf_getstring(ses.payload, &servicelen); |
|
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
99 methodname = buf_getstring(ses.payload, &methodlen); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
100 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
101 /* only handle 'ssh-connection' currently */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
102 if (servicelen != SSH_SERVICE_CONNECTION_LEN |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
103 && (strncmp(servicename, SSH_SERVICE_CONNECTION, |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
104 SSH_SERVICE_CONNECTION_LEN) != 0)) { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
105 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
106 /* TODO - disconnect here */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
107 m_free(username); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
108 m_free(servicename); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
109 m_free(methodname); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
110 dropbear_exit("unknown service in auth"); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
111 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
112 |
|
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
113 /* check username is good before continuing. |
|
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
114 * the 'incrfail' varies depending on the auth method to |
|
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
115 * avoid giving away which users exist on the system through |
|
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
116 * the time delay. */ |
|
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
117 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { |
|
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
118 valid_user = 1; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
119 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
120 |
|
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
121 /* user wants to know what methods are supported */ |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
122 if (methodlen == AUTH_METHOD_NONE_LEN && |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
123 strncmp(methodname, AUTH_METHOD_NONE, |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
124 AUTH_METHOD_NONE_LEN) == 0) { |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
125 TRACE(("recv_msg_userauth_request: 'none' request")) |
|
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
126 if (valid_user |
|
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
127 && svr_opts.allowblankpass |
|
692
c58a15983808
Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents:
678
diff
changeset
|
128 && !svr_opts.noauthpass |
|
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
129 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) |
|
677
55b84e59aaad
Fix empty password immediate login
Matt Johnston <matt@ucc.asn.au>
parents:
676
diff
changeset
|
130 && ses.authstate.pw_passwd[0] == '\0') |
|
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
131 { |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
132 dropbear_log(LOG_NOTICE, |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
133 "Auth succeeded with blank password for '%s' from %s", |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
134 ses.authstate.pw_name, |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
135 svr_ses.addrstring); |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
136 send_msg_userauth_success(); |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
137 goto out; |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
138 } |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
139 else |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
140 { |
|
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
141 /* 'none' has no failure delay */ |
|
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
142 send_msg_userauth_failure(0, 0); |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
143 goto out; |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
144 } |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
145 } |
|
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
146 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
147 #if DROPBEAR_SVR_PASSWORD_AUTH |
| 24 | 148 if (!svr_opts.noauthpass && |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
149 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
150 /* user wants to try password auth */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
151 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
152 strncmp(methodname, AUTH_METHOD_PASSWORD, |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
153 AUTH_METHOD_PASSWORD_LEN) == 0) { |
|
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
154 svr_auth_password(valid_user); |
|
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
155 goto out; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
156 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
157 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
158 #endif |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
159 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
160 #if DROPBEAR_SVR_PAM_AUTH |
|
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
161 if (!svr_opts.noauthpass && |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
162 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
|
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
163 /* user wants to try password auth */ |
|
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
164 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
|
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
165 strncmp(methodname, AUTH_METHOD_PASSWORD, |
|
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
166 AUTH_METHOD_PASSWORD_LEN) == 0) { |
|
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
167 svr_auth_pam(valid_user); |
|
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
168 goto out; |
|
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
169 } |
|
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
170 } |
|
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
171 #endif |
|
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
172 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
173 #if DROPBEAR_SVR_PUBKEY_AUTH |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
174 /* user wants to try pubkey auth */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
175 if (methodlen == AUTH_METHOD_PUBKEY_LEN && |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
176 strncmp(methodname, AUTH_METHOD_PUBKEY, |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
177 AUTH_METHOD_PUBKEY_LEN) == 0) { |
|
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
178 svr_auth_pubkey(valid_user); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
179 goto out; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
180 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
181 #endif |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
182 |
|
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
183 /* nothing matched, we just fail with a delay */ |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
184 send_msg_userauth_failure(0, 1); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
185 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
186 out: |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
187 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
188 m_free(username); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
189 m_free(servicename); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
190 m_free(methodname); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
191 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
192 |
|
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
193 #ifdef HAVE_GETGROUPLIST |
|
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
194 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
195 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
196 int ngroups, i, ret; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
197 gid_t *grouplist = NULL; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
198 int match = DROPBEAR_FAILURE; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
199 |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
200 for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
201 grouplist = m_malloc(sizeof(gid_t) * ngroups); |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
202 |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
203 /* BSD returns ret==0 on success. Linux returns ret==ngroups on success */ |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
204 ret = getgrouplist(username, user_gid, grouplist, &ngroups); |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
205 if (ret >= 0) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
206 break; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
207 } |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
208 m_free(grouplist); |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
209 grouplist = NULL; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
210 } |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
211 |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
212 if (!grouplist) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
213 dropbear_log(LOG_ERR, "Too many groups for user '%s'", username); |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
214 return DROPBEAR_FAILURE; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
215 } |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
216 |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
217 for (i = 0; i < ngroups; i++) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
218 if (grouplist[i] == check_gid) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
219 match = DROPBEAR_SUCCESS; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
220 break; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
221 } |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
222 } |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
223 m_free(grouplist); |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
224 |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
225 return match; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
226 } |
|
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
227 #endif |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
228 |
|
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
229 /* Check that the username exists and isn't disallowed (root), and has a valid shell. |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
230 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ |
|
1538
f20038b513a5
more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents:
1537
diff
changeset
|
231 static int checkusername(const char *username, unsigned int userlen) { |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
232 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
233 char* listshell = NULL; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
234 char* usershell = NULL; |
|
852
7540c0822374
Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents:
835
diff
changeset
|
235 uid_t uid; |
|
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
236 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
237 TRACE(("enter checkusername")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
238 if (userlen > MAX_USERNAME_LEN) { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
239 return DROPBEAR_FAILURE; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
240 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
241 |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
242 if (strlen(username) != userlen) { |
|
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
243 dropbear_exit("Attempted username with a null byte"); |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
244 } |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
245 |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
246 if (ses.authstate.username == NULL) { |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
247 /* first request */ |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
248 fill_passwd(username); |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
249 ses.authstate.username = m_strdup(username); |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
250 } else { |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
251 /* check username hasn't changed */ |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
252 if (strcmp(username, ses.authstate.username) != 0) { |
|
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
253 dropbear_exit("Client trying multiple usernames"); |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
254 } |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
255 } |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
256 |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
257 /* avoids cluttering logs with repeated failure messages from |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
258 consecutive authentication requests in a sesssion */ |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
259 if (ses.authstate.checkusername_failed) { |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
260 TRACE(("checkusername: returning cached failure")) |
|
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
261 return DROPBEAR_FAILURE; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
262 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
263 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
264 /* check that user exists */ |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
265 if (!ses.authstate.pw_name) { |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
266 TRACE(("leave checkusername: user '%s' doesn't exist", username)) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
267 dropbear_log(LOG_WARNING, |
|
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
268 "Login attempt for nonexistent user"); |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
269 ses.authstate.checkusername_failed = 1; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
270 return DROPBEAR_FAILURE; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
271 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
272 |
|
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
273 /* check if we are running as non-root, and login user is different from the server */ |
|
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
274 uid = geteuid(); |
|
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1622
diff
changeset
|
275 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { |
|
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
276 TRACE(("running as nonroot, only server uid is allowed")) |
|
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
277 dropbear_log(LOG_WARNING, |
|
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
278 "Login attempt with wrong user %s", |
|
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
279 ses.authstate.pw_name); |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
280 ses.authstate.checkusername_failed = 1; |
|
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
281 return DROPBEAR_FAILURE; |
|
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
282 } |
|
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
283 |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
284 /* check for non-root if desired */ |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
285 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
286 TRACE(("leave checkusername: root login disabled")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
287 dropbear_log(LOG_WARNING, "root login rejected"); |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
288 ses.authstate.checkusername_failed = 1; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
289 return DROPBEAR_FAILURE; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
290 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
291 |
|
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
292 /* check for login restricted to certain group if desired */ |
|
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
293 #ifdef HAVE_GETGROUPLIST |
|
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
294 if (svr_opts.restrict_group) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
295 if (check_group_membership(svr_opts.restrict_group_gid, |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
296 ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) { |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
297 dropbear_log(LOG_WARNING, |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
298 "Logins are restricted to the group %s but user '%s' is not a member", |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
299 svr_opts.restrict_group, ses.authstate.pw_name); |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
300 ses.authstate.checkusername_failed = 1; |
|
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
301 return DROPBEAR_FAILURE; |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
302 } |
|
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
303 } |
|
1560
f5026f7486de
fix #endif (#59)
François Perrad <francois.perrad@gadz.org>
parents:
1551
diff
changeset
|
304 #endif /* HAVE_GETGROUPLIST */ |
|
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
305 |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
306 TRACE(("shell is %s", ses.authstate.pw_shell)) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
307 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
308 /* check that the shell is set */ |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
309 usershell = ses.authstate.pw_shell; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
310 if (usershell[0] == '\0') { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
311 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
312 usershell = "/bin/sh"; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
313 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
314 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
315 /* check the shell is valid. If /etc/shells doesn't exist, getusershell() |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
316 * should return some standard shells like "/bin/sh" and "/bin/csh" (this |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
317 * is platform-specific) */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
318 setusershell(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
319 while ((listshell = getusershell()) != NULL) { |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
320 TRACE(("test shell is '%s'", listshell)) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
321 if (strcmp(listshell, usershell) == 0) { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
322 /* have a match */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
323 goto goodshell; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
324 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
325 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
326 /* no matching shell */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
327 endusershell(); |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
328 TRACE(("no matching shell")) |
|
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
329 ses.authstate.checkusername_failed = 1; |
|
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
573
diff
changeset
|
330 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
331 ses.authstate.pw_name); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
332 return DROPBEAR_FAILURE; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
333 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
334 goodshell: |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
335 endusershell(); |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
336 TRACE(("matching shell")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
337 |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
338 TRACE(("uid = %d", ses.authstate.pw_uid)) |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
339 TRACE(("leave checkusername")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
340 return DROPBEAR_SUCCESS; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
341 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
342 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
343 /* Send a failure message to the client, in responds to a userauth_request. |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
344 * Partial indicates whether to set the "partial success" flag, |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
345 * incrfail is whether to count this failure in the failure count (which |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
346 * is limited. This function also handles disconnection after too many |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
347 * failures */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
348 void send_msg_userauth_failure(int partial, int incrfail) { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
349 |
|
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
350 buffer *typebuf = NULL; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
351 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
352 TRACE(("enter send_msg_userauth_failure")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
353 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
354 CHECKCLEARTOWRITE(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
355 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
356 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
357 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
358 /* put a list of allowed types */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
359 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
360 |
| 33 | 361 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { |
|
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
940
diff
changeset
|
362 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); |
| 33 | 363 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
364 buf_putbyte(typebuf, ','); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
365 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
366 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
367 |
| 33 | 368 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
|
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
940
diff
changeset
|
369 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
370 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
371 |
|
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
372 buf_putbufstring(ses.writepayload, typebuf); |
|
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
373 |
|
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
374 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes, |
|
762
a78a38e402d1
- Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents:
761
diff
changeset
|
375 typebuf->len, typebuf->data)) |
|
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
376 |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
377 buf_free(typebuf); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
378 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
379 buf_putbyte(ses.writepayload, partial ? 1 : 0); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
380 encrypt_packet(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
381 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
382 if (incrfail) { |
|
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
383 /* The SSH_MSG_AUTH_FAILURE response is delayed to attempt to |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
384 avoid user enumeration and slow brute force attempts. |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
385 The delay is adjusted by the time already spent in processing |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
386 authentication (ses.authstate.auth_starttime timestamp). */ |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
387 |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
388 /* Desired total delay 300ms +-50ms (in nanoseconds). |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
389 Beware of integer overflow if increasing these values */ |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
390 const unsigned int mindelay = 250000000; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
391 const unsigned int vardelay = 100000000; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
392 unsigned int rand_delay; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
393 struct timespec delay; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
394 |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
395 gettime_wrapper(&delay); |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
396 delay.tv_sec -= ses.authstate.auth_starttime.tv_sec; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
397 delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
398 |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
399 /* carry */ |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
400 if (delay.tv_nsec < 0) { |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
401 delay.tv_nsec += 1000000000; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
402 delay.tv_sec -= 1; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
403 } |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
404 |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
405 genrandom((unsigned char*)&rand_delay, sizeof(rand_delay)); |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
406 rand_delay = mindelay + (rand_delay % vardelay); |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
407 |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
408 if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) { |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
409 /* Compensate for elapsed time */ |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
410 delay.tv_nsec = rand_delay - delay.tv_nsec; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
411 } else { |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
412 /* No time left or time went backwards, just delay anyway */ |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
413 delay.tv_sec = 0; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
414 delay.tv_nsec = rand_delay; |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
415 } |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
416 |
|
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
417 |
|
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1557
diff
changeset
|
418 #if DROPBEAR_FUZZ |
|
1561
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
419 if (!fuzz.fuzzing) |
|
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
420 #endif |
|
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
421 { |
|
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
422 while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ } |
|
1347
b28624698130
copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
423 } |
|
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
424 |
| 33 | 425 ses.authstate.failcount++; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
426 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
427 |
|
1442
517c67cbcd31
dropbear server: support -T max auth tries
Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
parents:
1295
diff
changeset
|
428 if (ses.authstate.failcount >= svr_opts.maxauthtries) { |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
429 char * userstr; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
430 /* XXX - send disconnect ? */ |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
431 TRACE(("Max auth tries reached, exiting")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
432 |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
433 if (ses.authstate.pw_name == NULL) { |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
434 userstr = "is invalid"; |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
435 } else { |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
436 userstr = ses.authstate.pw_name; |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
437 } |
|
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
438 dropbear_exit("Max auth tries reached - user '%s'", |
|
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
439 userstr); |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
440 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
441 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
442 TRACE(("leave send_msg_userauth_failure")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
443 } |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
444 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
445 /* Send a success message to the user, and set the "authdone" flag */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
446 void send_msg_userauth_success() { |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
447 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
448 TRACE(("enter send_msg_userauth_success")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
449 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
450 CHECKCLEARTOWRITE(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
451 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
452 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
453 encrypt_packet(); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
454 |
|
501
d58c478bd399
Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
483
diff
changeset
|
455 /* authdone must be set after encrypt_packet() for |
|
d58c478bd399
Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
483
diff
changeset
|
456 * delayed-zlib mode */ |
| 33 | 457 ses.authstate.authdone = 1; |
|
1139
43a8ea69b24c
Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents:
1122
diff
changeset
|
458 ses.connect_time = 0; |
|
43a8ea69b24c
Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents:
1122
diff
changeset
|
459 |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
460 |
|
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
461 if (ses.authstate.pw_uid == 0) { |
|
21
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
462 ses.allowprivport = 1; |
|
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
463 } |
|
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
464 |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
465 /* Remove from the list of pre-auth sockets. Should be m_close(), since if |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
466 * we fail, we might end up leaking connection slots, and disallow new |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
467 * logins - a nasty situation. */ |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
468 m_close(svr_ses.childpipe); |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
469 |
|
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
470 TRACE(("leave send_msg_userauth_success")) |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
471 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
472 } |