annotate svr-auth.c @ 803:460410334267 ecc

Fix static library order, libtomcrypt depends on libtommath
author Matt Johnston <matt@ucc.asn.au>
date Tue, 21 May 2013 13:20:02 +0800
parents 7dcb46da72d9
children 4095b6d7c9fc
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 * Dropbear - a SSH2 server
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 * Copyright (c) 2002,2003 Matt Johnston
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5 * All rights reserved.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 * of this software and associated documentation files (the "Software"), to deal
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 * in the Software without restriction, including without limitation the rights
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 * copies of the Software, and to permit persons to whom the Software is
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 * furnished to do so, subject to the following conditions:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 * The above copyright notice and this permission notice shall be included in
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 * all copies or substantial portions of the Software.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 * SOFTWARE. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
25 /* This file (auth.c) handles authentication requests, passing it to the
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
26 * particular type (auth-passwd, auth-pubkey). */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
27
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
28 #include "includes.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
29 #include "dbutil.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 #include "session.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
31 #include "buffer.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
32 #include "ssh.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
33 #include "packet.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
34 #include "auth.h"
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
35 #include "runopts.h"
573
d3ea8b9672f0 - Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents: 501
diff changeset
36 #include "random.h"
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
37
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
38 static void authclear();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
39 static int checkusername(unsigned char *username, unsigned int userlen);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
40 static void send_msg_userauth_banner();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
41
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
42 /* initialise the first time for a session, resetting all parameters */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
43 void svr_authinitialise() {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
44
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
45 ses.authstate.failcount = 0;
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
46 ses.authstate.pw_name = NULL;
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
47 ses.authstate.pw_dir = NULL;
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
48 ses.authstate.pw_shell = NULL;
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
49 ses.authstate.pw_passwd = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
50 authclear();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
51
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
52 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
53
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
54 /* Reset the auth state, but don't reset the failcount. This is for if the
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55 * user decides to try with a different username etc, and is also invoked
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
56 * on initialisation */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
57 static void authclear() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
58
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
59 memset(&ses.authstate, 0, sizeof(ses.authstate));
68
eee77ac31ccc cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
60 #ifdef ENABLE_SVR_PUBKEY_AUTH
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
61 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62 #endif
121
9337c9f9a607 PAM improvements
Matt Johnston <matt@ucc.asn.au>
parents: 119
diff changeset
63 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
35
0ad5fb979f42 set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents: 33
diff changeset
64 if (!svr_opts.noauthpass) {
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
65 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
66 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
67 #endif
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
68 if (ses.authstate.pw_name) {
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
69 m_free(ses.authstate.pw_name);
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
70 }
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
71 if (ses.authstate.pw_shell) {
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
72 m_free(ses.authstate.pw_shell);
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
73 }
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
74 if (ses.authstate.pw_dir) {
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
75 m_free(ses.authstate.pw_dir);
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
76 }
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
77 if (ses.authstate.pw_passwd) {
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
78 m_free(ses.authstate.pw_passwd);
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
79 }
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
80
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
81 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
82
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
83 /* Send a banner message if specified to the client. The client might
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
84 * ignore this, but possibly serves as a legal "no trespassing" sign */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
85 static void send_msg_userauth_banner() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
86
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
87 TRACE(("enter send_msg_userauth_banner"))
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
88 if (svr_opts.banner == NULL) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
89 TRACE(("leave send_msg_userauth_banner: banner is NULL"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
90 return;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
91 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
92
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
93 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
94
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
95 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
96 buf_putbufstring(ses.writepayload, svr_opts.banner);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
97 buf_putstring(ses.writepayload, "en", 2);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
98
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
99 encrypt_packet();
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
100 buf_free(svr_opts.banner);
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
101 svr_opts.banner = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
102
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
103 TRACE(("leave send_msg_userauth_banner"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
104 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
105
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
106 /* handle a userauth request, check validity, pass to password or pubkey
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
107 * checking, and handle success or failure */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
108 void recv_msg_userauth_request() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
109
70
b0316ce64e4b Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents: 68
diff changeset
110 unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
111 unsigned int userlen, servicelen, methodlen;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
112
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
113 TRACE(("enter recv_msg_userauth_request"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
114
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
115 /* ignore packets if auth is already done */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
116 if (ses.authstate.authdone == 1) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
117 TRACE(("leave recv_msg_userauth_request: authdone already"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
118 return;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
119 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
120
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
121 /* send the banner if it exists, it will only exist once */
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
122 if (svr_opts.banner) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
123 send_msg_userauth_banner();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
124 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
125
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
126
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
127 username = buf_getstring(ses.payload, &userlen);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
128 servicename = buf_getstring(ses.payload, &servicelen);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
129 methodname = buf_getstring(ses.payload, &methodlen);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
130
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
131 /* only handle 'ssh-connection' currently */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
132 if (servicelen != SSH_SERVICE_CONNECTION_LEN
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
133 && (strncmp(servicename, SSH_SERVICE_CONNECTION,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
134 SSH_SERVICE_CONNECTION_LEN) != 0)) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
135
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
136 /* TODO - disconnect here */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
137 m_free(username);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
138 m_free(servicename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
139 m_free(methodname);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
140 dropbear_exit("unknown service in auth");
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
141 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
142
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
143 /* check username is good before continuing */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
144 if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
145 /* username is invalid/no shell/etc - send failure */
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
146 TRACE(("sending checkusername failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
147 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
148 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
149 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
150
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
151 /* user wants to know what methods are supported */
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
152 if (methodlen == AUTH_METHOD_NONE_LEN &&
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
153 strncmp(methodname, AUTH_METHOD_NONE,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
154 AUTH_METHOD_NONE_LEN) == 0) {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
155 TRACE(("recv_msg_userauth_request: 'none' request"))
692
c58a15983808 Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents: 678
diff changeset
156 if (svr_opts.allowblankpass
c58a15983808 Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents: 678
diff changeset
157 && !svr_opts.noauthpass
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
158 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
677
55b84e59aaad Fix empty password immediate login
Matt Johnston <matt@ucc.asn.au>
parents: 676
diff changeset
159 && ses.authstate.pw_passwd[0] == '\0')
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
160 {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
161 dropbear_log(LOG_NOTICE,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
162 "Auth succeeded with blank password for '%s' from %s",
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
163 ses.authstate.pw_name,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
164 svr_ses.addrstring);
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
165 send_msg_userauth_success();
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
166 goto out;
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
167 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
168 else
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
169 {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
170 send_msg_userauth_failure(0, 0);
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
171 goto out;
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
172 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
173 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
174
68
eee77ac31ccc cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
175 #ifdef ENABLE_SVR_PASSWORD_AUTH
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
176 if (!svr_opts.noauthpass &&
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
177 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
178 /* user wants to try password auth */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
179 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
180 strncmp(methodname, AUTH_METHOD_PASSWORD,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
181 AUTH_METHOD_PASSWORD_LEN) == 0) {
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
182 svr_auth_password();
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
183 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
184 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
185 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
186 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
187
119
3394a7cb30cd propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents: 118
diff changeset
188 #ifdef ENABLE_SVR_PAM_AUTH
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
189 if (!svr_opts.noauthpass &&
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
190 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
191 /* user wants to try password auth */
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
192 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
193 strncmp(methodname, AUTH_METHOD_PASSWORD,
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
194 AUTH_METHOD_PASSWORD_LEN) == 0) {
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
195 svr_auth_pam();
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
196 goto out;
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
197 }
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
198 }
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
199 #endif
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
200
68
eee77ac31ccc cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
201 #ifdef ENABLE_SVR_PUBKEY_AUTH
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
202 /* user wants to try pubkey auth */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
203 if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
204 strncmp(methodname, AUTH_METHOD_PUBKEY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
205 AUTH_METHOD_PUBKEY_LEN) == 0) {
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
206 svr_auth_pubkey();
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
207 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
208 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
209 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
210
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
211 /* nothing matched, we just fail */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
212 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
213
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
214 out:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
215
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
216 m_free(username);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
217 m_free(servicename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
218 m_free(methodname);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
219 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
220
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
221
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
222 /* Check that the username exists and isn't disallowed (root), and has a valid shell.
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
223 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
224 static int checkusername(unsigned char *username, unsigned int userlen) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
225
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
226 char* listshell = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
227 char* usershell = NULL;
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
228 int uid;
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
229 TRACE(("enter checkusername"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
230 if (userlen > MAX_USERNAME_LEN) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
231 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
232 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
233
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
234 /* new user or username has changed */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
235 if (ses.authstate.username == NULL ||
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
236 strcmp(username, ses.authstate.username) != 0) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
237 /* the username needs resetting */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
238 if (ses.authstate.username != NULL) {
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 573
diff changeset
239 dropbear_log(LOG_WARNING, "Client trying multiple usernames from %s",
158
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
240 svr_ses.addrstring);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
241 m_free(ses.authstate.username);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
242 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
243 authclear();
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
244 fill_passwd(username);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
245 ses.authstate.username = m_strdup(username);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
246 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
247
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
248 /* check that user exists */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
249 if (!ses.authstate.pw_name) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
250 TRACE(("leave checkusername: user '%s' doesn't exist", username))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
251 dropbear_log(LOG_WARNING,
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 573
diff changeset
252 "Login attempt for nonexistent user from %s",
158
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
253 svr_ses.addrstring);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
254 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
255 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
256 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
257
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
258 /* check if we are running as non-root, and login user is different from the server */
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
259 uid = geteuid();
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
260 if (uid != 0 && uid != ses.authstate.pw_uid) {
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
261 TRACE(("running as nonroot, only server uid is allowed"))
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
262 dropbear_log(LOG_WARNING,
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
263 "Login attempt with wrong user %s from %s",
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
264 ses.authstate.pw_name,
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
265 svr_ses.addrstring);
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
266 send_msg_userauth_failure(0, 1);
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
267 return DROPBEAR_FAILURE;
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
268 }
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
269
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
270 /* check for non-root if desired */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
271 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
272 TRACE(("leave checkusername: root login disabled"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
273 dropbear_log(LOG_WARNING, "root login rejected");
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
274 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
275 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
276 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
277
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
278 TRACE(("shell is %s", ses.authstate.pw_shell))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
279
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
280 /* check that the shell is set */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
281 usershell = ses.authstate.pw_shell;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
282 if (usershell[0] == '\0') {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
283 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
284 usershell = "/bin/sh";
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
285 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
286
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
287 /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
288 * should return some standard shells like "/bin/sh" and "/bin/csh" (this
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
289 * is platform-specific) */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
290 setusershell();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
291 while ((listshell = getusershell()) != NULL) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
292 TRACE(("test shell is '%s'", listshell))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
293 if (strcmp(listshell, usershell) == 0) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
294 /* have a match */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
295 goto goodshell;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
296 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
297 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
298 /* no matching shell */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
299 endusershell();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
300 TRACE(("no matching shell"))
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 573
diff changeset
301 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
302 ses.authstate.pw_name);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
303 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
304 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
305
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
306 goodshell:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
307 endusershell();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
308 TRACE(("matching shell"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
309
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
310 TRACE(("uid = %d", ses.authstate.pw_uid))
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
311 TRACE(("leave checkusername"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
312 return DROPBEAR_SUCCESS;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
313
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
314 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
315
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
316 /* Send a failure message to the client, in responds to a userauth_request.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
317 * Partial indicates whether to set the "partial success" flag,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
318 * incrfail is whether to count this failure in the failure count (which
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
319 * is limited. This function also handles disconnection after too many
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
320 * failures */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
321 void send_msg_userauth_failure(int partial, int incrfail) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
322
70
b0316ce64e4b Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents: 68
diff changeset
323 buffer *typebuf = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
324
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
325 TRACE(("enter send_msg_userauth_failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
326
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
327 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
328
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
329 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
330
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
331 /* put a list of allowed types */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
332 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
333
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
334 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
335 buf_putbytes(typebuf, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
336 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
337 buf_putbyte(typebuf, ',');
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
338 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
339 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
340
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
341 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
342 buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
343 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
344
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
345 buf_putbufstring(ses.writepayload, typebuf);
300
baea1d43e7eb Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
346
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
347 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes,
762
a78a38e402d1 - Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents: 761
diff changeset
348 typebuf->len, typebuf->data))
300
baea1d43e7eb Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
349
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
350 buf_free(typebuf);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
351
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
352 buf_putbyte(ses.writepayload, partial ? 1 : 0);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
353 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
354
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
355 if (incrfail) {
573
d3ea8b9672f0 - Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents: 501
diff changeset
356 unsigned int delay;
d3ea8b9672f0 - Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents: 501
diff changeset
357 genrandom((unsigned char*)&delay, sizeof(delay));
d3ea8b9672f0 - Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents: 501
diff changeset
358 /* We delay for 300ms +- 50ms, 0.1ms granularity */
d3ea8b9672f0 - Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents: 501
diff changeset
359 delay = 250000 + (delay % 1000)*100;
d3ea8b9672f0 - Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents: 501
diff changeset
360 usleep(delay);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
361 ses.authstate.failcount++;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
362 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
363
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
364 if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
365 char * userstr;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
366 /* XXX - send disconnect ? */
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
367 TRACE(("Max auth tries reached, exiting"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
368
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
369 if (ses.authstate.pw_name == NULL) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
370 userstr = "is invalid";
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
371 } else {
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
372 userstr = ses.authstate.pw_name;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
373 }
158
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
374 dropbear_exit("Max auth tries reached - user '%s' from %s",
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
375 userstr, svr_ses.addrstring);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
376 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
377
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
378 TRACE(("leave send_msg_userauth_failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
379 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
380
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
381 /* Send a success message to the user, and set the "authdone" flag */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
382 void send_msg_userauth_success() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
383
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
384 TRACE(("enter send_msg_userauth_success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
385
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
386 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
387
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
388 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
389 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
390
501
d58c478bd399 Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents: 483
diff changeset
391 /* authdone must be set after encrypt_packet() for
d58c478bd399 Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents: 483
diff changeset
392 * delayed-zlib mode */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
393 ses.authstate.authdone = 1;
454
7e43f5e473b9 - Add -K keepalive flag for dropbear and dbclient
Matt Johnston <matt@ucc.asn.au>
parents: 300
diff changeset
394 ses.connect_time = 0;
92
2e92778dd162 Auth doesn't timeout after 5 minutes.
Matt Johnston <matt@ucc.asn.au>
parents: 70
diff changeset
395
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
396
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
397 if (ses.authstate.pw_uid == 0) {
21
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
398 ses.allowprivport = 1;
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
399 }
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
400
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
401 /* Remove from the list of pre-auth sockets. Should be m_close(), since if
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
402 * we fail, we might end up leaking connection slots, and disallow new
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
403 * logins - a nasty situation. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
404 m_close(svr_ses.childpipe);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
405
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
406 TRACE(("leave send_msg_userauth_success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
407
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
408 }