dropbear: annotate svr-auth.c @ 1665:7c17995bcdfb
Improve address logging on early exit messages (#83)

Change 'Early exit' and 'Exit before auth' messages to include the IP address & port as part of the message.

This allows log scanning utilities such as 'fail2ban' to obtain the offending IP address as part of the failure event instead of extracting the PID from the message and then scanning the log again for matching 'child connection from' messages.

Signed-off-by: Kevin Darbyshire-Bryant <[email protected]>
author | Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
---|---
date | Wed, 18 Mar 2020 15:28:56 +0000
parents | 592a18dac250
children | 8dc43b30c6bf
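As an added example (not part of dropbear or of this changeset), a log scanner that recovers the client address from 'Early exit' / 'Exit before auth' lines both the old way, by correlating the PID with an earlier 'Child connection from' line, and the new way, from the address carried in the message itself. The sample log lines are constructed, and the exact wording of the new messages (`... from <IP:port>: reason`) is an assumption, since the changed format is not shown on this page.

```python
"""Extract the offending client address from dropbear pre-auth exit lines,
comparing PID correlation (old message format) with the self-contained
message (new format)."""
import re
from collections import Counter

# Constructed sample syslog lines using documentation address ranges.
# The two-line PID correlation follows the commit message above; the exact
# wording of the new "... from <IP:port>:" messages is an ASSUMPTION.
OLD_STYLE_LOG = """\
Mar 18 15:28:01 gw dropbear[4242]: Child connection from 203.0.113.7:51234
Mar 18 15:28:03 gw dropbear[4242]: Exit before auth: Disconnect received
Mar 18 15:28:05 gw dropbear[4243]: Child connection from 198.51.100.9:40001
Mar 18 15:28:06 gw dropbear[4243]: Early exit: Error reading: Connection reset by peer
Mar 18 15:28:09 gw dropbear[4244]: Exit before auth: Disconnect received
"""
# pid 4244 has no 'Child connection' line in this file (e.g. it was in the
# rotated-out log), which is the failure mode the PID approach suffers from.

NEW_STYLE_LOG = """\
Mar 18 15:29:01 gw dropbear[4250]: Child connection from 203.0.113.7:51300
Mar 18 15:29:03 gw dropbear[4250]: Exit before auth from <203.0.113.7:51300>: Disconnect received
Mar 18 15:29:05 gw dropbear[4251]: Early exit from <198.51.100.9:40002>: Error reading: Connection reset by peer
Mar 18 15:29:09 gw dropbear[4252]: Exit before auth from <203.0.113.7:51301>: Disconnect received
"""

SYSLOG_RE = re.compile(r"dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHILD_RE = re.compile(r"^Child connection from (?P<ip>\S+):(?P<port>\d+)$")
EXIT_OLD_RE = re.compile(r"^(?P<kind>Early exit|Exit before auth): (?P<reason>.*)$")
EXIT_NEW_RE = re.compile(
    r"^(?P<kind>Early exit|Exit before auth) from <(?P<ip>\S+):(?P<port>\d+)>: (?P<reason>.*)$")


def _messages(log):
    """Yield (pid, message) for every dropbear line in the log text."""
    for line in log.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            yield int(m.group("pid")), m.group("msg")


def offenders_old_format(log):
    """Old format: the exit line carries only the PID, so the scanner must
    remember which address each child PID announced earlier.
    Returns a list of (ip, port, kind, reason); ip and port are None when
    the matching 'Child connection' line is not present in this log."""
    addr_by_pid = {}
    events = []
    for pid, msg in _messages(log):
        c = CHILD_RE.match(msg)
        if c:
            addr_by_pid[pid] = (c.group("ip"), int(c.group("port")))
            continue
        e = EXIT_OLD_RE.match(msg)
        if e:
            # pop() so a later reuse of the PID cannot inherit a stale address
            ip, port = addr_by_pid.pop(pid, (None, None))
            events.append((ip, port, e.group("kind"), e.group("reason")))
    return events


def offenders_new_format(log):
    """New format: every exit line is self-contained, one regex suffices
    and no per-PID state has to be kept between lines."""
    events = []
    for _pid, msg in _messages(log):
        e = EXIT_NEW_RE.match(msg)
        if e:
            events.append((e.group("ip"), int(e.group("port")),
                           e.group("kind"), e.group("reason")))
    return events


def exits_per_ip(events):
    """Count pre-auth exits per source IP, the figure a ban policy keys on.
    Events whose address could not be recovered are counted under None."""
    return Counter(ip for ip, _port, _kind, _reason in events)


if __name__ == "__main__":
    for label, fn, log in (("old", offenders_old_format, OLD_STYLE_LOG),
                           ("new", offenders_new_format, NEW_STYLE_LOG)):
        ev = fn(log)
        print(label, ev)
        print(label, dict(exits_per_ip(ev)))
```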
rev | line source |
---|---|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 /* |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Dropbear - a SSH2 server |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 * Copyright (c) 2002,2003 Matt Johnston |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 * All rights reserved. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 * of this software and associated documentation files (the "Software"), to deal |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 * in the Software without restriction, including without limitation the rights |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 * copies of the Software, and to permit persons to whom the Software is |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 * furnished to do so, subject to the following conditions: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 * The above copyright notice and this permission notice shall be included in |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 * all copies or substantial portions of the Software. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 * SOFTWARE. */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
24 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
25 /* This file (auth.c) handles authentication requests, passing it to the |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
26 * particular type (auth-passwd, auth-pubkey). */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
27 |
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
28 #include <limits.h> |
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
29 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
30 #include "includes.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
31 #include "dbutil.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
32 #include "session.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
33 #include "buffer.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
34 #include "ssh.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
35 #include "packet.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
36 #include "auth.h" |
24 | 37 #include "runopts.h" |
858
220f55d540ae
rename random.h to dbrandom.h since some OSes have a system random.h
Matt Johnston <matt@ucc.asn.au>
parents:
852
diff
changeset
|
38 #include "dbrandom.h" |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
39 |
1538
f20038b513a5
more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents:
1537
diff
changeset
|
40 static int checkusername(const char *username, unsigned int userlen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
41 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
42 /* initialise the first time for a session, resetting all parameters */ |
33 | 43 void svr_authinitialise() { |
44 memset(&ses.authstate, 0, sizeof(ses.authstate)); | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
45 #if DROPBEAR_SVR_PUBKEY_AUTH |
33 | 46 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
47 #endif |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
48 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH |
35
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
49 if (!svr_opts.noauthpass) { |
33 | 50 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
51 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
52 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
53 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
54 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 /* Send a banner message if specified to the client. The client might |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
56 * ignore this, but possibly serves as a legal "no trespassing" sign */ |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1442
diff
changeset
|
57 void send_msg_userauth_banner(const buffer *banner) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
58 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
59 TRACE(("enter send_msg_userauth_banner")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
63 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); |
835
4095b6d7c9fc
Merge in changes from the past couple of releases
Matt Johnston <matt@ucc.asn.au>
diff
changeset
|
64 buf_putbufstring(ses.writepayload, banner); |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
65 buf_putstring(ses.writepayload, "en", 2); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 encrypt_packet(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
68 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
69 TRACE(("leave send_msg_userauth_banner")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
71 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 /* handle a userauth request, check validity, pass to password or pubkey |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
73 * checking, and handle success or failure */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
74 void recv_msg_userauth_request() { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
75 |
1100
7b84c3492a95
Turn username, servicename and methodname local variables into char *
Gaël PORTAY <gael.portay@gmail.com>
parents:
1094
diff
changeset
|
76 char *username = NULL, *servicename = NULL, *methodname = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
77 unsigned int userlen, servicelen, methodlen; |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
78 int valid_user = 0; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
79 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
80 TRACE(("enter recv_msg_userauth_request")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
81 |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
82 /* for compensating failure delay */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
83 gettime_wrapper(&ses.authstate.auth_starttime); |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
84 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
85 /* ignore packets if auth is already done */ |
33 | 86 if (ses.authstate.authdone == 1) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
87 TRACE(("leave recv_msg_userauth_request: authdone already")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
88 return; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
89 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
90 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
91 /* send the banner if it exists, it will only exist once */ |
24 | 92 if (svr_opts.banner) { |
818
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
93 send_msg_userauth_banner(svr_opts.banner); |
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
94 buf_free(svr_opts.banner); |
8fe36617bf4e
Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents:
808
diff
changeset
|
95 svr_opts.banner = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
96 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
97 |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
98 username = buf_getstring(ses.payload, &userlen); |
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
99 servicename = buf_getstring(ses.payload, &servicelen); |
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1100
diff
changeset
|
100 methodname = buf_getstring(ses.payload, &methodlen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
101 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
102 /* only handle 'ssh-connection' currently */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
103 if (servicelen != SSH_SERVICE_CONNECTION_LEN |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
104 && (strncmp(servicename, SSH_SERVICE_CONNECTION, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
105 SSH_SERVICE_CONNECTION_LEN) != 0)) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
106 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
107 /* TODO - disconnect here */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
108 m_free(username); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
109 m_free(servicename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
110 m_free(methodname); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
111 dropbear_exit("unknown service in auth"); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
112 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
113 |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
114 /* check username is good before continuing. |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
115 * the 'incrfail' varies depending on the auth method to |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
116 * avoid giving away which users exist on the system through |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
117 * the time delay. */ |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
118 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
119 valid_user = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
120 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
121 |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
122 /* user wants to know what methods are supported */ |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
123 if (methodlen == AUTH_METHOD_NONE_LEN && |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
124 strncmp(methodname, AUTH_METHOD_NONE, |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
125 AUTH_METHOD_NONE_LEN) == 0) { |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
126 TRACE(("recv_msg_userauth_request: 'none' request")) |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
127 if (valid_user |
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
128 && svr_opts.allowblankpass |
692
c58a15983808
Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents:
678
diff
changeset
|
129 && !svr_opts.noauthpass |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
130 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) |
677
55b84e59aaad
Fix empty password immediate login
Matt Johnston <matt@ucc.asn.au>
parents:
676
diff
changeset
|
131 && ses.authstate.pw_passwd[0] == '\0') |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
132 { |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
133 dropbear_log(LOG_NOTICE, |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
134 "Auth succeeded with blank password for '%s' from %s", |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
135 ses.authstate.pw_name, |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
136 svr_ses.addrstring); |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
137 send_msg_userauth_success(); |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
138 goto out; |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
139 } |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
140 else |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
141 { |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
142 /* 'none' has no failure delay */ |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
143 send_msg_userauth_failure(0, 0); |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
144 goto out; |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
145 } |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
146 } |
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
147 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
148 #if DROPBEAR_SVR_PASSWORD_AUTH |
24 | 149 if (!svr_opts.noauthpass && |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
150 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
151 /* user wants to try password auth */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
152 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
153 strncmp(methodname, AUTH_METHOD_PASSWORD, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
154 AUTH_METHOD_PASSWORD_LEN) == 0) { |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
155 svr_auth_password(valid_user); |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
156 goto out; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
157 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
158 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
159 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
160 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
161 #if DROPBEAR_SVR_PAM_AUTH |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
162 if (!svr_opts.noauthpass && |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
163 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
164 /* user wants to try password auth */ |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
165 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
166 strncmp(methodname, AUTH_METHOD_PASSWORD, |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
167 AUTH_METHOD_PASSWORD_LEN) == 0) { |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
168 svr_auth_pam(valid_user); |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
169 goto out; |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
170 } |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
171 } |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
172 #endif |
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
35
diff
changeset
|
173 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
174 #if DROPBEAR_SVR_PUBKEY_AUTH |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
175 /* user wants to try pubkey auth */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
176 if (methodlen == AUTH_METHOD_PUBKEY_LEN && |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
177 strncmp(methodname, AUTH_METHOD_PUBKEY, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
178 AUTH_METHOD_PUBKEY_LEN) == 0) { |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1560
diff
changeset
|
179 svr_auth_pubkey(valid_user); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
180 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
181 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
182 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
183 |
808
d7784616409a
improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents:
782
diff
changeset
|
184 /* nothing matched, we just fail with a delay */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
185 send_msg_userauth_failure(0, 1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
186 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
187 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
188 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
189 m_free(username); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
190 m_free(servicename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
191 m_free(methodname); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
192 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
193 |
#ifdef HAVE_GETGROUPLIST
/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) {
	int ngroups, i, ret;
	gid_t *grouplist = NULL;
	int match = DROPBEAR_FAILURE;

	for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) {
		grouplist = m_malloc(sizeof(gid_t) * ngroups);

		/* BSD returns ret==0 on success. Linux returns ret==ngroups on success */
		ret = getgrouplist(username, user_gid, grouplist, &ngroups);
		if (ret >= 0) {
			break;
		}
		m_free(grouplist);
		grouplist = NULL;
	}

	if (!grouplist) {
		dropbear_log(LOG_ERR, "Too many groups for user '%s'", username);
		return DROPBEAR_FAILURE;
	}

	for (i = 0; i < ngroups; i++) {
		if (grouplist[i] == check_gid) {
			match = DROPBEAR_SUCCESS;
			break;
		}
	}
	m_free(grouplist);

	return match;
}
#endif
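The loop above has to cope with two incompatible getgrouplist(3) conventions (glibc returns the group count on success, BSD returns 0) and must fail closed when a user has more groups than DROPBEAR_NGROUP_MAX allows. The following is an added example, not dropbear's code: the same control flow with the system call replaced by two simulated backends over a constructed user table, so both conventions and the fail-closed path can be exercised offline. The value of DROPBEAR_NGROUP_MAX, the user table and the backend implementations are assumptions of this example; m_malloc, m_free and dropbear_log are replaced by their libc equivalents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not dropbear code: the retry loop of check_group_membership()
 * with getgrouplist(3) swapped for two simulated backends, so that the BSD and
 * glibc return conventions and the "too many groups" fail-closed path can be
 * exercised offline. m_malloc/m_free/dropbear_log become malloc/free/fprintf. */

#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE (-1)
#define DROPBEAR_NGROUP_MAX 1024        /* assumed; dropbear's headers set the real cap */

typedef int (*grouplist_fn)(const char *, gid_t, gid_t *, int *);

/* Constructed user database: alice has two supplementary groups, bob has more
 * groups than the cap, anyone else has only the primary gid passed in. */
static int user_group_count(const char *user) {
	if (strcmp(user, "alice") == 0) return 3;
	if (strcmp(user, "bob") == 0) return DROPBEAR_NGROUP_MAX + 1;
	return 1;
}
static gid_t user_group_at(const char *user, gid_t primary, int i) {
	static const gid_t alice_extra[] = { 27, 100 };
	if (i == 0) return primary;                 /* getgrouplist(3) always includes the supplied gid */
	if (strcmp(user, "alice") == 0) return alice_extra[i - 1];
	return (gid_t)(2000 + i);                   /* bob's synthetic supplementary groups */
}

/* glibc convention: returns the group count on success; if the array is too
 * small, stores the required count in *ngroups and returns -1. */
static int fake_getgrouplist_linux(const char *user, gid_t gid, gid_t *groups, int *ngroups) {
	int total = user_group_count(user), n = total <= *ngroups ? total : *ngroups, i;
	for (i = 0; i < n; i++) groups[i] = user_group_at(user, gid, i);
	*ngroups = total;
	return total <= n ? total : -1;
}
/* BSD convention: returns 0 on success, -1 if the array was too small;
 * *ngroups becomes the number of entries actually stored. */
static int fake_getgrouplist_bsd(const char *user, gid_t gid, gid_t *groups, int *ngroups) {
	int total = user_group_count(user), n = total <= *ngroups ? total : *ngroups, i;
	for (i = 0; i < n; i++) groups[i] = user_group_at(user, gid, i);
	*ngroups = n;
	return total <= n ? 0 : -1;
}

/* Same control flow as dropbear's function: grow the array until the lookup
 * returns ret >= 0 (success under both conventions), and fail closed if the
 * group list cannot be enumerated within DROPBEAR_NGROUP_MAX. */
int check_group_membership(grouplist_fn getgrouplist_impl, gid_t check_gid,
		const char *username, gid_t user_gid) {
	int ngroups, i, ret;
	gid_t *grouplist = NULL;
	int match = DROPBEAR_FAILURE;

	for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) {
		grouplist = malloc(sizeof(gid_t) * ngroups);
		ret = getgrouplist_impl(username, user_gid, grouplist, &ngroups);
		if (ret >= 0) {
			break;
		}
		free(grouplist);
		grouplist = NULL;
	}

	if (!grouplist) {
		fprintf(stderr, "Too many groups for user '%s'\n", username);
		return DROPBEAR_FAILURE;
	}

	for (i = 0; i < ngroups; i++) {
		if (grouplist[i] == check_gid) {
			match = DROPBEAR_SUCCESS;
			break;
		}
	}
	free(grouplist);
	return match;
}

int main(void) {
	grouplist_fn impls[2] = { fake_getgrouplist_linux, fake_getgrouplist_bsd };
	const char *names[2] = { "glibc", "bsd" };
	int k;
	for (k = 0; k < 2; k++) {
		printf("%s: alice in 27 -> %d, alice in 999 -> %d, bob in 2001 -> %d\n", names[k],
			check_group_membership(impls[k], 27, "alice", 1000),
			check_group_membership(impls[k], 999, "alice", 1000),
			check_group_membership(impls[k], 2001, "bob", 1000));
	}
	return 0;
}
```

Both backends give the same verdicts: membership in 27 succeeds, a gid the user is not in fails, and bob fails even for a group he really is in, because the list could not be enumerated within the cap and the safe answer is to deny. Against a real system the function pointer can be the libc getgrouplist where its prototype matches the typedef (glibc and FreeBSD do; macOS declares the gid arguments as int). Note also that any -1 return, not just a too-small buffer, keeps the loop doubling and ends in the same fail-closed path.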

/* Check that the username exists and isn't disallowed (root), and has a valid shell.
 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
static int checkusername(const char *username, unsigned int userlen) {

	char* listshell = NULL;
	char* usershell = NULL;
	uid_t uid;

	TRACE(("enter checkusername"))
	if (userlen > MAX_USERNAME_LEN) {
		return DROPBEAR_FAILURE;
	}

	if (strlen(username) != userlen) {
		dropbear_exit("Attempted username with a null byte");
	}

	if (ses.authstate.username == NULL) {
		/* first request */
		fill_passwd(username);
		ses.authstate.username = m_strdup(username);
	} else {
		/* check username hasn't changed */
		if (strcmp(username, ses.authstate.username) != 0) {
			dropbear_exit("Client trying multiple usernames");
		}
	}

	/* avoids cluttering logs with repeated failure messages from
	consecutive authentication requests in a session */
	if (ses.authstate.checkusername_failed) {
		TRACE(("checkusername: returning cached failure"))
		return DROPBEAR_FAILURE;
	}

	/* check that user exists */
	if (!ses.authstate.pw_name) {
		TRACE(("leave checkusername: user '%s' doesn't exist", username))
		dropbear_log(LOG_WARNING,
				"Login attempt for nonexistent user");
		ses.authstate.checkusername_failed = 1;
		return DROPBEAR_FAILURE;
	}

	/* check if we are running as non-root, and login user is different from the server */
	uid = geteuid();
	if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) {
		TRACE(("running as nonroot, only server uid is allowed"))
		dropbear_log(LOG_WARNING,
				"Login attempt with wrong user %s",
				ses.authstate.pw_name);
		ses.authstate.checkusername_failed = 1;
		return DROPBEAR_FAILURE;
	}

	/* check for non-root if desired */
	if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
		TRACE(("leave checkusername: root login disabled"))
		dropbear_log(LOG_WARNING, "root login rejected");
		ses.authstate.checkusername_failed = 1;
		return DROPBEAR_FAILURE;
	}

	/* check for login restricted to certain group if desired */
#ifdef HAVE_GETGROUPLIST
	if (svr_opts.restrict_group) {
		if (check_group_membership(svr_opts.restrict_group_gid,
				ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) {
			dropbear_log(LOG_WARNING,
				"Logins are restricted to the group %s but user '%s' is not a member",
				svr_opts.restrict_group, ses.authstate.pw_name);
			ses.authstate.checkusername_failed = 1;
			return DROPBEAR_FAILURE;
		}
	}
#endif /* HAVE_GETGROUPLIST */

	TRACE(("shell is %s", ses.authstate.pw_shell))

	/* check that the shell is set */
	usershell = ses.authstate.pw_shell;
	if (usershell[0] == '\0') {
		/* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
		usershell = "/bin/sh";
	}

	/* check the shell is valid. If /etc/shells doesn't exist, getusershell()
	 * should return some standard shells like "/bin/sh" and "/bin/csh" (this
	 * is platform-specific) */
	setusershell();
	while ((listshell = getusershell()) != NULL) {
		TRACE(("test shell is '%s'", listshell))
		if (strcmp(listshell, usershell) == 0) {
			/* have a match */
			goto goodshell;
		}
	}
	/* no matching shell */
	endusershell();
	TRACE(("no matching shell"))
	ses.authstate.checkusername_failed = 1;
	dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
				ses.authstate.pw_name);
	return DROPBEAR_FAILURE;

goodshell:
	endusershell();
	TRACE(("matching shell"))

	TRACE(("uid = %d", ses.authstate.pw_uid))
	TRACE(("leave checkusername"))
	return DROPBEAR_SUCCESS;
}
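The first three checks in checkusername() operate on the username exactly as it arrived in the SSH_MSG_USERAUTH_REQUEST: an oversized name is a plain failure, a name whose strlen() disagrees with the wire length (an embedded NUL) ends the connection, and a name that differs from the one pinned by the session's first request also ends the connection. The following is an added example, not dropbear's code: a minimal parser for the request's SSH string fields followed by those three checks, run over constructed packets. The value of MAX_USERNAME_LEN, the auth_state struct, the verdict enum and the packet-building helpers are assumptions of this example; the passwd, root, server-uid, group and shell checks of the real function are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not dropbear code: parse the username out of a constructed
 * SSH_MSG_USERAUTH_REQUEST payload and apply the three early checks that
 * checkusername() applies before it touches the password database. */

#define SSH_MSG_USERAUTH_REQUEST 50
#define MAX_USERNAME_LEN 100            /* assumed; dropbear defines its own value */

enum auth_verdict { AUTH_OK = 0, AUTH_REJECT = 1, AUTH_DISCONNECT = 2 };

/* The one field of ses.authstate these checks need: pinned by the first request. */
struct auth_state { char *username; };

/* Read one SSH "string" (uint32 big-endian length, then bytes) at *pos.
 * Returns a pointer into buf, or NULL if the declared length overruns the payload. */
static const unsigned char *read_string(const unsigned char *buf, size_t len,
		size_t *pos, uint32_t *slen) {
	const unsigned char *p;
	if (len - *pos < 4) return NULL;
	*slen = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
			| ((uint32_t)buf[*pos + 2] << 8) | buf[*pos + 3];
	*pos += 4;
	if (len - *pos < *slen) return NULL;
	p = buf + *pos;
	*pos += *slen;
	return p;
}

/* AUTH_DISCONNECT where dropbear calls dropbear_exit(), AUTH_REJECT where it
 * returns DROPBEAR_FAILURE. The later policy checks of the real function are left out. */
enum auth_verdict check_userauth_username(struct auth_state *st,
		const unsigned char *payload, size_t len) {
	size_t pos = 1;
	uint32_t userlen;
	const unsigned char *user;
	char *username;
	enum auth_verdict v;

	if (len < 1 || payload[0] != SSH_MSG_USERAUTH_REQUEST) return AUTH_DISCONNECT;
	user = read_string(payload, len, &pos, &userlen);
	if (user == NULL) return AUTH_DISCONNECT;           /* length overruns the packet */

	/* Like dropbear's buf_getstring(): a NUL-terminated copy plus the wire
	 * length, which is what lets the strlen() comparison catch an embedded NUL. */
	username = malloc((size_t)userlen + 1);
	memcpy(username, user, userlen);
	username[userlen] = '\0';

	if (userlen > MAX_USERNAME_LEN) {
		v = AUTH_REJECT;                                /* oversized: plain failure */
	} else if (strlen(username) != userlen) {
		v = AUTH_DISCONNECT;                            /* "Attempted username with a null byte" */
	} else if (st->username == NULL) {
		st->username = username;                        /* first request: pin the name */
		return AUTH_OK;
	} else if (strcmp(username, st->username) == 0) {
		v = AUTH_OK;
	} else {
		v = AUTH_DISCONNECT;                            /* "Client trying multiple usernames" */
	}
	free(username);
	return v;
}

/* Build a minimal request: byte 50, string user, string service, string method. */
static void put_string(unsigned char *out, size_t *pos, const void *s, uint32_t n) {
	out[*pos] = (unsigned char)(n >> 24); out[*pos + 1] = (unsigned char)(n >> 16);
	out[*pos + 2] = (unsigned char)(n >> 8); out[*pos + 3] = (unsigned char)n;
	memcpy(out + *pos + 4, s, n);
	*pos += 4 + n;
}
size_t build_request(unsigned char *out, const char *user, uint32_t userlen) {
	size_t pos = 0;
	out[pos++] = SSH_MSG_USERAUTH_REQUEST;
	put_string(out, &pos, user, userlen);
	put_string(out, &pos, "ssh-connection", 14);
	put_string(out, &pos, "none", 4);
	return pos;
}

/* Constructed scenarios: one request on a fresh session, a second request on a
 * session that already pinned `first`, and a name one byte over the limit. */
static enum auth_verdict verdict_for(struct auth_state *st, const char *user, uint32_t userlen) {
	unsigned char pkt[256];
	return check_userauth_username(st, pkt, build_request(pkt, user, userlen));
}
enum auth_verdict verdict_fresh(const char *user, uint32_t userlen) {
	struct auth_state st = { NULL };
	enum auth_verdict v = verdict_for(&st, user, userlen);
	free(st.username);
	return v;
}
enum auth_verdict verdict_second(const char *first, const char *second) {
	struct auth_state st = { NULL };
	enum auth_verdict v;
	verdict_for(&st, first, (uint32_t)strlen(first));
	v = verdict_for(&st, second, (uint32_t)strlen(second));
	free(st.username);
	return v;
}
enum auth_verdict verdict_oversized(void) {
	char name[MAX_USERNAME_LEN + 2];                    /* MAX_USERNAME_LEN + 1 bytes of 'a' */
	memset(name, 'a', sizeof(name) - 1);
	name[sizeof(name) - 1] = '\0';
	return verdict_fresh(name, MAX_USERNAME_LEN + 1);
}
static const unsigned char truncated_pkt[] = { 50, 0, 0, 0, 10, 'a', 'b' };  /* claims 10 bytes, carries 2 */

int main(void) {
	printf("alice,alice: %d  alice,bob: %d  NUL: %d  oversized: %d  truncated: %d\n",
		verdict_second("alice", "alice"), verdict_second("alice", "bob"),
		verdict_fresh("ali\0ce", 6), verdict_oversized(),
		check_userauth_username(&(struct auth_state){ NULL }, truncated_pkt, sizeof(truncated_pkt)));
	return 0;
}
```

Two points the scenarios make concrete. The NUL check works only because the wire length is carried alongside the C string; a parser that handed checkusername() just a char* would silently truncate "ali\0ce" to "ali" and look up a different account than the client named. And pinning the username on the first request means a client cannot probe several accounts over one connection: the second, different name is a disconnect rather than another failure response.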

/* Send a failure message to the client, in response to a userauth_request.
 * Partial indicates whether to set the "partial success" flag,
 * incrfail is whether to count this failure in the failure count (which
 * is limited). This function also handles disconnection after too many
 * failures */
void send_msg_userauth_failure(int partial, int incrfail) {

	buffer *typebuf = NULL;

	TRACE(("enter send_msg_userauth_failure"))

	CHECKCLEARTOWRITE();

	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);

	/* put a list of allowed types */
	typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */

	if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
		buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
		if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
			buf_putbyte(typebuf, ',');
		}
	}

	if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
		buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
	}

	buf_putbufstring(ses.writepayload, typebuf);

	TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes,
				typebuf->len, typebuf->data))

	buf_free(typebuf);

	buf_putbyte(ses.writepayload, partial ? 1 : 0);
	encrypt_packet();

	if (incrfail) {
		/* The SSH_MSG_AUTH_FAILURE response is delayed to attempt to
		avoid user enumeration and slow brute force attempts.
		The delay is adjusted by the time already spent in processing
		authentication (ses.authstate.auth_starttime timestamp). */

		/* Desired total delay 300ms +-50ms (in nanoseconds).
		Beware of integer overflow if increasing these values */
		const unsigned int mindelay = 250000000;
		const unsigned int vardelay = 100000000;
		unsigned int rand_delay;
		struct timespec delay;

		gettime_wrapper(&delay);
		delay.tv_sec -= ses.authstate.auth_starttime.tv_sec;
		delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec;

		/* carry */
		if (delay.tv_nsec < 0) {
			delay.tv_nsec += 1000000000;
			delay.tv_sec -= 1;
		}

		genrandom((unsigned char*)&rand_delay, sizeof(rand_delay));
		rand_delay = mindelay + (rand_delay % vardelay);

		if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) {
			/* Compensate for elapsed time */
			delay.tv_nsec = rand_delay - delay.tv_nsec;
		} else {
			/* No time left or time went backwards, just delay anyway */
parents:
1617
diff
changeset
|
414 delay.tv_sec = 0; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
415 delay.tv_nsec = rand_delay; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
416 } |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
417 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
418 |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1557
diff
changeset
|
419 #if DROPBEAR_FUZZ |
1561
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
420 if (!fuzz.fuzzing) |
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
421 #endif |
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
422 { |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
423 while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ } |
1347
b28624698130
copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
424 } |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
425 |
33 | 426 ses.authstate.failcount++; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
427 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
428 |
1442
517c67cbcd31
dropbear server: support -T max auth tries
Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
parents:
1295
diff
changeset
|
429 if (ses.authstate.failcount >= svr_opts.maxauthtries) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
430 char * userstr; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
431 /* XXX - send disconnect ? */ |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
432 TRACE(("Max auth tries reached, exiting")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
433 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
434 if (ses.authstate.pw_name == NULL) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
435 userstr = "is invalid"; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
436 } else { |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
437 userstr = ses.authstate.pw_name; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
438 } |
1665
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
439 dropbear_exit("Max auth tries reached - user '%s'", |
7c17995bcdfb
Improve address logging on early exit messages (#83)
Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com>
parents:
1633
diff
changeset
|
440 userstr); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
441 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
442 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
443 TRACE(("leave send_msg_userauth_failure")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
444 } |
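The delay arithmetic at lines 389-416 of send_msg_userauth_failure(), modelled as a stand-alone C function so the carry and both branches can be checked against constructed timestamps. This is an added example, not Dropbear's code: auth_failure_delay(), sleep_ns() and observed_total_ns() are names chosen here, rand_raw stands in for the value genrandom() fills, the timestamps are constructed, and nothing actually sleeps. The point it makes visible is why the delay is "adaptive": when less than mindelay has elapsed, only the remainder is slept, so the time a client measures from the start of authentication to the failure reply is the same 250-350ms band whether the failing method returned quickly or slowly.

```c
/* Added example, not Dropbear's code: a stand-alone model of the adaptive
 * authentication-failure delay from send_msg_userauth_failure() above.
 * The arithmetic follows lines 389-416; timestamps and the random value are
 * passed in so the result is deterministic and no nanosleep() is performed. */
#include <stdio.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000L

/* Same constants as the page: 250ms minimum plus up to 100ms of jitter,
 * so the failure reply lands 300ms +-50ms after authentication started. */
static const unsigned int mindelay = 250000000;
static const unsigned int vardelay = 100000000;

/* rand_raw stands in for the bytes genrandom() writes into rand_delay. */
struct timespec auth_failure_delay(struct timespec now, struct timespec start,
                                   unsigned int rand_raw) {
	struct timespec delay = now;   /* holds "elapsed" first, as in the page */
	unsigned int rand_delay;

	delay.tv_sec -= start.tv_sec;
	delay.tv_nsec -= start.tv_nsec;
	if (delay.tv_nsec < 0) {       /* carry across the second boundary */
		delay.tv_nsec += NSEC_PER_SEC;
		delay.tv_sec -= 1;
	}

	rand_delay = mindelay + (rand_raw % vardelay);   /* 250ms .. 349.999ms */

	if (delay.tv_sec == 0 && delay.tv_nsec <= (long)mindelay) {
		/* Less than mindelay has gone by: sleep only the remainder, so
		 * elapsed + sleep == rand_delay whichever auth method failed. */
		delay.tv_nsec = (long)rand_delay - delay.tv_nsec;
	} else {
		/* Auth already took longer than mindelay, or the clock went
		 * backwards (tv_sec < 0): just sleep the full random delay. */
		delay.tv_sec = 0;
		delay.tv_nsec = rand_delay;
	}
	return delay;
}

static struct timespec ts(long sec, long nsec) {
	struct timespec t;
	t.tv_sec = sec;
	t.tv_nsec = nsec;
	return t;
}

/* Nanoseconds the server would sleep for the given start/now pair. */
long sleep_ns(long start_sec, long start_nsec, long now_sec, long now_nsec,
              unsigned int rand_raw) {
	struct timespec d = auth_failure_delay(ts(now_sec, now_nsec),
	                                       ts(start_sec, start_nsec), rand_raw);
	return (long)d.tv_sec * NSEC_PER_SEC + d.tv_nsec;
}

/* What a client measures: time already spent plus the sleep. In the normal
 * case this equals rand_delay, independent of where the auth check failed. */
long observed_total_ns(long start_sec, long start_nsec, long now_sec,
                       long now_nsec, unsigned int rand_raw) {
	long elapsed = (now_sec - start_sec) * NSEC_PER_SEC + (now_nsec - start_nsec);
	return elapsed + sleep_ns(start_sec, start_nsec, now_sec, now_nsec, rand_raw);
}

int main(void) {
	/* Constructed timestamps: auth started at 10.900s, the failure is being
	 * sent at 11.050s, i.e. 150ms elapsed with a borrow across the second. */
	printf("sleep %ld ns, client observes %ld ns\n",
	       sleep_ns(10, 900000000L, 11, 50000000L, 12345678u),
	       observed_total_ns(10, 900000000L, 11, 50000000L, 12345678u));
	/* 400ms already elapsed: the full random delay is added on top. */
	printf("slow auth: sleep %ld ns\n",
	       sleep_ns(10, 0, 10, 400000000L, 12345678u));
	return 0;
}
```

Two details worth noticing when reading the original: the comparison `delay.tv_nsec <= mindelay` guarantees the subtraction in the first branch never goes negative, and a failure that arrives more than mindelay after auth_starttime (a slow method, or several methods tried on one connection) still pays the full random delay, so the total is no longer constant in that case but is never shorter than mindelay.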
4:fe6bca95afa7  Makefile.in contains updated files required  (Matt Johnston <matt@ucc.asn.au>; no parents)
 445 |
 446 | /* Send a success message to the user, and set the "authdone" flag */
 447 | void send_msg_userauth_success() {
 448 |
165:0cfba3034be5  Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place  (Matt Johnston <matt@ucc.asn.au>; parents: 158)
 449 | 	TRACE(("enter send_msg_userauth_success"))
4:fe6bca95afa7
 450 |
 451 | 	CHECKCLEARTOWRITE();
 452 |
 453 | 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
 454 | 	encrypt_packet();
 455 |
501:d58c478bd399  Add support for zlib@openssh.com delayed compression.  (Matt Johnston <matt@ucc.asn.au>; parents: 483)
 456 | 	/* authdone must be set after encrypt_packet() for
 457 | 	 * delayed-zlib mode */
33
 458 | 	ses.authstate.authdone = 1;
1139:43a8ea69b24c  Fix problem where auth timeout wasn't checked when waiting for ident  (Matt Johnston <matt@ucc.asn.au>; parents: 1122)
 459 | 	ses.connect_time = 0;
 460 |
4:fe6bca95afa7
 461 |
464:4317be8b7cf9  Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep  (Matt Johnston <matt@ucc.asn.au>; parents: 454)
 462 | 	if (ses.authstate.pw_uid == 0) {
21:d7cc5b484a2e  - Port restriction code back in  (Matt Johnston <matt@ucc.asn.au>; parents: 11)
 463 | 		ses.allowprivport = 1;
 464 | 	}
 465 |
4:fe6bca95afa7
 466 | 	/* Remove from the list of pre-auth sockets. Should be m_close(), since if
 467 | 	 * we fail, we might end up leaking connection slots, and disallow new
 468 | 	 * logins - a nasty situation. */
 469 | 	m_close(svr_ses.childpipe);
 470 |
165:0cfba3034be5
 471 | 	TRACE(("leave send_msg_userauth_success"))
4:fe6bca95afa7
 472 |
 473 | }