Mercurial > dropbear

annotate svr-auth.c @ 1663:c795520269f9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fallback for key gen without hard link support (#89) Add a non-atomic fallback for key generation on platforms where link() is not permitted (such as most stock Android installs) or on filesystems without hard link support (such as FAT).
author Matt Robinson <git@nerdoftheherd.com>
date Sat, 14 Mar 2020 14:37:35 +0000
parents 592a18dac250
children 7c17995bcdfb
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 * Dropbear - a SSH2 server
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 * Copyright (c) 2002,2003 Matt Johnston
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5 * All rights reserved.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 * of this software and associated documentation files (the "Software"), to deal
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 * in the Software without restriction, including without limitation the rights
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 * copies of the Software, and to permit persons to whom the Software is
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 * furnished to do so, subject to the following conditions:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 * The above copyright notice and this permission notice shall be included in
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 * all copies or substantial portions of the Software.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 * SOFTWARE. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
25 /* This file (auth.c) handles authentication requests, passing it to the
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
26 * particular type (auth-passwd, auth-pubkey). */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
27
1534
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
28 #include <limits.h>
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
29
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 #include "includes.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
31 #include "dbutil.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
32 #include "session.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
33 #include "buffer.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
34 #include "ssh.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
35 #include "packet.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
36 #include "auth.h"
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
37 #include "runopts.h"
858
220f55d540ae rename random.h to dbrandom.h since some OSes have a system random.h
Matt Johnston <matt@ucc.asn.au>
parents: 852
diff changeset
38 #include "dbrandom.h"
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
39
1538
f20038b513a5 more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents: 1537
diff changeset
40 static int checkusername(const char *username, unsigned int userlen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
41
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
42 /* initialise the first time for a session, resetting all parameters */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
43 void svr_authinitialise() {
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
44 memset(&ses.authstate, 0, sizeof(ses.authstate));
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
45 #if DROPBEAR_SVR_PUBKEY_AUTH
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
46 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
47 #endif
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
48 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
35
0ad5fb979f42 set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents: 33
diff changeset
49 if (!svr_opts.noauthpass) {
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
50 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
51 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
52 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
53 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
54
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55 /* Send a banner message if specified to the client. The client might
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
56 * ignore this, but possibly serves as a legal "no trespassing" sign */
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1442
diff changeset
57 void send_msg_userauth_banner(const buffer *banner) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
58
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
59 TRACE(("enter send_msg_userauth_banner"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
60
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
61 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
63 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
835
4095b6d7c9fc Merge in changes from the past couple of releases
Matt Johnston <matt@ucc.asn.au>
parents: 801 818
diff changeset
64 buf_putbufstring(ses.writepayload, banner);
1122
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
65 buf_putstring(ses.writepayload, "en", 2);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
66
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
67 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
68
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
69 TRACE(("leave send_msg_userauth_banner"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
70 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
71
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
72 /* handle a userauth request, check validity, pass to password or pubkey
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
73 * checking, and handle success or failure */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
74 void recv_msg_userauth_request() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
75
1100
7b84c3492a95 Turn username, servicename and methodname local variables into char *
Gaël PORTAY <gael.portay@gmail.com>
parents: 1094
diff changeset
76 char *username = NULL, *servicename = NULL, *methodname = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
77 unsigned int userlen, servicelen, methodlen;
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
78 int valid_user = 0;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
79
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
80 TRACE(("enter recv_msg_userauth_request"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
81
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
82 /* for compensating failure delay */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
83 gettime_wrapper(&ses.authstate.auth_starttime);
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
84
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
85 /* ignore packets if auth is already done */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
86 if (ses.authstate.authdone == 1) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
87 TRACE(("leave recv_msg_userauth_request: authdone already"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
88 return;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
89 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
90
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
91 /* send the banner if it exists, it will only exist once */
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
92 if (svr_opts.banner) {
818
8fe36617bf4e Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents: 808
diff changeset
93 send_msg_userauth_banner(svr_opts.banner);
8fe36617bf4e Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents: 808
diff changeset
94 buf_free(svr_opts.banner);
8fe36617bf4e Send PAM error messages as a banner messages
Matt Johnston <matt@ucc.asn.au>
parents: 808
diff changeset
95 svr_opts.banner = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
96 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
97
1122
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
98 username = buf_getstring(ses.payload, &userlen);
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
99 servicename = buf_getstring(ses.payload, &servicelen);
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1100
diff changeset
100 methodname = buf_getstring(ses.payload, &methodlen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
101
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
102 /* only handle 'ssh-connection' currently */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
103 if (servicelen != SSH_SERVICE_CONNECTION_LEN
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
104 && (strncmp(servicename, SSH_SERVICE_CONNECTION,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
105 SSH_SERVICE_CONNECTION_LEN) != 0)) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
106
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
107 /* TODO - disconnect here */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
108 m_free(username);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
109 m_free(servicename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
110 m_free(methodname);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
111 dropbear_exit("unknown service in auth");
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
112 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
113
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
114 /* check username is good before continuing.
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
115 * the 'incrfail' varies depending on the auth method to
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
116 * avoid giving away which users exist on the system through
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
117 * the time delay. */
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
118 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
119 valid_user = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
120 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
121
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
122 /* user wants to know what methods are supported */
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
123 if (methodlen == AUTH_METHOD_NONE_LEN &&
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
124 strncmp(methodname, AUTH_METHOD_NONE,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
125 AUTH_METHOD_NONE_LEN) == 0) {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
126 TRACE(("recv_msg_userauth_request: 'none' request"))
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
127 if (valid_user
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
128 && svr_opts.allowblankpass
692
c58a15983808 Allow configuring "allow blank password option" at runtime
Paul Eggleton <paul.eggleton@linux.intel.com>
parents: 678
diff changeset
129 && !svr_opts.noauthpass
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
130 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
677
55b84e59aaad Fix empty password immediate login
Matt Johnston <matt@ucc.asn.au>
parents: 676
diff changeset
131 && ses.authstate.pw_passwd[0] == '\0')
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
132 {
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
133 dropbear_log(LOG_NOTICE,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
134 "Auth succeeded with blank password for '%s' from %s",
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
135 ses.authstate.pw_name,
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
136 svr_ses.addrstring);
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
137 send_msg_userauth_success();
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
138 goto out;
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
139 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
140 else
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
141 {
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
142 /* 'none' has no failure delay */
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
143 send_msg_userauth_failure(0, 0);
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
144 goto out;
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
145 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
146 }
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
147
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
148 #if DROPBEAR_SVR_PASSWORD_AUTH
24
469950e86d0f switching to global vars
Matt Johnston <matt@ucc.asn.au>
parents: 22
diff changeset
149 if (!svr_opts.noauthpass &&
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
150 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
151 /* user wants to try password auth */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
152 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
153 strncmp(methodname, AUTH_METHOD_PASSWORD,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
154 AUTH_METHOD_PASSWORD_LEN) == 0) {
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
155 svr_auth_password(valid_user);
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
156 goto out;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
157 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
158 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
159 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
160
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
161 #if DROPBEAR_SVR_PAM_AUTH
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
162 if (!svr_opts.noauthpass &&
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
163 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
164 /* user wants to try password auth */
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
165 if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
166 strncmp(methodname, AUTH_METHOD_PASSWORD,
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
167 AUTH_METHOD_PASSWORD_LEN) == 0) {
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
168 svr_auth_pam(valid_user);
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
169 goto out;
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
170 }
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
171 }
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
172 #endif
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents: 35
diff changeset
173
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
174 #if DROPBEAR_SVR_PUBKEY_AUTH
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
175 /* user wants to try pubkey auth */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
176 if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
177 strncmp(methodname, AUTH_METHOD_PUBKEY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
178 AUTH_METHOD_PUBKEY_LEN) == 0) {
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1560
diff changeset
179 svr_auth_pubkey(valid_user);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
180 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
181 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
182 #endif
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
183
808
d7784616409a improve auth failure delays to avoid indicating which users exist
Matt Johnston <matt@ucc.asn.au>
parents: 782
diff changeset
184 /* nothing matched, we just fail with a delay */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
185 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
186
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
187 out:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
188
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
189 m_free(username);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
190 m_free(servicename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
191 m_free(methodname);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
192 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
193
1551
1acbdf64088e add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents: 1539
diff changeset
194 #ifdef HAVE_GETGROUPLIST
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
195 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
196 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
197 int ngroups, i, ret;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
198 gid_t *grouplist = NULL;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
199 int match = DROPBEAR_FAILURE;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
200
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
201 for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
202 grouplist = m_malloc(sizeof(gid_t) * ngroups);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
203
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
204 /* BSD returns ret==0 on success. Linux returns ret==ngroups on success */
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
205 ret = getgrouplist(username, user_gid, grouplist, &ngroups);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
206 if (ret >= 0) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
207 break;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
208 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
209 m_free(grouplist);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
210 grouplist = NULL;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
211 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
212
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
213 if (!grouplist) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
214 dropbear_log(LOG_ERR, "Too many groups for user '%s'", username);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
215 return DROPBEAR_FAILURE;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
216 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
217
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
218 for (i = 0; i < ngroups; i++) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
219 if (grouplist[i] == check_gid) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
220 match = DROPBEAR_SUCCESS;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
221 break;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
222 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
223 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
224 m_free(grouplist);
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
225
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
226 return match;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
227 }
1551
1acbdf64088e add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents: 1539
diff changeset
228 #endif
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
229
676
0edf08895a33 Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents: 628
diff changeset
230 /* Check that the username exists and isn't disallowed (root), and has a valid shell.
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
231 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
1538
f20038b513a5 more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents: 1537
diff changeset
232 static int checkusername(const char *username, unsigned int userlen) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
233
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
234 char* listshell = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
235 char* usershell = NULL;
852
7540c0822374 Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents: 835
diff changeset
236 uid_t uid;
1534
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
237
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
238 TRACE(("enter checkusername"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
239 if (userlen > MAX_USERNAME_LEN) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
240 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
241 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
242
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
243 if (strlen(username) != userlen) {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
244 dropbear_exit("Attempted username with a null byte from %s",
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
245 svr_ses.addrstring);
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
246 }
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
247
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
248 if (ses.authstate.username == NULL) {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
249 /* first request */
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
250 fill_passwd(username);
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
251 ses.authstate.username = m_strdup(username);
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
252 } else {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
253 /* check username hasn't changed */
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
254 if (strcmp(username, ses.authstate.username) != 0) {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
255 dropbear_exit("Client trying multiple usernames from %s",
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
256 svr_ses.addrstring);
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
257 }
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
258 }
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
259
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
260 /* avoids cluttering logs with repeated failure messages from
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
261 consecutive authentication requests in a sesssion */
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
262 if (ses.authstate.checkusername_failed) {
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
263 TRACE(("checkusername: returning cached failure"))
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
264 return DROPBEAR_FAILURE;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
265 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
266
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
267 /* check that user exists */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
268 if (!ses.authstate.pw_name) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
269 TRACE(("leave checkusername: user '%s' doesn't exist", username))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
270 dropbear_log(LOG_WARNING,
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 573
diff changeset
271 "Login attempt for nonexistent user from %s",
158
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
272 svr_ses.addrstring);
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
273 ses.authstate.checkusername_failed = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
274 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
275 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
276
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
277 /* check if we are running as non-root, and login user is different from the server */
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
278 uid = geteuid();
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1622
diff changeset
279 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) {
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
280 TRACE(("running as nonroot, only server uid is allowed"))
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
281 dropbear_log(LOG_WARNING,
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
282 "Login attempt with wrong user %s from %s",
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
283 ses.authstate.pw_name,
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
284 svr_ses.addrstring);
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
285 ses.authstate.checkusername_failed = 1;
782
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
286 return DROPBEAR_FAILURE;
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
287 }
e0084f136cb8 If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
288
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
289 /* check for non-root if desired */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
290 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
291 TRACE(("leave checkusername: root login disabled"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
292 dropbear_log(LOG_WARNING, "root login rejected");
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
293 ses.authstate.checkusername_failed = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
294 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
295 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
296
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
297 /* check for login restricted to certain group if desired */
1551
1acbdf64088e add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents: 1539
diff changeset
298 #ifdef HAVE_GETGROUPLIST
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
299 if (svr_opts.restrict_group) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
300 if (check_group_membership(svr_opts.restrict_group_gid,
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
301 ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) {
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
302 dropbear_log(LOG_WARNING,
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
303 "Logins are restricted to the group %s but user '%s' is not a member",
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
304 svr_opts.restrict_group, ses.authstate.pw_name);
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
305 ses.authstate.checkusername_failed = 1;
1537
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
306 return DROPBEAR_FAILURE;
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
307 }
6a83b1944432 Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents: 1534
diff changeset
308 }
1560
f5026f7486de fix #endif (#59)
François Perrad <francois.perrad@gadz.org>
parents: 1551
diff changeset
309 #endif /* HAVE_GETGROUPLIST */
1534
ed930fd6f60f Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents: 1459
diff changeset
310
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
311 TRACE(("shell is %s", ses.authstate.pw_shell))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
312
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
313 /* check that the shell is set */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
314 usershell = ses.authstate.pw_shell;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
315 if (usershell[0] == '\0') {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
316 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
317 usershell = "/bin/sh";
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
318 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
319
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
320 /* check the shell is valid. If /etc/shells doesn't exist, getusershell()
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
321 * should return some standard shells like "/bin/sh" and "/bin/csh" (this
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
322 * is platform-specific) */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
323 setusershell();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
324 while ((listshell = getusershell()) != NULL) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
325 TRACE(("test shell is '%s'", listshell))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
326 if (strcmp(listshell, usershell) == 0) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
327 /* have a match */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
328 goto goodshell;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
329 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
330 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
331 /* no matching shell */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
332 endusershell();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
333 TRACE(("no matching shell"))
1539
51df3d53b050 - Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1538
diff changeset
334 ses.authstate.checkusername_failed = 1;
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 573
diff changeset
335 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
336 ses.authstate.pw_name);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
337 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
338
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
339 goodshell:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
340 endusershell();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
341 TRACE(("matching shell"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
342
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
343 TRACE(("uid = %d", ses.authstate.pw_uid))
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
344 TRACE(("leave checkusername"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
345 return DROPBEAR_SUCCESS;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
346 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
347
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
348 /* Send a failure message to the client, in responds to a userauth_request.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
349 * Partial indicates whether to set the "partial success" flag,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
350 * incrfail is whether to count this failure in the failure count (which
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
351 * is limited. This function also handles disconnection after too many
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
352 * failures */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
353 void send_msg_userauth_failure(int partial, int incrfail) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
354
70
b0316ce64e4b Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents: 68
diff changeset
355 buffer *typebuf = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
356
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
357 TRACE(("enter send_msg_userauth_failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
358
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
359 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
360
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
361 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
362
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
363 /* put a list of allowed types */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
364 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
365
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
366 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
1094
c45d65392c1a Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents: 940
diff changeset
367 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
368 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
369 buf_putbyte(typebuf, ',');
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
370 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
371 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
372
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
373 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
1094
c45d65392c1a Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents: 940
diff changeset
374 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
375 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
376
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
377 buf_putbufstring(ses.writepayload, typebuf);
300
baea1d43e7eb Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
378
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 692
diff changeset
379 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes,
762
a78a38e402d1 - Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents: 761
diff changeset
380 typebuf->len, typebuf->data))
300
baea1d43e7eb Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
381
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
382 buf_free(typebuf);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
383
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
384 buf_putbyte(ses.writepayload, partial ? 1 : 0);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
385 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
386
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
387 if (incrfail) {
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
388 /* The SSH_MSG_AUTH_FAILURE response is delayed to attempt to
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
389 avoid user enumeration and slow brute force attempts.
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
390 The delay is adjusted by the time already spent in processing
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
391 authentication (ses.authstate.auth_starttime timestamp). */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
392
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
393 /* Desired total delay 300ms +-50ms (in nanoseconds).
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
394 Beware of integer overflow if increasing these values */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
395 const unsigned int mindelay = 250000000;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
396 const unsigned int vardelay = 100000000;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
397 unsigned int rand_delay;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
398 struct timespec delay;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
399
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
400 gettime_wrapper(&delay);
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
401 delay.tv_sec -= ses.authstate.auth_starttime.tv_sec;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
402 delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
403
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
404 /* carry */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
405 if (delay.tv_nsec < 0) {
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
406 delay.tv_nsec += 1000000000;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
407 delay.tv_sec -= 1;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
408 }
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
409
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
410 genrandom((unsigned char*)&rand_delay, sizeof(rand_delay));
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
411 rand_delay = mindelay + (rand_delay % vardelay);
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
412
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
413 if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) {
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
414 /* Compensate for elapsed time */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
415 delay.tv_nsec = rand_delay - delay.tv_nsec;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
416 } else {
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
417 /* No time left or time went backwards, just delay anyway */
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
418 delay.tv_sec = 0;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
419 delay.tv_nsec = rand_delay;
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
420 }
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
421
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
422
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1557
diff changeset
423 #if DROPBEAR_FUZZ
1561
02b226c2675e clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
424 if (!fuzz.fuzzing)
02b226c2675e clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
425 #endif
02b226c2675e clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
426 {
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
427 while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ }
1347
b28624698130 copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
428 }
1622
e11ed628708b - Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents: 1617
diff changeset
429
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
430 ses.authstate.failcount++;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
431 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
432
1442
517c67cbcd31 dropbear server: support -T max auth tries
Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
parents: 1295
diff changeset
433 if (ses.authstate.failcount >= svr_opts.maxauthtries) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
434 char * userstr;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
435 /* XXX - send disconnect ? */
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
436 TRACE(("Max auth tries reached, exiting"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
437
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
438 if (ses.authstate.pw_name == NULL) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
439 userstr = "is invalid";
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
440 } else {
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
441 userstr = ses.authstate.pw_name;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
442 }
158
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
443 dropbear_exit("Max auth tries reached - user '%s' from %s",
364a75cfebab Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents: 121
diff changeset
444 userstr, svr_ses.addrstring);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
445 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
446
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
447 TRACE(("leave send_msg_userauth_failure"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
448 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
449
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
450 /* Send a success message to the user, and set the "authdone" flag */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
451 void send_msg_userauth_success() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
452
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
453 TRACE(("enter send_msg_userauth_success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
454
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
455 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
456
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
457 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
458 encrypt_packet();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
459
501
d58c478bd399 Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents: 483
diff changeset
460 /* authdone must be set after encrypt_packet() for
d58c478bd399 Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents: 483
diff changeset
461 * delayed-zlib mode */
33
f789045062e6 Progressing client support
Matt Johnston <matt@ucc.asn.au>
parents: 24
diff changeset
462 ses.authstate.authdone = 1;
1139
43a8ea69b24c Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents: 1122
diff changeset
463 ses.connect_time = 0;
43a8ea69b24c Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents: 1122
diff changeset
464
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
465
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 454
diff changeset
466 if (ses.authstate.pw_uid == 0) {
21
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
467 ses.allowprivport = 1;
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
468 }
d7cc5b484a2e - Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents: 11
diff changeset
469
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
470 /* Remove from the list of pre-auth sockets. Should be m_close(), since if
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
471 * we fail, we might end up leaking connection slots, and disallow new
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
472 * logins - a nasty situation. */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
473 m_close(svr_ses.childpipe);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
474
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
475 TRACE(("leave send_msg_userauth_success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
476
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
477 }