Mercurial > dropbear
annotate svr-auth.c @ 1659:d32bcb5c557d
Add Ed25519 support (#91)
* Add support for Ed25519 as a public key type
Ed25519 is an elliptic curve signature scheme that offers
better security than ECDSA and DSA and good performance. It may be
used for both user and host keys.
OpenSSH key import and fuzzer are not supported yet.
Initially inspired by Peter Szabo.
* Add curve25519 and ed25519 fuzzers
* Add import and export of Ed25519 keys
author | Vladislav Grishenko <themiron@users.noreply.github.com> |
---|---|
date | Wed, 11 Mar 2020 21:09:45 +0500 |
parents | 592a18dac250 |
children | 7c17995bcdfb |

rev | changeset | description | author | parents |
---|---|---|---|---|
4 | fe6bca95afa7 | Makefile.in contains updated files required | Matt Johnston <matt@ucc.asn.au> | |
35 | 0ad5fb979f42 | set the isserver flag (oops) | Matt Johnston <matt@ucc.asn.au> | 33 |
57 | 3b2a5a1c4347 | svr-authpam code merged and works. needs tidying a log | Matt Johnston <matt@ucc.asn.au> | 35 |
165 | 0cfba3034be5 | Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place | Matt Johnston <matt@ucc.asn.au> | 158 |
464 | 4317be8b7cf9 | Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep | Matt Johnston <matt@ucc.asn.au> | 454 |
676 | 0edf08895a33 | Return immediate success for blank passwords if allowed | Matt Johnston <matt@ucc.asn.au> | 628 |
677 | 55b84e59aaad | Fix empty password immediate login | Matt Johnston <matt@ucc.asn.au> | 676 |
692 | c58a15983808 | Allow configuring "allow blank password option" at runtime | Paul Eggleton <paul.eggleton@linux.intel.com> | 678 |
808 | d7784616409a | improve auth failure delays to avoid indicating which users exist | Matt Johnston <matt@ucc.asn.au> | 782 |
818 | 8fe36617bf4e | Send PAM error messages as a banner messages | Matt Johnston <matt@ucc.asn.au> | 808 |
835 | 4095b6d7c9fc | Merge in changes from the past couple of releases | Matt Johnston <matt@ucc.asn.au> | |
858 | 220f55d540ae | rename random.h to dbrandom.h since some OSes have a system random.h | Matt Johnston <matt@ucc.asn.au> | 852 |
1100 | 7b84c3492a95 | Turn username, servicename and methodname local variables into char * | Gaël PORTAY <gael.portay@gmail.com> | 1094 |
1122 | aaf576b27a10 | Merge pull request #13 from gazoo74/fix-warnings | Matt Johnston <matt@ucc.asn.au> | 1100 |
1295 | 750ec4ec4cbe | Convert #ifdef to #if, other build changes | Matt Johnston <matt@ucc.asn.au> | 1276 |
1459 | 06d52bcb8094 | Pointer parameter could be declared as pointing to const | Francois Perrad <francois.perrad@gadz.org> | 1442 |
1534 | ed930fd6f60f | Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements. | stellarpower <stellarpower@googlemail.com> | 1459 |
1537 | 6a83b1944432 | Fix restricted group code for BSDs, move to separate function | Matt Johnston <matt@ucc.asn.au> | 1534 |
1538 | f20038b513a5 | more linting (#58) | François Perrad <francois.perrad@gadz.org> | 1537 |
1551 | 1acbdf64088e | add guard HAVE_GETGROUPLIST | Matt Johnston <matt@ucc.asn.au> | 1539 |
1616 | 5d2d1021ca00 | Wait to fail invalid usernames | Matt Johnston <matt@ucc.asn.au> | 1560 |
1622 | e11ed628708b | - Add adaptive authentication failure delay | Matt Johnston <matt@ucc.asn.au> | 1617 |

rev | line source |
---|---|
4 | 1 /* |
4 | 2 * Dropbear - a SSH2 server |
4 | 3 * |
4 | 4 * Copyright (c) 2002,2003 Matt Johnston |
4 | 5 * All rights reserved. |
4 | 6 * |
4 | 7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
4 | 8 * of this software and associated documentation files (the "Software"), to deal |
4 | 9 * in the Software without restriction, including without limitation the rights |
4 | 10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
4 | 11 * copies of the Software, and to permit persons to whom the Software is |
4 | 12 * furnished to do so, subject to the following conditions: |
4 | 13 * |
4 | 14 * The above copyright notice and this permission notice shall be included in |
4 | 15 * all copies or substantial portions of the Software. |
4 | 16 * |
4 | 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
4 | 18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
4 | 19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
4 | 20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
4 | 21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
4 | 22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
4 | 23 * SOFTWARE. */ |
4 | 24 |
4 | 25 /* This file (auth.c) handles authentication requests, passing it to the |
4 | 26 * particular type (auth-passwd, auth-pubkey). */ |
4 | 27 |
1534 | 28 #include <limits.h> |
1534 | 29 |
4 | 30 #include "includes.h" |
4 | 31 #include "dbutil.h" |
4 | 32 #include "session.h" |
4 | 33 #include "buffer.h" |
4 | 34 #include "ssh.h" |
4 | 35 #include "packet.h" |
4 | 36 #include "auth.h" |
24 | 37 #include "runopts.h" |
858 | 38 #include "dbrandom.h" |
4 | 39 |
1538 | 40 static int checkusername(const char *username, unsigned int userlen); |
4 | 41 |
4 | 42 /* initialise the first time for a session, resetting all parameters */ |
33 | 43 void svr_authinitialise() { |
33 | 44 memset(&ses.authstate, 0, sizeof(ses.authstate)); |
1295 | 45 #if DROPBEAR_SVR_PUBKEY_AUTH |
33 | 46 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; |
4 | 47 #endif |
1295 | 48 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH |
35 | 49 if (!svr_opts.noauthpass) { |
33 | 50 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; |
4 | 51 } |
4 | 52 #endif |
4 | 53 } |
4 | 54 |
4 | 55 /* Send a banner message if specified to the client. The client might |
4 | 56 * ignore this, but possibly serves as a legal "no trespassing" sign */ |
1459 | 57 void send_msg_userauth_banner(const buffer *banner) { |
4 | 58 |
165 | 59 TRACE(("enter send_msg_userauth_banner")) |
4 | 60 |
4 | 61 CHECKCLEARTOWRITE(); |
4 | 62 |
4 | 63 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); |
835 | 64 buf_putbufstring(ses.writepayload, banner); |
1122 | 65 buf_putstring(ses.writepayload, "en", 2); |
4 | 66 |
4 | 67 encrypt_packet(); |
4 | 68 |
165 | 69 TRACE(("leave send_msg_userauth_banner")) |
4 | 70 } |
4 | 71 |
4 | 72 /* handle a userauth request, check validity, pass to password or pubkey |
4 | 73 * checking, and handle success or failure */ |
4 | 74 void recv_msg_userauth_request() { |
4 | 75 |
1100 | 76 char *username = NULL, *servicename = NULL, *methodname = NULL; |
4 | 77 unsigned int userlen, servicelen, methodlen; |
808 | 78 int valid_user = 0; |
4 | 79 |
165 | 80 TRACE(("enter recv_msg_userauth_request")) |
4 | 81 |
1622 | 82 /* for compensating failure delay */ |
1622 | 83 gettime_wrapper(&ses.authstate.auth_starttime); |
1622 | 84 |
4 | 85 /* ignore packets if auth is already done */ |
33 | 86 if (ses.authstate.authdone == 1) { |
165 | 87 TRACE(("leave recv_msg_userauth_request: authdone already")) |
4 | 88 return; |
4 | 89 } |
4 | 90 |
4 | 91 /* send the banner if it exists, it will only exist once */ |
24 | 92 if (svr_opts.banner) { |
818 | 93 send_msg_userauth_banner(svr_opts.banner); |
818 | 94 buf_free(svr_opts.banner); |
818 | 95 svr_opts.banner = NULL; |
4 | 96 } |
4 | 97 |
1122 | 98 username = buf_getstring(ses.payload, &userlen); |
1122 | 99 servicename = buf_getstring(ses.payload, &servicelen); |
1122 | 100 methodname = buf_getstring(ses.payload, &methodlen); |
4 | 101 |
4 | 102 /* only handle 'ssh-connection' currently */ |
4 | 103 if (servicelen != SSH_SERVICE_CONNECTION_LEN |
4 | 104 && (strncmp(servicename, SSH_SERVICE_CONNECTION, |
4 | 105 SSH_SERVICE_CONNECTION_LEN) != 0)) { |
4 | 106 |
4 | 107 /* TODO - disconnect here */ |
4 | 108 m_free(username); |
4 | 109 m_free(servicename); |
4 | 110 m_free(methodname); |
4 | 111 dropbear_exit("unknown service in auth"); |
4 | 112 } |
4 | 113 |
808 | 114 /* check username is good before continuing. |
808 | 115 * the 'incrfail' varies depending on the auth method to |
808 | 116 * avoid giving away which users exist on the system through |
808 | 117 * the time delay. */ |
808 | 118 if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { |
808 | 119 valid_user = 1; |
4 | 120 } |
4 | 121 |
676 | 122 /* user wants to know what methods are supported */ |
676 | 123 if (methodlen == AUTH_METHOD_NONE_LEN && |
676 | 124 strncmp(methodname, AUTH_METHOD_NONE, |
676 | 125 AUTH_METHOD_NONE_LEN) == 0) { |
676 | 126 TRACE(("recv_msg_userauth_request: 'none' request")) |
808 | 127 if (valid_user |
808 | 128 && svr_opts.allowblankpass |
692 | 129 && !svr_opts.noauthpass |
676 | 130 && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) |
677 | 131 && ses.authstate.pw_passwd[0] == '\0') |
676 | 132 { |
676 | 133 dropbear_log(LOG_NOTICE, |
676 | 134 "Auth succeeded with blank password for '%s' from %s", |
676 | 135 ses.authstate.pw_name, |
676 | 136 svr_ses.addrstring); |
676 | 137 send_msg_userauth_success(); |
676 | 138 goto out; |
676 | 139 } |
676 | 140 else |
676 | 141 { |
808 | 142 /* 'none' has no failure delay */ |
676 | 143 send_msg_userauth_failure(0, 0); |
676 | 144 goto out; |
676 | 145 } |
676 | 146 } |
676 | 147 |
1295 | 148 #if DROPBEAR_SVR_PASSWORD_AUTH |
24 | 149 if (!svr_opts.noauthpass && |
464 | 150 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
4 | 151 /* user wants to try password auth */ |
4 | 152 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
4 | 153 strncmp(methodname, AUTH_METHOD_PASSWORD, |
4 | 154 AUTH_METHOD_PASSWORD_LEN) == 0) { |
1616 | 155 svr_auth_password(valid_user); |
1616 | 156 goto out; |
4 | 157 } |
4 | 158 } |
4 | 159 #endif |
4 | 160 |
1295 | 161 #if DROPBEAR_SVR_PAM_AUTH |
57 | 162 if (!svr_opts.noauthpass && |
464 | 163 !(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) { |
57 | 164 /* user wants to try password auth */ |
57 | 165 if (methodlen == AUTH_METHOD_PASSWORD_LEN && |
57 | 166 strncmp(methodname, AUTH_METHOD_PASSWORD, |
57 | 167 AUTH_METHOD_PASSWORD_LEN) == 0) { |
1616 | 168 svr_auth_pam(valid_user); |
1616 | 169 goto out; |
57 | 170 } |
57 | 171 } |
57 | 172 #endif |
57 | 173 |
1295 | 174 #if DROPBEAR_SVR_PUBKEY_AUTH |
4 | 175 /* user wants to try pubkey auth */ |
4 | 176 if (methodlen == AUTH_METHOD_PUBKEY_LEN && |
4 | 177 strncmp(methodname, AUTH_METHOD_PUBKEY, |
4 | 178 AUTH_METHOD_PUBKEY_LEN) == 0) { |
1616 | 179 svr_auth_pubkey(valid_user); |
4 | 180 goto out; |
4 | 181 } |
4 | 182 #endif |
4 | 183 |
808 | 184 /* nothing matched, we just fail with a delay */ |
4 | 185 send_msg_userauth_failure(0, 1); |
4 | 186 |
4 | 187 out: |
4 | 188 |
4 | 189 m_free(username); |
4 | 190 m_free(servicename); |
4 | 191 m_free(methodname); |
4 | 192 } |
4 | 193 |
1551 | 194 #ifdef HAVE_GETGROUPLIST |
1537 | 195 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
1537 | 196 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) { |
1537 | 197 int ngroups, i, ret; |
1537 | 198 gid_t *grouplist = NULL; |
1537 | 199 int match = DROPBEAR_FAILURE; |
1537 | 200 |
1537 | 201 for (ngroups = 32; ngroups <= DROPBEAR_NGROUP_MAX; ngroups *= 2) { |
1537 | 202 grouplist = m_malloc(sizeof(gid_t) * ngroups); |
1537 | 203 |
1537 | 204 /* BSD returns ret==0 on success. Linux returns ret==ngroups on success */ |
1537 | 205 ret = getgrouplist(username, user_gid, grouplist, &ngroups); |
1537 | 206 if (ret >= 0) { |
1537 | 207 break; |
1537 | 208 } |
1537 | 209 m_free(grouplist); |
1537 | 210 grouplist = NULL; |
1537 | 211 } |
1537 | 212 |
1537 | 213 if (!grouplist) { |
1537 | 214 dropbear_log(LOG_ERR, "Too many groups for user '%s'", username); |
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
215 return DROPBEAR_FAILURE; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
216 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
217 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
218 for (i = 0; i < ngroups; i++) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
219 if (grouplist[i] == check_gid) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
220 match = DROPBEAR_SUCCESS; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
221 break; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
222 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
223 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
224 m_free(grouplist); |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
225 |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
226 return match; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
227 } |
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
228 #endif |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
229 |
676
0edf08895a33
Return immediate success for blank passwords if allowed
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
230 /* Check that the username exists and isn't disallowed (root), and has a valid shell. |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
231 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ |
1538
f20038b513a5
more linting (#58)
François Perrad <francois.perrad@gadz.org>
parents:
1537
diff
changeset
|
232 static int checkusername(const char *username, unsigned int userlen) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
233 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
234 char* listshell = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
235 char* usershell = NULL; |
852
7540c0822374
Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents:
835
diff
changeset
|
236 uid_t uid; |
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
237 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
238 TRACE(("enter checkusername")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
239 if (userlen > MAX_USERNAME_LEN) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
240 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
241 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
242 |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
243 if (strlen(username) != userlen) { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
244 dropbear_exit("Attempted username with a null byte from %s", |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
245 svr_ses.addrstring); |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
246 } |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
247 |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
248 if (ses.authstate.username == NULL) { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
249 /* first request */ |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
250 fill_passwd(username); |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
251 ses.authstate.username = m_strdup(username); |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
252 } else { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
253 /* check username hasn't changed */ |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
254 if (strcmp(username, ses.authstate.username) != 0) { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
255 dropbear_exit("Client trying multiple usernames from %s", |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
256 svr_ses.addrstring); |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
257 } |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
258 } |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
259 |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
260 /* avoids cluttering logs with repeated failure messages from |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
261 consecutive authentication requests in a session */ |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
262 if (ses.authstate.checkusername_failed) { |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
263 TRACE(("checkusername: returning cached failure")) |
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
264 return DROPBEAR_FAILURE; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
265 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
266 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
267 /* check that user exists */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
268 if (!ses.authstate.pw_name) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
269 TRACE(("leave checkusername: user '%s' doesn't exist", username)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
270 dropbear_log(LOG_WARNING, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
573
diff
changeset
|
271 "Login attempt for nonexistent user from %s", |
158
364a75cfebab
Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents:
121
diff
changeset
|
272 svr_ses.addrstring); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
273 ses.authstate.checkusername_failed = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
274 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
275 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
276 |
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
277 /* check if we are running as non-root, and login user is different from the server */ |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
278 uid = geteuid(); |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1622
diff
changeset
|
279 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { |
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
280 TRACE(("running as nonroot, only server uid is allowed")) |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
281 dropbear_log(LOG_WARNING, |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
282 "Login attempt with wrong user %s from %s", |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
283 ses.authstate.pw_name, |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
284 svr_ses.addrstring); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
285 ses.authstate.checkusername_failed = 1; |
782
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
286 return DROPBEAR_FAILURE; |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
287 } |
e0084f136cb8
If running as non-root only allow that user to log in
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
288 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
289 /* check for non-root if desired */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
290 if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
291 TRACE(("leave checkusername: root login disabled")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
292 dropbear_log(LOG_WARNING, "root login rejected"); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
293 ses.authstate.checkusername_failed = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
294 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
295 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
296 |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
297 /* check for login restricted to certain group if desired */ |
1551
1acbdf64088e
add guard HAVE_GETGROUPLIST
Matt Johnston <matt@ucc.asn.au>
parents:
1539
diff
changeset
|
298 #ifdef HAVE_GETGROUPLIST |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
299 if (svr_opts.restrict_group) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
300 if (check_group_membership(svr_opts.restrict_group_gid, |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
301 ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) { |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
302 dropbear_log(LOG_WARNING, |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
303 "Logins are restricted to the group %s but user '%s' is not a member", |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
304 svr_opts.restrict_group, ses.authstate.pw_name); |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
305 ses.authstate.checkusername_failed = 1; |
1537
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
306 return DROPBEAR_FAILURE; |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
307 } |
6a83b1944432
Fix restricted group code for BSDs, move to separate function
Matt Johnston <matt@ucc.asn.au>
parents:
1534
diff
changeset
|
308 } |
1560
f5026f7486de
fix #endif (#59)
François Perrad <francois.perrad@gadz.org>
parents:
1551
diff
changeset
|
309 #endif /* HAVE_GETGROUPLIST */ |
1534
ed930fd6f60f
Added the -G option to allow logins only for users that are members of a certain group. This allows finer control of an instance on who can and cannot login over a certain instance (e.g. password and not key). Needs double-checking and ensuring it meets platform requirements.
stellarpower <stellarpower@googlemail.com>
parents:
1459
diff
changeset
|
310 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
311 TRACE(("shell is %s", ses.authstate.pw_shell)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
312 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
313 /* check that the shell is set */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
314 usershell = ses.authstate.pw_shell; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
315 if (usershell[0] == '\0') { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
316 /* empty shell in /etc/passwd means /bin/sh according to passwd(5) */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
317 usershell = "/bin/sh"; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
318 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
319 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
320 /* check the shell is valid. If /etc/shells doesn't exist, getusershell() |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
321 * should return some standard shells like "/bin/sh" and "/bin/csh" (this |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
322 * is platform-specific) */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
323 setusershell(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
324 while ((listshell = getusershell()) != NULL) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
325 TRACE(("test shell is '%s'", listshell)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
326 if (strcmp(listshell, usershell) == 0) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
327 /* have a match */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
328 goto goodshell; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
329 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
330 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
331 /* no matching shell */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
332 endusershell(); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
333 TRACE(("no matching shell")) |
1539
51df3d53b050
- Don't try to handle changed usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1538
diff
changeset
|
334 ses.authstate.checkusername_failed = 1; |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
573
diff
changeset
|
335 dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
336 ses.authstate.pw_name); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
337 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
338 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
339 goodshell: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
340 endusershell(); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
341 TRACE(("matching shell")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
342 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
343 TRACE(("uid = %d", ses.authstate.pw_uid)) |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
344 TRACE(("leave checkusername")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
345 return DROPBEAR_SUCCESS; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
346 } |
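The first checks in checkusername() above (length cap, embedded NUL byte, username pinned for the session), as an added stand-alone example that is not Dropbear's code. It parses the length-prefixed username field from constructed byte strings; the `ex_`/`EX_` names, the result codes and the cap of 100 are assumptions, and it returns a code where the listing calls dropbear_exit().

```c
/* Added example, not Dropbear source. All ex_/EX_ names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_MAX_USERNAME_LEN 100 /* assumed value for this example */

enum ex_result { EX_OK, EX_MALFORMED, EX_TOO_LONG, EX_EMBEDDED_NUL, EX_CHANGED };

struct ex_authstate {
	char *username; /* NULL until the first request pins a name */
};
struct ex_authstate ex_session = {NULL};

/* Constructed sample fields: uint32 big-endian length, then the bytes. */
static const unsigned char EX_PKT_ALICE[] = {0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e'};
static const unsigned char EX_PKT_BOB[] = {0, 0, 0, 3, 'b', 'o', 'b'};
static const unsigned char EX_PKT_NUL[] = {0, 0, 0, 9, 'r', 'o', 'o', 't', 0, 'e', 'v', 'i', 'l'};
static const unsigned char EX_PKT_TRUNC[] = {0, 0, 0, 10, 'a', 'b', 'c'};
static const unsigned char EX_PKT_LONG[4 + 101] = {0, 0, 0, 101}; /* payload zero-filled */

static void *ex_xmalloc(size_t n) {
	void *p = malloc(n);
	if (p == NULL) {
		abort();
	}
	return p;
}

/* Copy a length-prefixed string out of pkt. The copy is NUL-terminated, but
 * *len keeps the length the peer claimed, so the two can be compared later. */
static char *ex_get_string(const unsigned char *pkt, size_t pktlen, uint32_t *len) {
	uint32_t n;
	char *s;

	if (pktlen < 4) {
		return NULL;
	}
	n = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16)
		| ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
	if (n > pktlen - 4) {
		return NULL; /* length field points past the data received */
	}
	s = ex_xmalloc((size_t)n + 1);
	memcpy(s, pkt + 4, n);
	s[n] = '\0';
	*len = n;
	return s;
}

/* Same order as the checks in the listing: cap, NUL byte, pinned name. */
static enum ex_result ex_check_username(struct ex_authstate *st,
		const char *username, uint32_t userlen) {
	if (userlen > EX_MAX_USERNAME_LEN) {
		return EX_TOO_LONG;
	}
	if (strlen(username) != userlen) {
		/* "root\0evil" has wire length 9 but C string length 4 */
		return EX_EMBEDDED_NUL;
	}
	if (st->username == NULL) {
		/* first request: remember the name for the rest of the session */
		st->username = ex_xmalloc((size_t)userlen + 1);
		memcpy(st->username, username, (size_t)userlen + 1);
	} else if (strcmp(username, st->username) != 0) {
		return EX_CHANGED;
	}
	return EX_OK;
}

/* Parse one username field and run the checks on it. */
enum ex_result ex_handle_request(struct ex_authstate *st,
		const unsigned char *pkt, size_t pktlen) {
	uint32_t userlen = 0;
	enum ex_result res;
	char *username = ex_get_string(pkt, pktlen, &userlen);

	if (username == NULL) {
		return EX_MALFORMED;
	}
	res = ex_check_username(st, username, userlen);
	free(username);
	return res;
}

int main(void) {
	printf("NUL byte:  %d\n", ex_handle_request(&ex_session, EX_PKT_NUL, sizeof(EX_PKT_NUL)));
	printf("alice:     %d\n", ex_handle_request(&ex_session, EX_PKT_ALICE, sizeof(EX_PKT_ALICE)));
	printf("then bob:  %d\n", ex_handle_request(&ex_session, EX_PKT_BOB, sizeof(EX_PKT_BOB)));
	printf("truncated: %d\n", ex_handle_request(&ex_session, EX_PKT_TRUNC, sizeof(EX_PKT_TRUNC)));
	printf("too long:  %d\n", ex_handle_request(&ex_session, EX_PKT_LONG, sizeof(EX_PKT_LONG)));
	free(ex_session.username);
	return 0;
}
```

Without the length comparison, a lookup on the copied string would resolve the account `root` while the peer had sent a nine-byte name.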
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
347 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
348 /* Send a failure message to the client, in response to a userauth_request. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
349 * Partial indicates whether to set the "partial success" flag, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
350 * incrfail is whether to count this failure in the failure count (which |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
351 * is limited). This function also handles disconnection after too many |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
352 * failures */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
353 void send_msg_userauth_failure(int partial, int incrfail) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
354 |
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
355 buffer *typebuf = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
356 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
357 TRACE(("enter send_msg_userauth_failure")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
358 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
359 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
360 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
361 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
362 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
363 /* put a list of allowed types */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
364 typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
365 |
33 | 366 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { |
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
940
diff
changeset
|
367 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); |
33 | 368 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
369 buf_putbyte(typebuf, ','); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
370 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
371 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
372 |
33 | 373 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
1094
c45d65392c1a
Fix pointer differ in signess warnings [-Werror=pointer-sign]
Gaël PORTAY <gael.portay@gmail.com>
parents:
940
diff
changeset
|
374 buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
375 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
376 |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
377 buf_putbufstring(ses.writepayload, typebuf); |
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
378 |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
692
diff
changeset
|
379 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes, |
762
a78a38e402d1
- Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents:
761
diff
changeset
|
380 typebuf->len, typebuf->data)) |
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
381 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
382 buf_free(typebuf); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
383 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
384 buf_putbyte(ses.writepayload, partial ? 1 : 0); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
385 encrypt_packet(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
386 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
387 if (incrfail) { |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
388 /* The SSH_MSG_USERAUTH_FAILURE response is delayed to attempt to |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
389 avoid user enumeration and slow brute force attempts. |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
390 The delay is adjusted by the time already spent in processing |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
391 authentication (ses.authstate.auth_starttime timestamp). */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
392 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
393 /* Desired total delay 300ms +-50ms (in nanoseconds). |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
394 Beware of integer overflow if increasing these values */ |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
395 const unsigned int mindelay = 250000000; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
396 const unsigned int vardelay = 100000000; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
397 unsigned int rand_delay; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
398 struct timespec delay; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
399 |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
400 gettime_wrapper(&delay); |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
401 delay.tv_sec -= ses.authstate.auth_starttime.tv_sec; |
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
402 delay.tv_nsec -= ses.authstate.auth_starttime.tv_nsec; |
403 |
404 /* carry */ |
405 if (delay.tv_nsec < 0) { |
406 delay.tv_nsec += 1000000000; |
407 delay.tv_sec -= 1; |
408 } |
409 |
410 genrandom((unsigned char*)&rand_delay, sizeof(rand_delay)); |
411 rand_delay = mindelay + (rand_delay % vardelay); |
412 |
413 if (delay.tv_sec == 0 && delay.tv_nsec <= mindelay) { |
414 /* Compensate for elapsed time */ |
415 delay.tv_nsec = rand_delay - delay.tv_nsec; |
416 } else { |
417 /* No time left or time went backwards, just delay anyway */ |
418 delay.tv_sec = 0; |
419 delay.tv_nsec = rand_delay; |
420 } |
421 |
422 |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1557
diff
changeset
|
423 #if DROPBEAR_FUZZ |
1561
02b226c2675e
clean some fuzzing conditionals
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
424 if (!fuzz.fuzzing) |
425 #endif |
426 { |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
427 while (nanosleep(&delay, &delay) == -1 && errno == EINTR) { /* Go back to sleep */ } |
1347
b28624698130
copy over some fuzzing code from AFL branch
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
428 } |
1622
e11ed628708b
- Add adaptive authentication failure delay
Matt Johnston <matt@ucc.asn.au>
parents:
1617
diff
changeset
|
429 |
33 | 430 ses.authstate.failcount++; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
431 } |
432 |
1442
517c67cbcd31
dropbear server: support -T max auth tries
Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
parents:
1295
diff
changeset
|
433 if (ses.authstate.failcount >= svr_opts.maxauthtries) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
434 char * userstr; |
435 /* XXX - send disconnect ? */ |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
436 TRACE(("Max auth tries reached, exiting")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
437 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
438 if (ses.authstate.pw_name == NULL) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
439 userstr = "is invalid"; |
440 } else { |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
441 userstr = ses.authstate.pw_name; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
442 } |
158
364a75cfebab
Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents:
121
diff
changeset
|
443 dropbear_exit("Max auth tries reached - user '%s' from %s", |
444 userstr, svr_ses.addrstring); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
445 } |
446 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
447 TRACE(("leave send_msg_userauth_failure")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
448 } |
449 |
450 /* Send a success message to the user, and set the "authdone" flag */ |
451 void send_msg_userauth_success() { |
452 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
453 TRACE(("enter send_msg_userauth_success")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
454 |
455 CHECKCLEARTOWRITE(); |
456 |
457 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS); |
458 encrypt_packet(); |
459 |
501
d58c478bd399
Add support for zlib@openssh.com delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
483
diff
changeset
|
460 /* authdone must be set after encrypt_packet() for |
461 * delayed-zlib mode */ |
33 | 462 ses.authstate.authdone = 1; |
1139
43a8ea69b24c
Fix problem where auth timeout wasn't checked when waiting for ident
Matt Johnston <matt@ucc.asn.au>
parents:
1122
diff
changeset
|
463 ses.connect_time = 0; |
464 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
465 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
454
diff
changeset
|
466 if (ses.authstate.pw_uid == 0) { |
21
d7cc5b484a2e
- Port restriction code back in
Matt Johnston <matt@ucc.asn.au>
parents:
11
diff
changeset
|
467 ses.allowprivport = 1; |
468 } |
469 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
470 /* Remove from the list of pre-auth sockets. Should be m_close(), since if |
471 * we fail, we might end up leaking connection slots, and disallow new |
472 * logins - a nasty situation. */ |
473 m_close(svr_ses.childpipe); |
474 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
475 TRACE(("leave send_msg_userauth_success")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
476 |
477 } |
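The adaptive failure delay in send_msg_userauth_failure (listing lines 393-427), pulled out as a stand-alone added example that is not part of Dropbear's source, to show what reply time a client observes for different amounts of server-side work. The helpers `failure_sleep` and `observed_ns` are hypothetical, the `rnd` parameter stands in for the `genrandom()` call, and the start time and work times are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000LL

/* Constants from the listing: desired total delay 300ms +-50ms. */
static const unsigned int mindelay = 250000000;
static const unsigned int vardelay = 100000000;

/* Hypothetical pure helper (not a Dropbear function): time to sleep, given
 * the auth start time, the current time and random bits 'rnd'. */
struct timespec failure_sleep(struct timespec start, struct timespec now,
		unsigned int rnd) {
	struct timespec d;
	unsigned int rand_delay = mindelay + (rnd % vardelay);

	d.tv_sec = now.tv_sec - start.tv_sec;
	d.tv_nsec = now.tv_nsec - start.tv_nsec;
	if (d.tv_nsec < 0) { /* carry */
		d.tv_nsec += 1000000000;
		d.tv_sec -= 1;
	}
	if (d.tv_sec == 0 && d.tv_nsec <= (long)mindelay) {
		d.tv_nsec = (long)rand_delay - d.tv_nsec; /* compensate for elapsed time */
	} else {
		d.tv_sec = 0; /* no time left, or time went backwards */
		d.tv_nsec = (long)rand_delay;
	}
	return d;
}

/* Nanoseconds until the client sees the failure reply: work + sleep. */
long long observed_ns(long long work_ns, unsigned int rnd) {
	struct timespec start = { .tv_sec = 100, .tv_nsec = 900000000L }; /* constructed */
	long long t = start.tv_sec * NSEC_PER_SEC + start.tv_nsec + work_ns;
	struct timespec now = { .tv_sec = (time_t)(t / NSEC_PER_SEC),
		.tv_nsec = (long)(t % NSEC_PER_SEC) };
	struct timespec s = failure_sleep(start, now, rnd);
	return work_ns + s.tv_sec * NSEC_PER_SEC + s.tv_nsec;
}

int main(void) {
	long long work[] = { 0, 5000000, 200000000, 250000000, 250000001, 2000000000 };
	for (size_t i = 0; i < sizeof(work) / sizeof(work[0]); i++) {
		printf("work %10lld ns -> reply after %10lld ns\n",
			work[i], observed_ns(work[i], 12345u));
	}
	return 0;
}
```

With the same random draw, every work time up to `mindelay` produces the same reply time, so the padding hides timing differences only for work that finishes within 250 ms. Past that, the else branch adds the random delay on top of the elapsed time.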