comparison svr-auth.c @ 925:bae0b34bc059 pam

Better PAM through recursion
author Matt Johnston <matt@ucc.asn.au>
date Wed, 12 Mar 2014 23:40:02 +0800
parents 220f55d540ae
children 73ea0dce9a57
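--- a/svr-auth.c
+++ b/svr-auth.c
@@ -57,14 +57,17 @@
 
 memset(&ses.authstate, 0, sizeof(ses.authstate));
 #ifdef ENABLE_SVR_PUBKEY_AUTH
 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
 #endif
-#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+#ifdef ENABLE_SVR_PASSWORD_AUTH
 if (!svr_opts.noauthpass) {
 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
 }
+#endif
+#ifdef ENABLE_SVR_PAM_AUTH
+ses.authstate.authtypes |= AUTH_TYPE_INTERACT;
 #endif
 if (ses.authstate.pw_name) {
 m_free(ses.authstate.pw_name);
 }
 if (ses.authstate.pw_shell) {
@@ -183,16 +186,15 @@
 }
 }
 #endif
 
 #ifdef ENABLE_SVR_PAM_AUTH
-if (!svr_opts.noauthpass &&
-!(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
+if (!(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
 /* user wants to try password auth */
-if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
-strncmp(methodname, AUTH_METHOD_PASSWORD,
-AUTH_METHOD_PASSWORD_LEN) == 0) {
+if (methodlen == AUTH_METHOD_INTERACT_LEN &&
+strncmp(methodname, AUTH_METHOD_INTERACT,
+AUTH_METHOD_INTERACT_LEN) == 0) {
 if (valid_user) {
 svr_auth_pam();
 goto out;
 }
 }
@@ -328,31 +330,38 @@
 CHECKCLEARTOWRITE();
 
 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
 
 /* put a list of allowed types */
-typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
+typebuf = buf_new(55);
 
 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
 buf_putbytes(typebuf, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
 buf_putbyte(typebuf, ',');
 }
 }
 
 if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
 buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
+if (ses.authstate.authtypes & AUTH_TYPE_INTERACT) {
+buf_putbyte(typebuf, ',');
+}
+}
+
+if (ses.authstate.authtypes & AUTH_TYPE_INTERACT) {
+buf_putbytes(typebuf, AUTH_METHOD_INTERACT, AUTH_METHOD_INTERACT_LEN);
 }
 
 buf_putbufstring(ses.writepayload, typebuf);
 
 TRACE(("auth fail: methods %d, '%.*s'", ses.authstate.authtypes,
 typebuf->len, typebuf->data))
 
 buf_free(typebuf);
 
-buf_putbyte(ses.writepayload, partial ? 1 : 0);
+buf_putbool(ses.writepayload, partial);
 encrypt_packet();
 
 if (incrfail) {
 unsigned int delay;
 genrandom((unsigned char*)&delay, sizeof(delay));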
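Review bot: The allowed-methods name-list built in the USERAUTH_FAILURE hunk is malformed when AUTH_TYPE_PUBKEY and AUTH_TYPE_INTERACT are set but AUTH_TYPE_PASSWORD is not: the comma after the publickey name is only written when AUTH_TYPE_PASSWORD is set, so the publickey and keyboard-interactive names are concatenated with no separator and a client will not offer keyboard-interactive; the separator test after the publickey entry should be `if (ses.authstate.authtypes & (AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT)) {`. Separately, the PAM branch in the second hunk drops the `!svr_opts.noauthpass &&` guard while the first hunk sets AUTH_TYPE_INTERACT without checking svr_opts.noauthpass, so a server configured with password authentication disabled would still advertise and accept PAM keyboard-interactive logins; if that option is meant to cover PAM as well, both places need to keep the `!svr_opts.noauthpass` check. The comment `/* user wants to try password auth */` now sits above a keyboard-interactive comparison and should read `/* user wants to try keyboard-interactive (PAM) auth */`, and `buf_new(55)` has lost the comment explaining what the size must hold. The functions containing all three hunks start and end outside the shown lines.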