void quickexit(int eval) { if (as) auth_close(as); exit(eval); }
int main(int ac, char **av) { if(ac < 2) { fprintf(stderr, "Usage: %s username\n", av[0]); return 10; } char *wheel = "no"; struct passwd *pwd = getpwnam(av[1]); if(pwd->pw_gid == 0) { wheel = "yes"; } else { struct group *gr = getgrgid(0); for(char **mem = gr->gr_mem; *mem; mem++) { if(! strcmp(*mem, av[1])) { wheel = "yes"; break; } } } auth_session_t *as = auth_open(); auth_setoption(as, "wheel", wheel); auth_verify(as, "passwd", av[1], (char*)NULL); int ok = auth_close(as); if(ok) puts("Success!"); else puts("Wrong password!"); return ! ok; }
int fwtk_cleanup(struct passwd *pw, sudo_auth *auth) { auth_close(); return AUTH_SUCCESS; }
void sleepexit(int eval) { auth_close(as); (void)sleep(5); exit(eval); }
static void bsdauth_free_ctx(void *ctx) { Authctxt *authctxt = ctx; if (authctxt && authctxt->as) { auth_close(authctxt->as); authctxt->as = NULL; } }
struct passwd * getpwnamallow(const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #ifdef BSD_AUTH auth_session_t *as; #endif #endif struct passwd *pw; pw = getpwnam(user); if (pw == NULL) { logit("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CONFIG_AMAZON access__attempted(1, user); #endif #ifdef CUSTOM_FAILED_LOGIN record_failed_login(user, "ssh"); #endif return (NULL); } if (!allowed_user(pw)) { #ifdef CONFIG_AMAZON access__attempted(1, user); #endif return (NULL); } #ifdef HAVE_LOGIN_CAP if ((lc = login_getclass(pw->pw_class)) == NULL) { debug("unable to get login class: %s", user); #ifdef CONFIG_AMAZON access__attempted(1, user); #endif return (NULL); } #ifdef BSD_AUTH if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { debug("Approval failure for %s", user); pw = NULL; } if (as != NULL) auth_close(as); #endif #endif if (pw != NULL) return (pwcopy(pw)); return (NULL); }
int sys_auth_passwd(struct ssh *ssh, const char *password) { Authctxt *authctxt = ssh->authctxt; auth_session_t *as; static int expire_checked = 0; as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh", (char *)password); if (as == NULL) return (0); if (auth_getstate(as) & AUTH_PWEXPIRED) { auth_close(as); auth_restrict_session(ssh); authctxt->force_pwchange = 1; return (1); } else { if (!expire_checked) { expire_checked = 1; warn_expiry(authctxt, as); } return (auth_close(as)); } }
int sys_auth_passwd(Authctxt *authctxt, const char *password) { struct passwd *pw = authctxt->pw; auth_session_t *as; static int expire_checked = 0; as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", (char *)password); if (as == NULL) return (0); if (auth_getstate(as) & AUTH_PWEXPIRED) { auth_close(as); disable_forwarding(); authctxt->force_pwchange = 1; return (1); } else { if (!expire_checked) { expire_checked = 1; warn_expiry(authctxt, as); } return (auth_close(as)); } }
struct passwd * getpwnamallow(const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #ifdef BSD_AUTH auth_session_t *as; #endif #endif struct passwd *pw; parse_server_match_config(&options, user, get_canonical_hostname(options.use_dns), get_remote_ipaddr()); pw = getpwnam(user); if (pw == NULL) { logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ return (NULL); } if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP if ((lc = login_getclass(pw->pw_class)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } #ifdef BSD_AUTH if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { debug("Approval failure for %s", user); pw = NULL; } if (as != NULL) auth_close(as); #endif #endif if (pw != NULL) return (pwcopy(pw)); return (NULL); }
struct passwd * getpwnamallow(const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #ifdef BSD_AUTH auth_session_t *as; #endif #endif struct passwd *pw; pw = getpwnam(user); if (pw == NULL) { debug("Unknown user %.100s from %.100s", user, get_remote_ipaddr()); /* * Note, was ifdef CUSTOM_FAILED_LOGIN, but this is not an error for * us, as it may just be a mapped user name. This is also why the * above message is a debug() instead of a logit(). */ #if 0 && defined(CUSTOM_FAILED_LOGIN) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif return (NULL); } if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP if ((lc = login_getclass(pw->pw_class)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } #ifdef BSD_AUTH if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { debug("Approval failure for %s", user); pw = NULL; } if (as != NULL) auth_close(as); #endif #endif if (pw != NULL) return (pwcopy(pw)); return (NULL); }
struct passwd * getpwnamallow(const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #ifdef BSD_AUTH auth_session_t *as; #endif #endif struct ssh *ssh = active_state; /* XXX */ struct passwd *pw; struct connection_info *ci = get_connection_info(1, options.use_dns); ci->user = user; parse_server_match_config(&options, ci); log_change_level(options.log_level); process_permitopen(ssh, &options); pw = getpwnam(user); if (pw == NULL) { pfilter_notify(1); logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); return (NULL); } if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP if ((lc = login_getclass(pw->pw_class)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } #ifdef BSD_AUTH if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { debug("Approval failure for %s", user); pw = NULL; } if (as != NULL) auth_close(as); #endif #endif if (pw != NULL) return (pwcopy(pw)); return (NULL); }
int bsdauth_query(void *ctx, char **name, char **infotxt, u_int *numprompts, char ***prompts, u_int **echo_on) { Authctxt *authctxt = ctx; char *challenge = NULL; *infotxt = NULL; *numprompts = 0; *prompts = NULL; *echo_on = NULL; if (authctxt->as != NULL) { debug2("bsdauth_query: try reuse session"); challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE); if (challenge == NULL) { auth_close(authctxt->as); authctxt->as = NULL; } } if (challenge == NULL) { debug2("bsdauth_query: new bsd auth session"); debug3("bsdauth_query: style %s", authctxt->style ? authctxt->style : "<default>"); authctxt->as = auth_userchallenge(authctxt->user, authctxt->style, "auth-ssh", &challenge); if (authctxt->as == NULL) challenge = NULL; debug2("bsdauth_query: <%s>", challenge ? challenge : "empty"); } if (challenge == NULL) return -1; *name = xstrdup(""); *infotxt = xstrdup(""); *numprompts = 1; *prompts = xcalloc(*numprompts, sizeof(char *)); *echo_on = xcalloc(*numprompts, sizeof(u_int)); (*prompts)[0] = xstrdup(challenge); return 0; }
int Verify (struct display *d, struct greet_info *greet, struct verify_info *verify) { struct passwd *p; login_cap_t *lc; auth_session_t *as; char *style, *shell, *home, *s, **argv; char path[MAXPATHLEN]; int authok; /* User may have specified an authentication style. */ if ((style = strchr(greet->name, ':')) != NULL) *style++ = '\0'; Debug ("Verify %s, style %s ...\n", greet->name, style ? style : "default"); p = getpwnam (greet->name); endpwent(); if (!p || strlen (greet->name) == 0) { Debug("getpwnam() failed.\n"); bzero(greet->password, strlen(greet->password)); return 0; } if ((lc = login_getclass(p->pw_class)) == NULL) { Debug("login_getclass() failed.\n"); bzero(greet->password, strlen(greet->password)); return 0; } if ((style = login_getstyle(lc, style, "xdm")) == NULL) { Debug("login_getstyle() failed.\n"); bzero(greet->password, strlen(greet->password)); return 0; } if ((as = auth_open()) == NULL) { Debug("auth_open() failed.\n"); login_close(lc); bzero(greet->password, strlen(greet->password)); return 0; } if (auth_setoption(as, "login", "yes") == -1) { Debug("auth_setoption() failed.\n"); login_close(lc); bzero(greet->password, strlen(greet->password)); return 0; } /* Set up state for no challenge, just check a response. */ auth_setstate(as, 0); auth_setdata(as, "", 1); auth_setdata(as, greet->password, strlen(greet->password) + 1); /* Build path of the auth script and call it */ snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); auth_call(as, path, style, "-s", "response", greet->name, lc->lc_class, (void *)NULL); authok = auth_getstate(as); if ((authok & AUTH_ALLOW) == 0) { Debug("password verify failed\n"); bzero(greet->password, strlen(greet->password)); auth_close(as); login_close(lc); return 0; } /* Run the approval script */ if (!auth_approval(as, lc, greet->name, "auth-xdm")) { Debug("login not approved\n"); bzero(greet->password, strlen(greet->password)); auth_close(as); login_close(lc); return 0; } auth_close(as); login_close(lc); /* Check empty passwords against allowNullPasswd */ if (!greet->allow_null_passwd && strlen(greet->password) == 0) { Debug("empty password not allowed\n"); return 0; } /* Only accept root logins if allowRootLogin resource is set */ if (p->pw_uid == 0 && !greet->allow_root_login) { Debug("root logins not allowed\n"); bzero(greet->password, strlen(greet->password)); return 0; } /* * Shell must be in /etc/shells */ for (;;) { s = getusershell(); if (s == NULL) { /* did not found the shell in /etc/shells -> failure */ Debug("shell not in /etc/shells\n"); bzero(greet->password, strlen(greet->password)); endusershell(); return 0; } if (strcmp(s, p->pw_shell) == 0) { /* found the shell in /etc/shells */ endusershell(); break; } } #else /* !USE_BSDAUTH */ int Verify (struct display *d, struct greet_info *greet, struct verify_info *verify) { struct passwd *p; #ifdef USE_PAM pam_handle_t **pamhp = thepamhp(); #else #ifdef USESHADOW struct spwd *sp; #endif char *user_pass = NULL; #endif #ifdef __OpenBSD__ char *s; struct timeval tp; #endif char *shell, *home; char **argv; Debug ("Verify %s ...\n", greet->name); #if defined(sun) && defined(SVR4) /* Solaris: If CONSOLE is set to /dev/console in /etc/default/login, then root can only login on system console */ # define SOLARIS_LOGIN_DEFAULTS "/etc/default/login" if (strcmp(greet->name, "root") == 0) { char *console = NULL, *tmp = NULL; FILE *fs; if ((fs= fopen(SOLARIS_LOGIN_DEFAULTS, "r")) != NULL) { char str[120]; while (!feof(fs)) { fgets(str, 120, fs); if(str[0] == '#' || strlen(str) < 8) continue; if((tmp = strstr(str, "CONSOLE=")) != NULL) console = strdup((tmp+8)); } fclose(fs); if ( console != NULL && (strncmp(console, "/dev/console", 12) == 0) && (strncmp(d->name,":0",2) != 0) ) { Debug("Not on system console\n"); bzero(greet->password, strlen(greet->password)); XFree(console); return 0; } XFree(console); } else { Debug("Could not open %s\n", SOLARIS_LOGIN_DEFAULTS); } } #endif #ifndef USE_PAM p = getpwnam (greet->name); endpwent(); if (!p || strlen (greet->name) == 0) { Debug ("getpwnam() failed.\n"); bzero(greet->password, strlen(greet->password)); return 0; } else { #ifdef linux if (!strcmp(p->pw_passwd, "!") || !strcmp(p->pw_passwd, "*")) { Debug ("The account is locked, no login allowed.\n"); bzero(greet->password, strlen(greet->password)); return 0; } #endif user_pass = p->pw_passwd; } #endif #ifdef KERBEROS if(strcmp(greet->name, "root") != 0){ char name[ANAME_SZ]; char realm[REALM_SZ]; char *q; int ret; if(krb_get_lrealm(realm, 1)){ Debug ("Can't get Kerberos realm.\n"); } else { sprintf(krbtkfile, "%s.%s", TKT_ROOT, d->name); krb_set_tkt_string(krbtkfile); unlink(krbtkfile); ret = krb_verify_user(greet->name, "", realm, greet->password, 1, "rcmd"); if(ret == KSUCCESS){ chown(krbtkfile, p->pw_uid, p->pw_gid); Debug("kerberos verify succeeded\n"); if (k_hasafs()) { if (k_setpag() == -1) LogError ("setpag() failed for %s\n", greet->name); if((ret = k_afsklog(NULL, NULL)) != KSUCCESS) LogError("Warning %s\n", krb_get_err_text(ret)); } goto done; } else if(ret != KDC_PR_UNKNOWN && ret != SKDC_CANT){ /* failure */ Debug("kerberos verify failure %d\n", ret); krbtkfile[0] = '\0'; } } } #endif #ifndef USE_PAM #ifdef USESHADOW errno = 0; sp = getspnam(greet->name); if (sp == NULL) { Debug ("getspnam() failed, errno=%d. Are you root?\n", errno); } else { user_pass = sp->sp_pwdp; } #ifndef QNX4 endspent(); #endif /* QNX4 doesn't need endspent() to end shadow passwd ops */ #endif #if defined(ultrix) || defined(__ultrix__) if (authenticate_user(p, greet->password, NULL) < 0) #else if (strcmp (crypt (greet->password, user_pass), user_pass)) #endif { if(!greet->allow_null_passwd || strlen(p->pw_passwd) > 0) { Debug ("password verify failed\n"); bzero(greet->password, strlen(greet->password)); return 0; } /* else: null passwd okay */ } #ifdef KERBEROS done: #endif #ifdef __OpenBSD__ /* * Only accept root logins if allowRootLogin resource is set */ if ((p->pw_uid == 0) && !greet->allow_root_login) { Debug("root logins not allowed\n"); bzero(greet->password, strlen(greet->password)); return 0; } /* * Shell must be in /etc/shells */ for (;;) { s = getusershell(); if (s == NULL) { /* did not found the shell in /etc/shells -> failure */ Debug("shell not in /etc/shells\n"); bzero(greet->password, strlen(greet->password)); endusershell(); return 0; } if (strcmp(s, p->pw_shell) == 0) { /* found the shell in /etc/shells */ endusershell(); break; } } /* * Test for expired password */ if (p->pw_change || p->pw_expire) (void)gettimeofday(&tp, (struct timezone *)NULL); if (p->pw_change) { if (tp.tv_sec >= p->pw_change) { Debug("Password has expired.\n"); bzero(greet->password, strlen(greet->password)); return 0; } } if (p->pw_expire) { if (tp.tv_sec >= p->pw_expire) { Debug("account has expired.\n"); bzero(greet->password, strlen(greet->password)); return 0; } } #endif /* __OpenBSD__ */ bzero(user_pass, strlen(user_pass)); /* in case shadow password */ #else /* USE_PAM */ #define PAM_BAIL \ if (pam_error != PAM_SUCCESS) goto pam_failed; PAM_password = greet->password; pam_error = pam_start("xdm", greet->name, &PAM_conversation, pamhp); PAM_BAIL; pam_error = pam_set_item(*pamhp, PAM_TTY, d->name); PAM_BAIL; pam_error = pam_set_item(*pamhp, PAM_RHOST, ""); PAM_BAIL; pam_error = pam_authenticate(*pamhp, 0); PAM_BAIL; pam_error = pam_acct_mgmt(*pamhp, 0); /* really should do password changing, but it doesn't fit well */ PAM_BAIL; pam_error = pam_setcred(*pamhp, 0); PAM_BAIL; p = getpwnam (greet->name); endpwent(); if (!p || strlen (greet->name) == 0) { Debug ("getpwnam() failed.\n"); bzero(greet->password, strlen(greet->password)); return 0; } if (pam_error != PAM_SUCCESS) { pam_failed: pam_end(*pamhp, PAM_SUCCESS); *pamhp = NULL; return 0; } #undef PAM_BAIL #endif /* USE_PAM */ #endif /* USE_BSDAUTH */ Debug ("verify succeeded\n"); /* The password is passed to StartClient() for use by user-based authorization schemes. It is zeroed there. */ verify->uid = p->pw_uid; verify->gid = p->pw_gid; home = p->pw_dir; shell = p->pw_shell; argv = 0; if (d->session) argv = parseArgs (argv, d->session); if (greet->string) argv = parseArgs (argv, greet->string); if (!argv) argv = parseArgs (argv, "xsession"); verify->argv = argv; verify->userEnviron = userEnv (d, p->pw_uid == 0, greet->name, home, shell); Debug ("user environment:\n"); printEnv (verify->userEnviron); verify->systemEnviron = systemEnv (d, greet->name, home); Debug ("system environment:\n"); printEnv (verify->systemEnviron); Debug ("end of environments\n"); return 1; }
/* * read packets, try to authenticate the user and * return only if authentication is successful */ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; int prev = 0, type = 0; const struct AuthMethod1 *meth; debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ if (options.permit_empty_passwd && options.password_authentication && #ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { #ifdef USE_PAM if (options.use_pam && (PRIVSEP(do_pam_account()))) #endif { auth_log(authctxt, 1, 0, "without authentication", NULL); return; } } /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); for (;;) { /* default to fail */ authenticated = 0; /* Get a packet from the client. */ prev = type; type = packet_read(); /* * If we started challenge-response authentication but the * next packet is not a response to our challenge, release * the resources allocated by get_challenge() (which would * normally have been released by verify_response() had we * received such a response) */ if (prev == SSH_CMSG_AUTH_TIS && type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt); if (authctxt->failures >= options.max_authtries) goto skip; if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); goto skip; } if (!*(meth->enabled)) { verbose("%s authentication disabled.", meth->name); goto skip; } authenticated = meth->method(authctxt); if (authenticated == -1) continue; /* "postponed" */ #ifdef BSD_AUTH if (authctxt->as) { auth_close(authctxt->as); authctxt->as = NULL; } #endif if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); #ifdef _UNICOS if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user); } #endif /* _UNICOS */ #ifndef HAVE_CYGWIN /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(meth->name)) { authenticated = 0; # ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); # endif } #endif #ifdef USE_PAM if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) { char *msg; size_t len; error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); buffer_append(&loginmsg, "\0", 1); msg = buffer_ptr(&loginmsg); /* strip trailing newlines */ if (len > 0) while (len > 0 && msg[--len] == '\n') msg[len] = '\0'; else msg = "Access denied."; packet_disconnect("%s", msg); } #endif skip: /* Log before sending the reply */ auth_log(authctxt, authenticated, 0, get_authname(type), NULL); free(client_user); client_user = NULL; if (authenticated) return; if (++authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } }
/* * read packets, try to authenticate the user and * return only if authentication is successful */ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; int type = 0; const struct AuthMethod1 *meth; debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ if (options.permit_empty_passwd && options.password_authentication && #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, __UNCONST("")))) { #ifdef USE_PAM if (options.use_pam && PRIVSEP(do_pam_account())) #endif { auth_log(authctxt, 1, 0, "without authentication", NULL); return; } return; } /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); for (;;) { /* default to fail */ authenticated = 0; /* Get a packet from the client. */ type = packet_read(); if (authctxt->failures >= options.max_authtries) goto skip; if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); goto skip; } if (!*(meth->enabled)) { verbose("%s authentication disabled.", meth->name); goto skip; } authenticated = meth->method(authctxt); if (authenticated == -1) continue; /* "postponed" */ #ifdef BSD_AUTH if (authctxt->as) { auth_close(authctxt->as); authctxt->as = NULL; } #endif if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(meth->name)) authenticated = 0; #ifdef USE_PAM if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) { char *msg; size_t len; error("Access denied for user %s by PAM account " "configuration", authctxt->user); len = buffer_len(&loginmsg); buffer_append(&loginmsg, "\0", 1); msg = (char *)buffer_ptr(&loginmsg); /* strip trailing newlines */ if (len > 0) while (len > 0 && msg[--len] == '\n') msg[len] = '\0'; else msg = __UNCONST("Access denied."); packet_disconnect("%s", msg); } #endif skip: /* Log before sending the reply */ auth_log(authctxt, authenticated, 0, get_authname(type), NULL); if (authenticated) return; if (++authctxt->failures >= options.max_authtries) auth_maxtries_exceeded(authctxt); packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } }
struct passwd * getpwnamallow(const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #ifdef BSD_AUTH auth_session_t *as; #endif #endif struct passwd *pw; parse_server_match_config(&options, user, get_canonical_hostname(options.use_dns), get_remote_ipaddr()); #if defined(_AIX) && defined(HAVE_SETAUTHDB) aix_setauthdb(user); #endif pw = getpwnam(user); #if defined(_AIX) && defined(HAVE_SETAUTHDB) aix_restoreauthdb(); #endif #ifdef HAVE_CYGWIN /* * Windows usernames are case-insensitive. To avoid later problems * when trying to match the username, the user is only allowed to * login if the username is given in the same case as stored in the * user database. */ if (pw != NULL && strcmp(user, pw->pw_name) != 0) { logit("Login name %.100s does not match stored username %.100s", user, pw->pw_name); pw = NULL; } #endif if (pw == NULL) { logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ return (NULL); } if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP if ((lc = login_getclass(pw->pw_class)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } #ifdef BSD_AUTH if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { debug("Approval failure for %s", user); pw = NULL; } if (as != NULL) auth_close(as); #endif #endif if (pw != NULL) return (pwcopy(pw)); return (NULL); }
_X_INTERNAL int Verify (struct display *d, struct greet_info *greet, struct verify_info *verify) { struct passwd *p; login_cap_t *lc; auth_session_t *as; char *style, *shell, *home, *s, **argv; char path[MAXPATHLEN]; int authok; size_t passwd_len; /* User may have specified an authentication style. */ if ((style = strchr(greet->name, ':')) != NULL) *style++ = '\0'; Debug ("Verify %s, style %s ...\n", greet->name, style ? style : "default"); p = getpwnam (greet->name); if (!p || strlen (greet->name) == 0) { Debug("getpwnam() failed.\n"); explicit_bzero(greet->password, strlen(greet->password)); return 0; } if ((lc = login_getclass(p->pw_class)) == NULL) { Debug("login_getclass() failed.\n"); explicit_bzero(greet->password, strlen(greet->password)); return 0; } if ((style = login_getstyle(lc, style, "xdm")) == NULL) { Debug("login_getstyle() failed.\n"); explicit_bzero(greet->password, strlen(greet->password)); return 0; } if ((as = auth_open()) == NULL) { Debug("auth_open() failed.\n"); login_close(lc); explicit_bzero(greet->password, strlen(greet->password)); return 0; } if (auth_setoption(as, "login", "yes") == -1) { Debug("auth_setoption() failed.\n"); login_close(lc); explicit_bzero(greet->password, strlen(greet->password)); return 0; } passwd_len = strlen(greet->password); /* Set up state for no challenge, just check a response. */ auth_setstate(as, 0); auth_setdata(as, "", 1); auth_setdata(as, greet->password, passwd_len + 1); /* wipe password now, otherwise it'll be copied fork() in auth_call */ explicit_bzero(greet->password, passwd_len); /* Build path of the auth script and call it */ snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); auth_call(as, path, style, "-s", "response", greet->name, lc->lc_class, (void *)NULL); authok = auth_getstate(as); if ((authok & AUTH_ALLOW) == 0) { Debug("password verify failed\n"); auth_close(as); login_close(lc); return 0; } /* Run the approval script */ if (!auth_approval(as, lc, greet->name, "auth-xdm")) { Debug("login not approved\n"); auth_close(as); login_close(lc); return 0; } auth_close(as); login_close(lc); /* Check empty passwords against allowNullPasswd */ if (!greet->allow_null_passwd && passwd_len == 0) { Debug("empty password not allowed\n"); return 0; } /* Only accept root logins if allowRootLogin resource is set */ if (p->pw_uid == 0 && !greet->allow_root_login) { Debug("root logins not allowed\n"); return 0; } /* * Shell must be in /etc/shells */ for (;;) { s = getusershell(); if (s == NULL) { /* did not found the shell in /etc/shells -> failure */ Debug("shell not in /etc/shells\n"); endusershell(); return 0; } if (strcmp(s, p->pw_shell) == 0) { /* found the shell in /etc/shells */ endusershell(); break; } } Debug ("verify succeeded\n"); verify->uid = p->pw_uid; verify->gid = p->pw_gid; home = p->pw_dir; shell = p->pw_shell; argv = NULL; if (d->session) argv = parseArgs (argv, d->session); if (greet->string) argv = parseArgs (argv, greet->string); if (!argv) argv = parseArgs (argv, "xsession"); verify->argv = argv; verify->userEnviron = userEnv (d, p->pw_uid == 0, greet->name, home, shell); Debug ("user environment:\n"); printEnv (verify->userEnviron); verify->systemEnviron = systemEnv (d, greet->name, home); Debug ("system environment:\n"); printEnv (verify->systemEnviron); Debug ("end of environments\n"); return 1; }
/* * read packets, try to authenticate the user and * return only if authentication is successful */ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; u_int bits; Key *client_host_key; BIGNUM *n; char *client_user, *password; char info[1024]; u_int dlen; u_int ulen; int prev, type = 0; struct passwd *pw = authctxt->pw; debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && #ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { auth_log(authctxt, 1, "without authentication", ""); return; } /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); client_user = NULL; for (;;) { /* default to fail */ authenticated = 0; info[0] = '\0'; /* Get a packet from the client. */ prev = type; type = packet_read(); /* * If we started challenge-response authentication but the * next packet is not a response to our challenge, release * the resources allocated by get_challenge() (which would * normally have been released by verify_response() had we * received such a response) */ if (prev == SSH_CMSG_AUTH_TIS && type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt); /* Process the packet. */ switch (type) { case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); break; } /* * Get client user name. Note that we just have to * trust the client; root on the client machine can * claim to be any user. */ client_user = packet_get_string(&ulen); /* Get the client host key. */ client_host_key = key_new(KEY_RSA1); bits = packet_get_int(); packet_get_bignum(client_host_key->rsa->e); packet_get_bignum(client_host_key->rsa->n); if (bits != BN_num_bits(client_host_key->rsa->n)) verbose("Warning: keysize mismatch for client_host_key: " "actual %d, announced %d", BN_num_bits(client_host_key->rsa->n), bits); packet_check_eom(); authenticated = auth_rhosts_rsa(authctxt, client_user, client_host_key); key_free(client_host_key); snprintf(info, sizeof info, " ruser %.100s", client_user); break; case SSH_CMSG_AUTH_RSA: if (!options.rsa_authentication) { verbose("RSA authentication disabled."); break; } /* RSA authentication requested. */ if ((n = BN_new()) == NULL) fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); authenticated = auth_rsa(authctxt, n); BN_clear_free(n); break; case SSH_CMSG_AUTH_PASSWORD: if (!options.password_authentication) { verbose("Password authentication disabled."); break; } /* * Read user password. It is in plain text, but was * transmitted over the encrypted channel so it is * not visible to an outside observer. */ password = packet_get_string(&dlen); packet_check_eom(); /* Try authentication with the password. */ authenticated = PRIVSEP(auth_password(authctxt, password)); memset(password, 0, strlen(password)); xfree(password); break; case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.challenge_response_authentication == 1) { char *challenge = get_challenge(authctxt); if (challenge != NULL) { debug("sending challenge '%s'", challenge); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); packet_put_cstring(challenge); xfree(challenge); packet_send(); packet_write_wait(); continue; } } break; case SSH_CMSG_AUTH_TIS_RESPONSE: debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); if (options.challenge_response_authentication == 1) { char *response = packet_get_string(&dlen); packet_check_eom(); authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); xfree(response); } break; default: /* * Any unknown messages will be ignored (and failure * returned) during authentication. */ logit("Unknown message during authentication: type %d", type); break; } #ifdef BSD_AUTH if (authctxt->as) { auth_close(authctxt->as); authctxt->as = NULL; } #endif if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); #ifdef _UNICOS if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user); } #endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { packet_disconnect("Authentication rejected for uid %d.", pw == NULL ? -1 : pw->pw_uid); authenticated = 0; } #else /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) { authenticated = 0; #if defined(HAVE_BSM_AUDIT_H) && defined(HAVE_LIBBSM) PRIVSEP(solaris_audit_not_console()); #endif /* BSM */ } #endif #ifdef USE_PAM if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) authenticated = 0; #endif /* Log before sending the reply */ auth_log(authctxt, authenticated, get_authname(type), info); if (client_user != NULL) { xfree(client_user); client_user = NULL; } if (authenticated) return; if (authctxt->failures++ > AUTH_FAIL_MAX) { #if defined(HAVE_BSM_AUDIT_H) && defined(HAVE_LIBBSM) PRIVSEP(solaris_audit_maxtrys()); #endif /* BSM */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } #if defined(HAVE_BSM_AUDIT_H) && defined(HAVE_LIBBSM) PRIVSEP(solaris_audit_bad_pw("authorization")); #endif /* BSM */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } }
void doit(struct sockaddr *fromp) { extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */ struct addrinfo hints, *res, *res0; int gaierror; struct passwd *pwd; u_short port; in_port_t *portp; struct pollfd pfd[4]; int cc, nfd, pv[2], s = 0, one = 1; pid_t pid; char *hostname, *errorstr, *errorhost = (char *) NULL; char *cp, sig, buf[BUFSIZ]; char cmdbuf[NCARGS+1], locuser[_PW_NAME_LEN+1], remuser[_PW_NAME_LEN+1]; char remotehost[2 * MAXHOSTNAMELEN + 1]; char hostnamebuf[2 * MAXHOSTNAMELEN + 1]; char naddr[NI_MAXHOST]; char saddr[NI_MAXHOST]; char raddr[NI_MAXHOST]; char pbuf[NI_MAXSERV]; auth_session_t *as; const int niflags = NI_NUMERICHOST | NI_NUMERICSERV; #ifdef KERBEROS AUTH_DAT *kdata = (AUTH_DAT *) NULL; KTEXT ticket = (KTEXT) NULL; char instance[INST_SZ], version[VERSION_SIZE]; struct sockaddr_storage fromaddr; int rc; long authopts; #ifdef CRYPT int pv1[2], pv2[2]; #endif if (sizeof(fromaddr) < fromp->sa_len) { syslog(LOG_ERR, "malformed \"from\" address (af %d)", fromp->sa_family); exit(1); } memcpy(&fromaddr, fromp, fromp->sa_len); #endif (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); (void) signal(SIGTERM, SIG_DFL); #ifdef DEBUG { int t = open(_PATH_TTY, 2); if (t >= 0) { ioctl(t, TIOCNOTTY, (char *)0); (void) close(t); } } #endif switch (fromp->sa_family) { case AF_INET: portp = &((struct sockaddr_in *)fromp)->sin_port; break; case AF_INET6: portp = &((struct sockaddr_in6 *)fromp)->sin6_port; break; default: syslog(LOG_ERR, "malformed \"from\" address (af %d)", fromp->sa_family); exit(1); } if (getnameinfo(fromp, fromp->sa_len, naddr, sizeof(naddr), pbuf, sizeof(pbuf), niflags) != 0) { syslog(LOG_ERR, "malformed \"from\" address (af %d)", fromp->sa_family); exit(1); } #ifdef IP_OPTIONS if (fromp->sa_family == AF_INET) { struct ipoption opts; socklen_t optsize = sizeof(opts); int ipproto, i; struct protoent *ip; if ((ip = getprotobyname("ip")) != NULL) ipproto = ip->p_proto; else ipproto = IPPROTO_IP; if (!getsockopt(STDIN_FILENO, ipproto, IP_OPTIONS, (char *)&opts, &optsize) && optsize != 0) { for (i = 0; (void *)&opts.ipopt_list[i] - (void *)&opts < optsize; ) { u_char c = (u_char)opts.ipopt_list[i]; if (c == IPOPT_LSRR || c == IPOPT_SSRR) exit(1); if (c == IPOPT_EOL) break; i += (c == IPOPT_NOP) ? 1 : (u_char)opts.ipopt_list[i+1]; } } } #endif #ifdef KERBEROS if (!use_kerberos) #endif if (ntohs(*portp) >= IPPORT_RESERVED || ntohs(*portp) < IPPORT_RESERVED/2) { syslog(LOG_NOTICE|LOG_AUTH, "Connection from %s on illegal port %u", naddr, ntohs(*portp)); exit(1); } (void) alarm(60); port = 0; for (;;) { char c; if ((cc = read(STDIN_FILENO, &c, 1)) != 1) { if (cc < 0) syslog(LOG_NOTICE, "read: %m"); shutdown(STDIN_FILENO, SHUT_RDWR); exit(1); } if (c == 0) break; port = port * 10 + c - '0'; } (void) alarm(0); if (port != 0) { int lport; #ifdef KERBEROS if (!use_kerberos) #endif if (port >= IPPORT_RESERVED || port < IPPORT_RESERVED/2) { syslog(LOG_ERR, "2nd port not reserved"); exit(1); } *portp = htons(port); lport = IPPORT_RESERVED - 1; s = rresvport_af(&lport, fromp->sa_family); if (s < 0) { syslog(LOG_ERR, "can't get stderr port: %m"); exit(1); } if (connect(s, (struct sockaddr *)fromp, fromp->sa_len) < 0) { syslog(LOG_INFO, "connect second port %d: %m", port); exit(1); } } #ifdef KERBEROS if (vacuous) { error("rshd: remote host requires Kerberos authentication\n"); exit(1); } #endif #ifdef notdef /* from inetd, socket is already on 0, 1, 2 */ dup2(f, 0); dup2(f, 1); dup2(f, 2); #endif errorstr = NULL; if (getnameinfo(fromp, fromp->sa_len, saddr, sizeof(saddr), NULL, 0, NI_NAMEREQD)== 0) { /* * If name returned by getnameinfo is in our domain, * attempt to verify that we haven't been fooled by someone * in a remote net; look up the name and check that this * address corresponds to the name. */ hostname = saddr; res0 = NULL; #ifdef KERBEROS if (!use_kerberos) #endif if (check_all || local_domain(saddr)) { strlcpy(remotehost, saddr, sizeof(remotehost)); errorhost = remotehost; memset(&hints, 0, sizeof(hints)); hints.ai_family = fromp->sa_family; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_CANONNAME; gaierror = getaddrinfo(remotehost, pbuf, &hints, &res0); if (gaierror) { syslog(LOG_INFO, "Couldn't look up address for %s: %s", remotehost, gai_strerror(gaierror)); errorstr = "Couldn't look up address for your host (%s)\n"; hostname = naddr; } else { for (res = res0; res; res = res->ai_next) { if (res->ai_family != fromp->sa_family) continue; if (res->ai_addrlen != fromp->sa_len) continue; if (getnameinfo(res->ai_addr, res->ai_addrlen, raddr, sizeof(raddr), NULL, 0, niflags) == 0 && strcmp(naddr, raddr) == 0) { hostname = res->ai_canonname ? res->ai_canonname : saddr; break; } } if (res == NULL) { syslog(LOG_NOTICE, "Host addr %s not listed for host %s", naddr, res0->ai_canonname ? res0->ai_canonname : saddr); errorstr = "Host address mismatch for %s\n"; hostname = naddr; } } } strlcpy(hostnamebuf, hostname, sizeof(hostnamebuf)); hostname = hostnamebuf; if (res0) freeaddrinfo(res0); } else strlcpy(hostnamebuf, naddr, sizeof(hostnamebuf)); errorhost = hostname = hostnamebuf; #ifdef KERBEROS if (use_kerberos) { kdata = (AUTH_DAT *) authbuf; ticket = (KTEXT) tickbuf; authopts = 0L; strlcpy(instance, "*", sizeof instance); version[VERSION_SIZE - 1] = '\0'; #ifdef CRYPT if (doencrypt) { struct sockaddr_in local_addr; rc = sizeof(local_addr); if (getsockname(STDIN_FILENO, (struct sockaddr *)&local_addr, &rc) < 0) { syslog(LOG_ERR, "getsockname: %m"); error("rshd: getsockname: %m"); exit(1); } authopts = KOPT_DO_MUTUAL; rc = krb_recvauth(authopts, 0, ticket, "rcmd", instance, (struct sockaddr_in *)&fromaddr, &local_addr, kdata, "", schedule, version); desrw_set_key(&kdata->session, &schedule); } else #endif rc = krb_recvauth(authopts, 0, ticket, "rcmd", instance, (struct sockaddr_in *)&fromaddr, NULL, kdata, "", NULL, version); if (rc != KSUCCESS) { error("Kerberos authentication failure: %s\n", krb_get_err_text(rc)); exit(1); } } else #endif getstr(remuser, sizeof(remuser), "remuser"); getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); pwd = getpwnam(locuser); if (pwd == NULL) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unknown login. cmd='%.80s'", remuser, hostname, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Permission denied.\n"; goto fail; } lc = login_getclass(pwd->pw_class); if (lc == NULL) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unknown class. cmd='%.80s'", remuser, hostname, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; goto fail; } as = auth_open(); if (as == NULL || auth_setpwd(as, pwd) != 0) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unable to allocate memory. cmd='%.80s'", remuser, hostname, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Cannot allocate memory.\n"; goto fail; } setegid(pwd->pw_gid); seteuid(pwd->pw_uid); if (chdir(pwd->pw_dir) < 0) { (void) chdir("/"); #ifdef notdef syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: no home directory. cmd='%.80s'", remuser, hostname, locuser, cmdbuf); error("No remote directory.\n"); exit(1); #endif } seteuid(0); setegid(0); /* XXX use a saved gid instead? */ #ifdef KERBEROS if (use_kerberos) { if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') { if (kuserok(kdata, locuser) != 0) { syslog(LOG_INFO|LOG_AUTH, "Kerberos rsh denied to %s.%s@%s", kdata->pname, kdata->pinst, kdata->prealm); error("Permission denied.\n"); exit(1); } } } else #endif if (errorstr || (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && iruserok_sa(fromp, fromp->sa_len, pwd->pw_uid == 0, remuser, locuser) < 0)) { if (__rcmd_errstr) syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", remuser, hostname, locuser, __rcmd_errstr, cmdbuf); else syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied. cmd='%.80s'", remuser, hostname, locuser, cmdbuf); fail: if (errorstr == NULL) errorstr = "Permission denied.\n"; error(errorstr, errorhost); exit(1); } if (pwd->pw_uid) auth_checknologin(lc); (void) write(STDERR_FILENO, "\0", 1); sent_null = 1; if (port) { if (pipe(pv) < 0) { error("Can't make pipe.\n"); exit(1); } #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { if (pipe(pv1) < 0) { error("Can't make 2nd pipe.\n"); exit(1); } if (pipe(pv2) < 0) { error("Can't make 3rd pipe.\n"); exit(1); } } #endif #endif pid = fork(); if (pid == -1) { error("Can't fork; try again.\n"); exit(1); } if (pid) { #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { static char msg[] = SECURE_MESSAGE; (void) close(pv1[1]); (void) close(pv2[1]); des_write(s, msg, sizeof(msg) - 1); } else #endif #endif { (void) close(STDIN_FILENO); (void) close(STDOUT_FILENO); } (void) close(STDERR_FILENO); (void) close(pv[1]); pfd[P_SOCKREAD].fd = s; pfd[P_SOCKREAD].events = POLLIN; pfd[P_PIPEREAD].fd = pv[0]; pfd[P_PIPEREAD].events = POLLIN; nfd = 2; #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { pfd[P_CRYPTREAD].fd = pv1[0]; pfd[P_CRYPTREAD].events = POLLIN; pfd[P_CRYPTWRITE].fd = pv2[0]; pfd[P_CRYPTWRITE].events = POLLOUT; nfd += 2; } else #endif #endif ioctl(pv[0], FIONBIO, (char *)&one); /* should set s nbio! */ do { if (poll(pfd, nfd, INFTIM) < 0) break; if (pfd[P_SOCKREAD].revents & POLLIN) { int ret; #ifdef CRYPT #ifdef KERBEROS if (doencrypt) ret = des_read(s, &sig, 1); else #endif #endif ret = read(s, &sig, 1); if (ret <= 0) pfd[P_SOCKREAD].revents = 0; else killpg(pid, sig); } if (pfd[P_PIPEREAD].revents & POLLIN) { errno = 0; cc = read(pv[0], buf, sizeof(buf)); if (cc <= 0) { shutdown(s, SHUT_RDWR); pfd[P_PIPEREAD].revents = 0; } else { #ifdef CRYPT #ifdef KERBEROS if (doencrypt) (void) des_write(s, buf, cc); else #endif #endif (void) write(s, buf, cc); } } #ifdef CRYPT #ifdef KERBEROS if (doencrypt && (pfd[P_CRYPTREAD].revents & POLLIN)) { errno = 0; cc = read(pv1[0], buf, sizeof(buf)); if (cc <= 0) { shutdown(pv1[0], SHUT_RDWR); pfd[P_CRYPTREAD].revents = 0; } else (void) des_write(STDOUT_FILENO, buf, cc); } if (doencrypt && (pfd[P_CRYPTWRITE].revents & POLLIN)) { errno = 0; cc = des_read(STDIN_FILENO, buf, sizeof(buf)); if (cc <= 0) { shutdown(pv2[0], SHUT_RDWR); pfd[P_CRYPTWRITE].revents = 0; } else (void) write(pv2[0], buf, cc); } #endif #endif } while ((pfd[P_SOCKREAD].revents & POLLIN) || #ifdef CRYPT #ifdef KERBEROS (doencrypt && (pfd[P_CRYPTREAD].revents & POLLIN)) || #endif #endif (pfd[P_PIPEREAD].revents & POLLIN)); exit(0); } setsid(); (void) close(s); (void) close(pv[0]); #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { close(pv1[0]); close(pv2[0]); dup2(pv1[1], 1); dup2(pv2[1], 0); close(pv1[1]); close(pv2[1]); } #endif #endif dup2(pv[1], 2); close(pv[1]); } else setsid(); if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; environ = envinit; if (setenv("HOME", pwd->pw_dir, 1) == -1 || setenv("SHELL", pwd->pw_shell, 1) == -1 || setenv("USER", pwd->pw_name, 1) == -1 || setenv("LOGNAME", pwd->pw_name, 1) == -1) errx(1, "cannot setup environment"); if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL)) errx(1, "cannot set user context"); if (auth_approval(as, lc, pwd->pw_name, "rsh") <= 0) errx(1, "approval failure"); auth_close(as); login_close(lc); cp = strrchr(pwd->pw_shell, '/'); if (cp) cp++; else cp = pwd->pw_shell; endpwent(); if (log_success || pwd->pw_uid == 0) { #ifdef KERBEROS if (use_kerberos) syslog(LOG_INFO|LOG_AUTH, "Kerberos shell from %s.%s@%s on %s as %s, cmd='%.80s'", kdata->pname, kdata->pinst, kdata->prealm, hostname, locuser, cmdbuf); else #endif syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'", remuser, hostname, locuser, cmdbuf); } execl(pwd->pw_shell, cp, "-c", cmdbuf, (char *)NULL); perror(pwd->pw_shell); exit(1); }
/* * read packets, try to authenticate the user and * return only if authentication is successful */ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; u_int bits; Key *client_host_key; BIGNUM *n; char *client_user, *password; char info[1024]; u_int dlen; u_int ulen; int type = 0; struct passwd *pw = authctxt->pw; debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { auth_log(authctxt, 1, "without authentication", ""); return; } /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); client_user = NULL; for ( ;; ) { /* default to fail */ authenticated = 0; info[0] = '\0'; /* Get a packet from the client. */ authctxt->v1_auth_type = type = packet_read(); authctxt->v1_auth_name = get_authname(type); authctxt->attempt++; /* Process the packet. */ switch (type) { #if defined(KRB4) || defined(KRB5) case SSH_CMSG_AUTH_KERBEROS: if (!options.kerberos_authentication) { verbose("Kerberos authentication disabled."); } else { char *kdata = packet_get_string(&dlen); packet_check_eom(); if (kdata[0] == 4) { /* KRB_PROT_VERSION */ #ifdef KRB4 KTEXT_ST tkt, reply; tkt.length = dlen; if (tkt.length < MAX_KTXT_LEN) memcpy(tkt.dat, kdata, tkt.length); if (PRIVSEP(auth_krb4(authctxt, &tkt, &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), " tktuser %.100s", client_user); packet_start( SSH_SMSG_AUTH_KERBEROS_RESPONSE); packet_put_string((char *) reply.dat, reply.length); packet_send(); packet_write_wait(); } #endif /* KRB4 */ } else { #ifdef KRB5 krb5_data tkt, reply; tkt.length = dlen; tkt.data = kdata; if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), " tktuser %.100s", client_user); /* Send response to client */ packet_start( SSH_SMSG_AUTH_KERBEROS_RESPONSE); packet_put_string((char *) reply.data, reply.length); packet_send(); packet_write_wait(); if (reply.length) xfree(reply.data); } #endif /* KRB5 */ } xfree(kdata); } break; #endif /* KRB4 || KRB5 */ #if defined(AFS) || defined(KRB5) /* XXX - punt on backward compatibility here. */ case SSH_CMSG_HAVE_KERBEROS_TGT: packet_send_debug("Kerberos TGT passing disabled before authentication."); break; #ifdef AFS case SSH_CMSG_HAVE_AFS_TOKEN: packet_send_debug("AFS token passing disabled before authentication."); break; #endif /* AFS */ #endif /* AFS || KRB5 */ case SSH_CMSG_AUTH_RHOSTS: if (!options.rhosts_authentication) { verbose("Rhosts authentication disabled."); break; } /* * Get client user name. Note that we just have to * trust the client; this is one reason why rhosts * authentication is insecure. (Another is * IP-spoofing on a local network.) */ client_user = packet_get_string(&ulen); packet_check_eom(); /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ authenticated = auth_rhosts(pw, client_user); snprintf(info, sizeof info, " ruser %.100s", client_user); break; case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); break; } /* * Get client user name. Note that we just have to * trust the client; root on the client machine can * claim to be any user. */ client_user = packet_get_string(&ulen); /* Get the client host key. */ client_host_key = key_new(KEY_RSA1); bits = packet_get_int(); packet_get_bignum(client_host_key->rsa->e); packet_get_bignum(client_host_key->rsa->n); if (bits != BN_num_bits(client_host_key->rsa->n)) verbose("Warning: keysize mismatch for client_host_key: " "actual %d, announced %d", BN_num_bits(client_host_key->rsa->n), bits); packet_check_eom(); authenticated = auth_rhosts_rsa(pw, client_user, client_host_key); key_free(client_host_key); snprintf(info, sizeof info, " ruser %.100s", client_user); break; case SSH_CMSG_AUTH_RSA: if (!options.rsa_authentication) { verbose("RSA authentication disabled."); break; } /* RSA authentication requested. */ if ((n = BN_new()) == NULL) fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); authenticated = auth_rsa(pw, n); BN_clear_free(n); break; case SSH_CMSG_AUTH_PASSWORD: authctxt->init_attempt++; if (!options.password_authentication) { verbose("Password authentication disabled."); break; } /* * Read user password. It is in plain text, but was * transmitted over the encrypted channel so it is * not visible to an outside observer. */ password = packet_get_string(&dlen); packet_check_eom(); /* Try authentication with the password. */ if (authctxt->init_failures < options.max_init_auth_tries) authenticated = PRIVSEP(auth_password(authctxt, password)); memset(password, 0, strlen(password)); xfree(password); break; case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.challenge_response_authentication == 1) { char *challenge = get_challenge(authctxt); if (challenge != NULL) { debug("sending challenge '%s'", challenge); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); packet_put_cstring(challenge); xfree(challenge); packet_send(); packet_write_wait(); continue; } } break; case SSH_CMSG_AUTH_TIS_RESPONSE: debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); if (options.challenge_response_authentication == 1) { char *response = packet_get_string(&dlen); debug("got response '%s'", response); packet_check_eom(); authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); xfree(response); } break; default: /* * Any unknown messages will be ignored (and failure * returned) during authentication. */ log("Unknown message during authentication: type %d", type); break; } #ifdef BSD_AUTH if (authctxt->as) { auth_close(authctxt->as); authctxt->as = NULL; } #endif if (!authctxt->valid && authenticated) { authenticated = 0; log("Ignoring authenticated invalid user %s", authctxt->user); } #ifdef _UNICOS if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) cray_login_failure(authctxt->user, IA_UDBERR); if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user); } #endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { packet_disconnect("Authentication rejected for uid %d.", pw == NULL ? -1 : pw->pw_uid); authenticated = 0; } #else /* Special handling for root */ if (!use_privsep && authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) authenticated = 0; #endif #ifdef USE_PAM /* XXX PAM and PRIVSEP don't mix */ if (use_privsep && authenticated) fatal("Privsep is not supported"); if (authenticated && type != SSH_CMSG_AUTH_PASSWORD) authenticated = do_pam_non_initial_userauth(authctxt); else if (authenticated && !AUTHPAM_DONE(authctxt)) authenticated = 0; if (!authenticated) authctxt->pam_retval = AUTHPAM_ERROR(authctxt, PAM_PERM_DENIED); #endif /* USE_PAM */ /* Log before sending the reply */ auth_log(authctxt, authenticated, get_authname(type), info); if (client_user != NULL) { xfree(client_user); client_user = NULL; } if (authenticated) return; if (type == SSH_CMSG_AUTH_PASSWORD) authctxt->init_failures++; if (authctxt->failures++ > options.max_auth_tries) { #ifdef HAVE_BSM fatal_remove_cleanup(audit_failed_login_cleanup, authctxt); audit_sshd_login_failure(&ah, PAM_MAXTRIES); #endif /* HAVE_BSM */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } }
static void child_process(entry *e) { int stdin_pipe[2], stdout_pipe[2]; char * volatile input_data; char *homedir, *usernm, * volatile mailto; int children = 0; Debug(DPROC, ("[%ld] child_process('%s')\n", (long)getpid(), e->cmd)); setproctitle("running job"); /* discover some useful and important environment settings */ usernm = e->pwd->pw_name; mailto = env_get("MAILTO", e->envp); /* our parent is watching for our death by catching SIGCHLD. we * do not care to watch for our children's deaths this way -- we * use wait() explicitly. so we have to reset the signal (which * was inherited from the parent). */ (void) signal(SIGCHLD, SIG_DFL); /* create some pipes to talk to our future child */ if (pipe(stdin_pipe) == -1) /* child's stdin */ log_it("CRON", getpid(), "error", "create child stdin pipe"); if (pipe(stdout_pipe) == -1) /* child's stdout */ log_it("CRON", getpid(), "error", "create child stdout pipe"); /* since we are a forked process, we can diddle the command string * we were passed -- nobody else is going to use it again, right? * * if a % is present in the command, previous characters are the * command, and subsequent characters are the additional input to * the command. An escaped % will have the escape character stripped * from it. Subsequent %'s will be transformed into newlines, * but that happens later. */ /*local*/{ int escaped = FALSE; int ch; char *p; /* translation: * \% -> % * % -> end of command, following is command input. * \x -> \x for all x != % */ input_data = p = e->cmd; while ((ch = *input_data++) != '\0') { if (escaped) { if (ch != '%') *p++ = '\\'; } else { if (ch == '%') { break; } } if (!(escaped = (ch == '\\'))) { *p++ = ch; } } if (ch == '\0') { /* move pointer back, so that code below * won't think we encountered % sequence */ input_data--; } if (escaped) *p++ = '\\'; *p = '\0'; } /* fork again, this time so we can exec the user's command. */ switch (vfork()) { case -1: log_it("CRON", getpid(), "error", "can't vfork"); exit(ERROR_EXIT); /*NOTREACHED*/ case 0: Debug(DPROC, ("[%ld] grandchild process vfork()'ed\n", (long)getpid())); /* write a log message. we've waited this long to do it * because it was not until now that we knew the PID that * the actual user command shell was going to get and the * PID is part of the log message. */ if ((e->flags & DONT_LOG) == 0) { char *x = mkprints(e->cmd, strlen(e->cmd)); log_it(usernm, getpid(), "CMD START", x); free(x); } /* that's the last thing we'll log. close the log files. */ log_close(); /* get new pgrp, void tty, etc. */ if (setsid() == -1) syslog(LOG_ERR, "setsid() failure: %m"); /* close the pipe ends that we won't use. this doesn't affect * the parent, who has to read and write them; it keeps the * kernel from recording us as a potential client TWICE -- * which would keep it from sending SIGPIPE in otherwise * appropriate circumstances. */ (void)close(stdin_pipe[WRITE_PIPE]); (void)close(stdout_pipe[READ_PIPE]); /* grandchild process. make std{in,out} be the ends of * pipes opened by our daddy; make stderr go to stdout. */ if (stdin_pipe[READ_PIPE] != STDIN) { (void)dup2(stdin_pipe[READ_PIPE], STDIN); (void)close(stdin_pipe[READ_PIPE]); } if (stdout_pipe[WRITE_PIPE] != STDOUT) { (void)dup2(stdout_pipe[WRITE_PIPE], STDOUT); (void)close(stdout_pipe[WRITE_PIPE]); } (void)dup2(STDOUT, STDERR); /* set our directory, uid and gid. Set gid first, since once * we set uid, we've lost root privledges. */ #ifdef LOGIN_CAP { #ifdef BSD_AUTH auth_session_t *as; #endif login_cap_t *lc; char *p; if ((lc = login_getclass(e->pwd->pw_class)) == NULL) { warnx("unable to get login class for `%s'", e->pwd->pw_name); _exit(ERROR_EXIT); } if (setusercontext(lc, e->pwd, e->pwd->pw_uid, LOGIN_SETALL) < 0) { warnx("setusercontext failed for `%s'", e->pwd->pw_name); _exit(ERROR_EXIT); } #ifdef BSD_AUTH as = auth_open(); if (as == NULL || auth_setpwd(as, e->pwd) != 0) { warn("can't malloc"); _exit(ERROR_EXIT); } if (auth_approval(as, lc, usernm, "cron") <= 0) { warnx("approval failed for `%s'", e->pwd->pw_name); _exit(ERROR_EXIT); } auth_close(as); #endif /* BSD_AUTH */ login_close(lc); /* If no PATH specified in crontab file but * we just added one via login.conf, add it to * the crontab environment. */ if (env_get("PATH", e->envp) == NULL) { if ((p = getenv("PATH")) != NULL) e->envp = env_set(e->envp, p); } } #else if (setgid(e->pwd->pw_gid) != 0) { syslog(LOG_ERR, "setgid(%d) failed for %s: %m", e->pwd->pw_gid, e->pwd->pw_name); _exit(ERROR_EXIT); } if (initgroups(usernm, e->pwd->pw_gid) != 0) { syslog(LOG_ERR, "initgroups(%s, %d) failed for %s: %m", usernm, e->pwd->pw_gid, e->pwd->pw_name); _exit(ERROR_EXIT); } #if (defined(BSD)) && (BSD >= 199103) if (setlogin(usernm) < 0) { syslog(LOG_ERR, "setlogin(%s) failure for %s: %m", usernm, e->pwd->pw_name); _exit(ERROR_EXIT); } #endif /* BSD */ if (setuid(e->pwd->pw_uid) != 0) { syslog(LOG_ERR, "setuid(%d) failed for %s: %m", e->pwd->pw_uid, e->pwd->pw_name); _exit(ERROR_EXIT); } /* we aren't root after this... */ #endif /* LOGIN_CAP */ homedir = env_get("HOME", e->envp); if (chdir(homedir) != 0) { syslog(LOG_ERR, "chdir(%s) $HOME failed for %s: %m", homedir, e->pwd->pw_name); _exit(ERROR_EXIT); } #ifdef USE_SIGCHLD /* our grandparent is watching for our death by catching * SIGCHLD. the parent is ignoring SIGCHLD's; we want * to restore default behaviour. */ (void) signal(SIGCHLD, SIG_DFL); #endif (void) signal(SIGHUP, SIG_DFL); /* * Exec the command. */ { char *shell = env_get("SHELL", e->envp); # if DEBUGGING if (DebugFlags & DTEST) { (void)fprintf(stderr, "debug DTEST is on, not exec'ing command.\n"); (void)fprintf(stderr, "\tcmd='%s' shell='%s'\n", e->cmd, shell); _exit(OK_EXIT); } # endif /*DEBUGGING*/ (void)execle(shell, shell, "-c", e->cmd, NULL, e->envp); warn("execl: couldn't exec `%s'", shell); _exit(ERROR_EXIT); } break; default: /* parent process */ break; } children++; /* middle process, child of original cron, parent of process running * the user's command. */ Debug(DPROC, ("[%ld] child continues, closing pipes\n",(long)getpid())); /* close the ends of the pipe that will only be referenced in the * grandchild process... */ (void)close(stdin_pipe[READ_PIPE]); (void)close(stdout_pipe[WRITE_PIPE]); /* * write, to the pipe connected to child's stdin, any input specified * after a % in the crontab entry. while we copy, convert any * additional %'s to newlines. when done, if some characters were * written and the last one wasn't a newline, write a newline. * * Note that if the input data won't fit into one pipe buffer (2K * or 4K on most BSD systems), and the child doesn't read its stdin, * we would block here. thus we must fork again. */ if (*input_data && fork() == 0) { FILE *out = fdopen(stdin_pipe[WRITE_PIPE], "w"); int need_newline = FALSE; int escaped = FALSE; int ch; Debug(DPROC, ("[%ld] child2 sending data to grandchild\n", (long)getpid())); /* close the pipe we don't use, since we inherited it and * are part of its reference count now. */ (void)close(stdout_pipe[READ_PIPE]); /* translation: * \% -> % * % -> \n * \x -> \x for all x != % */ while ((ch = *input_data++) != '\0') { if (escaped) { if (ch != '%') (void)putc('\\', out); } else { if (ch == '%') ch = '\n'; } if (!(escaped = (ch == '\\'))) { (void)putc(ch, out); need_newline = (ch != '\n'); } } if (escaped) (void)putc('\\', out); if (need_newline) (void)putc('\n', out); /* close the pipe, causing an EOF condition. fclose causes * stdin_pipe[WRITE_PIPE] to be closed, too. */ (void)fclose(out); Debug(DPROC, ("[%ld] child2 done sending to grandchild\n", (long)getpid())); exit(0); } /* close the pipe to the grandkiddie's stdin, since its wicked uncle * ernie back there has it open and will close it when he's done. */ (void)close(stdin_pipe[WRITE_PIPE]); children++; /* * read output from the grandchild. it's stderr has been redirected to * it's stdout, which has been redirected to our pipe. if there is any * output, we'll be mailing it to the user whose crontab this is... * when the grandchild exits, we'll get EOF. */ Debug(DPROC, ("[%ld] child reading output from grandchild\n", (long)getpid())); /*local*/{ FILE *in = fdopen(stdout_pipe[READ_PIPE], "r"); int ch = getc(in); if (ch != EOF) { FILE *mail = NULL; int bytes = 1; int status = 0; Debug(DPROC|DEXT, ("[%ld] got data (%x:%c) from grandchild\n", (long)getpid(), ch, ch)); /* get name of recipient. this is MAILTO if set to a * valid local username; USER otherwise. */ if (mailto) { /* MAILTO was present in the environment */ if (!*mailto) { /* ... but it's empty. set to NULL */ mailto = NULL; } } else { /* MAILTO not present, set to USER. */ mailto = usernm; } /* if we are supposed to be mailing, MAILTO will * be non-NULL. only in this case should we set * up the mail command and subjects and stuff... */ if (mailto && safe_p(usernm, mailto)) { char **env; char mailcmd[MAX_COMMAND]; char hostname[MAXHOSTNAMELEN + 1]; (void)gethostname(hostname, MAXHOSTNAMELEN); if (strlens(MAILFMT, MAILARG, NULL) + 1 >= sizeof mailcmd) { warnx("mailcmd too long"); (void) _exit(ERROR_EXIT); } (void)snprintf(mailcmd, sizeof(mailcmd), MAILFMT, MAILARG); if (!(mail = cron_popen(mailcmd, "w", e->pwd))) { warn("cannot run `%s'", mailcmd); (void) _exit(ERROR_EXIT); } (void)fprintf(mail, "From: root (Cron Daemon)\n"); (void)fprintf(mail, "To: %s\n", mailto); (void)fprintf(mail, "Subject: Cron <%s@%s> %s\n", usernm, first_word(hostname, "."), e->cmd); (void)fprintf(mail, "Auto-Submitted: auto-generated\n"); #ifdef MAIL_DATE (void)fprintf(mail, "Date: %s\n", arpadate(&StartTime)); #endif /*MAIL_DATE*/ for (env = e->envp; *env; env++) (void)fprintf(mail, "X-Cron-Env: <%s>\n", *env); (void)fprintf(mail, "\n"); /* this was the first char from the pipe */ (void)putc(ch, mail); } /* we have to read the input pipe no matter whether * we mail or not, but obviously we only write to * mail pipe if we ARE mailing. */ while (EOF != (ch = getc(in))) { bytes++; if (mailto) (void)putc(ch, mail); } /* only close pipe if we opened it -- i.e., we're * mailing... */ if (mailto) { Debug(DPROC, ("[%ld] closing pipe to mail\n", (long)getpid())); /* Note: the pclose will probably see * the termination of the grandchild * in addition to the mail process, since * it (the grandchild) is likely to exit * after closing its stdout. */ status = cron_pclose(mail); } /* if there was output and we could not mail it, * log the facts so the poor user can figure out * what's going on. */ if (mailto && status) { char buf[MAX_TEMPSTR]; (void)snprintf(buf, sizeof(buf), "mailed %d byte%s of output but got status 0x%04x\n", bytes, (bytes==1)?"":"s", status); log_it(usernm, getpid(), "MAIL", buf); } } /*if data from grandchild*/ Debug(DPROC, ("[%ld] got EOF from grandchild\n", (long)getpid())); (void)fclose(in); /* also closes stdout_pipe[READ_PIPE] */ } /* wait for children to die. */ for (; children > 0; children--) { WAIT_T waiter; PID_T pid; Debug(DPROC, ("[%ld] waiting for grandchild #%d to finish\n", (long)getpid(), children)); while ((pid = wait(&waiter)) < OK && errno == EINTR) ; if (pid < OK) { Debug(DPROC, ("[%ld] no more grandchildren--mail written?\n", (long)getpid())); break; } Debug(DPROC, ("[%ld] grandchild #%ld finished, status=%04x", (long)getpid(), (long)pid, WEXITSTATUS(waiter))); if (WIFSIGNALED(waiter) && WCOREDUMP(waiter)) Debug(DPROC, (", dumped core")); Debug(DPROC, ("\n")); } /* Log the time when we finished deadling with the job */ /*local*/{ char *x = mkprints(e->cmd, strlen(e->cmd)); log_it(usernm, getpid(), "CMD FINISH", x); free(x); } }
/* * read packets, try to authenticate the user and * return only if authentication is successful */ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; char info[1024]; int type = 0; const struct AuthMethod1 *meth; debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && #ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { auth_log(authctxt, 1, "without authentication", ""); return; } /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); for (;;) { /* default to fail */ authenticated = 0; info[0] = '\0'; /* Get a packet from the client. */ type = packet_read(); if (authctxt->failures >= options.max_authtries) goto skip; if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); goto skip; } if (!*(meth->enabled)) { verbose("%s authentication disabled.", meth->name); goto skip; } authenticated = meth->method(authctxt, info, sizeof(info)); if (authenticated == -1) continue; /* "postponed" */ if (authctxt->as) { auth_close(authctxt->as); authctxt->as = NULL; } if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(meth->name)) authenticated = 0; skip: /* Log before sending the reply */ auth_log(authctxt, authenticated, get_authname(type), info); if (authenticated) return; if (++authctxt->failures >= options.max_authtries) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } }
int main(int argc, char *argv[]) { char *domain, *p, *ttyn, *shell, *fullname, *instance; char *lipaddr, *script, *ripaddr, *style, *type, *fqdn; char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; char localhost[MAXHOSTNAMELEN], *copyright; char mail[sizeof(_PATH_MAILDIR) + 1 + NAME_MAX]; int ask, ch, cnt, fflag, pflag, quietlog, rootlogin, lastchance; int error, homeless, needto, authok, tries, backoff; struct addrinfo *ai, hints; struct rlimit cds, scds; quad_t expire, warning; struct utmp utmp; struct group *gr; struct stat st; uid_t uid; openlog("login", LOG_ODELAY, LOG_AUTH); fqdn = lipaddr = ripaddr = fullname = type = NULL; authok = 0; tries = 10; backoff = 3; domain = NULL; if (gethostname(localhost, sizeof(localhost)) < 0) { syslog(LOG_ERR, "couldn't get local hostname: %m"); strlcpy(localhost, "localhost", sizeof(localhost)); } else if ((domain = strchr(localhost, '.'))) { domain++; if (*domain && strchr(domain, '.') == NULL) domain = localhost; } if ((as = auth_open()) == NULL) { syslog(LOG_ERR, "auth_open: %m"); err(1, "unable to initialize BSD authentication"); } auth_setoption(as, "login", "yes"); /* * -p is used by getty to tell login not to destroy the environment * -f is used to skip a second login authentication * -h is used by other servers to pass the name of the remote * host to login so that it may be placed in utmp and wtmp */ fflag = pflag = 0; uid = getuid(); while ((ch = getopt(argc, argv, "fh:pu:L:R:")) != -1) switch (ch) { case 'f': fflag = 1; break; case 'h': if (uid) { warnc(EPERM, "-h option"); quickexit(1); } free(fqdn); if ((fqdn = strdup(optarg)) == NULL) { warn(NULL); quickexit(1); } auth_setoption(as, "fqdn", fqdn); if (domain && (p = strchr(optarg, '.')) && strcasecmp(p+1, domain) == 0) *p = 0; hostname = optarg; auth_setoption(as, "hostname", hostname); break; case 'L': if (uid) { warnc(EPERM, "-L option"); quickexit(1); } if (lipaddr) { warnx("duplicate -L option"); quickexit(1); } lipaddr = optarg; memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_flags = AI_CANONNAME; error = getaddrinfo(lipaddr, NULL, &hints, &ai); if (!error) { strlcpy(localhost, ai->ai_canonname, sizeof(localhost)); freeaddrinfo(ai); } else strlcpy(localhost, lipaddr, sizeof(localhost)); auth_setoption(as, "local_addr", lipaddr); break; case 'p': pflag = 1; break; case 'R': if (uid) { warnc(EPERM, "-R option"); quickexit(1); } if (ripaddr) { warnx("duplicate -R option"); quickexit(1); } ripaddr = optarg; auth_setoption(as, "remote_addr", ripaddr); break; case 'u': if (uid) { warnc(EPERM, "-u option"); quickexit(1); } rusername = optarg; break; default: if (!uid) syslog(LOG_ERR, "invalid flag %c", ch); (void)fprintf(stderr, "usage: login [-fp] [-h hostname] [-L local-addr] " "[-R remote-addr] [-u username]\n\t[user]\n"); quickexit(1); } argc -= optind; argv += optind; if (*argv) { username = *argv; ask = 0; } else ask = 1; /* * If effective user is not root, just run su(1) to emulate login(1). */ if (geteuid() != 0) { char *av[5], **ap; auth_close(as); closelog(); closefrom(STDERR_FILENO + 1); ap = av; *ap++ = _PATH_SU; *ap++ = "-L"; if (!pflag) *ap++ = "-l"; if (!ask) *ap++ = username; *ap = NULL; execv(_PATH_SU, av); warn("unable to exec %s", _PATH_SU); _exit(1); } ttyn = ttyname(STDIN_FILENO); if (ttyn == NULL || *ttyn == '\0') { (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); ttyn = tname; } if ((tty = strrchr(ttyn, '/'))) ++tty; else tty = ttyn; /* * Since login deals with sensitive information, turn off coredumps. */ if (getrlimit(RLIMIT_CORE, &scds) < 0) { syslog(LOG_ERR, "couldn't get core dump size: %m"); scds.rlim_cur = scds.rlim_max = QUAD_MIN; } cds.rlim_cur = cds.rlim_max = 0; if (setrlimit(RLIMIT_CORE, &cds) < 0) { syslog(LOG_ERR, "couldn't set core dump size to 0: %m"); scds.rlim_cur = scds.rlim_max = QUAD_MIN; } (void)signal(SIGALRM, timedout); if (argc > 1) { needto = 0; (void)alarm(timeout); } else needto = 1; (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); (void)signal(SIGHUP, SIG_IGN); (void)setpriority(PRIO_PROCESS, 0, 0); #ifdef notyet /* XXX - we don't (yet) support per-tty auth stuff */ /* BSDi uses a ttys.conf file but we could just overload /etc/ttys */ /* * Classify the attempt. * By default we use the value in the ttys file. * If there is a classify script we run that as * * classify [-f] [username] */ if (type = getttyauth(tty)) auth_setoption(as, "auth_type", type); #endif /* get the default login class */ if ((lc = login_getclass(0)) == NULL) { /* get the default class */ warnx("Failure to retrieve default class"); quickexit(1); } timeout = (u_int)login_getcapnum(lc, "login-timeout", 300, 300); if ((script = login_getcapstr(lc, "classify", NULL, NULL)) != NULL) { unsetenv("AUTH_TYPE"); unsetenv("REMOTE_NAME"); if (script[0] != '/') { syslog(LOG_ERR, "Invalid classify script: %s", script); warnx("Classification failure"); quickexit(1); } shell = strrchr(script, '/') + 1; auth_setstate(as, AUTH_OKAY); auth_call(as, script, shell, fflag ? "-f" : username, fflag ? username : 0, (char *)0); if (!(auth_getstate(as) & AUTH_ALLOW)) quickexit(1); auth_setenv(as); if ((p = getenv("AUTH_TYPE")) != NULL && strncmp(p, "auth-", 5) == 0) type = p; if ((p = getenv("REMOTE_NAME")) != NULL) hostname = p; /* * we may have changed some values, reset them */ auth_clroptions(as); if (type) auth_setoption(as, "auth_type", type); if (fqdn) auth_setoption(as, "fqdn", fqdn); if (hostname) auth_setoption(as, "hostname", hostname); if (lipaddr) auth_setoption(as, "local_addr", lipaddr); if (ripaddr) auth_setoption(as, "remote_addr", ripaddr); } /* * Request the things like the approval script print things * to stdout (in particular, the nologins files) */ auth_setitem(as, AUTHV_INTERACTIVE, "True"); for (cnt = 0;; ask = 1) { /* * Clean up our current authentication session. * Options are not cleared so we need to clear any * we might set below. */ auth_clean(as); auth_clroption(as, "style"); auth_clroption(as, "lastchance"); lastchance = 0; if (ask) { fflag = 0; getloginname(); } if (needto) { needto = 0; alarm(timeout); } if ((style = strchr(username, ':')) != NULL) *style++ = '\0'; if (fullname) free(fullname); if (auth_setitem(as, AUTHV_NAME, username) < 0 || (fullname = strdup(username)) == NULL) { syslog(LOG_ERR, "%m"); warn(NULL); quickexit(1); } rootlogin = 0; if ((instance = strchr(username, '/')) != NULL) { if (strncmp(instance + 1, "root", 4) == 0) rootlogin = 1; *instance++ = '\0'; } else instance = ""; if (strlen(username) > UT_NAMESIZE) username[UT_NAMESIZE] = '\0'; /* * Note if trying multiple user names; log failures for * previous user name, but don't bother logging one failure * for nonexistent name (mistyped username). */ if (failures && strcmp(tbuf, username)) { if (failures > (pwd ? 0 : 1)) badlogin(tbuf); failures = 0; } (void)strlcpy(tbuf, username, sizeof(tbuf)); if ((pwd = getpwnam(username)) != NULL && auth_setpwd(as, pwd) < 0) { syslog(LOG_ERR, "%m"); warn(NULL); quickexit(1); } lc = login_getclass(pwd ? pwd->pw_class : NULL); if (!lc) goto failed; style = login_getstyle(lc, style, type); if (!style) goto failed; /* * We allow "login-tries" attempts to login but start * slowing down after "login-backoff" attempts. */ tries = (int)login_getcapnum(lc, "login-tries", 10, 10); backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3); /* * Turn off the fflag if we have an invalid user * or we are not root and we are trying to change uids. */ if (!pwd || (uid && uid != pwd->pw_uid)) fflag = 0; if (pwd && pwd->pw_uid == 0) rootlogin = 1; /* * If we do not have the force flag authenticate the user */ if (!fflag) { lastchance = login_getcaptime(lc, "password-dead", 0, 0) != 0; if (lastchance) auth_setoption(as, "lastchance", "yes"); /* * Once we start asking for a password * we want to log a failure on a hup. */ signal(SIGHUP, sighup); auth_verify(as, style, NULL, lc->lc_class, NULL); authok = auth_getstate(as); /* * If their password expired and it has not been * too long since then, give the user one last * chance to change their password */ if ((authok & AUTH_PWEXPIRED) && lastchance) { authok = AUTH_OKAY; } else lastchance = 0; if ((authok & AUTH_ALLOW) == 0) goto failed; if (auth_setoption(as, "style", style) < 0) { syslog(LOG_ERR, "%m"); warn(NULL); quickexit(1); } } /* * explicitly reject users without password file entries */ if (pwd == NULL) goto failed; /* * If trying to log in as root on an insecure terminal, * refuse the login attempt unless the authentication * style explicitly says a root login is okay. */ if (pwd && rootlogin && !rootterm(tty)) goto failed; if (fflag) { type = 0; style = "forced"; } break; failed: if (authok & AUTH_SILENT) quickexit(0); if (rootlogin && !rootterm(tty)) { warnx("%s login refused on this terminal.", fullname); if (hostname) syslog(LOG_NOTICE, "LOGIN %s REFUSED FROM %s%s%s ON TTY %s", fullname, rusername ? rusername : "", rusername ? "@" : "", hostname, tty); else syslog(LOG_NOTICE, "LOGIN %s REFUSED ON TTY %s", fullname, tty); } else { if (!as || (p = auth_getvalue(as, "errormsg")) == NULL) p = "Login incorrect"; (void)printf("%s\n", p); } failures++; if (pwd) log_failedlogin(pwd->pw_uid, hostname, rusername, tty); /* * By default, we allow 10 tries, but after 3 we start * backing off to slow down password guessers. */ if (++cnt > backoff) { if (cnt >= tries) { badlogin(username); sleepexit(1); } sleep((u_int)((cnt - backoff) * tries / 2)); } } /* committed to login -- turn off timeout */ (void)alarm(0); endpwent(); shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell); if (*shell == '\0') shell = _PATH_BSHELL; else if (strlen(shell) >= MAXPATHLEN) { syslog(LOG_ERR, "shell path too long: %s", shell); warnx("invalid shell"); quickexit(1); } /* Destroy environment unless user has requested its preservation. */ if (!pflag) { if ((environ = calloc(1, sizeof (char *))) == NULL) err(1, "calloc"); } else { char **cpp, **cpp2; for (cpp2 = cpp = environ; *cpp; cpp++) { if (strncmp(*cpp, "LD_", 3) && strncmp(*cpp, "ENV=", 4) && strncmp(*cpp, "BASH_ENV=", 9) && strncmp(*cpp, "IFS=", 4)) *cpp2++ = *cpp; } *cpp2 = 0; } /* Note: setusercontext(3) will set PATH */ if (setenv("HOME", pwd->pw_dir, 1) == -1 || setenv("SHELL", pwd->pw_shell, 1) == -1) { warn("unable to setenv()"); quickexit(1); } if (term[0] == '\0') (void)strlcpy(term, stypeof(tty), sizeof(term)); (void)snprintf(mail, sizeof(mail), "%s/%s", _PATH_MAILDIR, pwd->pw_name); if (setenv("TERM", term, 0) == -1 || setenv("LOGNAME", pwd->pw_name, 1) == -1 || setenv("USER", pwd->pw_name, 1) == -1 || setenv("MAIL", mail, 1) == -1) { warn("unable to setenv()"); quickexit(1); } if (hostname) { if (setenv("REMOTEHOST", hostname, 1) == -1) { warn("unable to setenv()"); quickexit(1); } } if (rusername) { if (setenv("REMOTEUSER", rusername, 1) == -1) { warn("unable to setenv()"); quickexit(1); } } if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH)) { warn("unable to set user context"); quickexit(1); } auth_setenv(as); /* if user not super-user, check for disabled logins */ if (!rootlogin) auth_checknologin(lc); setegid(pwd->pw_gid); seteuid(pwd->pw_uid); homeless = chdir(pwd->pw_dir); if (homeless) { if (login_getcapbool(lc, "requirehome", 0)) { (void)printf("No home directory %s!\n", pwd->pw_dir); quickexit(1); } if (chdir("/")) quickexit(0); } quietlog = ((strcmp(pwd->pw_shell, "/sbin/nologin") == 0) || login_getcapbool(lc, "hushlogin", 0) || (access(_PATH_HUSHLOGIN, F_OK) == 0)); seteuid(0); setegid(0); /* XXX use a saved gid instead? */ if ((p = auth_getvalue(as, "warnmsg")) != NULL) (void)printf("WARNING: %s\n\n", p); expire = auth_check_expire(as); if (expire < 0) { (void)printf("Sorry -- your account has expired.\n"); quickexit(1); } else if (expire > 0 && !quietlog) { warning = login_getcaptime(lc, "expire-warn", 2 * DAYSPERWEEK * SECSPERDAY, 2 * DAYSPERWEEK * SECSPERDAY); if (expire < warning) (void)printf("Warning: your account expires on %s", ctime(&pwd->pw_expire)); } /* Nothing else left to fail -- really log in. */ (void)signal(SIGHUP, SIG_DFL); memset(&utmp, 0, sizeof(utmp)); (void)time(&utmp.ut_time); (void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name)); if (hostname) (void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host)); (void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line)); login(&utmp); if (!quietlog) (void)check_failedlogin(pwd->pw_uid); dolastlog(quietlog); login_fbtab(tty, pwd->pw_uid, pwd->pw_gid); (void)chown(ttyn, pwd->pw_uid, (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid); /* If fflag is on, assume caller/authenticator has logged root login. */ if (rootlogin && fflag == 0) { if (hostname) syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s%s%s", username, tty, rusername ? rusername : "", rusername ? "@" : "", hostname); else syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty); } if (!quietlog) { if ((copyright = login_getcapstr(lc, "copyright", NULL, NULL)) != NULL) auth_cat(copyright); motd(); if (stat(mail, &st) == 0 && st.st_size != 0) (void)printf("You have %smail.\n", (st.st_mtime > st.st_atime) ? "new " : ""); } (void)signal(SIGALRM, SIG_DFL); (void)signal(SIGQUIT, SIG_DFL); (void)signal(SIGHUP, SIG_DFL); (void)signal(SIGINT, SIG_DFL); (void)signal(SIGTSTP, SIG_IGN); tbuf[0] = '-'; (void)strlcpy(tbuf + 1, (p = strrchr(shell, '/')) ? p + 1 : shell, sizeof(tbuf) - 1); if ((scds.rlim_cur != QUAD_MIN || scds.rlim_max != QUAD_MIN) && setrlimit(RLIMIT_CORE, &scds) < 0) syslog(LOG_ERR, "couldn't reset core dump size: %m"); if (lastchance) (void)printf("WARNING: Your password has expired." " You must change your password, now!\n"); if (setusercontext(lc, pwd, rootlogin ? 0 : pwd->pw_uid, LOGIN_SETALL & ~LOGIN_SETPATH) < 0) { warn("unable to set user context"); quickexit(1); } if (homeless) { (void)printf("No home directory %s!\n", pwd->pw_dir); (void)printf("Logging in with home = \"/\".\n"); (void)setenv("HOME", "/", 1); } if (auth_approval(as, lc, NULL, "login") == 0) { if (auth_getstate(as) & AUTH_EXPIRED) (void)printf("Sorry -- your account has expired.\n"); else (void)printf("approval failure\n"); quickexit(1); } /* * The last thing we do is discard all of the open file descriptors. * Last because the C library may have some open. */ closefrom(STDERR_FILENO + 1); /* * Close the authentication session, make sure it is marked * as okay so no files are removed. */ auth_setstate(as, AUTH_OKAY); auth_close(as); execlp(shell, tbuf, (char *)NULL); err(1, "%s", shell); }