14d3fc8b0SEd Maste /* $OpenBSD: auth.c,v 1.160 2023/03/05 05:34:09 dtucker Exp $ */
2a04a10f8SKris Kennaway /*
3a04a10f8SKris Kennaway * Copyright (c) 2000 Markus Friedl. All rights reserved.
4e8aafc91SKris Kennaway *
5c2d3a559SKris Kennaway * Redistribution and use in source and binary forms, with or without
6c2d3a559SKris Kennaway * modification, are permitted provided that the following conditions
7c2d3a559SKris Kennaway * are met:
8c2d3a559SKris Kennaway * 1. Redistributions of source code must retain the above copyright
9c2d3a559SKris Kennaway * notice, this list of conditions and the following disclaimer.
10c2d3a559SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright
11c2d3a559SKris Kennaway * notice, this list of conditions and the following disclaimer in the
12c2d3a559SKris Kennaway * documentation and/or other materials provided with the distribution.
13c2d3a559SKris Kennaway *
14c2d3a559SKris Kennaway * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15c2d3a559SKris Kennaway * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16c2d3a559SKris Kennaway * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17c2d3a559SKris Kennaway * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18c2d3a559SKris Kennaway * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19c2d3a559SKris Kennaway * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20c2d3a559SKris Kennaway * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21c2d3a559SKris Kennaway * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22c2d3a559SKris Kennaway * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23c2d3a559SKris Kennaway * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24a04a10f8SKris Kennaway */
25a04a10f8SKris Kennaway
26a04a10f8SKris Kennaway #include "includes.h"
27a04a10f8SKris Kennaway
28333ee039SDag-Erling Smørgrav #include <sys/types.h>
29333ee039SDag-Erling Smørgrav #include <sys/stat.h>
30076ad2f8SDag-Erling Smørgrav #include <sys/socket.h>
3147dd1d1bSDag-Erling Smørgrav #include <sys/wait.h>
32333ee039SDag-Erling Smørgrav
33333ee039SDag-Erling Smørgrav #include <netinet/in.h>
34333ee039SDag-Erling Smørgrav
3519261079SEd Maste #include <stdlib.h>
36333ee039SDag-Erling Smørgrav #include <errno.h>
37d4af9e69SDag-Erling Smørgrav #include <fcntl.h>
38333ee039SDag-Erling Smørgrav #ifdef HAVE_PATHS_H
39333ee039SDag-Erling Smørgrav # include <paths.h>
40333ee039SDag-Erling Smørgrav #endif
41333ee039SDag-Erling Smørgrav #include <pwd.h>
42989dd127SDag-Erling Smørgrav #ifdef HAVE_LOGIN_H
43989dd127SDag-Erling Smørgrav #include <login.h>
44989dd127SDag-Erling Smørgrav #endif
451ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
46989dd127SDag-Erling Smørgrav #include <shadow.h>
471ec0d754SDag-Erling Smørgrav #endif
48333ee039SDag-Erling Smørgrav #include <stdarg.h>
49333ee039SDag-Erling Smørgrav #include <stdio.h>
50333ee039SDag-Erling Smørgrav #include <string.h>
51d4af9e69SDag-Erling Smørgrav #include <unistd.h>
52bc5531deSDag-Erling Smørgrav #include <limits.h>
53076ad2f8SDag-Erling Smørgrav #include <netdb.h>
5419261079SEd Maste #include <time.h>
55af12a3e7SDag-Erling Smørgrav
56a04a10f8SKris Kennaway #include "xmalloc.h"
57a04a10f8SKris Kennaway #include "match.h"
58ca3176e7SBrian Feldman #include "groupaccess.h"
59ca3176e7SBrian Feldman #include "log.h"
60190cef3dSDag-Erling Smørgrav #include "sshbuf.h"
61a0ee8cc6SDag-Erling Smørgrav #include "misc.h"
62ca3176e7SBrian Feldman #include "servconf.h"
63190cef3dSDag-Erling Smørgrav #include "sshkey.h"
64333ee039SDag-Erling Smørgrav #include "hostfile.h"
65a04a10f8SKris Kennaway #include "auth.h"
66ca3176e7SBrian Feldman #include "auth-options.h"
67ca3176e7SBrian Feldman #include "canohost.h"
68af12a3e7SDag-Erling Smørgrav #include "uidswap.h"
6980628bacSDag-Erling Smørgrav #include "packet.h"
70aa49c926SDag-Erling Smørgrav #include "loginrec.h"
71333ee039SDag-Erling Smørgrav #ifdef GSSAPI
72333ee039SDag-Erling Smørgrav #include "ssh-gss.h"
73333ee039SDag-Erling Smørgrav #endif
74b15c8340SDag-Erling Smørgrav #include "authfile.h"
75aa49c926SDag-Erling Smørgrav #include "monitor_wrap.h"
76bc5531deSDag-Erling Smørgrav #include "ssherr.h"
7747dd1d1bSDag-Erling Smørgrav #include "channels.h"
78b2af61ecSKurt Lidl #include "blacklist_client.h"
79a04a10f8SKris Kennaway
80a04a10f8SKris Kennaway /* import */
81a04a10f8SKris Kennaway extern ServerOptions options;
8219261079SEd Maste extern struct include_list includes;
83333ee039SDag-Erling Smørgrav extern int use_privsep;
84190cef3dSDag-Erling Smørgrav extern struct sshbuf *loginmsg;
85333ee039SDag-Erling Smørgrav extern struct passwd *privsep_pw;
8647dd1d1bSDag-Erling Smørgrav extern struct sshauthopt *auth_opts;
87a04a10f8SKris Kennaway
8880628bacSDag-Erling Smørgrav /* Debugging messages */
89190cef3dSDag-Erling Smørgrav static struct sshbuf *auth_debug;
9080628bacSDag-Erling Smørgrav
91a04a10f8SKris Kennaway /*
92ca3176e7SBrian Feldman * Check if the user is allowed to log in via ssh. If user is listed
93ca3176e7SBrian Feldman * in DenyUsers or one of user's groups is listed in DenyGroups, false
94ca3176e7SBrian Feldman * will be returned. If AllowUsers isn't empty and user isn't listed
95ca3176e7SBrian Feldman * there, or if AllowGroups isn't empty and one of user's groups isn't
96ca3176e7SBrian Feldman * listed there, false will be returned.
97a04a10f8SKris Kennaway * If the user's shell is not executable, false will be returned.
98a04a10f8SKris Kennaway * Otherwise true is returned.
99a04a10f8SKris Kennaway */
100a04a10f8SKris Kennaway int
allowed_user(struct ssh * ssh,struct passwd * pw)10119261079SEd Maste allowed_user(struct ssh *ssh, struct passwd * pw)
102a04a10f8SKris Kennaway {
103a04a10f8SKris Kennaway struct stat st;
10487c1498dSEd Maste const char *hostname = NULL, *ipaddr = NULL;
105d4ecd108SDag-Erling Smørgrav u_int i;
106ca86bcf2SDag-Erling Smørgrav int r;
107a04a10f8SKris Kennaway
108a04a10f8SKris Kennaway /* Shouldn't be called if pw is NULL, but better safe than sorry... */
109ca3176e7SBrian Feldman if (!pw || !pw->pw_name)
110a04a10f8SKris Kennaway return 0;
111a04a10f8SKris Kennaway
11287c1498dSEd Maste if (!options.use_pam && platform_locked_account(pw)) {
113cf2b5f3bSDag-Erling Smørgrav logit("User %.100s not allowed because account is locked",
114cf2b5f3bSDag-Erling Smørgrav pw->pw_name);
115cf2b5f3bSDag-Erling Smørgrav return 0;
116cf2b5f3bSDag-Erling Smørgrav }
117cf2b5f3bSDag-Erling Smørgrav
118c322fe35SKris Kennaway /*
119b15c8340SDag-Erling Smørgrav * Deny if shell does not exist or is not executable unless we
120b15c8340SDag-Erling Smørgrav * are chrooting.
121c322fe35SKris Kennaway */
122b15c8340SDag-Erling Smørgrav if (options.chroot_directory == NULL ||
123b15c8340SDag-Erling Smørgrav strcasecmp(options.chroot_directory, "none") == 0) {
124b15c8340SDag-Erling Smørgrav char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
125b15c8340SDag-Erling Smørgrav _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
126c322fe35SKris Kennaway
12719261079SEd Maste if (stat(shell, &st) == -1) {
128b15c8340SDag-Erling Smørgrav logit("User %.100s not allowed because shell %.100s "
129b15c8340SDag-Erling Smørgrav "does not exist", pw->pw_name, shell);
130e4a9863fSDag-Erling Smørgrav free(shell);
131a04a10f8SKris Kennaway return 0;
132af12a3e7SDag-Erling Smørgrav }
13380628bacSDag-Erling Smørgrav if (S_ISREG(st.st_mode) == 0 ||
13480628bacSDag-Erling Smørgrav (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
135b15c8340SDag-Erling Smørgrav logit("User %.100s not allowed because shell %.100s "
136b15c8340SDag-Erling Smørgrav "is not executable", pw->pw_name, shell);
137e4a9863fSDag-Erling Smørgrav free(shell);
138a04a10f8SKris Kennaway return 0;
139af12a3e7SDag-Erling Smørgrav }
140e4a9863fSDag-Erling Smørgrav free(shell);
141b15c8340SDag-Erling Smørgrav }
142af12a3e7SDag-Erling Smørgrav
143aa49c926SDag-Erling Smørgrav if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
144aa49c926SDag-Erling Smørgrav options.num_deny_groups > 0 || options.num_allow_groups > 0) {
145076ad2f8SDag-Erling Smørgrav hostname = auth_get_canonical_hostname(ssh, options.use_dns);
146076ad2f8SDag-Erling Smørgrav ipaddr = ssh_remote_ipaddr(ssh);
147af12a3e7SDag-Erling Smørgrav }
148a04a10f8SKris Kennaway
149a04a10f8SKris Kennaway /* Return false if user is listed in DenyUsers */
150a04a10f8SKris Kennaway if (options.num_deny_users > 0) {
151ca86bcf2SDag-Erling Smørgrav for (i = 0; i < options.num_deny_users; i++) {
152ca86bcf2SDag-Erling Smørgrav r = match_user(pw->pw_name, hostname, ipaddr,
153ca86bcf2SDag-Erling Smørgrav options.deny_users[i]);
154ca86bcf2SDag-Erling Smørgrav if (r < 0) {
155ca86bcf2SDag-Erling Smørgrav fatal("Invalid DenyUsers pattern \"%.100s\"",
156ca86bcf2SDag-Erling Smørgrav options.deny_users[i]);
157ca86bcf2SDag-Erling Smørgrav } else if (r != 0) {
158aa49c926SDag-Erling Smørgrav logit("User %.100s from %.100s not allowed "
159aa49c926SDag-Erling Smørgrav "because listed in DenyUsers",
160aa49c926SDag-Erling Smørgrav pw->pw_name, hostname);
161a04a10f8SKris Kennaway return 0;
162a04a10f8SKris Kennaway }
163af12a3e7SDag-Erling Smørgrav }
164ca86bcf2SDag-Erling Smørgrav }
165a04a10f8SKris Kennaway /* Return false if AllowUsers isn't empty and user isn't listed there */
166a04a10f8SKris Kennaway if (options.num_allow_users > 0) {
167ca86bcf2SDag-Erling Smørgrav for (i = 0; i < options.num_allow_users; i++) {
168ca86bcf2SDag-Erling Smørgrav r = match_user(pw->pw_name, hostname, ipaddr,
169ca86bcf2SDag-Erling Smørgrav options.allow_users[i]);
170ca86bcf2SDag-Erling Smørgrav if (r < 0) {
171ca86bcf2SDag-Erling Smørgrav fatal("Invalid AllowUsers pattern \"%.100s\"",
172ca86bcf2SDag-Erling Smørgrav options.allow_users[i]);
173ca86bcf2SDag-Erling Smørgrav } else if (r == 1)
174a04a10f8SKris Kennaway break;
175ca86bcf2SDag-Erling Smørgrav }
176a04a10f8SKris Kennaway /* i < options.num_allow_users iff we break for loop */
177af12a3e7SDag-Erling Smørgrav if (i >= options.num_allow_users) {
178aa49c926SDag-Erling Smørgrav logit("User %.100s from %.100s not allowed because "
179aa49c926SDag-Erling Smørgrav "not listed in AllowUsers", pw->pw_name, hostname);
180a04a10f8SKris Kennaway return 0;
181a04a10f8SKris Kennaway }
182af12a3e7SDag-Erling Smørgrav }
183a04a10f8SKris Kennaway if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
184ca3176e7SBrian Feldman /* Get the user's group access list (primary and supplementary) */
185af12a3e7SDag-Erling Smørgrav if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
186aa49c926SDag-Erling Smørgrav logit("User %.100s from %.100s not allowed because "
187aa49c926SDag-Erling Smørgrav "not in any group", pw->pw_name, hostname);
188a04a10f8SKris Kennaway return 0;
189af12a3e7SDag-Erling Smørgrav }
190a04a10f8SKris Kennaway
191ca3176e7SBrian Feldman /* Return false if one of user's groups is listed in DenyGroups */
192ca3176e7SBrian Feldman if (options.num_deny_groups > 0)
193ca3176e7SBrian Feldman if (ga_match(options.deny_groups,
194ca3176e7SBrian Feldman options.num_deny_groups)) {
195ca3176e7SBrian Feldman ga_free();
196aa49c926SDag-Erling Smørgrav logit("User %.100s from %.100s not allowed "
197aa49c926SDag-Erling Smørgrav "because a group is listed in DenyGroups",
198aa49c926SDag-Erling Smørgrav pw->pw_name, hostname);
199a04a10f8SKris Kennaway return 0;
200a04a10f8SKris Kennaway }
201a04a10f8SKris Kennaway /*
202ca3176e7SBrian Feldman * Return false if AllowGroups isn't empty and one of user's groups
203a04a10f8SKris Kennaway * isn't listed there
204a04a10f8SKris Kennaway */
205ca3176e7SBrian Feldman if (options.num_allow_groups > 0)
206ca3176e7SBrian Feldman if (!ga_match(options.allow_groups,
207ca3176e7SBrian Feldman options.num_allow_groups)) {
208ca3176e7SBrian Feldman ga_free();
209aa49c926SDag-Erling Smørgrav logit("User %.100s from %.100s not allowed "
210aa49c926SDag-Erling Smørgrav "because none of user's groups are listed "
211aa49c926SDag-Erling Smørgrav "in AllowGroups", pw->pw_name, hostname);
212a04a10f8SKris Kennaway return 0;
213a04a10f8SKris Kennaway }
214ca3176e7SBrian Feldman ga_free();
215a04a10f8SKris Kennaway }
216989dd127SDag-Erling Smørgrav
21721e764dfSDag-Erling Smørgrav #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
21819261079SEd Maste if (!sys_auth_allowed_user(pw, loginmsg))
219989dd127SDag-Erling Smørgrav return 0;
22021e764dfSDag-Erling Smørgrav #endif
221989dd127SDag-Erling Smørgrav
222a04a10f8SKris Kennaway /* We found no reason not to let this user try to log on... */
223a04a10f8SKris Kennaway return 1;
224a04a10f8SKris Kennaway }
225ca3176e7SBrian Feldman
2264f52dfbbSDag-Erling Smørgrav /*
2274f52dfbbSDag-Erling Smørgrav * Formats any key left in authctxt->auth_method_key for inclusion in
2284f52dfbbSDag-Erling Smørgrav * auth_log()'s message. Also includes authxtct->auth_method_info if present.
2294f52dfbbSDag-Erling Smørgrav */
2304f52dfbbSDag-Erling Smørgrav static char *
format_method_key(Authctxt * authctxt)2314f52dfbbSDag-Erling Smørgrav format_method_key(Authctxt *authctxt)
232e4a9863fSDag-Erling Smørgrav {
2334f52dfbbSDag-Erling Smørgrav const struct sshkey *key = authctxt->auth_method_key;
2344f52dfbbSDag-Erling Smørgrav const char *methinfo = authctxt->auth_method_info;
2352f513db7SEd Maste char *fp, *cafp, *ret = NULL;
236e4a9863fSDag-Erling Smørgrav
2374f52dfbbSDag-Erling Smørgrav if (key == NULL)
2384f52dfbbSDag-Erling Smørgrav return NULL;
239e4a9863fSDag-Erling Smørgrav
240190cef3dSDag-Erling Smørgrav if (sshkey_is_cert(key)) {
2412f513db7SEd Maste fp = sshkey_fingerprint(key,
2424f52dfbbSDag-Erling Smørgrav options.fingerprint_hash, SSH_FP_DEFAULT);
2432f513db7SEd Maste cafp = sshkey_fingerprint(key->cert->signature_key,
2442f513db7SEd Maste options.fingerprint_hash, SSH_FP_DEFAULT);
2452f513db7SEd Maste xasprintf(&ret, "%s %s ID %s (serial %llu) CA %s %s%s%s",
2462f513db7SEd Maste sshkey_type(key), fp == NULL ? "(null)" : fp,
2472f513db7SEd Maste key->cert->key_id,
2484f52dfbbSDag-Erling Smørgrav (unsigned long long)key->cert->serial,
2494f52dfbbSDag-Erling Smørgrav sshkey_type(key->cert->signature_key),
2502f513db7SEd Maste cafp == NULL ? "(null)" : cafp,
2514f52dfbbSDag-Erling Smørgrav methinfo == NULL ? "" : ", ",
2524f52dfbbSDag-Erling Smørgrav methinfo == NULL ? "" : methinfo);
2534f52dfbbSDag-Erling Smørgrav free(fp);
2542f513db7SEd Maste free(cafp);
2554f52dfbbSDag-Erling Smørgrav } else {
2564f52dfbbSDag-Erling Smørgrav fp = sshkey_fingerprint(key, options.fingerprint_hash,
2574f52dfbbSDag-Erling Smørgrav SSH_FP_DEFAULT);
2584f52dfbbSDag-Erling Smørgrav xasprintf(&ret, "%s %s%s%s", sshkey_type(key),
2594f52dfbbSDag-Erling Smørgrav fp == NULL ? "(null)" : fp,
2604f52dfbbSDag-Erling Smørgrav methinfo == NULL ? "" : ", ",
2614f52dfbbSDag-Erling Smørgrav methinfo == NULL ? "" : methinfo);
2624f52dfbbSDag-Erling Smørgrav free(fp);
2634f52dfbbSDag-Erling Smørgrav }
2644f52dfbbSDag-Erling Smørgrav return ret;
265e4a9863fSDag-Erling Smørgrav }
266e4a9863fSDag-Erling Smørgrav
267e4a9863fSDag-Erling Smørgrav void
auth_log(struct ssh * ssh,int authenticated,int partial,const char * method,const char * submethod)26819261079SEd Maste auth_log(struct ssh *ssh, int authenticated, int partial,
269e4a9863fSDag-Erling Smørgrav const char *method, const char *submethod)
270ca3176e7SBrian Feldman {
27119261079SEd Maste Authctxt *authctxt = (Authctxt *)ssh->authctxt;
2722f513db7SEd Maste int level = SYSLOG_LEVEL_VERBOSE;
2734f52dfbbSDag-Erling Smørgrav const char *authmsg;
2744f52dfbbSDag-Erling Smørgrav char *extra = NULL;
275ca3176e7SBrian Feldman
276333ee039SDag-Erling Smørgrav if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
277333ee039SDag-Erling Smørgrav return;
278333ee039SDag-Erling Smørgrav
279ca3176e7SBrian Feldman /* Raise logging level */
280ca3176e7SBrian Feldman if (authenticated == 1 ||
281ca3176e7SBrian Feldman !authctxt->valid ||
28221e764dfSDag-Erling Smørgrav authctxt->failures >= options.max_authtries / 2 ||
283ca3176e7SBrian Feldman strcmp(method, "password") == 0)
2842f513db7SEd Maste level = SYSLOG_LEVEL_INFO;
285ca3176e7SBrian Feldman
286ca3176e7SBrian Feldman if (authctxt->postponed)
287ca3176e7SBrian Feldman authmsg = "Postponed";
2886888a9beSDag-Erling Smørgrav else if (partial)
2896888a9beSDag-Erling Smørgrav authmsg = "Partial";
290b2af61ecSKurt Lidl else {
291ca3176e7SBrian Feldman authmsg = authenticated ? "Accepted" : "Failed";
2925057f656SKurt Lidl if (authenticated)
2930f9bafdfSEd Maste BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
294b2af61ecSKurt Lidl }
295ca3176e7SBrian Feldman
2964f52dfbbSDag-Erling Smørgrav if ((extra = format_method_key(authctxt)) == NULL) {
2974f52dfbbSDag-Erling Smørgrav if (authctxt->auth_method_info != NULL)
2984f52dfbbSDag-Erling Smørgrav extra = xstrdup(authctxt->auth_method_info);
2994f52dfbbSDag-Erling Smørgrav }
3004f52dfbbSDag-Erling Smørgrav
3012f513db7SEd Maste do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
302ca3176e7SBrian Feldman authmsg,
303ca3176e7SBrian Feldman method,
3046888a9beSDag-Erling Smørgrav submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
30521e764dfSDag-Erling Smørgrav authctxt->valid ? "" : "invalid user ",
306af12a3e7SDag-Erling Smørgrav authctxt->user,
307076ad2f8SDag-Erling Smørgrav ssh_remote_ipaddr(ssh),
308076ad2f8SDag-Erling Smørgrav ssh_remote_port(ssh),
3094f52dfbbSDag-Erling Smørgrav extra != NULL ? ": " : "",
3104f52dfbbSDag-Erling Smørgrav extra != NULL ? extra : "");
3114f52dfbbSDag-Erling Smørgrav
3124f52dfbbSDag-Erling Smørgrav free(extra);
313f388f5efSDag-Erling Smørgrav
31419261079SEd Maste #if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
31519261079SEd Maste if (authenticated == 0 && !(authctxt->postponed || partial)) {
31619261079SEd Maste /* Log failed login attempt */
317cf2b5f3bSDag-Erling Smørgrav # ifdef CUSTOM_FAILED_LOGIN
31819261079SEd Maste if (strcmp(method, "password") == 0 ||
319aa49c926SDag-Erling Smørgrav strncmp(method, "keyboard-interactive", 20) == 0 ||
32019261079SEd Maste strcmp(method, "challenge-response") == 0)
32119261079SEd Maste record_failed_login(ssh, authctxt->user,
322076ad2f8SDag-Erling Smørgrav auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
32319261079SEd Maste # endif
32419261079SEd Maste # ifdef SSH_AUDIT_EVENTS
32519261079SEd Maste audit_event(ssh, audit_classify_auth(method));
32619261079SEd Maste # endif
32719261079SEd Maste }
32819261079SEd Maste #endif
32919261079SEd Maste #if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
330333ee039SDag-Erling Smørgrav if (authenticated)
331333ee039SDag-Erling Smørgrav sys_auth_record_login(authctxt->user,
332076ad2f8SDag-Erling Smørgrav auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
33319261079SEd Maste loginmsg);
334cf2b5f3bSDag-Erling Smørgrav #endif
335ca3176e7SBrian Feldman }
336ca3176e7SBrian Feldman
337a0ee8cc6SDag-Erling Smørgrav void
auth_maxtries_exceeded(struct ssh * ssh)33819261079SEd Maste auth_maxtries_exceeded(struct ssh *ssh)
339a0ee8cc6SDag-Erling Smørgrav {
34019261079SEd Maste Authctxt *authctxt = (Authctxt *)ssh->authctxt;
341076ad2f8SDag-Erling Smørgrav
342bc5531deSDag-Erling Smørgrav error("maximum authentication attempts exceeded for "
343ca86bcf2SDag-Erling Smørgrav "%s%.100s from %.200s port %d ssh2",
344a0ee8cc6SDag-Erling Smørgrav authctxt->valid ? "" : "invalid user ",
345a0ee8cc6SDag-Erling Smørgrav authctxt->user,
346076ad2f8SDag-Erling Smørgrav ssh_remote_ipaddr(ssh),
347ca86bcf2SDag-Erling Smørgrav ssh_remote_port(ssh));
34819261079SEd Maste ssh_packet_disconnect(ssh, "Too many authentication failures");
349a0ee8cc6SDag-Erling Smørgrav /* NOTREACHED */
350a0ee8cc6SDag-Erling Smørgrav }
351a0ee8cc6SDag-Erling Smørgrav
352ca3176e7SBrian Feldman /*
353ca3176e7SBrian Feldman * Check whether root logins are disallowed.
354ca3176e7SBrian Feldman */
355ca3176e7SBrian Feldman int
auth_root_allowed(struct ssh * ssh,const char * method)35647dd1d1bSDag-Erling Smørgrav auth_root_allowed(struct ssh *ssh, const char *method)
357ca3176e7SBrian Feldman {
358ca3176e7SBrian Feldman switch (options.permit_root_login) {
359ca3176e7SBrian Feldman case PERMIT_YES:
360ca3176e7SBrian Feldman return 1;
361ca3176e7SBrian Feldman case PERMIT_NO_PASSWD:
362eccfee6eSDag-Erling Smørgrav if (strcmp(method, "publickey") == 0 ||
363eccfee6eSDag-Erling Smørgrav strcmp(method, "hostbased") == 0 ||
364fc1ba28aSDag-Erling Smørgrav strcmp(method, "gssapi-with-mic") == 0)
365ca3176e7SBrian Feldman return 1;
366ca3176e7SBrian Feldman break;
367ca3176e7SBrian Feldman case PERMIT_FORCED_ONLY:
36847dd1d1bSDag-Erling Smørgrav if (auth_opts->force_command != NULL) {
369cf2b5f3bSDag-Erling Smørgrav logit("Root login accepted for forced command.");
370ca3176e7SBrian Feldman return 1;
371ca3176e7SBrian Feldman }
372ca3176e7SBrian Feldman break;
373ca3176e7SBrian Feldman }
374076ad2f8SDag-Erling Smørgrav logit("ROOT LOGIN REFUSED FROM %.200s port %d",
375076ad2f8SDag-Erling Smørgrav ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
376ca3176e7SBrian Feldman return 0;
377ca3176e7SBrian Feldman }
378af12a3e7SDag-Erling Smørgrav
379af12a3e7SDag-Erling Smørgrav
380af12a3e7SDag-Erling Smørgrav /*
381af12a3e7SDag-Erling Smørgrav * Given a template and a passwd structure, build a filename
382af12a3e7SDag-Erling Smørgrav * by substituting % tokenised options. Currently, %% becomes '%',
383af12a3e7SDag-Erling Smørgrav * %h becomes the home directory and %u the username.
384af12a3e7SDag-Erling Smørgrav *
385af12a3e7SDag-Erling Smørgrav * This returns a buffer allocated by xmalloc.
386af12a3e7SDag-Erling Smørgrav */
387e146993eSDag-Erling Smørgrav char *
expand_authorized_keys(const char * filename,struct passwd * pw)388d4ecd108SDag-Erling Smørgrav expand_authorized_keys(const char *filename, struct passwd *pw)
389af12a3e7SDag-Erling Smørgrav {
390190cef3dSDag-Erling Smørgrav char *file, uidstr[32], ret[PATH_MAX];
391333ee039SDag-Erling Smørgrav int i;
392af12a3e7SDag-Erling Smørgrav
393190cef3dSDag-Erling Smørgrav snprintf(uidstr, sizeof(uidstr), "%llu",
394190cef3dSDag-Erling Smørgrav (unsigned long long)pw->pw_uid);
395d4ecd108SDag-Erling Smørgrav file = percent_expand(filename, "h", pw->pw_dir,
396190cef3dSDag-Erling Smørgrav "u", pw->pw_name, "U", uidstr, (char *)NULL);
397af12a3e7SDag-Erling Smørgrav
398af12a3e7SDag-Erling Smørgrav /*
399af12a3e7SDag-Erling Smørgrav * Ensure that filename starts anchored. If not, be backward
400af12a3e7SDag-Erling Smørgrav * compatible and prepend the '%h/'
401af12a3e7SDag-Erling Smørgrav */
40219261079SEd Maste if (path_absolute(file))
403d4ecd108SDag-Erling Smørgrav return (file);
404af12a3e7SDag-Erling Smørgrav
405333ee039SDag-Erling Smørgrav i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
406333ee039SDag-Erling Smørgrav if (i < 0 || (size_t)i >= sizeof(ret))
407d4ecd108SDag-Erling Smørgrav fatal("expand_authorized_keys: path too long");
408e4a9863fSDag-Erling Smørgrav free(file);
409333ee039SDag-Erling Smørgrav return (xstrdup(ret));
410af12a3e7SDag-Erling Smørgrav }
411af12a3e7SDag-Erling Smørgrav
412af12a3e7SDag-Erling Smørgrav char *
authorized_principals_file(struct passwd * pw)413e2f6069cSDag-Erling Smørgrav authorized_principals_file(struct passwd *pw)
414e2f6069cSDag-Erling Smørgrav {
415557f75e5SDag-Erling Smørgrav if (options.authorized_principals_file == NULL)
416e2f6069cSDag-Erling Smørgrav return NULL;
417e2f6069cSDag-Erling Smørgrav return expand_authorized_keys(options.authorized_principals_file, pw);
418e2f6069cSDag-Erling Smørgrav }
419e2f6069cSDag-Erling Smørgrav
420af12a3e7SDag-Erling Smørgrav /* return ok if key exists in sysfile or userfile */
421af12a3e7SDag-Erling Smørgrav HostStatus
check_key_in_hostfiles(struct passwd * pw,struct sshkey * key,const char * host,const char * sysfile,const char * userfile)4224f52dfbbSDag-Erling Smørgrav check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
423af12a3e7SDag-Erling Smørgrav const char *sysfile, const char *userfile)
424af12a3e7SDag-Erling Smørgrav {
425af12a3e7SDag-Erling Smørgrav char *user_hostfile;
426af12a3e7SDag-Erling Smørgrav struct stat st;
427af12a3e7SDag-Erling Smørgrav HostStatus host_status;
4284a421b63SDag-Erling Smørgrav struct hostkeys *hostkeys;
4294a421b63SDag-Erling Smørgrav const struct hostkey_entry *found;
430af12a3e7SDag-Erling Smørgrav
4314a421b63SDag-Erling Smørgrav hostkeys = init_hostkeys();
43219261079SEd Maste load_hostkeys(hostkeys, host, sysfile, 0);
4334a421b63SDag-Erling Smørgrav if (userfile != NULL) {
434af12a3e7SDag-Erling Smørgrav user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
435af12a3e7SDag-Erling Smørgrav if (options.strict_modes &&
436af12a3e7SDag-Erling Smørgrav (stat(user_hostfile, &st) == 0) &&
437af12a3e7SDag-Erling Smørgrav ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
438af12a3e7SDag-Erling Smørgrav (st.st_mode & 022) != 0)) {
439cf2b5f3bSDag-Erling Smørgrav logit("Authentication refused for %.100s: "
440af12a3e7SDag-Erling Smørgrav "bad owner or modes for %.200s",
441af12a3e7SDag-Erling Smørgrav pw->pw_name, user_hostfile);
442e2f6069cSDag-Erling Smørgrav auth_debug_add("Ignored %.200s: bad ownership or modes",
443e2f6069cSDag-Erling Smørgrav user_hostfile);
444af12a3e7SDag-Erling Smørgrav } else {
445af12a3e7SDag-Erling Smørgrav temporarily_use_uid(pw);
44619261079SEd Maste load_hostkeys(hostkeys, host, user_hostfile, 0);
447af12a3e7SDag-Erling Smørgrav restore_uid();
448af12a3e7SDag-Erling Smørgrav }
449e4a9863fSDag-Erling Smørgrav free(user_hostfile);
450af12a3e7SDag-Erling Smørgrav }
4514a421b63SDag-Erling Smørgrav host_status = check_key_in_hostkeys(hostkeys, key, &found);
4524a421b63SDag-Erling Smørgrav if (host_status == HOST_REVOKED)
4534a421b63SDag-Erling Smørgrav error("WARNING: revoked key for %s attempted authentication",
45419261079SEd Maste host);
4554a421b63SDag-Erling Smørgrav else if (host_status == HOST_OK)
45619261079SEd Maste debug_f("key for %s found at %s:%ld",
4574a421b63SDag-Erling Smørgrav found->host, found->file, found->line);
4584a421b63SDag-Erling Smørgrav else
45919261079SEd Maste debug_f("key for host %s not found", host);
460af12a3e7SDag-Erling Smørgrav
4614a421b63SDag-Erling Smørgrav free_hostkeys(hostkeys);
4624a421b63SDag-Erling Smørgrav
463af12a3e7SDag-Erling Smørgrav return host_status;
464af12a3e7SDag-Erling Smørgrav }
465af12a3e7SDag-Erling Smørgrav
46680628bacSDag-Erling Smørgrav struct passwd *
getpwnamallow(struct ssh * ssh,const char * user)46719261079SEd Maste getpwnamallow(struct ssh *ssh, const char *user)
46880628bacSDag-Erling Smørgrav {
46980628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
47080628bacSDag-Erling Smørgrav extern login_cap_t *lc;
47127ceebbcSEd Maste #ifdef HAVE_AUTH_HOSTOK
47227ceebbcSEd Maste const char *from_host, *from_ip;
47327ceebbcSEd Maste #endif
47480628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
47580628bacSDag-Erling Smørgrav auth_session_t *as;
47680628bacSDag-Erling Smørgrav #endif
47780628bacSDag-Erling Smørgrav #endif
47880628bacSDag-Erling Smørgrav struct passwd *pw;
47919261079SEd Maste struct connection_info *ci;
48019261079SEd Maste u_int i;
48180628bacSDag-Erling Smørgrav
48219261079SEd Maste ci = get_connection_info(ssh, 1, options.use_dns);
483462c32cbSDag-Erling Smørgrav ci->user = user;
48419261079SEd Maste parse_server_match_config(&options, &includes, ci);
4854f52dfbbSDag-Erling Smørgrav log_change_level(options.log_level);
48619261079SEd Maste log_verbose_reset();
48719261079SEd Maste for (i = 0; i < options.num_log_verbose; i++)
48819261079SEd Maste log_verbose_add(options.log_verbose[i]);
4894f52dfbbSDag-Erling Smørgrav process_permitopen(ssh, &options);
490333ee039SDag-Erling Smørgrav
491b15c8340SDag-Erling Smørgrav #if defined(_AIX) && defined(HAVE_SETAUTHDB)
492b15c8340SDag-Erling Smørgrav aix_setauthdb(user);
493b15c8340SDag-Erling Smørgrav #endif
494b15c8340SDag-Erling Smørgrav
49580628bacSDag-Erling Smørgrav pw = getpwnam(user);
496b15c8340SDag-Erling Smørgrav
497b15c8340SDag-Erling Smørgrav #if defined(_AIX) && defined(HAVE_SETAUTHDB)
498b15c8340SDag-Erling Smørgrav aix_restoreauthdb();
499b15c8340SDag-Erling Smørgrav #endif
500f388f5efSDag-Erling Smørgrav if (pw == NULL) {
5010f9bafdfSEd Maste BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
502076ad2f8SDag-Erling Smørgrav logit("Invalid user %.100s from %.100s port %d",
503076ad2f8SDag-Erling Smørgrav user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
504cf2b5f3bSDag-Erling Smørgrav #ifdef CUSTOM_FAILED_LOGIN
50519261079SEd Maste record_failed_login(ssh, user,
506076ad2f8SDag-Erling Smørgrav auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
507e73e9afaSDag-Erling Smørgrav #endif
508aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS
50919261079SEd Maste audit_event(ssh, SSH_INVALID_USER);
510aa49c926SDag-Erling Smørgrav #endif /* SSH_AUDIT_EVENTS */
511f388f5efSDag-Erling Smørgrav return (NULL);
512f388f5efSDag-Erling Smørgrav }
51319261079SEd Maste if (!allowed_user(ssh, pw))
51480628bacSDag-Erling Smørgrav return (NULL);
51580628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
516f38aa77fSTony Finch if ((lc = login_getpwclass(pw)) == NULL) {
51780628bacSDag-Erling Smørgrav debug("unable to get login class: %s", user);
51880628bacSDag-Erling Smørgrav return (NULL);
51980628bacSDag-Erling Smørgrav }
52027ceebbcSEd Maste #ifdef HAVE_AUTH_HOSTOK
52127ceebbcSEd Maste from_host = auth_get_canonical_hostname(ssh, options.use_dns);
52227ceebbcSEd Maste from_ip = ssh_remote_ipaddr(ssh);
52327ceebbcSEd Maste if (!auth_hostok(lc, from_host, from_ip)) {
52427ceebbcSEd Maste debug("Denied connection for %.200s from %.200s [%.200s].",
52527ceebbcSEd Maste pw->pw_name, from_host, from_ip);
52627ceebbcSEd Maste return (NULL);
52727ceebbcSEd Maste }
52827ceebbcSEd Maste #endif /* HAVE_AUTH_HOSTOK */
52927ceebbcSEd Maste #ifdef HAVE_AUTH_TIMEOK
53027ceebbcSEd Maste if (!auth_timeok(lc, time(NULL))) {
53127ceebbcSEd Maste debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
53227ceebbcSEd Maste return (NULL);
53327ceebbcSEd Maste }
53427ceebbcSEd Maste #endif /* HAVE_AUTH_TIMEOK */
53580628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
53680628bacSDag-Erling Smørgrav if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
53780628bacSDag-Erling Smørgrav auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
53880628bacSDag-Erling Smørgrav debug("Approval failure for %s", user);
53980628bacSDag-Erling Smørgrav pw = NULL;
54080628bacSDag-Erling Smørgrav }
54180628bacSDag-Erling Smørgrav if (as != NULL)
54280628bacSDag-Erling Smørgrav auth_close(as);
54380628bacSDag-Erling Smørgrav #endif
54480628bacSDag-Erling Smørgrav #endif
54580628bacSDag-Erling Smørgrav if (pw != NULL)
54680628bacSDag-Erling Smørgrav return (pwcopy(pw));
54780628bacSDag-Erling Smørgrav return (NULL);
54880628bacSDag-Erling Smørgrav }
54980628bacSDag-Erling Smørgrav
550b15c8340SDag-Erling Smørgrav /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
551b15c8340SDag-Erling Smørgrav int
auth_key_is_revoked(struct sshkey * key)5524f52dfbbSDag-Erling Smørgrav auth_key_is_revoked(struct sshkey *key)
553b15c8340SDag-Erling Smørgrav {
554bc5531deSDag-Erling Smørgrav char *fp = NULL;
555bc5531deSDag-Erling Smørgrav int r;
556b15c8340SDag-Erling Smørgrav
557b15c8340SDag-Erling Smørgrav if (options.revoked_keys_file == NULL)
558b15c8340SDag-Erling Smørgrav return 0;
559bc5531deSDag-Erling Smørgrav if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
560bc5531deSDag-Erling Smørgrav SSH_FP_DEFAULT)) == NULL) {
561bc5531deSDag-Erling Smørgrav r = SSH_ERR_ALLOC_FAIL;
56219261079SEd Maste error_fr(r, "fingerprint key");
563bc5531deSDag-Erling Smørgrav goto out;
564bc5531deSDag-Erling Smørgrav }
565bc5531deSDag-Erling Smørgrav
566bc5531deSDag-Erling Smørgrav r = sshkey_check_revoked(key, options.revoked_keys_file);
567bc5531deSDag-Erling Smørgrav switch (r) {
5686888a9beSDag-Erling Smørgrav case 0:
569bc5531deSDag-Erling Smørgrav break; /* not revoked */
570bc5531deSDag-Erling Smørgrav case SSH_ERR_KEY_REVOKED:
571bc5531deSDag-Erling Smørgrav error("Authentication key %s %s revoked by file %s",
572bc5531deSDag-Erling Smørgrav sshkey_type(key), fp, options.revoked_keys_file);
573bc5531deSDag-Erling Smørgrav goto out;
5746888a9beSDag-Erling Smørgrav default:
57519261079SEd Maste error_r(r, "Error checking authentication key %s %s in "
57619261079SEd Maste "revoked keys file %s", sshkey_type(key), fp,
57719261079SEd Maste options.revoked_keys_file);
578bc5531deSDag-Erling Smørgrav goto out;
5796888a9beSDag-Erling Smørgrav }
580bc5531deSDag-Erling Smørgrav
581bc5531deSDag-Erling Smørgrav /* Success */
582bc5531deSDag-Erling Smørgrav r = 0;
583bc5531deSDag-Erling Smørgrav
584bc5531deSDag-Erling Smørgrav out:
585bc5531deSDag-Erling Smørgrav free(fp);
586bc5531deSDag-Erling Smørgrav return r == 0 ? 0 : 1;
587b15c8340SDag-Erling Smørgrav }
588b15c8340SDag-Erling Smørgrav
58980628bacSDag-Erling Smørgrav void
auth_debug_add(const char * fmt,...)59080628bacSDag-Erling Smørgrav auth_debug_add(const char *fmt,...)
59180628bacSDag-Erling Smørgrav {
59280628bacSDag-Erling Smørgrav char buf[1024];
59380628bacSDag-Erling Smørgrav va_list args;
594190cef3dSDag-Erling Smørgrav int r;
59580628bacSDag-Erling Smørgrav
59680628bacSDag-Erling Smørgrav va_start(args, fmt);
59780628bacSDag-Erling Smørgrav vsnprintf(buf, sizeof(buf), fmt, args);
59880628bacSDag-Erling Smørgrav va_end(args);
599f374ba41SEd Maste debug3("%s", buf);
600f374ba41SEd Maste if (auth_debug != NULL)
601190cef3dSDag-Erling Smørgrav if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0)
60219261079SEd Maste fatal_fr(r, "sshbuf_put_cstring");
60380628bacSDag-Erling Smørgrav }
60480628bacSDag-Erling Smørgrav
60580628bacSDag-Erling Smørgrav void
auth_debug_send(struct ssh * ssh)60619261079SEd Maste auth_debug_send(struct ssh *ssh)
60780628bacSDag-Erling Smørgrav {
60880628bacSDag-Erling Smørgrav char *msg;
609190cef3dSDag-Erling Smørgrav int r;
61080628bacSDag-Erling Smørgrav
611190cef3dSDag-Erling Smørgrav if (auth_debug == NULL)
61280628bacSDag-Erling Smørgrav return;
613190cef3dSDag-Erling Smørgrav while (sshbuf_len(auth_debug) != 0) {
614190cef3dSDag-Erling Smørgrav if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0)
61519261079SEd Maste fatal_fr(r, "sshbuf_get_cstring");
616190cef3dSDag-Erling Smørgrav ssh_packet_send_debug(ssh, "%s", msg);
617e4a9863fSDag-Erling Smørgrav free(msg);
61880628bacSDag-Erling Smørgrav }
61980628bacSDag-Erling Smørgrav }
62080628bacSDag-Erling Smørgrav
62180628bacSDag-Erling Smørgrav void
auth_debug_reset(void)62280628bacSDag-Erling Smørgrav auth_debug_reset(void)
62380628bacSDag-Erling Smørgrav {
624190cef3dSDag-Erling Smørgrav if (auth_debug != NULL)
625190cef3dSDag-Erling Smørgrav sshbuf_reset(auth_debug);
626190cef3dSDag-Erling Smørgrav else if ((auth_debug = sshbuf_new()) == NULL)
62719261079SEd Maste fatal_f("sshbuf_new failed");
62880628bacSDag-Erling Smørgrav }
629cf2b5f3bSDag-Erling Smørgrav
630cf2b5f3bSDag-Erling Smørgrav struct passwd *
fakepw(void)631cf2b5f3bSDag-Erling Smørgrav fakepw(void)
632cf2b5f3bSDag-Erling Smørgrav {
6331323ec57SEd Maste static int done = 0;
634cf2b5f3bSDag-Erling Smørgrav static struct passwd fake;
6351323ec57SEd Maste const char hashchars[] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ"
6361323ec57SEd Maste "abcdefghijklmnopqrstuvwxyz0123456789"; /* from bcrypt.c */
6371323ec57SEd Maste char *cp;
6381323ec57SEd Maste
6391323ec57SEd Maste if (done)
6401323ec57SEd Maste return (&fake);
641cf2b5f3bSDag-Erling Smørgrav
642cf2b5f3bSDag-Erling Smørgrav memset(&fake, 0, sizeof(fake));
643cf2b5f3bSDag-Erling Smørgrav fake.pw_name = "NOUSER";
6441323ec57SEd Maste fake.pw_passwd = xstrdup("$2a$10$"
6451323ec57SEd Maste "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
6461323ec57SEd Maste for (cp = fake.pw_passwd + 7; *cp != '\0'; cp++)
6471323ec57SEd Maste *cp = hashchars[arc4random_uniform(sizeof(hashchars) - 1)];
648e4a9863fSDag-Erling Smørgrav #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
649cf2b5f3bSDag-Erling Smørgrav fake.pw_gecos = "NOUSER";
650e4a9863fSDag-Erling Smørgrav #endif
651d4af9e69SDag-Erling Smørgrav fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
652d4af9e69SDag-Erling Smørgrav fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
653e4a9863fSDag-Erling Smørgrav #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
654cf2b5f3bSDag-Erling Smørgrav fake.pw_class = "";
655cf2b5f3bSDag-Erling Smørgrav #endif
656cf2b5f3bSDag-Erling Smørgrav fake.pw_dir = "/nonexist";
657cf2b5f3bSDag-Erling Smørgrav fake.pw_shell = "/nonexist";
6581323ec57SEd Maste done = 1;
659cf2b5f3bSDag-Erling Smørgrav
660cf2b5f3bSDag-Erling Smørgrav return (&fake);
661cf2b5f3bSDag-Erling Smørgrav }
662076ad2f8SDag-Erling Smørgrav
663076ad2f8SDag-Erling Smørgrav /*
664076ad2f8SDag-Erling Smørgrav * Returns the remote DNS hostname as a string. The returned string must not
665076ad2f8SDag-Erling Smørgrav * be freed. NB. this will usually trigger a DNS query the first time it is
666076ad2f8SDag-Erling Smørgrav * called.
667076ad2f8SDag-Erling Smørgrav * This function does additional checks on the hostname to mitigate some
66819261079SEd Maste * attacks on based on conflation of hostnames and IP addresses.
669076ad2f8SDag-Erling Smørgrav */
670076ad2f8SDag-Erling Smørgrav
671076ad2f8SDag-Erling Smørgrav static char *
remote_hostname(struct ssh * ssh)672076ad2f8SDag-Erling Smørgrav remote_hostname(struct ssh *ssh)
673076ad2f8SDag-Erling Smørgrav {
674076ad2f8SDag-Erling Smørgrav struct sockaddr_storage from;
675076ad2f8SDag-Erling Smørgrav socklen_t fromlen;
676076ad2f8SDag-Erling Smørgrav struct addrinfo hints, *ai, *aitop;
677076ad2f8SDag-Erling Smørgrav char name[NI_MAXHOST], ntop2[NI_MAXHOST];
678076ad2f8SDag-Erling Smørgrav const char *ntop = ssh_remote_ipaddr(ssh);
679076ad2f8SDag-Erling Smørgrav
680076ad2f8SDag-Erling Smørgrav /* Get IP address of client. */
681076ad2f8SDag-Erling Smørgrav fromlen = sizeof(from);
682076ad2f8SDag-Erling Smørgrav memset(&from, 0, sizeof(from));
683076ad2f8SDag-Erling Smørgrav if (getpeername(ssh_packet_get_connection_in(ssh),
68419261079SEd Maste (struct sockaddr *)&from, &fromlen) == -1) {
685076ad2f8SDag-Erling Smørgrav debug("getpeername failed: %.100s", strerror(errno));
68619261079SEd Maste return xstrdup(ntop);
687076ad2f8SDag-Erling Smørgrav }
688076ad2f8SDag-Erling Smørgrav
689076ad2f8SDag-Erling Smørgrav ipv64_normalise_mapped(&from, &fromlen);
690076ad2f8SDag-Erling Smørgrav if (from.ss_family == AF_INET6)
691076ad2f8SDag-Erling Smørgrav fromlen = sizeof(struct sockaddr_in6);
692076ad2f8SDag-Erling Smørgrav
693076ad2f8SDag-Erling Smørgrav debug3("Trying to reverse map address %.100s.", ntop);
694076ad2f8SDag-Erling Smørgrav /* Map the IP address to a host name. */
695076ad2f8SDag-Erling Smørgrav if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
696076ad2f8SDag-Erling Smørgrav NULL, 0, NI_NAMEREQD) != 0) {
697076ad2f8SDag-Erling Smørgrav /* Host name not found. Use ip address. */
69819261079SEd Maste return xstrdup(ntop);
699076ad2f8SDag-Erling Smørgrav }
700076ad2f8SDag-Erling Smørgrav
701076ad2f8SDag-Erling Smørgrav /*
702076ad2f8SDag-Erling Smørgrav * if reverse lookup result looks like a numeric hostname,
703076ad2f8SDag-Erling Smørgrav * someone is trying to trick us by PTR record like following:
704076ad2f8SDag-Erling Smørgrav * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
705076ad2f8SDag-Erling Smørgrav */
706076ad2f8SDag-Erling Smørgrav memset(&hints, 0, sizeof(hints));
707076ad2f8SDag-Erling Smørgrav hints.ai_socktype = SOCK_DGRAM; /*dummy*/
708076ad2f8SDag-Erling Smørgrav hints.ai_flags = AI_NUMERICHOST;
709076ad2f8SDag-Erling Smørgrav if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
710076ad2f8SDag-Erling Smørgrav logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
711076ad2f8SDag-Erling Smørgrav name, ntop);
712076ad2f8SDag-Erling Smørgrav freeaddrinfo(ai);
71319261079SEd Maste return xstrdup(ntop);
714076ad2f8SDag-Erling Smørgrav }
715076ad2f8SDag-Erling Smørgrav
716076ad2f8SDag-Erling Smørgrav /* Names are stored in lowercase. */
717076ad2f8SDag-Erling Smørgrav lowercase(name);
718076ad2f8SDag-Erling Smørgrav
719076ad2f8SDag-Erling Smørgrav /*
720076ad2f8SDag-Erling Smørgrav * Map it back to an IP address and check that the given
721076ad2f8SDag-Erling Smørgrav * address actually is an address of this host. This is
722076ad2f8SDag-Erling Smørgrav * necessary because anyone with access to a name server can
723076ad2f8SDag-Erling Smørgrav * define arbitrary names for an IP address. Mapping from
724076ad2f8SDag-Erling Smørgrav * name to IP address can be trusted better (but can still be
725076ad2f8SDag-Erling Smørgrav * fooled if the intruder has access to the name server of
726076ad2f8SDag-Erling Smørgrav * the domain).
727076ad2f8SDag-Erling Smørgrav */
728076ad2f8SDag-Erling Smørgrav memset(&hints, 0, sizeof(hints));
729076ad2f8SDag-Erling Smørgrav hints.ai_family = from.ss_family;
730076ad2f8SDag-Erling Smørgrav hints.ai_socktype = SOCK_STREAM;
731076ad2f8SDag-Erling Smørgrav if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
732076ad2f8SDag-Erling Smørgrav logit("reverse mapping checking getaddrinfo for %.700s "
733076ad2f8SDag-Erling Smørgrav "[%s] failed.", name, ntop);
73419261079SEd Maste return xstrdup(ntop);
735076ad2f8SDag-Erling Smørgrav }
736076ad2f8SDag-Erling Smørgrav /* Look for the address from the list of addresses. */
737076ad2f8SDag-Erling Smørgrav for (ai = aitop; ai; ai = ai->ai_next) {
738076ad2f8SDag-Erling Smørgrav if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
739076ad2f8SDag-Erling Smørgrav sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
740076ad2f8SDag-Erling Smørgrav (strcmp(ntop, ntop2) == 0))
741076ad2f8SDag-Erling Smørgrav break;
742076ad2f8SDag-Erling Smørgrav }
743076ad2f8SDag-Erling Smørgrav freeaddrinfo(aitop);
744076ad2f8SDag-Erling Smørgrav /* If we reached the end of the list, the address was not there. */
745076ad2f8SDag-Erling Smørgrav if (ai == NULL) {
746076ad2f8SDag-Erling Smørgrav /* Address not found for the host name. */
747076ad2f8SDag-Erling Smørgrav logit("Address %.100s maps to %.600s, but this does not "
748076ad2f8SDag-Erling Smørgrav "map back to the address.", ntop, name);
74919261079SEd Maste return xstrdup(ntop);
750076ad2f8SDag-Erling Smørgrav }
75119261079SEd Maste return xstrdup(name);
752076ad2f8SDag-Erling Smørgrav }
753076ad2f8SDag-Erling Smørgrav
754076ad2f8SDag-Erling Smørgrav /*
755076ad2f8SDag-Erling Smørgrav * Return the canonical name of the host in the other side of the current
756076ad2f8SDag-Erling Smørgrav * connection. The host name is cached, so it is efficient to call this
757076ad2f8SDag-Erling Smørgrav * several times.
758076ad2f8SDag-Erling Smørgrav */
759076ad2f8SDag-Erling Smørgrav
760076ad2f8SDag-Erling Smørgrav const char *
auth_get_canonical_hostname(struct ssh * ssh,int use_dns)761076ad2f8SDag-Erling Smørgrav auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
762076ad2f8SDag-Erling Smørgrav {
763076ad2f8SDag-Erling Smørgrav static char *dnsname;
764076ad2f8SDag-Erling Smørgrav
765076ad2f8SDag-Erling Smørgrav if (!use_dns)
766076ad2f8SDag-Erling Smørgrav return ssh_remote_ipaddr(ssh);
767076ad2f8SDag-Erling Smørgrav else if (dnsname != NULL)
768076ad2f8SDag-Erling Smørgrav return dnsname;
769076ad2f8SDag-Erling Smørgrav else {
770076ad2f8SDag-Erling Smørgrav dnsname = remote_hostname(ssh);
771076ad2f8SDag-Erling Smørgrav return dnsname;
772076ad2f8SDag-Erling Smørgrav }
773076ad2f8SDag-Erling Smørgrav }
77447dd1d1bSDag-Erling Smørgrav
77547dd1d1bSDag-Erling Smørgrav /* These functions link key/cert options to the auth framework */
77647dd1d1bSDag-Erling Smørgrav
77747dd1d1bSDag-Erling Smørgrav /* Log sshauthopt options locally and (optionally) for remote transmission */
77847dd1d1bSDag-Erling Smørgrav void
auth_log_authopts(const char * loc,const struct sshauthopt * opts,int do_remote)77947dd1d1bSDag-Erling Smørgrav auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
78047dd1d1bSDag-Erling Smørgrav {
78147dd1d1bSDag-Erling Smørgrav int do_env = options.permit_user_env && opts->nenv > 0;
78247dd1d1bSDag-Erling Smørgrav int do_permitopen = opts->npermitopen > 0 &&
78347dd1d1bSDag-Erling Smørgrav (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
784190cef3dSDag-Erling Smørgrav int do_permitlisten = opts->npermitlisten > 0 &&
785190cef3dSDag-Erling Smørgrav (options.allow_tcp_forwarding & FORWARD_REMOTE) != 0;
78647dd1d1bSDag-Erling Smørgrav size_t i;
78747dd1d1bSDag-Erling Smørgrav char msg[1024], buf[64];
78847dd1d1bSDag-Erling Smørgrav
78947dd1d1bSDag-Erling Smørgrav snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
79047dd1d1bSDag-Erling Smørgrav /* Try to keep this alphabetically sorted */
79119261079SEd Maste snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
79247dd1d1bSDag-Erling Smørgrav opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
79347dd1d1bSDag-Erling Smørgrav opts->force_command == NULL ? "" : " command",
79447dd1d1bSDag-Erling Smørgrav do_env ? " environment" : "",
79547dd1d1bSDag-Erling Smørgrav opts->valid_before == 0 ? "" : "expires",
79619261079SEd Maste opts->no_require_user_presence ? " no-touch-required" : "",
79747dd1d1bSDag-Erling Smørgrav do_permitopen ? " permitopen" : "",
798190cef3dSDag-Erling Smørgrav do_permitlisten ? " permitlisten" : "",
79947dd1d1bSDag-Erling Smørgrav opts->permit_port_forwarding_flag ? " port-forwarding" : "",
80047dd1d1bSDag-Erling Smørgrav opts->cert_principals == NULL ? "" : " principals",
80147dd1d1bSDag-Erling Smørgrav opts->permit_pty_flag ? " pty" : "",
80219261079SEd Maste opts->require_verify ? " uv" : "",
80347dd1d1bSDag-Erling Smørgrav opts->force_tun_device == -1 ? "" : " tun=",
80447dd1d1bSDag-Erling Smørgrav opts->force_tun_device == -1 ? "" : buf,
80547dd1d1bSDag-Erling Smørgrav opts->permit_user_rc ? " user-rc" : "",
80647dd1d1bSDag-Erling Smørgrav opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
80747dd1d1bSDag-Erling Smørgrav
80847dd1d1bSDag-Erling Smørgrav debug("%s: %s", loc, msg);
80947dd1d1bSDag-Erling Smørgrav if (do_remote)
81047dd1d1bSDag-Erling Smørgrav auth_debug_add("%s: %s", loc, msg);
81147dd1d1bSDag-Erling Smørgrav
81247dd1d1bSDag-Erling Smørgrav if (options.permit_user_env) {
81347dd1d1bSDag-Erling Smørgrav for (i = 0; i < opts->nenv; i++) {
81447dd1d1bSDag-Erling Smørgrav debug("%s: environment: %s", loc, opts->env[i]);
81547dd1d1bSDag-Erling Smørgrav if (do_remote) {
81647dd1d1bSDag-Erling Smørgrav auth_debug_add("%s: environment: %s",
81747dd1d1bSDag-Erling Smørgrav loc, opts->env[i]);
81847dd1d1bSDag-Erling Smørgrav }
81947dd1d1bSDag-Erling Smørgrav }
82047dd1d1bSDag-Erling Smørgrav }
82147dd1d1bSDag-Erling Smørgrav
82247dd1d1bSDag-Erling Smørgrav /* Go into a little more details for the local logs. */
82347dd1d1bSDag-Erling Smørgrav if (opts->valid_before != 0) {
82447dd1d1bSDag-Erling Smørgrav format_absolute_time(opts->valid_before, buf, sizeof(buf));
82547dd1d1bSDag-Erling Smørgrav debug("%s: expires at %s", loc, buf);
82647dd1d1bSDag-Erling Smørgrav }
82747dd1d1bSDag-Erling Smørgrav if (opts->cert_principals != NULL) {
82847dd1d1bSDag-Erling Smørgrav debug("%s: authorized principals: \"%s\"",
82947dd1d1bSDag-Erling Smørgrav loc, opts->cert_principals);
83047dd1d1bSDag-Erling Smørgrav }
83147dd1d1bSDag-Erling Smørgrav if (opts->force_command != NULL)
83247dd1d1bSDag-Erling Smørgrav debug("%s: forced command: \"%s\"", loc, opts->force_command);
833190cef3dSDag-Erling Smørgrav if (do_permitopen) {
83447dd1d1bSDag-Erling Smørgrav for (i = 0; i < opts->npermitopen; i++) {
83547dd1d1bSDag-Erling Smørgrav debug("%s: permitted open: %s",
83647dd1d1bSDag-Erling Smørgrav loc, opts->permitopen[i]);
83747dd1d1bSDag-Erling Smørgrav }
83847dd1d1bSDag-Erling Smørgrav }
839190cef3dSDag-Erling Smørgrav if (do_permitlisten) {
840190cef3dSDag-Erling Smørgrav for (i = 0; i < opts->npermitlisten; i++) {
841190cef3dSDag-Erling Smørgrav debug("%s: permitted listen: %s",
842190cef3dSDag-Erling Smørgrav loc, opts->permitlisten[i]);
843190cef3dSDag-Erling Smørgrav }
844190cef3dSDag-Erling Smørgrav }
84547dd1d1bSDag-Erling Smørgrav }
84647dd1d1bSDag-Erling Smørgrav
84747dd1d1bSDag-Erling Smørgrav /* Activate a new set of key/cert options; merging with what is there. */
84847dd1d1bSDag-Erling Smørgrav int
auth_activate_options(struct ssh * ssh,struct sshauthopt * opts)84947dd1d1bSDag-Erling Smørgrav auth_activate_options(struct ssh *ssh, struct sshauthopt *opts)
85047dd1d1bSDag-Erling Smørgrav {
85147dd1d1bSDag-Erling Smørgrav struct sshauthopt *old = auth_opts;
85247dd1d1bSDag-Erling Smørgrav const char *emsg = NULL;
85347dd1d1bSDag-Erling Smørgrav
85419261079SEd Maste debug_f("setting new authentication options");
85547dd1d1bSDag-Erling Smørgrav if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {
85647dd1d1bSDag-Erling Smørgrav error("Inconsistent authentication options: %s", emsg);
85747dd1d1bSDag-Erling Smørgrav return -1;
85847dd1d1bSDag-Erling Smørgrav }
85947dd1d1bSDag-Erling Smørgrav return 0;
86047dd1d1bSDag-Erling Smørgrav }
86147dd1d1bSDag-Erling Smørgrav
86247dd1d1bSDag-Erling Smørgrav /* Disable forwarding, etc for the session */
86347dd1d1bSDag-Erling Smørgrav void
auth_restrict_session(struct ssh * ssh)86447dd1d1bSDag-Erling Smørgrav auth_restrict_session(struct ssh *ssh)
86547dd1d1bSDag-Erling Smørgrav {
86647dd1d1bSDag-Erling Smørgrav struct sshauthopt *restricted;
86747dd1d1bSDag-Erling Smørgrav
86819261079SEd Maste debug_f("restricting session");
86947dd1d1bSDag-Erling Smørgrav
87047dd1d1bSDag-Erling Smørgrav /* A blank sshauthopt defaults to permitting nothing */
87138a52bd3SEd Maste if ((restricted = sshauthopt_new()) == NULL)
87238a52bd3SEd Maste fatal_f("sshauthopt_new failed");
873190cef3dSDag-Erling Smørgrav restricted->permit_pty_flag = 1;
87447dd1d1bSDag-Erling Smørgrav restricted->restricted = 1;
87547dd1d1bSDag-Erling Smørgrav
87647dd1d1bSDag-Erling Smørgrav if (auth_activate_options(ssh, restricted) != 0)
87719261079SEd Maste fatal_f("failed to restrict session");
87847dd1d1bSDag-Erling Smørgrav sshauthopt_free(restricted);
87947dd1d1bSDag-Erling Smørgrav }
880