1 /* 2 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org> 3 * 4 * Permission to use, copy, modify, and distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17 #include <sys/types.h> 18 19 #include <stdlib.h> 20 #include <string.h> 21 22 #include "log.h" 23 #include "misc.h" 24 #include "servconf.h" 25 #include "xmalloc.h" 26 #include "hostfile.h" 27 #include "auth.h" 28 29 extern ServerOptions options; 30 31 /* 32 * Configuration of enabled authentication methods. Separate to the rest of 33 * auth2-*.c because we want to query it during server configuration validity 34 * checking in the sshd listener process without pulling all the auth code in 35 * too. 
*/

/*
 * "none" is allowed only one time and it is cleared by userauth_none() later.
 * It starts out as 1, so at configuration-check time "none" passes the
 * need_enable test in auth2_methods_valid() like any other enabled method.
 */
int none_enabled = 1;

/*
 * One entry per userauth method. This file only reads the first member
 * (the method name that auth2_methods_valid() compares against) and the
 * third (pointer to the flag saying whether the method is enabled, or
 * NULL). The second member is not consulted here; see struct
 * authmethod_cfg in auth.h for what it means.
 */
struct authmethod_cfg methodcfg_none = {
	"none",
	NULL,
	&none_enabled
};
/* Enabled/disabled via options.pubkey_authentication. */
struct authmethod_cfg methodcfg_pubkey = {
	"publickey",
	"publickey-hostbound-v00@openssh.com",	/* not read in this file */
	&options.pubkey_authentication
};
#ifdef GSSAPI
/* Only compiled in when GSS-API support is built. */
struct authmethod_cfg methodcfg_gssapi = {
	"gssapi-with-mic",
	NULL,
	&options.gss_authentication
};
#endif
struct authmethod_cfg methodcfg_passwd = {
	"password",
	NULL,
	&options.password_authentication
};
struct authmethod_cfg methodcfg_kbdint = {
	"keyboard-interactive",
	NULL,
	&options.kbd_interactive_authentication
};
struct authmethod_cfg methodcfg_hostbased = {
	"hostbased",
	NULL,
	&options.hostbased_authentication
};

/*
 * NULL-terminated table of every method known to the server, searched by
 * name in auth2_methods_valid(). A name that is not in this table is
 * rejected as unknown, so a new method must be listed here before it can
 * appear in an AuthenticationMethods list.
 */
static struct authmethod_cfg *authmethod_cfgs[] = {
	&methodcfg_none,
	&methodcfg_pubkey,
#ifdef GSSAPI
	&methodcfg_gssapi,
#endif
	&methodcfg_passwd,
	&methodcfg_kbdint,
	&methodcfg_hostbased,
	NULL
};

/*
 * Check a comma-separated list of methods for validity. If need_enable is
 * non-zero, then also require that the methods are enabled.
 * Each element may carry a ":suffix"; only the part before the colon is
 * compared against the method names in authmethod_cfgs[]. An empty
 * element (e.g. a trailing comma) is reported as an unknown method.
 * Returns 0 on success or -1 if the methods list is invalid.
*/
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *list, *cursor, *name, *colon;
	const struct authmethod_cfg *cfg;
	size_t i;
	int ret = -1;

	if (*_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	/* strsep() writes into the string it walks, so work on a private copy. */
	cursor = list = xstrdup(_methods);
	while ((name = strsep(&cursor, ",")) != NULL) {
		/*
		 * Only the part before a ':' is compared against the table;
		 * the truncated name is also what the errors below report.
		 */
		if ((colon = strchr(name, ':')) != NULL)
			*colon = '\0';
		/* Look the (possibly empty) name up in the method table. */
		cfg = NULL;
		for (i = 0; authmethod_cfgs[i] != NULL; i++) {
			if (strcmp(name, authmethod_cfgs[i]->name) == 0) {
				cfg = authmethod_cfgs[i];
				break;
			}
		}
		if (cfg == NULL) {
			/* Also reached for empty elements such as "a,,b". */
			error("Unknown authentication method \"%s\" in list",
			    name);
			goto out;
		}
		/* A NULL enabled pointer counts as disabled. */
		if (need_enable &&
		    (cfg->enabled == NULL || *(cfg->enabled) == 0)) {
			error("Disabled method \"%s\" in "
			    "AuthenticationMethods list \"%s\"",
			    name, _methods);
			goto out;
		}
	}
	ret = 0;
 out:
	free(list);
	return ret;
}