1 /*      $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $        */
   2 
   3 #ifndef _AUTH_H
   4 #define _AUTH_H
   5 
   6 #ifdef __cplusplus
   7 extern "C" {
   8 #endif
   9 
  10 
  11 /*
  12  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  13  *
  14  * Redistribution and use in source and binary forms, with or without
  15  * modification, are permitted provided that the following conditions
  16  * are met:
  17  * 1. Redistributions of source code must retain the above copyright
  18  *    notice, this list of conditions and the following disclaimer.
  19  * 2. Redistributions in binary form must reproduce the above copyright
  20  *    notice, this list of conditions and the following disclaimer in the
  21  *    documentation and/or other materials provided with the distribution.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  24  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  25  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  26  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  33  *
  34  */
  35 /*
  36  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  37  * Use is subject to license terms.
  38  */
  39 
  40 #include "key.h"
  41 #include "hostfile.h"
  42 #include <openssl/rsa.h>
  43 
  44 #ifdef USE_PAM
  45 #include <security/pam_appl.h>
  46 #endif /* USE_PAM */
  47 
  48 #ifdef HAVE_LOGIN_CAP
  49 #include <login_cap.h>
  50 #endif
  51 #ifdef BSD_AUTH
  52 #include <bsd_auth.h>
  53 #endif
  54 #ifdef KRB5
  55 #include <krb5.h>
  56 #endif
  57 
  58 typedef struct Authctxt Authctxt;
  59 typedef struct Authmethod Authmethod;
  60 typedef struct KbdintDevice KbdintDevice;
  61 
  62 #ifdef USE_PAM
  63 typedef struct pam_stuff pam_stuff;
  64 
  65 struct pam_stuff {
  66         Authctxt        *authctxt;
  67         pam_handle_t    *h;
  68         int             state;
  69         int             last_pam_retval;
  70 };
  71 
  72 /* See auth-pam.h and auth-pam.c */
  73 
  74 #define PAM_S_DONE_ACCT_MGMT            0x01 /* acct_mgmt done */
  75 #define PAM_S_DONE_SETCRED              0x02 /* setcred done */
  76 #define PAM_S_DONE_OPEN_SESSION         0x04 /* open_session done */
  77 #define PAM_S_DONE                      0x07 /* all done */
  78 #endif /* USE_PAM */
  79 
  80 struct Authctxt {
  81         int              success;
  82         int              valid;
  83         int              attempt;       /* all userauth attempt count */
  84         int              init_attempt;  /* passwd/kbd-int attempt count */
  85         int              failures;
  86         int              init_failures;
  87         int              unwind_dispatch_loop;
  88         int              v1_auth_type;
  89         char            *v1_auth_name;
  90         Authmethod      *method;
  91         char            *user;
  92         char            *service;
  93         struct passwd   *pw;
  94         char            *style;
  95         void            *kbdintctxt;    /* XXX Switch to method_data;
  96                                            v1 still needs this*/
  97 #ifdef USE_PAM
  98         pam_stuff       *pam;
  99         char            *cuser; /* client side user, needed for setting
 100                                    PAM_AUSER for hostbased authentication
 101                                    using roles */
 102         u_long           last_login_time; /* need to get the time of
 103                                              last login before calling
 104                                              pam_open_session() */
 105         char             last_login_host[MAXHOSTNAMELEN];
 106         int              pam_retval;    /* pam_stuff is cleaned before
 107                                            BSM login failure auditing */
 108 #endif /* USE_PAM */
 109         
 110         /* SUNW - What follows remains to reduce diffs with OpenSSH but
 111          *        is not used in Solaris.  The Solaris SSH internal
 112          *        architecture requires that this stuff move into the
 113          *        Authmethod method_data.
 114          */
 115 #ifndef SUNW_SSH
 116 #ifdef BSD_AUTH
 117         auth_session_t  *as;
 118 #endif
 119 #ifdef KRB4
 120         char            *krb4_ticket_file;
 121 #endif
 122 #ifdef KRB5
 123         krb5_context     krb5_ctx;
 124         krb5_auth_context krb5_auth_ctx;
 125         krb5_ccache      krb5_fwd_ccache;
 126         krb5_principal   krb5_user;
 127         char            *krb5_ticket_file;
 128 #endif
 129         void *methoddata;
 130 #endif /* SUNW_SSH */
 131 };
 132 
 133 struct Authmethod {
 134         char    *name;
 135         int     *enabled;
 136         /*
 137          * Userauth method state tracking fields updated in
 138          * input_userauth_request() and auth-pam.c.
 139          *
 140          * The "void (*userauth)(Authctxt *authctxt)" function
 141          * communicates the userauth result (success, failure,
 142          * "postponed," abandoned) through the 'authenticated',
 143          * 'postponed' and 'abandoned' fields.  Partial success is
 144          * indicated by requiring other userauths to be used by setting
 145          * their 'required' or 'sufficient' fields.
 146          *
 147          * Individual methods should only ever set 'not_again' if it
 148          * makes no sense to complete the same userauth more than once,
 149          * and they should set any methods' sufficient or required flags
 150          * in order to force partial authentication and require that
 151          * more userauths be tried.  The (void *) 'method_data' and
 152          * 'hist_method_data' pointers can be used by methods such as
 153          * pubkey which may make sense to run more than once during
 154          * userauth or which may require multiple round tripes (e.g.,
 155          * keyboard-interactive) and which need to keep some state;
 156          * 'hist_method_data' is there specifically for pubkey userauth
 157          * where multiple successful attempts should all use different
 158          * keys.
 159          *
 160          * The "attempts," "abandons," "successes" and "failures" fields
 161          * count the number of times a method has been attempted,
 162          * abandoned, and has succeeded or failed.  Note that pubkey
 163          * userauth does not double-count sig-less probes that are
 164          * followed by a pubkey request for the same pubkey anw with a
 165          * signature.
 166          */
 167         void            (*userauth)(Authctxt *authctxt);
 168         void            (*abandon)(Authctxt *, Authmethod *);
 169         void            *method_data;
 170         void            *hist_method_data;
 171         unsigned int     is_initial;
 172         unsigned int     attempts:8;
 173         unsigned int     abandons:8;
 174         unsigned int     successes:8;
 175         unsigned int     failures:8;
 176         /*
 177          * Post-attempt state booleans (authenticated, abandoned, etc...)
 178          */
 179         unsigned int     authenticated:1;
 180         unsigned int     not_again:1;
 181         unsigned int     sufficient:1;
 182         unsigned int     required:1;
 183         unsigned int     postponed:1;
 184         unsigned int     abandoned:1;
 185         /*
 186          * NOTE: multi-round-trip userauth methods can either
 187          *       recursively call dispatch_run and detect abandonment
 188          *       within their message handlers (as PAM kbd-int does) or
 189          *       set the postponed flag and let input_userauth_request()
 190          *       detect abandonment (i.e., initiation of some userauth
 191          *       method before completion of a started, multi-round-trip
 192          *       userauth method).
 193          *
 194          */
 195 };
 196 
 197 /*
 198  * Keyboard interactive device:
 199  * init_ctx     returns: non NULL upon success
 200  * query        returns: 0 - success, otherwise failure
 201  * respond      returns: 0 - success, 1 - need further interaction,
 202  *              otherwise - failure
 203  */
 204 struct KbdintDevice
 205 {
 206         const char *name;
 207         void*   (*init_ctx)(Authctxt*);
 208         int     (*query)(void *ctx, char **name, char **infotxt,
 209                     u_int *numprompts, char ***prompts, u_int **echo_on);
 210         int     (*respond)(void *ctx, u_int numresp, char **responses);
 211         void    (*free_ctx)(void *ctx);
 212 };
 213 
 214 int      auth_rhosts(struct passwd *, const char *);
 215 int
 216 auth_rhosts2(struct passwd *, const char *, const char *, const char *);
 217 
 218 int      auth_rhosts_rsa(struct passwd *, char *, Key *);
 219 int      auth_password(Authctxt *, const char *);
 220 int      auth_rsa(struct passwd *, BIGNUM *);
 221 int      auth_rsa_challenge_dialog(Key *);
 222 BIGNUM  *auth_rsa_generate_challenge(Key *);
 223 int      auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
 224 int      auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 225 
 226 int      auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 227 int      hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 228 int      user_key_allowed(struct passwd *, Key *);
 229 
 230 #ifdef KRB4
 231 #include <krb.h>
 232 int     auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
 233 int     auth_krb4_password(Authctxt *, const char *);
 234 void    krb4_cleanup_proc(void *);
 235 
 236 #ifdef AFS
 237 #include <kafs.h>
 238 int     auth_krb4_tgt(Authctxt *, const char *);
 239 int     auth_afs_token(Authctxt *, const char *);
 240 #endif /* AFS */
 241 
 242 #endif /* KRB4 */
 243 
 244 #ifdef KRB5
 245 int     auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 246 int     auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 247 int     auth_krb5_password(Authctxt *authctxt, const char *password);
 248 void    krb5_cleanup_proc(void *authctxt);
 249 #endif /* KRB5 */
 250 
 251 #include "auth-pam.h"
 252 #include "auth2-pam.h"
 253 
 254 Authctxt *do_authentication(void);
 255 Authctxt *do_authentication2(void);
 256 
 257 #ifdef HAVE_BSM
 258 void    audit_failed_login_cleanup(void *);
 259 #endif /* HAVE_BSM */
 260 
 261 int     userauth_check_partial_failure(Authctxt *authctxt);
 262 void    userauth_force_kbdint(void);
 263 
 264 Authctxt *authctxt_new(void);
 265 void    auth_log(Authctxt *, int, char *, char *);
 266 void    userauth_finish(Authctxt *, char *);
 267 void    userauth_user_svc_change(Authctxt *authctxt,
 268                                  char *user,
 269                                  char *service);
 270 int     auth_root_allowed(char *);
 271 
 272 char    *auth2_read_banner(void);
 273 
 274 void    privsep_challenge_enable(void);
 275 
 276 void    auth2_challenge(Authctxt *, char *);
 277 void    auth2_challenge_abandon(Authctxt *);
 278 int     bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 279 int     bsdauth_respond(void *, u_int, char **);
 280 int     skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 281 int     skey_respond(void *, u_int, char **);
 282 
 283 struct passwd * getpwnamallow(const char *user);
 284 
 285 int     run_auth_hook(const char *, const char *, const char *);
 286 
 287 char    *get_challenge(Authctxt *);
 288 int     verify_response(Authctxt *, const char *);
 289 
 290 struct passwd * auth_get_user(void);
 291 
 292 char    *authorized_keys_file(struct passwd *);
 293 char    *authorized_keys_file2(struct passwd *);
 294 
 295 int
 296 secure_filename(FILE *, const char *, struct passwd *, char *, size_t);
 297 
 298 HostStatus
 299 check_key_in_hostfiles(struct passwd *, Key *, const char *,
 300     const char *, const char *);
 301 
 302 /* hostkey handling */
 303 #ifndef lint
 304 Key     *get_hostkey_by_index(int);
 305 Key     *get_hostkey_by_type(int);
 306 int      get_hostkey_index(Key *);
 307 #endif /* lint */
 308 int      ssh1_session_key(BIGNUM *);
 309 
 310 /* debug messages during authentication */
 311 void     auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 312 void     auth_debug_send(void);
 313 void     auth_debug_reset(void);
 314 
 315 #define AUTH_FAIL_MAX 6
 316 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
 317 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
 318 
 319 #define SKEY_PROMPT "\nS/Key Password: "
 320 
 321 #ifdef __cplusplus
 322 }
 323 #endif
 324 
 325 #endif /* _AUTH_H */