1 /* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */ 2 3 #ifndef _AUTH_H 4 #define _AUTH_H 5 6 #ifdef __cplusplus 7 extern "C" { 8 #endif 9 10 11 /* 12 * Copyright (c) 2000 Markus Friedl. All rights reserved. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 * 34 */ 35 /* 36 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 37 * Use is subject to license terms. 38 */ 39 40 #include "key.h" 41 #include "hostfile.h" 42 #include <openssl/rsa.h> 43 44 #ifdef USE_PAM 45 #include <security/pam_appl.h> 46 #endif /* USE_PAM */ 47 48 #ifdef HAVE_LOGIN_CAP 49 #include <login_cap.h> 50 #endif 51 #ifdef BSD_AUTH 52 #include <bsd_auth.h> 53 #endif 54 #ifdef KRB5 55 #include <krb5.h> 56 #endif 57 58 typedef struct Authctxt Authctxt; 59 typedef struct Authmethod Authmethod; 60 typedef struct KbdintDevice KbdintDevice; 61 62 #ifdef USE_PAM 63 typedef struct pam_stuff pam_stuff; 64 65 struct pam_stuff { 66 Authctxt *authctxt; 67 pam_handle_t *h; 68 int state; 69 int last_pam_retval; 70 }; 71 72 /* See auth-pam.h and auth-pam.c */ 73 74 #define PAM_S_DONE_ACCT_MGMT 0x01 /* acct_mgmt done */ 75 #define PAM_S_DONE_SETCRED 0x02 /* setcred done */ 76 #define PAM_S_DONE_OPEN_SESSION 0x04 /* open_session done */ 77 #define PAM_S_DONE 0x07 /* all done */ 78 #endif /* USE_PAM */ 79 80 struct Authctxt { 81 int success; 82 int valid; 83 int attempt; /* all userauth attempt count */ 84 int init_attempt; /* passwd/kbd-int attempt count */ 85 int failures; 86 int init_failures; 87 int unwind_dispatch_loop; 88 int v1_auth_type; 89 char *v1_auth_name; 90 Authmethod *method; 91 char *user; 92 char *service; 93 struct passwd *pw; 94 char *style; 95 void *kbdintctxt; /* XXX Switch to method_data; 96 v1 still needs this*/ 97 #ifdef USE_PAM 98 pam_stuff *pam; 99 char *cuser; /* client side user, needed for setting 100 PAM_AUSER for hostbased authentication 101 using roles */ 102 u_long last_login_time; /* need to get the time of 103 last login before calling 104 pam_open_session() */ 105 char last_login_host[MAXHOSTNAMELEN]; 106 int pam_retval; /* pam_stuff is cleaned before 107 BSM login failure auditing */ 108 #endif /* USE_PAM */ 109 110 /* SUNW - What follows remains to reduce diffs with OpenSSH but 111 * is not used in Solaris. The Solaris SSH internal 112 * architecture requires that this stuff move into the 113 * Authmethod method_data. 114 */ 115 #ifndef SUNW_SSH 116 #ifdef BSD_AUTH 117 auth_session_t *as; 118 #endif 119 #ifdef KRB4 120 char *krb4_ticket_file; 121 #endif 122 #ifdef KRB5 123 krb5_context krb5_ctx; 124 krb5_auth_context krb5_auth_ctx; 125 krb5_ccache krb5_fwd_ccache; 126 krb5_principal krb5_user; 127 char *krb5_ticket_file; 128 #endif 129 void *methoddata; 130 #endif /* SUNW_SSH */ 131 }; 132 133 struct Authmethod { 134 char *name; 135 int *enabled; 136 /* 137 * Userauth method state tracking fields updated in 138 * input_userauth_request() and auth-pam.c. 139 * 140 * The "void (*userauth)(Authctxt *authctxt)" function 141 * communicates the userauth result (success, failure, 142 * "postponed," abandoned) through the 'authenticated', 143 * 'postponed' and 'abandoned' fields. Partial success is 144 * indicated by requiring other userauths to be used by setting 145 * their 'required' or 'sufficient' fields. 146 * 147 * Individual methods should only ever set 'not_again' if it 148 * makes no sense to complete the same userauth more than once, 149 * and they should set any methods' sufficient or required flags 150 * in order to force partial authentication and require that 151 * more userauths be tried. The (void *) 'method_data' and 152 * 'hist_method_data' pointers can be used by methods such as 153 * pubkey which may make sense to run more than once during 154 * userauth or which may require multiple round tripes (e.g., 155 * keyboard-interactive) and which need to keep some state; 156 * 'hist_method_data' is there specifically for pubkey userauth 157 * where multiple successful attempts should all use different 158 * keys. 159 * 160 * The "attempts," "abandons," "successes" and "failures" fields 161 * count the number of times a method has been attempted, 162 * abandoned, and has succeeded or failed. Note that pubkey 163 * userauth does not double-count sig-less probes that are 164 * followed by a pubkey request for the same pubkey anw with a 165 * signature. 166 */ 167 void (*userauth)(Authctxt *authctxt); 168 void (*abandon)(Authctxt *, Authmethod *); 169 void *method_data; 170 void *hist_method_data; 171 unsigned int is_initial; 172 unsigned int attempts:8; 173 unsigned int abandons:8; 174 unsigned int successes:8; 175 unsigned int failures:8; 176 /* 177 * Post-attempt state booleans (authenticated, abandoned, etc...) 178 */ 179 unsigned int authenticated:1; 180 unsigned int not_again:1; 181 unsigned int sufficient:1; 182 unsigned int required:1; 183 unsigned int postponed:1; 184 unsigned int abandoned:1; 185 /* 186 * NOTE: multi-round-trip userauth methods can either 187 * recursively call dispatch_run and detect abandonment 188 * within their message handlers (as PAM kbd-int does) or 189 * set the postponed flag and let input_userauth_request() 190 * detect abandonment (i.e., initiation of some userauth 191 * method before completion of a started, multi-round-trip 192 * userauth method). 193 * 194 */ 195 }; 196 197 /* 198 * Keyboard interactive device: 199 * init_ctx returns: non NULL upon success 200 * query returns: 0 - success, otherwise failure 201 * respond returns: 0 - success, 1 - need further interaction, 202 * otherwise - failure 203 */ 204 struct KbdintDevice 205 { 206 const char *name; 207 void* (*init_ctx)(Authctxt*); 208 int (*query)(void *ctx, char **name, char **infotxt, 209 u_int *numprompts, char ***prompts, u_int **echo_on); 210 int (*respond)(void *ctx, u_int numresp, char **responses); 211 void (*free_ctx)(void *ctx); 212 }; 213 214 int auth_rhosts(struct passwd *, const char *); 215 int 216 auth_rhosts2(struct passwd *, const char *, const char *, const char *); 217 218 int auth_rhosts_rsa(struct passwd *, char *, Key *); 219 int auth_password(Authctxt *, const char *); 220 int auth_rsa(struct passwd *, BIGNUM *); 221 int auth_rsa_challenge_dialog(Key *); 222 BIGNUM *auth_rsa_generate_challenge(Key *); 223 int auth_rsa_verify_response(Key *, BIGNUM *, u_char[]); 224 int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); 225 226 int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); 227 int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 228 int user_key_allowed(struct passwd *, Key *); 229 230 #ifdef KRB4 231 #include <krb.h> 232 int auth_krb4(Authctxt *, KTEXT, char **, KTEXT); 233 int auth_krb4_password(Authctxt *, const char *); 234 void krb4_cleanup_proc(void *); 235 236 #ifdef AFS 237 #include <kafs.h> 238 int auth_krb4_tgt(Authctxt *, const char *); 239 int auth_afs_token(Authctxt *, const char *); 240 #endif /* AFS */ 241 242 #endif /* KRB4 */ 243 244 #ifdef KRB5 245 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); 246 int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); 247 int auth_krb5_password(Authctxt *authctxt, const char *password); 248 void krb5_cleanup_proc(void *authctxt); 249 #endif /* KRB5 */ 250 251 #include "auth-pam.h" 252 #include "auth2-pam.h" 253 254 Authctxt *do_authentication(void); 255 Authctxt *do_authentication2(void); 256 257 #ifdef HAVE_BSM 258 void audit_failed_login_cleanup(void *); 259 #endif /* HAVE_BSM */ 260 261 int userauth_check_partial_failure(Authctxt *authctxt); 262 void userauth_force_kbdint(void); 263 264 Authctxt *authctxt_new(void); 265 void auth_log(Authctxt *, int, char *, char *); 266 void userauth_finish(Authctxt *, char *); 267 void userauth_user_svc_change(Authctxt *authctxt, 268 char *user, 269 char *service); 270 int auth_root_allowed(char *); 271 272 char *auth2_read_banner(void); 273 274 void privsep_challenge_enable(void); 275 276 void auth2_challenge(Authctxt *, char *); 277 void auth2_challenge_abandon(Authctxt *); 278 int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **); 279 int bsdauth_respond(void *, u_int, char **); 280 int skey_query(void *, char **, char **, u_int *, char ***, u_int **); 281 int skey_respond(void *, u_int, char **); 282 283 struct passwd * getpwnamallow(const char *user); 284 285 int run_auth_hook(const char *, const char *, const char *); 286 287 char *get_challenge(Authctxt *); 288 int verify_response(Authctxt *, const char *); 289 290 struct passwd * auth_get_user(void); 291 292 char *authorized_keys_file(struct passwd *); 293 char *authorized_keys_file2(struct passwd *); 294 295 int 296 secure_filename(FILE *, const char *, struct passwd *, char *, size_t); 297 298 HostStatus 299 check_key_in_hostfiles(struct passwd *, Key *, const char *, 300 const char *, const char *); 301 302 /* hostkey handling */ 303 #ifndef lint 304 Key *get_hostkey_by_index(int); 305 Key *get_hostkey_by_type(int); 306 int get_hostkey_index(Key *); 307 #endif /* lint */ 308 int ssh1_session_key(BIGNUM *); 309 310 /* debug messages during authentication */ 311 void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); 312 void auth_debug_send(void); 313 void auth_debug_reset(void); 314 315 #define AUTH_FAIL_MAX 6 316 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) 317 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" 318 319 #define SKEY_PROMPT "\nS/Key Password: " 320 321 #ifdef __cplusplus 322 } 323 #endif 324 325 #endif /* _AUTH_H */