1 /* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
2
3 #ifndef _AUTH_H
4 #define _AUTH_H
5
6 #ifdef __cplusplus
7 extern "C" {
8 #endif
9
10
11 /*
12 * Copyright (c) 2000 Markus Friedl. All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 *
34 */
35 /*
36 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
37 * Use is subject to license terms.
38 */
39
40 #include "key.h"
41 #include "hostfile.h"
42 #include <openssl/rsa.h>
43
44 #ifdef USE_PAM
45 #include <security/pam_appl.h>
46 #endif /* USE_PAM */
47
48 #ifdef HAVE_LOGIN_CAP
49 #include <login_cap.h>
50 #endif
51 #ifdef BSD_AUTH
52 #include <bsd_auth.h>
53 #endif
54 #ifdef KRB5
55 #include <krb5.h>
56 #endif
57
/*
 * Forward typedefs for the three authentication state structures.
 * The struct bodies follow below in this header (Authctxt, Authmethod,
 * KbdintDevice); the typedefs exist so that each can reference the others
 * by pointer before its own definition.
 */
typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;
61
#ifdef USE_PAM
typedef struct pam_stuff pam_stuff;

/*
 * Per-authentication PAM bookkeeping, reachable via Authctxt->pam.
 * NOTE(review): the meaning of each field is inferred from its name and the
 * PAM_S_DONE_* flags below; confirm against auth-pam.c.
 */
struct pam_stuff {
	Authctxt *authctxt;	/* back-pointer to the owning Authctxt */
	pam_handle_t *h;	/* PAM handle; presumably obtained from
				   pam_start() — confirm */
	int state;		/* presumably an OR of the PAM_S_DONE_* flags
				   below, recording which PAM phases completed
				   so cleanup undoes only what was done */
	int last_pam_retval;	/* presumably the return value of the most
				   recent PAM call — confirm */
};

/* See auth-pam.h and auth-pam.c */

/* Bits recorded in pam_stuff.state as each PAM phase completes. */
#define PAM_S_DONE_ACCT_MGMT	0x01	/* acct_mgmt done */
#define PAM_S_DONE_SETCRED	0x02	/* setcred done */
#define PAM_S_DONE_OPEN_SESSION	0x04	/* open_session done */
#define PAM_S_DONE		0x07	/* all done (all three bits above) */
#endif /* USE_PAM */
79
/*
 * Per-connection authentication context.  One instance tracks the user
 * being authenticated, the method currently in use and the running
 * attempt/failure counters.  Field meanings not spelled out by the original
 * comments are hedged below; confirm against auth.c / auth2.c.
 */
struct Authctxt {
	int success;		/* presumably nonzero once authentication
				   has completed successfully — confirm */
	int valid;		/* presumably nonzero when the requested user
				   resolved to a usable passwd entry — confirm */
	int attempt;		/* all userauth attempt count */
	int init_attempt;	/* passwd/kbd-int attempt count */
	int failures;		/* presumably parallels 'attempt' (all
				   methods) — confirm */
	int init_failures;	/* presumably parallels 'init_attempt'
				   (passwd/kbd-int) — confirm */
	int unwind_dispatch_loop;	/* flag read by the dispatch loop;
					   exact semantics not visible here */
	int v1_auth_type;	/* protocol-1 auth type (name suggests SSH1) */
	char *v1_auth_name;	/* protocol-1 auth name string */
	Authmethod *method;	/* method currently being run */
	char *user;		/* user name requested by the client */
	char *service;		/* service name requested by the client */
	struct passwd *pw;	/* passwd entry for 'user' when resolved */
	char *style;		/* login style (BSD auth "user:style" syntax) */
	void *kbdintctxt;	/* XXX Switch to method_data;
				   v1 still needs this */
#ifdef USE_PAM
	pam_stuff *pam;		/* PAM state; see struct pam_stuff above */
	char *cuser;		/* client side user, needed for setting
				   PAM_AUSER for hostbased authentication
				   using roles */
	u_long last_login_time;	/* need to get the time of
				   last login before calling
				   pam_open_session() */
	char last_login_host[MAXHOSTNAMELEN];
				/* fixed-size buffer: whatever fills it
				   (not visible in this header) must bound
				   the copy to sizeof last_login_host and
				   NUL-terminate; never strcpy() into it */
	int pam_retval;		/* pam_stuff is cleaned before
				   BSM login failure auditing, so the
				   final PAM result is copied here */
#endif /* USE_PAM */

	/* SUNW - What follows remains to reduce diffs with OpenSSH but
	 * is not used in Solaris.  The Solaris SSH internal
	 * architecture requires that this stuff move into the
	 * Authmethod method_data.
	 */
#ifndef SUNW_SSH
#ifdef BSD_AUTH
	auth_session_t *as;	/* BSD auth session handle */
#endif
#ifdef KRB4
	char *krb4_ticket_file;	/* path of the forwarded KRB4 ticket file */
#endif
#ifdef KRB5
	krb5_context krb5_ctx;
	krb5_auth_context krb5_auth_ctx;
	krb5_ccache krb5_fwd_ccache;	/* forwarded credential cache */
	krb5_principal krb5_user;
	char *krb5_ticket_file;	/* path of the forwarded KRB5 ticket file */
#endif
	void *methoddata;	/* OpenSSH-style per-method state (unused
				   here; Solaris uses Authmethod.method_data) */
#endif /* SUNW_SSH */
};
132
/*
 * Description of one userauth method (e.g. password, pubkey, kbd-int)
 * together with its per-connection state and counters.
 */
struct Authmethod {
	char *name;		/* method name as used on the wire */
	int *enabled;		/* pointer to the flag that turns the method
				   on/off; presumably a ServerOptions field
				   — confirm */
	/*
	 * Userauth method state tracking fields updated in
	 * input_userauth_request() and auth-pam.c.
	 *
	 * The "void (*userauth)(Authctxt *authctxt)" function
	 * communicates the userauth result (success, failure,
	 * "postponed," abandoned) through the 'authenticated',
	 * 'postponed' and 'abandoned' fields.  Partial success is
	 * indicated by requiring other userauths to be used by setting
	 * their 'required' or 'sufficient' fields.
	 *
	 * Individual methods should only ever set 'not_again' if it
	 * makes no sense to complete the same userauth more than once,
	 * and they should set any methods' sufficient or required flags
	 * in order to force partial authentication and require that
	 * more userauths be tried.  The (void *) 'method_data' and
	 * 'hist_method_data' pointers can be used by methods such as
	 * pubkey which may make sense to run more than once during
	 * userauth or which may require multiple round trips (e.g.,
	 * keyboard-interactive) and which need to keep some state;
	 * 'hist_method_data' is there specifically for pubkey userauth
	 * where multiple successful attempts should all use different
	 * keys.
	 *
	 * The "attempts," "abandons," "successes" and "failures" fields
	 * count the number of times a method has been attempted,
	 * abandoned, and has succeeded or failed.  Note that pubkey
	 * userauth does not double-count sig-less probes that are
	 * followed by a pubkey request for the same pubkey and with a
	 * signature.
	 */
	void (*userauth)(Authctxt *authctxt);	/* run one attempt */
	void (*abandon)(Authctxt *, Authmethod *);	/* tear down a
						   started, unfinished attempt */
	void *method_data;	/* method-private state for the current run */
	void *hist_method_data;	/* method-private history across runs */
	unsigned int is_initial;
	/*
	 * Counters are 8-bit bit-fields: they hold 0..255 and unsigned
	 * bit-field arithmetic wraps past 255.  Code that increments them
	 * (outside this header) should not rely on them growing without
	 * bound.
	 */
	unsigned int attempts:8;
	unsigned int abandons:8;
	unsigned int successes:8;
	unsigned int failures:8;
	/*
	 * Post-attempt state booleans (authenticated, abandoned, etc...)
	 */
	unsigned int authenticated:1;
	unsigned int not_again:1;
	unsigned int sufficient:1;
	unsigned int required:1;
	unsigned int postponed:1;
	unsigned int abandoned:1;
	/*
	 * NOTE: multi-round-trip userauth methods can either
	 * recursively call dispatch_run and detect abandonment
	 * within their message handlers (as PAM kbd-int does) or
	 * set the postponed flag and let input_userauth_request()
	 * detect abandonment (i.e., initiation of some userauth
	 * method before completion of a started, multi-round-trip
	 * userauth method).
	 *
	 */
};
196
/*
 * Keyboard interactive device:
 *	init_ctx returns: non NULL upon success
 *	query returns: 0 - success, otherwise failure
 *	respond returns: 0 - success, 1 - need further interaction,
 *			 otherwise - failure
 *
 * bsdauth_query/bsdauth_respond and skey_query/skey_respond, declared
 * further down, have exactly the query/respond signatures below.
 *
 * NOTE(review): ownership of the strings and arrays that 'query' hands back
 * through its out-parameters is not specified here; confirm against the
 * device implementations before freeing.  'numresp' passed to 'respond' is
 * presumably taken from the client's message — implementations should
 * compare it with the number of prompts they issued before indexing
 * 'responses' (confirm).
 */
struct KbdintDevice
{
	const char *name;	/* device name */
	void* (*init_ctx)(Authctxt*);	/* allocate per-auth device state */
	int (*query)(void *ctx, char **name, char **infotxt,
	    u_int *numprompts, char ***prompts, u_int **echo_on);
				/* produce the next set of prompts;
				   echo_on[i] says whether prompt i echoes */
	int (*respond)(void *ctx, u_int numresp, char **responses);
				/* consume the client's answers */
	void (*free_ctx)(void *ctx);	/* release state from init_ctx */
};
213
/*
 * Host-based, password and RSA authentication checks.
 * Parameter meanings below are inferred from the signatures; the
 * implementations live in auth-rhosts.c, auth-rsa.c, auth-passwd.c etc.
 */
int	 auth_rhosts(struct passwd *, const char *);	/* user, client host */
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);

int	 auth_rhosts_rsa(struct passwd *, char *, Key *);
int	 auth_password(Authctxt *, const char *);	/* ctxt, password */
int	 auth_rsa(struct passwd *, BIGNUM *);
int	 auth_rsa_challenge_dialog(Key *);
BIGNUM	*auth_rsa_generate_challenge(Key *);	/* caller frees result
						   (ownership inferred — confirm) */
/*
 * The u_char[] response parameter decays to a pointer; its length is not
 * passed, so the callee must obtain it from the protocol (fixed-size
 * response digest) rather than trusting the caller — confirm in auth-rsa.c.
 */
int	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
int	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);

/* Key authorization lookups: nonzero presumably means "allowed" — confirm. */
int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int	 user_key_allowed(struct passwd *, Key *);
229
#ifdef KRB4
#include <krb.h>
/* Kerberos 4 ticket, password and cleanup entry points (auth-krb4.c). */
int	 auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
int	 auth_krb4_password(Authctxt *, const char *);
void	 krb4_cleanup_proc(void *);	/* registered cleanup; arg is an
					   Authctxt * by convention — confirm */

#ifdef AFS
#include <kafs.h>
/* AFS/KRB4 TGT and token passing. */
int	 auth_krb4_tgt(Authctxt *, const char *);
int	 auth_afs_token(Authctxt *, const char *);
#endif /* AFS */

#endif /* KRB4 */

#ifdef KRB5
/* Kerberos 5 ticket, TGT-forwarding and password entry points (auth-krb5.c). */
int	 auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int	 auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int	 auth_krb5_password(Authctxt *authctxt, const char *password);
void	 krb5_cleanup_proc(void *authctxt);	/* registered cleanup */
#endif /* KRB5 */
250
251 #include "auth-pam.h"
252 #include "auth2-pam.h"
253
/* Top-level drivers; the "2" suffix here and below denotes protocol 2. */
Authctxt *do_authentication(void);
Authctxt *do_authentication2(void);

#ifdef HAVE_BSM
/* BSM audit hook run when a login attempt fails (Solaris). */
void	 audit_failed_login_cleanup(void *);
#endif /* HAVE_BSM */

/* Partial-success handling: see the 'required'/'sufficient' notes in Authmethod. */
int	 userauth_check_partial_failure(Authctxt *authctxt);
void	 userauth_force_kbdint(void);

Authctxt *authctxt_new(void);	/* allocate a zeroed context (inferred — confirm) */
/* auth_log(ctxt, authenticated, method, info): parameter roles inferred — confirm. */
void	 auth_log(Authctxt *, int, char *, char *);
void	 userauth_finish(Authctxt *, char *);
/* Re-target the context when the client switches user or service mid-auth. */
void	 userauth_user_svc_change(Authctxt *authctxt,
				  char *user,
				  char *service);
/* Policy check for root logins; the argument is presumably the method name — confirm. */
int	 auth_root_allowed(char *);

/* Returns the banner text; ownership (static vs. caller-freed) not visible here. */
char	*auth2_read_banner(void);

void	 privsep_challenge_enable(void);

/* Challenge-response (protocol 2) and the kbd-int device backends. */
void	 auth2_challenge(Authctxt *, char *);
void	 auth2_challenge_abandon(Authctxt *);
/* Signatures match KbdintDevice.query / KbdintDevice.respond exactly. */
int	 bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int	 bsdauth_respond(void *, u_int, char **);
int	 skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int	 skey_respond(void *, u_int, char **);

/* Look up a user, applying the server's allow/deny policy (inferred from name — confirm). */
struct passwd * getpwnamallow(const char *user);

/* Runs an external hook with three string arguments; how they are passed
   (argv vs. shell) is not visible here — confirm in the implementation. */
int	 run_auth_hook(const char *, const char *, const char *);

char	*get_challenge(Authctxt *);
int	 verify_response(Authctxt *, const char *);

struct passwd * auth_get_user(void);

/* Paths of the user's authorized keys files; ownership of the string not visible here. */
char	*authorized_keys_file(struct passwd *);
char	*authorized_keys_file2(struct passwd *);

/*
 * Checks that a file (and, presumably, its parent directories) is owned and
 * permissioned safely; the trailing (char *, size_t) pair is presumably an
 * error-message buffer and its size — confirm against auth.c.
 */
int
secure_filename(FILE *, const char *, struct passwd *, char *, size_t);

/* HostStatus comes from hostfile.h (included above). */
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
    const char *, const char *);

/* hostkey handling */
#ifndef lint
Key	*get_hostkey_by_index(int);
Key	*get_hostkey_by_type(int);
int	 get_hostkey_index(Key *);
#endif /* lint */
int	 ssh1_session_key(BIGNUM *);

/* debug messages during authentication */
/*
 * format(printf, 1, 2) lets the compiler check arguments against the format
 * string; callers must pass a literal format and never feed client-supplied
 * text as 'fmt'.
 */
void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void	 auth_debug_send(void);
void	 auth_debug_reset(void);
314
/* Failure limits: disconnect after AUTH_FAIL_MAX failures; start logging
 * at half that.  AUTH_FAIL_MSG bounds the (client-chosen) user name to 100
 * bytes via %.100s so the log line cannot be inflated by a long name. */
#define AUTH_FAIL_MAX	6
#define AUTH_FAIL_LOG	(AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG	"Too many authentication failures for %.100s"

/* Prompt string shown for S/Key challenges. */
#define SKEY_PROMPT "\nS/Key Password: "
320
321 #ifdef __cplusplus
322 }
323 #endif
324
325 #endif /* _AUTH_H */