1 /* 2 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 26 */ 27 28 #include "includes.h" 29 RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $"); 30 31 #include "ssh2.h" 32 #include "xmalloc.h" 33 #include "packet.h" 34 #include "log.h" 35 #include "servconf.h" 36 #include "compat.h" 37 #include "misc.h" 38 #include "auth.h" 39 #include "dispatch.h" 40 #include "sshlogin.h" 41 #include "pathnames.h" 42 43 #ifdef HAVE_BSM 44 #include "bsmaudit.h" 45 extern adt_session_data_t *ah; 46 #endif /* HAVE_BSM */ 47 48 #ifdef GSSAPI 49 #include "ssh-gss.h" 50 #endif 51 52 /* import */ 53 extern ServerOptions options; 54 extern u_char *session_id2; 55 extern int session_id2_len; 56 57 Authctxt *x_authctxt = NULL; 58 59 /* methods */ 60 61 extern Authmethod method_none; 62 extern Authmethod method_pubkey; 63 extern Authmethod method_passwd; 64 extern Authmethod method_kbdint; 65 extern Authmethod method_hostbased; 66 extern Authmethod method_external; 67 extern Authmethod method_gssapi; 68 69 static Authmethod *authmethods[] = { 70 &method_none, 71 #ifdef GSSAPI 72 &method_external, 73 &method_gssapi, 74 #endif 75 &method_pubkey, 76 &method_passwd, 77 &method_kbdint, 78 &method_hostbased, 79 NULL 80 }; 81 82 /* protocol */ 83 84 static void input_service_request(int, u_int32_t, void *); 85 static void input_userauth_request(int, u_int32_t, void *); 86 87 /* helper */ 88 static Authmethod *authmethod_lookup(const char *); 89 static char *authmethods_get(void); 90 static char *authmethods_check_abandonment(Authctxt *authctxt, 91 Authmethod *method); 92 static void authmethod_count_attempt(Authmethod *method); 93 /*static char *authmethods_get_kbdint(void);*/ 94 int user_key_allowed(struct passwd *, Key *); 95 int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 96 static int userauth_method_can_run(Authmethod *method); 97 static void userauth_reset_methods(void); 98 99 /* 100 * loop until authctxt->success == TRUE 101 */ 102 103 Authctxt * 104 do_authentication2(void) 105 { 106 Authctxt *authctxt = authctxt_new(); 107 108 x_authctxt = authctxt; /*XXX*/ 109 110 #ifdef HAVE_BSM 111 fatal_add_cleanup(audit_failed_login_cleanup, authctxt); 112 #endif /* HAVE_BSM */ 113 114 dispatch_init(&dispatch_protocol_error); 115 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 116 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 117 118 return (authctxt); 119 } 120 121 static void 122 input_service_request(int type, u_int32_t seq, void *ctxt) 123 { 124 Authctxt *authctxt = ctxt; 125 u_int len; 126 int acceptit = 0; 127 char *service = packet_get_string(&len); 128 packet_check_eom(); 129 130 if (authctxt == NULL) 131 fatal("input_service_request: no authctxt"); 132 133 if (strcmp(service, "ssh-userauth") == 0) { 134 if (!authctxt->success) { 135 acceptit = 1; 136 /* now we can handle user-auth requests */ 137 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 138 } 139 } 140 /* XXX all other service requests are denied */ 141 142 if (acceptit) { 143 packet_start(SSH2_MSG_SERVICE_ACCEPT); 144 packet_put_cstring(service); 145 packet_send(); 146 packet_write_wait(); 147 } else { 148 debug("bad service request %s", service); 149 packet_disconnect("bad service request %s", service); 150 } 151 xfree(service); 152 } 153 154 static void 155 input_userauth_request(int type, u_int32_t seq, void *ctxt) 156 { 157 Authctxt *authctxt = ctxt; 158 Authmethod *m = NULL; 159 char *user, *service, *method, *style = NULL; 160 int valid_attempt; 161 162 if (authctxt == NULL) 163 fatal("input_userauth_request: no authctxt"); 164 165 user = packet_get_string(NULL); 166 service = packet_get_string(NULL); 167 method = packet_get_string(NULL); 168 debug("userauth-request for user %s service %s method %s", user, 169 service, method); 170 debug("attempt %d initial attempt %d failures %d initial failures %d", 171 authctxt->attempt, authctxt->init_attempt, 172 authctxt->failures, authctxt->init_failures); 173 174 m = authmethod_lookup(method); 175 176 if ((style = strchr(user, ':')) != NULL) 177 *style++ = 0; 178 179 authctxt->attempt++; 180 if (m != NULL && m->is_initial) 181 authctxt->init_attempt++; 182 183 if (options.pre_userauth_hook != NULL && 184 run_auth_hook(options.pre_userauth_hook, user, m->name) != 0) { 185 valid_attempt = 0; 186 } else { 187 valid_attempt = 1; 188 } 189 190 if (authctxt->attempt == 1) { 191 /* setup auth context */ 192 authctxt->pw = getpwnamallow(user); 193 /* May want to abstract SSHv2 services someday */ 194 if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 195 /* enforced in userauth_finish() below */ 196 if (valid_attempt) { 197 authctxt->valid = 1; 198 } 199 debug2("input_userauth_request: setting up authctxt for %s", user); 200 } else { 201 log("input_userauth_request: illegal user %s", user); 202 } 203 setproctitle("%s", authctxt->pw ? user : "unknown"); 204 authctxt->user = xstrdup(user); 205 authctxt->service = xstrdup(service); 206 authctxt->style = style ? xstrdup(style) : NULL; 207 userauth_reset_methods(); 208 } else { 209 char *abandoned; 210 211 /* 212 * Check for abandoned [multi-round-trip] userauths 213 * methods (e.g., kbdint). Userauth method abandonment 214 * should be treated as userauth method failure and 215 * counted against max_auth_tries. 216 */ 217 abandoned = authmethods_check_abandonment(authctxt, m); 218 219 if (abandoned != NULL && 220 authctxt->failures > options.max_auth_tries) { 221 /* userauth_finish() will now packet_disconnect() */ 222 userauth_finish(authctxt, abandoned); 223 /* NOTREACHED */ 224 } 225 226 /* Handle user|service changes, possibly packet_disconnect() */ 227 userauth_user_svc_change(authctxt, user, service); 228 } 229 230 authctxt->method = m; 231 232 /* run userauth method, try to authenticate user */ 233 if (m != NULL && userauth_method_can_run(m)) { 234 debug2("input_userauth_request: try method %s", method); 235 236 m->postponed = 0; 237 m->abandoned = 0; 238 m->authenticated = 0; 239 240 if (!m->is_initial || 241 authctxt->init_failures < options.max_init_auth_tries) 242 m->userauth(authctxt); 243 244 authmethod_count_attempt(m); 245 246 if (authctxt->unwind_dispatch_loop) { 247 /* 248 * Method ran nested dispatch loop but was 249 * abandoned. Cleanup and return without doing 250 * anything else; we're just unwinding the stack. 251 */ 252 authctxt->unwind_dispatch_loop = 0; 253 goto done; 254 } 255 256 if (m->postponed) 257 goto done; /* multi-round trip userauth not finished */ 258 259 if (m->abandoned) { 260 /* multi-round trip userauth abandoned, log failure */ 261 auth_log(authctxt, 0, method, " ssh2"); 262 goto done; 263 } 264 } 265 266 userauth_finish(authctxt, method); 267 268 done: 269 xfree(service); 270 xfree(user); 271 xfree(method); 272 } 273 274 void 275 userauth_finish(Authctxt *authctxt, char *method) 276 { 277 int authenticated, partial; 278 279 if (authctxt == NULL) 280 fatal("%s: missing context", __func__); 281 282 /* unknown method handling -- must elicit userauth failure msg */ 283 if (authctxt->method == NULL) { 284 authenticated = 0; 285 partial = 0; 286 goto done_checking; 287 } 288 289 #ifndef USE_PAM 290 /* Special handling for root (done elsewhere for PAM) */ 291 if (authctxt->method->authenticated && 292 authctxt->pw != NULL && authctxt->pw->pw_uid == 0 && 293 !auth_root_allowed(method)) 294 authctxt->method->authenticated = 0; 295 #endif /* USE_PAM */ 296 297 #ifdef _UNICOS 298 if (authctxt->method->authenticated && 299 cray_access_denied(authctxt->user)) { 300 authctxt->method->authenticated = 0; 301 fatal("Access denied for user %s.",authctxt->user); 302 } 303 #endif /* _UNICOS */ 304 305 partial = userauth_check_partial_failure(authctxt); 306 authenticated = authctxt->method->authenticated; 307 308 #ifdef USE_PAM 309 /* 310 * If the userauth method failed to complete PAM work then force 311 * partial failure. 312 */ 313 if (authenticated && !AUTHPAM_DONE(authctxt)) 314 partial = 1; 315 #endif /* USE_PAM */ 316 317 /* 318 * To properly support invalid userauth method names we set 319 * authenticated=0, partial=0 above and know that 320 * authctxt->method == NULL. 321 * 322 * No unguarded reference to authctxt->method allowed from here. 323 * Checking authenticated != 0 is a valid guard; authctxt->method 324 * MUST NOT be NULL if authenticated. 325 */ 326 done_checking: 327 if (!authctxt->valid && authenticated) { 328 /* 329 * We get here if the PreUserauthHook fails but the 330 * user is otherwise valid. 331 * An error in the PAM handling could also get us here 332 * but we need not panic, just treat as a failure. 333 */ 334 authctxt->method->authenticated = 0; 335 authenticated = 0; 336 log("Ignoring authenticated invalid user %s", 337 authctxt->user); 338 auth_log(authctxt, 0, method, " ssh2"); 339 } 340 341 /* Log before sending the reply */ 342 auth_log(authctxt, authenticated, method, " ssh2"); 343 344 if (authenticated && !partial) { 345 346 /* turn off userauth */ 347 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 348 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 349 packet_send(); 350 packet_write_wait(); 351 /* now we can break out */ 352 authctxt->success = 1; 353 } else { 354 char *methods; 355 356 if (authctxt->method && authctxt->method->is_initial) 357 authctxt->init_failures++; 358 359 authctxt->method = NULL; 360 361 #ifdef USE_PAM 362 /* 363 * Keep track of last PAM error (or PERM_DENIED) for BSM 364 * login failure auditing, which may run after the PAM 365 * state has been cleaned up. 366 */ 367 authctxt->pam_retval = AUTHPAM_ERROR(authctxt, PAM_PERM_DENIED); 368 #endif /* USE_PAM */ 369 370 if (authctxt->failures++ > options.max_auth_tries) { 371 #ifdef HAVE_BSM 372 fatal_remove_cleanup(audit_failed_login_cleanup, 373 authctxt); 374 audit_sshd_login_failure(&ah, PAM_MAXTRIES, 375 authctxt->user); 376 #endif /* HAVE_BSM */ 377 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 378 } 379 380 #ifdef _UNICOS 381 if (strcmp(method, "password") == 0) 382 cray_login_failure(authctxt->user, IA_UDBERR); 383 #endif /* _UNICOS */ 384 packet_start(SSH2_MSG_USERAUTH_FAILURE); 385 386 /* 387 * If (partial) then authmethods_get() will return only 388 * required methods, likely only "keyboard-interactive;" 389 * (methods == NULL) implies failure, even if (partial == 1) 390 */ 391 methods = authmethods_get(); 392 packet_put_cstring(methods); 393 packet_put_char((authenticated && partial && methods) ? 1 : 0); 394 if (methods) 395 xfree(methods); 396 packet_send(); 397 packet_write_wait(); 398 } 399 } 400 401 /* get current user */ 402 403 struct passwd* 404 auth_get_user(void) 405 { 406 return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL; 407 } 408 409 #define DELIM "," 410 411 #if 0 412 static char * 413 authmethods_get_kbdint(void) 414 { 415 Buffer b; 416 int i; 417 418 for (i = 0; authmethods[i] != NULL; i++) { 419 if (strcmp(authmethods[i]->name, "keyboard-interactive") != 0) 420 continue; 421 return xstrdup(authmethods[i]->name); 422 } 423 return NULL; 424 } 425 #endif 426 427 void 428 userauth_user_svc_change(Authctxt *authctxt, char *user, char *service) 429 { 430 /* 431 * NOTE: 432 * 433 * SSHv2 services should be abstracted and service changes during 434 * userauth should be supported as per the userauth draft. In the PAM 435 * case, support for multiple SSHv2 services means that we have to 436 * format the PAM service name according to the SSHv2 service *and* the 437 * SSHv2 userauth being attempted ("passwd", "kbdint" and "other"). 438 * 439 * We'll cross that bridge when we come to it. For now disallow service 440 * changes during userauth if using PAM, but allow username changes. 441 */ 442 443 /* authctxt->service must == ssh-connection here */ 444 if (service != NULL && strcmp(service, authctxt->service) != 0) { 445 packet_disconnect("Change of service not " 446 "allowed: %s and %s", 447 authctxt->service, service); 448 } 449 if (user != NULL && authctxt->user != NULL && 450 strcmp(user, authctxt->user) == 0) 451 return; 452 453 /* All good; update authctxt */ 454 xfree(authctxt->user); 455 authctxt->user = xstrdup(user); 456 pwfree(&authctxt->pw); 457 authctxt->pw = getpwnamallow(user); 458 authctxt->valid = (authctxt->pw != NULL); 459 460 /* Forget method state; abandon postponed userauths */ 461 userauth_reset_methods(); 462 } 463 464 int 465 userauth_check_partial_failure(Authctxt *authctxt) 466 { 467 int i; 468 int required = 0; 469 int sufficient = 0; 470 471 /* 472 * v1 does not set authctxt->method 473 * partial userauth failure is a v2 concept 474 */ 475 if (authctxt->method == NULL) 476 return 0; 477 478 for (i = 0; authmethods[i] != NULL; i++) { 479 if (authmethods[i]->required) 480 required++; 481 if (authmethods[i]->sufficient) 482 sufficient++; 483 } 484 485 if (required == 0 && sufficient == 0) 486 return !authctxt->method->authenticated; 487 488 if (required == 1 && authctxt->method->required) 489 return !authctxt->method->authenticated; 490 491 if (sufficient && authctxt->method->sufficient) 492 return !authctxt->method->authenticated; 493 494 return 1; 495 } 496 497 int 498 userauth_method_can_run(Authmethod *method) 499 { 500 if (method->not_again) 501 return 0; 502 503 return 1; 504 } 505 506 static 507 void 508 userauth_reset_methods(void) 509 { 510 int i; 511 512 for (i = 0; authmethods[i] != NULL; i++) { 513 /* note: counters not reset */ 514 authmethods[i]->required = 0; 515 authmethods[i]->sufficient = 0; 516 authmethods[i]->authenticated = 0; 517 authmethods[i]->not_again = 0; 518 authmethods[i]->postponed = 0; 519 authmethods[i]->abandoned = 0; 520 } 521 } 522 523 void 524 userauth_force_kbdint(void) 525 { 526 int i; 527 528 for (i = 0; authmethods[i] != NULL; i++) { 529 authmethods[i]->required = 0; 530 authmethods[i]->sufficient = 0; 531 } 532 method_kbdint.required = 1; 533 } 534 535 /* 536 * Check to see if a previously run multi-round trip userauth method has 537 * been abandoned and call its cleanup function. 538 * 539 * Abandoned userauth method invocations are counted as userauth failures. 540 */ 541 static 542 char * 543 authmethods_check_abandonment(Authctxt *authctxt, Authmethod *method) 544 { 545 int i; 546 547 /* optimization: check current method first */ 548 if (method && method->postponed) { 549 method->postponed = 0; 550 if (method->abandon) 551 method->abandon(authctxt, method); 552 else 553 method->abandons++; 554 authctxt->failures++; /* abandonment -> failure */ 555 if (method->is_initial) 556 authctxt->init_failures++; 557 558 /* 559 * Since we check for abandonment whenever a userauth is 560 * requested we know only one method could have been 561 * in postponed state, so we can return now. 562 */ 563 return (method->name); 564 } 565 for (i = 0; authmethods[i] != NULL; i++) { 566 if (!authmethods[i]->postponed) 567 continue; 568 569 /* some method was postponed and a diff one is being started */ 570 if (method != authmethods[i]) { 571 authmethods[i]->postponed = 0; 572 if (authmethods[i]->abandon) 573 authmethods[i]->abandon(authctxt, 574 authmethods[i]); 575 else 576 authmethods[i]->abandons++; 577 authctxt->failures++; 578 if (authmethods[i]->is_initial) 579 authctxt->init_failures++; 580 return (authmethods[i]->name); /* see above */ 581 } 582 } 583 584 return NULL; 585 } 586 587 static char * 588 authmethods_get(void) 589 { 590 Buffer b; 591 char *list; 592 int i; 593 int sufficient = 0; 594 int required = 0; 595 int authenticated = 0; 596 int partial = 0; 597 598 /* 599 * If at least one method succeeded partially then at least one 600 * authmethod will be required and only required methods should 601 * continue. 602 */ 603 for (i = 0; authmethods[i] != NULL; i++) { 604 if (authmethods[i]->authenticated) 605 authenticated++; 606 if (authmethods[i]->required) 607 required++; 608 if (authmethods[i]->sufficient) 609 sufficient++; 610 } 611 612 partial = (required + sufficient) > 0; 613 614 buffer_init(&b); 615 for (i = 0; authmethods[i] != NULL; i++) { 616 if (strcmp(authmethods[i]->name, "none") == 0) 617 continue; 618 if (required && !authmethods[i]->required) 619 continue; 620 if (sufficient && !required && !authmethods[i]->sufficient) 621 continue; 622 if (authmethods[i]->not_again) 623 continue; 624 625 if (authmethods[i]->required) { 626 if (buffer_len(&b) > 0) 627 buffer_append(&b, ",", 1); 628 buffer_append(&b, authmethods[i]->name, 629 strlen(authmethods[i]->name)); 630 continue; 631 } 632 633 /* 634 * A method can be enabled (marked sufficient) 635 * dynamically provided that at least one other method 636 * has succeeded partially. 637 */ 638 if ((partial && authmethods[i]->sufficient) || 639 (authmethods[i]->enabled != NULL && 640 *(authmethods[i]->enabled) != 0)) { 641 if (buffer_len(&b) > 0) 642 buffer_append(&b, ",", 1); 643 buffer_append(&b, authmethods[i]->name, 644 strlen(authmethods[i]->name)); 645 } 646 } 647 buffer_append(&b, "\0", 1); 648 list = xstrdup(buffer_ptr(&b)); 649 buffer_free(&b); 650 return list; 651 } 652 653 static Authmethod * 654 authmethod_lookup(const char *name) 655 { 656 int i; 657 658 /* 659 * Method must be sufficient, required or enabled and must not 660 * be marked as not able to run again 661 */ 662 if (name != NULL) 663 for (i = 0; authmethods[i] != NULL; i++) 664 if (((authmethods[i]->sufficient || 665 authmethods[i]->required) || 666 (authmethods[i]->enabled != NULL && 667 *(authmethods[i]->enabled) != 0)) && 668 !authmethods[i]->not_again && 669 strcmp(name, authmethods[i]->name) == 0) 670 return authmethods[i]; 671 debug2("Unrecognized authentication method name: %s", 672 name ? name : "NULL"); 673 return NULL; 674 } 675 676 static void 677 authmethod_count_attempt(Authmethod *method) 678 { 679 if (!method) 680 fatal("Internal error in authmethod_count_attempt()"); 681 682 if (method->postponed) 683 return; 684 685 method->attempts++; 686 687 if (method->abandoned) 688 method->abandons++; 689 else if (method->authenticated) 690 method->successes++; 691 else 692 method->failures++; 693 694 return; 695 }