summaryrefslogtreecommitdiffstats
path: root/auth2-methods.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 07:43:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 07:43:00 +0000
commitc7042a16e2e4aac1030d8785c2c874d6a309b06a (patch)
tree5cc2a7944ee7d0073ecb2ae03b28fdbc4630a484 /auth2-methods.c
parentAdding upstream version 1:9.7p1. (diff)
downloadopenssh-c7042a16e2e4aac1030d8785c2c874d6a309b06a.tar.xz
openssh-c7042a16e2e4aac1030d8785c2c874d6a309b06a.zip
Adding upstream version 1:9.8p1.upstream/1%9.8p1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'auth2-methods.c')
-rw-r--r--auth2-methods.c134
1 files changed, 134 insertions, 0 deletions
diff --git a/auth2-methods.c b/auth2-methods.c
new file mode 100644
index 0000000..99637a8
--- /dev/null
+++ b/auth2-methods.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include "xmalloc.h"
+#include "hostfile.h"
+#include "auth.h"
+
+extern ServerOptions options;
+
+/*
+ * Configuration of enabled authentication methods. Separate from the rest of
+ * auth2-*.c because we want to query it during server configuration validity
+ * checking in the sshd listener process without pulling all the auth code in
+ * too.
+ */
+
+/* "none" is allowed only one time and it is cleared by userauth_none() later */
+int none_enabled = 1;
+struct authmethod_cfg methodcfg_none = {
+ "none",
+ NULL,
+ &none_enabled
+};
+struct authmethod_cfg methodcfg_pubkey = {
+ "publickey",
+ "publickey-hostbound-v00@openssh.com",
+ &options.pubkey_authentication
+};
+#ifdef GSSAPI
+struct authmethod_cfg methodcfg_gssapi = {
+ "gssapi-with-mic",
+ NULL,
+ &options.gss_authentication
+};
+#endif
+struct authmethod_cfg methodcfg_passwd = {
+ "password",
+ NULL,
+ &options.password_authentication
+};
+struct authmethod_cfg methodcfg_kbdint = {
+ "keyboard-interactive",
+ NULL,
+ &options.kbd_interactive_authentication
+};
+struct authmethod_cfg methodcfg_hostbased = {
+ "hostbased",
+ NULL,
+ &options.hostbased_authentication
+};
+
+static struct authmethod_cfg *authmethod_cfgs[] = {
+ &methodcfg_none,
+ &methodcfg_pubkey,
+#ifdef GSSAPI
+ &methodcfg_gssapi,
+#endif
+ &methodcfg_passwd,
+ &methodcfg_kbdint,
+ &methodcfg_hostbased,
+ NULL
+};
+
+/*
+ * Check a comma-separated list of methods for validity. If need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+ char *methods, *omethods, *method, *p;
+ u_int i, found;
+ int ret = -1;
+ const struct authmethod_cfg *cfg;
+
+ if (*_methods == '\0') {
+ error("empty authentication method list");
+ return -1;
+ }
+ omethods = methods = xstrdup(_methods);
+ while ((method = strsep(&methods, ",")) != NULL) {
+ for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
+ cfg = authmethod_cfgs[i];
+ if ((p = strchr(method, ':')) != NULL)
+ *p = '\0';
+ if (strcmp(method, cfg->name) != 0)
+ continue;
+ if (need_enable) {
+ if (cfg->enabled == NULL ||
+ *(cfg->enabled) == 0) {
+ error("Disabled method \"%s\" in "
+ "AuthenticationMethods list \"%s\"",
+ method, _methods);
+ goto out;
+ }
+ }
+ found = 1;
+ break;
+ }
+ if (!found) {
+ error("Unknown authentication method \"%s\" in list",
+ method);
+ goto out;
+ }
+ }
+ ret = 0;
+ out:
+ free(omethods);
+ return ret;
+}