Merging upstream version 1:9.8p1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-08-26 07:43:00 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-08-26 07:43:00 +0000
commit: f74e883352a52dd3ed454627dc159aa65f98d7f3 (patch)
tree: ef77b7637e7135f0f61cad9ae9923215ed60066b /auth2.c
parent: Adding debian version 1:9.7p1-7. (diff)
download: openssh-f74e883352a52dd3ed454627dc159aa65f98d7f3.tar.xz
openssh-f74e883352a52dd3ed454627dc159aa65f98d7f3.zip
1 files changed, 21 insertions, 70 deletions
diff --git a/auth2.c b/auth2.c
index 271789a..67dec88 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.168 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.169 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -156,7 +156,7 @@ userauth_banner(struct ssh *ssh)
 	if (options.banner == NULL)
 		return;
 
-	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+	if ((banner = mm_auth2_read_banner()) == NULL)
 		goto done;
 	userauth_send_banner(ssh, banner);
 
@@ -291,7 +291,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 		auth_maxtries_exceeded(ssh);
 	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
-		authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
+		authctxt->pw = mm_getpwnamallow(ssh, user);
 		authctxt->user = xstrdup(user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
@@ -301,21 +301,19 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 			/* Invalid user, fake password information */
 			authctxt->pw = fakepw();
 #ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
+			mm_audit_event(ssh, SSH_INVALID_USER);
 #endif
 		}
 #ifdef USE_PAM
 		if (options.use_pam)
-			PRIVSEP(start_pam(ssh));
+			mm_start_pam(ssh);
 #endif
 		ssh_packet_set_log_preamble(ssh, "%suser %s",
 		    authctxt->valid ? "authenticating " : "invalid ", user);
-		setproctitle("%s%s", authctxt->valid ? user : "unknown",
-		    use_privsep ? " [net]" : "");
+		setproctitle("%s [net]", authctxt->valid ? user : "unknown");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
-			mm_inform_authserv(service, style);
+		mm_inform_authserv(service, style);
 		userauth_banner(ssh);
 		if ((r = kex_server_update_ext_info(ssh)) != 0)
 			fatal_fr(r, "kex_server_update_ext_info failed");
@@ -379,7 +377,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 		/* prefer primary authmethod name to possible synonym */
 		if ((m = authmethod_byname(method)) == NULL)
 			fatal("INTERNAL ERROR: bad method %s", method);
-		method = m->name;
+		method = m->cfg->name;
 	}
 
 	/* Special handling for root */
@@ -387,7 +385,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 	    !auth_root_allowed(ssh, method)) {
 		authenticated = 0;
 #ifdef SSH_AUDIT_EVENTS
-		PRIVSEP(audit_event(ssh, SSH_LOGIN_ROOT_DENIED));
+		mm_audit_event(ssh, SSH_LOGIN_ROOT_DENIED);
 #endif
 	}
 
@@ -410,7 +408,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
-		int r, success = PRIVSEP(do_pam_account());
+		int r, success = mm_do_pam_account();
 
 		/* If PAM returned a message, send it to the user. */
 		if (sshbuf_len(loginmsg) > 0) {
@@ -448,7 +446,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 			authctxt->failures++;
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
+			mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
 #endif
 			auth_maxtries_exceeded(ssh);
 		}
@@ -500,16 +498,16 @@ authmethods_get(Authctxt *authctxt)
 	if ((b = sshbuf_new()) == NULL)
 		fatal_f("sshbuf_new failed");
 	for (i = 0; authmethods[i] != NULL; i++) {
-		if (strcmp(authmethods[i]->name, "none") == 0)
+		if (strcmp(authmethods[i]->cfg->name, "none") == 0)
 			continue;
-		if (authmethods[i]->enabled == NULL ||
-		    *(authmethods[i]->enabled) == 0)
+		if (authmethods[i]->cfg->enabled == NULL ||
+		    *(authmethods[i]->cfg->enabled) == 0)
 			continue;
-		if (!auth2_method_allowed(authctxt, authmethods[i]->name,
+		if (!auth2_method_allowed(authctxt, authmethods[i]->cfg->name,
 		    NULL))
 			continue;
 		if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "",
-		    authmethods[i]->name)) != 0)
+		    authmethods[i]->cfg->name)) != 0)
 			fatal_fr(r, "buffer error");
 	}
 	if ((list = sshbuf_dup_string(b)) == NULL)
@@ -526,9 +524,9 @@ authmethod_byname(const char *name)
 	if (name == NULL)
 		fatal_f("NULL authentication method name");
 	for (i = 0; authmethods[i] != NULL; i++) {
-		if (strcmp(name, authmethods[i]->name) == 0 ||
-		    (authmethods[i]->synonym != NULL &&
-		    strcmp(name, authmethods[i]->synonym) == 0))
+		if (strcmp(name, authmethods[i]->cfg->name) == 0 ||
+		    (authmethods[i]->cfg->synonym != NULL &&
+		    strcmp(name, authmethods[i]->cfg->synonym) == 0))
 			return authmethods[i];
 	}
 	debug_f("unrecognized authentication method name: %s", name);
@@ -543,11 +541,11 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 	if ((method = authmethod_byname(name)) == NULL)
 		return NULL;
 
-	if (method->enabled == NULL || *(method->enabled) == 0) {
+	if (method->cfg->enabled == NULL || *(method->cfg->enabled) == 0) {
 		debug3_f("method %s not enabled", name);
 		return NULL;
 	}
-	if (!auth2_method_allowed(authctxt, method->name, NULL)) {
+	if (!auth2_method_allowed(authctxt, method->cfg->name, NULL)) {
 		debug3_f("method %s not allowed "
 		    "by AuthenticationMethods", name);
 		return NULL;
@@ -556,53 +554,6 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 }
 
 /*
- * Check a comma-separated list of methods for validity. Is need_enable is
- * non-zero, then also require that the methods are enabled.
- * Returns 0 on success or -1 if the methods list is invalid.
- */
-int
-auth2_methods_valid(const char *_methods, int need_enable)
-{
-	char *methods, *omethods, *method, *p;
-	u_int i, found;
-	int ret = -1;
-
-	if (*_methods == '\0') {
-		error("empty authentication method list");
-		return -1;
-	}
-	omethods = methods = xstrdup(_methods);
-	while ((method = strsep(&methods, ",")) != NULL) {
-		for (found = i = 0; !found && authmethods[i] != NULL; i++) {
-			if ((p = strchr(method, ':')) != NULL)
-				*p = '\0';
-			if (strcmp(method, authmethods[i]->name) != 0)
-				continue;
-			if (need_enable) {
-				if (authmethods[i]->enabled == NULL ||
-				    *(authmethods[i]->enabled) == 0) {
-					error("Disabled method \"%s\" in "
-					    "AuthenticationMethods list \"%s\"",
-					    method, _methods);
-					goto out;
-				}
-			}
-			found = 1;
-			break;
-		}
-		if (!found) {
-			error("Unknown authentication method \"%s\" in list",
-			    method);
-			goto out;
-		}
-	}
-	ret = 0;
- out:
-	free(omethods);
-	return ret;
-}
-
-/*
  * Prune the AuthenticationMethods supplied in the configuration, removing
  * any methods lists that include disabled methods. Note that this might
  * leave authctxt->num_auth_methods == 0, even when multiple required auth
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-08-26 07:43:00 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-08-26 07:43:00 +0000
commit	f74e883352a52dd3ed454627dc159aa65f98d7f3 (patch)
tree	ef77b7637e7135f0f61cad9ae9923215ed60066b /auth2.c
parent	Adding debian version 1:9.7p1-7. (diff)
download	openssh-f74e883352a52dd3ed454627dc159aa65f98d7f3.tar.xz openssh-f74e883352a52dd3ed454627dc159aa65f98d7f3.zip