summaryrefslogtreecommitdiffstats
path: root/auth2.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--auth2.c91
1 files changed, 21 insertions, 70 deletions
diff --git a/auth2.c b/auth2.c
index 271789a..67dec88 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.168 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.169 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -156,7 +156,7 @@ userauth_banner(struct ssh *ssh)
if (options.banner == NULL)
return;
- if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ if ((banner = mm_auth2_read_banner()) == NULL)
goto done;
userauth_send_banner(ssh, banner);
@@ -291,7 +291,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
auth_maxtries_exceeded(ssh);
if (authctxt->attempt++ == 0) {
/* setup auth context */
- authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
+ authctxt->pw = mm_getpwnamallow(ssh, user);
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
@@ -301,21 +301,19 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
/* Invalid user, fake password information */
authctxt->pw = fakepw();
#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
+ mm_audit_event(ssh, SSH_INVALID_USER);
#endif
}
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(ssh));
+ mm_start_pam(ssh);
#endif
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating " : "invalid ", user);
- setproctitle("%s%s", authctxt->valid ? user : "unknown",
- use_privsep ? " [net]" : "");
+ setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
- mm_inform_authserv(service, style);
+ mm_inform_authserv(service, style);
userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
@@ -379,7 +377,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
/* prefer primary authmethod name to possible synonym */
if ((m = authmethod_byname(method)) == NULL)
fatal("INTERNAL ERROR: bad method %s", method);
- method = m->name;
+ method = m->cfg->name;
}
/* Special handling for root */
@@ -387,7 +385,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
!auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_LOGIN_ROOT_DENIED));
+ mm_audit_event(ssh, SSH_LOGIN_ROOT_DENIED);
#endif
}
@@ -410,7 +408,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
#ifdef USE_PAM
if (options.use_pam && authenticated) {
- int r, success = PRIVSEP(do_pam_account());
+ int r, success = mm_do_pam_account();
/* If PAM returned a message, send it to the user. */
if (sshbuf_len(loginmsg) > 0) {
@@ -448,7 +446,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
+ mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
#endif
auth_maxtries_exceeded(ssh);
}
@@ -500,16 +498,16 @@ authmethods_get(Authctxt *authctxt)
if ((b = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
for (i = 0; authmethods[i] != NULL; i++) {
- if (strcmp(authmethods[i]->name, "none") == 0)
+ if (strcmp(authmethods[i]->cfg->name, "none") == 0)
continue;
- if (authmethods[i]->enabled == NULL ||
- *(authmethods[i]->enabled) == 0)
+ if (authmethods[i]->cfg->enabled == NULL ||
+ *(authmethods[i]->cfg->enabled) == 0)
continue;
- if (!auth2_method_allowed(authctxt, authmethods[i]->name,
+ if (!auth2_method_allowed(authctxt, authmethods[i]->cfg->name,
NULL))
continue;
if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "",
- authmethods[i]->name)) != 0)
+ authmethods[i]->cfg->name)) != 0)
fatal_fr(r, "buffer error");
}
if ((list = sshbuf_dup_string(b)) == NULL)
@@ -526,9 +524,9 @@ authmethod_byname(const char *name)
if (name == NULL)
fatal_f("NULL authentication method name");
for (i = 0; authmethods[i] != NULL; i++) {
- if (strcmp(name, authmethods[i]->name) == 0 ||
- (authmethods[i]->synonym != NULL &&
- strcmp(name, authmethods[i]->synonym) == 0))
+ if (strcmp(name, authmethods[i]->cfg->name) == 0 ||
+ (authmethods[i]->cfg->synonym != NULL &&
+ strcmp(name, authmethods[i]->cfg->synonym) == 0))
return authmethods[i];
}
debug_f("unrecognized authentication method name: %s", name);
@@ -543,11 +541,11 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
if ((method = authmethod_byname(name)) == NULL)
return NULL;
- if (method->enabled == NULL || *(method->enabled) == 0) {
+ if (method->cfg->enabled == NULL || *(method->cfg->enabled) == 0) {
debug3_f("method %s not enabled", name);
return NULL;
}
- if (!auth2_method_allowed(authctxt, method->name, NULL)) {
+ if (!auth2_method_allowed(authctxt, method->cfg->name, NULL)) {
debug3_f("method %s not allowed "
"by AuthenticationMethods", name);
return NULL;
@@ -556,53 +554,6 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
}
/*
- * Check a comma-separated list of methods for validity. Is need_enable is
- * non-zero, then also require that the methods are enabled.
- * Returns 0 on success or -1 if the methods list is invalid.
- */
-int
-auth2_methods_valid(const char *_methods, int need_enable)
-{
- char *methods, *omethods, *method, *p;
- u_int i, found;
- int ret = -1;
-
- if (*_methods == '\0') {
- error("empty authentication method list");
- return -1;
- }
- omethods = methods = xstrdup(_methods);
- while ((method = strsep(&methods, ",")) != NULL) {
- for (found = i = 0; !found && authmethods[i] != NULL; i++) {
- if ((p = strchr(method, ':')) != NULL)
- *p = '\0';
- if (strcmp(method, authmethods[i]->name) != 0)
- continue;
- if (need_enable) {
- if (authmethods[i]->enabled == NULL ||
- *(authmethods[i]->enabled) == 0) {
- error("Disabled method \"%s\" in "
- "AuthenticationMethods list \"%s\"",
- method, _methods);
- goto out;
- }
- }
- found = 1;
- break;
- }
- if (!found) {
- error("Unknown authentication method \"%s\" in list",
- method);
- goto out;
- }
- }
- ret = 0;
- out:
- free(omethods);
- return ret;
-}
-
-/*
* Prune the AuthenticationMethods supplied in the configuration, removing
* any methods lists that include disabled methods. Note that this might
* leave authctxt->num_auth_methods == 0, even when multiple required auth