diff options
Diffstat (limited to '')
-rw-r--r-- | auth2.c | 91 |
1 files changed, 21 insertions, 70 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.168 2023/12/18 14:45:49 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.169 2024/05/17 00:30:23 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -156,7 +156,7 @@ userauth_banner(struct ssh *ssh) if (options.banner == NULL) return; - if ((banner = PRIVSEP(auth2_read_banner())) == NULL) + if ((banner = mm_auth2_read_banner()) == NULL) goto done; userauth_send_banner(ssh, banner); @@ -291,7 +291,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) auth_maxtries_exceeded(ssh); if (authctxt->attempt++ == 0) { /* setup auth context */ - authctxt->pw = PRIVSEP(getpwnamallow(ssh, user)); + authctxt->pw = mm_getpwnamallow(ssh, user); authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; @@ -301,21 +301,19 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) /* Invalid user, fake password information */ authctxt->pw = fakepw(); #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); + mm_audit_event(ssh, SSH_INVALID_USER); #endif } #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(ssh)); + mm_start_pam(ssh); #endif ssh_packet_set_log_preamble(ssh, "%suser %s", authctxt->valid ? "authenticating " : "invalid ", user); - setproctitle("%s%s", authctxt->valid ? user : "unknown", - use_privsep ? " [net]" : ""); + setproctitle("%s [net]", authctxt->valid ? user : "unknown"); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; - if (use_privsep) - mm_inform_authserv(service, style); + mm_inform_authserv(service, style); userauth_banner(ssh); if ((r = kex_server_update_ext_info(ssh)) != 0) fatal_fr(r, "kex_server_update_ext_info failed"); @@ -379,7 +377,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, /* prefer primary authmethod name to possible synonym */ if ((m = authmethod_byname(method)) == NULL) fatal("INTERNAL ERROR: bad method %s", method); - method = m->name; + method = m->cfg->name; } /* Special handling for root */ @@ -387,7 +385,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, !auth_root_allowed(ssh, method)) { authenticated = 0; #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_LOGIN_ROOT_DENIED)); + mm_audit_event(ssh, SSH_LOGIN_ROOT_DENIED); #endif } @@ -410,7 +408,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, #ifdef USE_PAM if (options.use_pam && authenticated) { - int r, success = PRIVSEP(do_pam_account()); + int r, success = mm_do_pam_account(); /* If PAM returned a message, send it to the user. */ if (sshbuf_len(loginmsg) > 0) { @@ -448,7 +446,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method, authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); + mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES); #endif auth_maxtries_exceeded(ssh); } @@ -500,16 +498,16 @@ authmethods_get(Authctxt *authctxt) if ((b = sshbuf_new()) == NULL) fatal_f("sshbuf_new failed"); for (i = 0; authmethods[i] != NULL; i++) { - if (strcmp(authmethods[i]->name, "none") == 0) + if (strcmp(authmethods[i]->cfg->name, "none") == 0) continue; - if (authmethods[i]->enabled == NULL || - *(authmethods[i]->enabled) == 0) + if (authmethods[i]->cfg->enabled == NULL || + *(authmethods[i]->cfg->enabled) == 0) continue; - if (!auth2_method_allowed(authctxt, authmethods[i]->name, + if (!auth2_method_allowed(authctxt, authmethods[i]->cfg->name, NULL)) continue; if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "", - authmethods[i]->name)) != 0) + authmethods[i]->cfg->name)) != 0) fatal_fr(r, "buffer error"); } if ((list = sshbuf_dup_string(b)) == NULL) @@ -526,9 +524,9 @@ authmethod_byname(const char *name) if (name == NULL) fatal_f("NULL authentication method name"); for (i = 0; authmethods[i] != NULL; i++) { - if (strcmp(name, authmethods[i]->name) == 0 || - (authmethods[i]->synonym != NULL && - strcmp(name, authmethods[i]->synonym) == 0)) + if (strcmp(name, authmethods[i]->cfg->name) == 0 || + (authmethods[i]->cfg->synonym != NULL && + strcmp(name, authmethods[i]->cfg->synonym) == 0)) return authmethods[i]; } debug_f("unrecognized authentication method name: %s", name); @@ -543,11 +541,11 @@ authmethod_lookup(Authctxt *authctxt, const char *name) if ((method = authmethod_byname(name)) == NULL) return NULL; - if (method->enabled == NULL || *(method->enabled) == 0) { + if (method->cfg->enabled == NULL || *(method->cfg->enabled) == 0) { debug3_f("method %s not enabled", name); return NULL; } - if (!auth2_method_allowed(authctxt, method->name, NULL)) { + if (!auth2_method_allowed(authctxt, method->cfg->name, NULL)) { debug3_f("method %s not allowed " "by AuthenticationMethods", name); return NULL; @@ -556,53 +554,6 @@ authmethod_lookup(Authctxt *authctxt, const char *name) } /* - * Check a comma-separated list of methods for validity. Is need_enable is - * non-zero, then also require that the methods are enabled. - * Returns 0 on success or -1 if the methods list is invalid. - */ -int -auth2_methods_valid(const char *_methods, int need_enable) -{ - char *methods, *omethods, *method, *p; - u_int i, found; - int ret = -1; - - if (*_methods == '\0') { - error("empty authentication method list"); - return -1; - } - omethods = methods = xstrdup(_methods); - while ((method = strsep(&methods, ",")) != NULL) { - for (found = i = 0; !found && authmethods[i] != NULL; i++) { - if ((p = strchr(method, ':')) != NULL) - *p = '\0'; - if (strcmp(method, authmethods[i]->name) != 0) - continue; - if (need_enable) { - if (authmethods[i]->enabled == NULL || - *(authmethods[i]->enabled) == 0) { - error("Disabled method \"%s\" in " - "AuthenticationMethods list \"%s\"", - method, _methods); - goto out; - } - } - found = 1; - break; - } - if (!found) { - error("Unknown authentication method \"%s\" in list", - method); - goto out; - } - } - ret = 0; - out: - free(omethods); - return ret; -} - -/* * Prune the AuthenticationMethods supplied in the configuration, removing * any methods lists that include disabled methods. Note that this might * leave authctxt->num_auth_methods == 0, even when multiple required auth |