mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-26 05:02:18 +00:00
196 lines
5.2 KiB
C
196 lines
5.2 KiB
C
--- auth1.c.orig Wed Jun 19 02:27:55 2002
|
|
+++ auth1.c Sun Jul 7 20:36:36 2002
|
|
@@ -26,6 +26,15 @@
|
|
#include "session.h"
|
|
#include "uidswap.h"
|
|
#include "monitor_wrap.h"
|
|
+#include "canohost.h"
|
|
+
|
|
+#ifdef HAVE_LOGIN_CAP
|
|
+#include <login_cap.h>
|
|
+#endif /* HAVE_LOGIN_CAP */
|
|
+#ifdef USE_PAM
|
|
+#include "auth-pam.h"
|
|
+#include <security/pam_appl.h>
|
|
+#endif /* USE_PAM */
|
|
|
|
/* import */
|
|
extern ServerOptions options;
|
|
@@ -75,6 +84,16 @@
|
|
u_int ulen;
|
|
int type = 0;
|
|
struct passwd *pw = authctxt->pw;
|
|
+#ifdef HAVE_LOGIN_CAP
|
|
+ login_cap_t *lc;
|
|
+#endif /* HAVE_LOGIN_CAP */
|
|
+#ifdef USE_PAM
|
|
+ struct inverted_pam_cookie *pam_cookie;
|
|
+#endif /* USE_PAM */
|
|
+ const char *from_host, *from_ip;
|
|
+
|
|
+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
|
|
+ from_ip = get_remote_ipaddr();
|
|
|
|
debug("Attempting authentication for %s%.100s.",
|
|
authctxt->valid ? "" : "illegal user ", authctxt->user);
|
|
@@ -84,7 +103,11 @@
|
|
#if defined(KRB4) || defined(KRB5)
|
|
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
|
#endif
|
|
- PRIVSEP(auth_password(authctxt, ""))) {
|
|
+#ifdef USE_PAM
|
|
+ PRIVSEP(auth_pam_password(authctxt, ""))) {
|
|
+#else
|
|
+ PRIVSEP(auth_password(authctxt, ""))) {
|
|
+#endif /* USE_PAM */
|
|
auth_log(authctxt, 1, "without authentication", "");
|
|
return;
|
|
}
|
|
@@ -94,6 +117,8 @@
|
|
packet_send();
|
|
packet_write_wait();
|
|
|
|
+ client_user = NULL;
|
|
+
|
|
for (;;) {
|
|
/* default to fail */
|
|
authenticated = 0;
|
|
@@ -243,12 +268,52 @@
|
|
packet_check_eom();
|
|
|
|
/* Try authentication with the password. */
|
|
- authenticated = PRIVSEP(auth_password(authctxt, password));
|
|
+ authenticated =
|
|
+#ifdef USE_PAM
|
|
+ PRIVSEP(auth_pam_password(authctxt, password));
|
|
+#else
|
|
+ PRIVSEP(auth_password(authctxt, password));
|
|
+#endif /* USE_PAM */
|
|
|
|
memset(password, 0, strlen(password));
|
|
xfree(password);
|
|
break;
|
|
|
|
+#ifdef USE_PAM
|
|
+ case SSH_CMSG_AUTH_TIS:
|
|
+ debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM");
|
|
+ if (pw == NULL)
|
|
+ break;
|
|
+ pam_cookie = ipam_start_auth("sshd", pw->pw_name);
|
|
+ if (pam_cookie == NULL)
|
|
+ break;
|
|
+ /* We now have data available to send as a challenge */
|
|
+ if (pam_cookie->num_msg != 1 ||
|
|
+ (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OFF &&
|
|
+ pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON)) {
|
|
+ /* We got several challenges or an unknown challenge type */
|
|
+ ipam_free_cookie(pam_cookie);
|
|
+ pam_cookie = NULL;
|
|
+ break;
|
|
+ }
|
|
+ packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
|
|
+ packet_put_string(pam_cookie->msg[0]->msg, strlen(pam_cookie->msg[0]->msg));
|
|
+ packet_send();
|
|
+ packet_write_wait();
|
|
+ continue;
|
|
+ case SSH_CMSG_AUTH_TIS_RESPONSE:
|
|
+ debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
|
|
+ if (pam_cookie != NULL) {
|
|
+ char *response = packet_get_string(&dlen);
|
|
+
|
|
+ pam_cookie->resp[0]->resp = strdup(response);
|
|
+ xfree(response);
|
|
+ authenticated = ipam_complete_auth(pam_cookie);
|
|
+ ipam_free_cookie(pam_cookie);
|
|
+ pam_cookie = NULL;
|
|
+ }
|
|
+ break;
|
|
+#elif defined(SKEY)
|
|
case SSH_CMSG_AUTH_TIS:
|
|
debug("rcvd SSH_CMSG_AUTH_TIS");
|
|
if (options.challenge_response_authentication == 1) {
|
|
@@ -275,6 +340,12 @@
|
|
xfree(response);
|
|
}
|
|
break;
|
|
+#else
|
|
+ case SSH_CMSG_AUTH_TIS:
|
|
+ /* TIS Authentication is unsupported */
|
|
+ log("TIS authentication unsupported.");
|
|
+ break;
|
|
+#endif
|
|
|
|
default:
|
|
/*
|
|
@@ -284,6 +355,34 @@
|
|
log("Unknown message during authentication: type %d", type);
|
|
break;
|
|
}
|
|
+
|
|
+#ifdef HAVE_LOGIN_CAP
|
|
+ if (pw != NULL) {
|
|
+ lc = login_getpwclass(pw);
|
|
+ if (lc == NULL)
|
|
+ lc = login_getclassbyname(NULL, pw);
|
|
+ if (!auth_hostok(lc, from_host, from_ip)) {
|
|
+ log("Denied connection for %.200s from %.200s [%.200s].",
|
|
+ pw->pw_name, from_host, from_ip);
|
|
+ packet_disconnect("Sorry, you are not allowed to connect.");
|
|
+ }
|
|
+ if (!auth_timeok(lc, time(NULL))) {
|
|
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
|
|
+ pw->pw_name, from_host);
|
|
+ packet_disconnect("Logins not available right now.");
|
|
+ }
|
|
+ login_close(lc);
|
|
+ lc = NULL;
|
|
+ }
|
|
+#endif /* HAVE_LOGIN_CAP */
|
|
+#ifdef LOGIN_ACCESS
|
|
+ if (pw != NULL && !login_access(pw->pw_name, from_host)) {
|
|
+ log("Denied connection for %.200s from %.200s [%.200s].",
|
|
+ pw->pw_name, from_host, from_ip);
|
|
+ packet_disconnect("Sorry, you are not allowed to connect.");
|
|
+ }
|
|
+#endif /* LOGIN_ACCESS */
|
|
+
|
|
#ifdef BSD_AUTH
|
|
if (authctxt->as) {
|
|
auth_close(authctxt->as);
|
|
@@ -299,9 +398,23 @@
|
|
!auth_root_allowed(get_authname(type)))
|
|
authenticated = 0;
|
|
|
|
+ if (pw != NULL && pw->pw_uid == 0)
|
|
+ log("ROOT LOGIN as '%.100s' from %.100s",
|
|
+ pw->pw_name, from_host);
|
|
+
|
|
/* Log before sending the reply */
|
|
auth_log(authctxt, authenticated, get_authname(type), info);
|
|
|
|
+#ifdef USE_PAM
|
|
+ if (authenticated && !do_pam_account(pw->pw_name, client_user))
|
|
+ authenticated = 0;
|
|
+#endif
|
|
+
|
|
+ if (client_user != NULL) {
|
|
+ xfree(client_user);
|
|
+ client_user = NULL;
|
|
+ }
|
|
+
|
|
if (authenticated)
|
|
return;
|
|
|
|
@@ -354,6 +467,11 @@
|
|
authctxt->valid = 1;
|
|
else
|
|
debug("do_authentication: illegal user %s", user);
|
|
+
|
|
+#ifdef USE_PAM
|
|
+ if (authctxt->pw != NULL)
|
|
+ start_pam(authctxt->pw);
|
|
+#endif
|
|
|
|
setproctitle("%s%s", authctxt->pw ? user : "unknown",
|
|
use_privsep ? " [net]" : "");
|