
(-)auth.c (-2 / +4 lines)
Lines 268-274 Link Here
268
	    authmsg,
268
	    authmsg,
269
	    method,
269
	    method,
270
	    authctxt->valid ? "" : "invalid user ",
270
	    authctxt->valid ? "" : "invalid user ",
271
	    authctxt->user,
271
	    (authctxt->user && authctxt->user[0]) ?
272
		authctxt->user : "unknown",
272
	    get_remote_ipaddr(),
273
	    get_remote_ipaddr(),
273
	    get_remote_port(),
274
	    get_remote_port(),
274
	    info);
275
	    info);
Lines 487-493 Link Here
487
	pw = getpwnam(user);
488
	pw = getpwnam(user);
488
	if (pw == NULL) {
489
	if (pw == NULL) {
489
		logit("Invalid user %.100s from %.100s",
490
		logit("Invalid user %.100s from %.100s",
490
		    user, get_remote_ipaddr());
491
		      (user && user[0]) ? user : "unknown",
492
		      get_remote_ipaddr());
491
#ifdef CUSTOM_FAILED_LOGIN
493
#ifdef CUSTOM_FAILED_LOGIN
492
		record_failed_login(user,
494
		record_failed_login(user,
493
		    get_canonical_hostname(options.use_dns), "ssh");
495
		    get_canonical_hostname(options.use_dns), "ssh");
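Review bot: The `record_failed_login(user, …)` call two lines below the amended `logit` still passes the raw `user`, which the new guard on the `logit` line acknowledges may be NULL or empty, so whatever record_failed_login writes to its failed-login log gets an empty name while the syslog line says "unknown". Apply the same substitution there, `record_failed_login((user && user[0]) ? user : "unknown", get_canonical_hostname(options.use_dns), "ssh");`, or confirm that record_failed_login tolerates an empty name; its implementation is not visible in this diff. The `%.100s` width on the format already bounds the name, so the substitution is purely about the NULL/empty case. Both enclosing functions begin and end outside these hunks.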
(-)auth2-gss.c (-1 / +32 lines)
Lines 68-74 Link Here
68
	u_int len;
68
	u_int len;
69
	u_char *doid = NULL;
69
	u_char *doid = NULL;
70
70
71
	if (!authctxt->valid || authctxt->user == NULL)
71
	/* authctxt->valid may be 0 if we haven't yet determined
72
	   username from gssapi context. */
73
74
	if (authctxt->user == NULL)
72
		return (0);
75
		return (0);
73
76
74
	mechs = packet_get_int();
77
	mechs = packet_get_int();
Lines 217-222 Link Here
217
	gss_release_buffer(&maj_status, &send_tok);
220
	gss_release_buffer(&maj_status, &send_tok);
218
}
221
}
219
222
223
static void
224
gssapi_set_username(Authctxt *authctxt)
225
{
226
    char *lname = NULL;
227
228
    if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
229
        PRIVSEP(ssh_gssapi_localname(&lname));
230
        if (lname && lname[0] != '\0') {
231
            if (authctxt->user) xfree(authctxt->user);
232
            authctxt->user = lname;
233
            debug("set username to %s from gssapi context", lname);
234
            authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
235
            if (authctxt->pw) {
236
                authctxt->valid = 1;
237
#ifdef USE_PAM
238
                if (options.use_pam)
239
                    PRIVSEP(start_pam(authctxt));
240
#endif
241
            }
242
        } else {
243
            debug("failed to set username from gssapi context");
244
            packet_send_debug("failed to set username from gssapi context");
245
        }
246
    }
247
}
248
220
/*
249
/*
221
 * This is called when the client thinks we've completed authentication.
250
 * This is called when the client thinks we've completed authentication.
222
 * It should only be enabled in the dispatch handler by the function above,
251
 * It should only be enabled in the dispatch handler by the function above,
Lines 275-280 Link Here
275
304
276
	gssbuf.value = buffer_ptr(&b);
305
	gssbuf.value = buffer_ptr(&b);
277
	gssbuf.length = buffer_len(&b);
306
	gssbuf.length = buffer_len(&b);
307
308
	gssapi_set_username(authctxt);
278
309
279
	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
310
	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
280
		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
311
		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
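Review bot: The `else` branch of `gssapi_set_username` leaks the string returned by the privsep wrapper: `mm_ssh_gssapi_localname` always hands back a heap string, with `""` when the mapping failed, so `lname` is non-NULL but empty there and is never freed; add `if (lname) xfree(lname);` in that branch (the guard matters because the in-process `ssh_gssapi_localname` leaves `lname` NULL on failure, and the `if (authctxt->user) xfree(...)` pattern just above suggests xfree is not NULL-safe). Separately, when `getpwnamallow` rejects the mapped name, `authctxt->pw` is overwritten with NULL while `authctxt->user` now carries the mapped name; the placeholder auth2.c installs for this flow is `fakepw()`, so restore it with `else authctxt->pw = fakepw();` unless every later reader of `pw` on the unauthenticated path is known to tolerate NULL, which this diff does not show. The relaxed entry check in userauth_gssapi (first hunk) also lets a request for a rejected, non-empty username proceed into the token exchange where it used to fail immediately; if that is not intended, `if (authctxt->user == NULL || (!authctxt->valid && authctxt->user[0] != '\0')) return (0);` keeps the old behaviour while still admitting the empty-name case. input_gssapi_mic begins and ends outside these hunks.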
(-)auth2.c (-11 / +36 lines)
Lines 160-170 Link Here
160
	if ((style = strchr(user, ':')) != NULL)
160
	if ((style = strchr(user, ':')) != NULL)
161
		*style++ = 0;
161
		*style++ = 0;
162
162
163
	if (authctxt->attempt++ == 0) {
163
	/* If first time or username changed or empty username,
164
		/* setup auth context */
164
	   setup/reset authentication context. */
165
	if ((authctxt->attempt++ == 0) ||
166
	    (strcmp(user, authctxt->user) != 0) ||
167
	    (strcmp(user, "") == 0)) {
168
		if (authctxt->user) {
169
		    xfree(authctxt->user);
170
		    authctxt->user = NULL;
171
		}
172
		authctxt->valid = 0;
173
        authctxt->user = xstrdup(user);
174
        if (strcmp(service, "ssh-connection") != 0) {
175
            packet_disconnect("Unsupported service %s", service);
176
        }
177
#ifdef GSSAPI
178
		/* If we're going to set the username based on the
179
		   GSSAPI context later, then wait until then to
180
		   verify it. Just put in placeholders for now. */
181
		if ((strcmp(user, "") == 0) &&
182
		    (strcmp(method, "gssapi-with-mic") == 0)) {
183
			authctxt->pw = fakepw();
184
		} else {
185
#endif
165
		authctxt->pw = PRIVSEP(getpwnamallow(user));
186
		authctxt->pw = PRIVSEP(getpwnamallow(user));
166
		authctxt->user = xstrdup(user);
187
		if (authctxt->pw) {
167
		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
168
			authctxt->valid = 1;
188
			authctxt->valid = 1;
169
			debug2("input_userauth_request: setting up authctxt for %s", user);
189
			debug2("input_userauth_request: setting up authctxt for %s", user);
170
		} else {
190
		} else {
Lines 178-192 Link Here
178
		if (options.use_pam)
198
		if (options.use_pam)
179
			PRIVSEP(start_pam(authctxt));
199
			PRIVSEP(start_pam(authctxt));
180
#endif
200
#endif
201
#ifdef GSSAPI
202
		} /* endif for setting username based on GSSAPI context */
203
#endif
181
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
204
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
182
		    use_privsep ? " [net]" : "");
205
		    use_privsep ? " [net]" : "");
183
		authctxt->service = xstrdup(service);
206
		if (authctxt->attempt == 1) {
184
		authctxt->style = style ? xstrdup(style) : NULL;
207
            authctxt->service = xstrdup(service);
185
		if (use_privsep)
208
            authctxt->style = style ? xstrdup(style) : NULL;
186
			mm_inform_authserv(service, style);
209
            if (use_privsep)
187
	} else if (strcmp(user, authctxt->user) != 0 ||
210
                mm_inform_authserv(service, style);
188
	    strcmp(service, authctxt->service) != 0) {
211
		}
189
		packet_disconnect("Change of username or service not allowed: "
212
	}
213
	if (strcmp(service, authctxt->service) != 0) {
214
		packet_disconnect("Change of service not allowed: "
190
		    "(%s,%s) -> (%s,%s)",
215
		    "(%s,%s) -> (%s,%s)",
191
		    authctxt->user, authctxt->service, user, service);
216
		    authctxt->user, authctxt->service, user, service);
192
	}
217
	}
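Review bot: The reset branch at the top of the first hunk clears `user`, `valid` and `pw` when the username changes, but `authctxt->style` and `authctxt->service` are still captured only when `attempt == 1` (and `mm_inform_authserv` is only sent then), so a later request for `user:otherstyle` silently gets the new user with the first request's style, where the code it replaces disconnected on any username change. Treat a changed style like the changed-service case at the end of the second hunk, or reset `authctxt->style` alongside `authctxt->user` in the reset branch. Allowing the username to change also turns one connection into a probe for many accounts; `authctxt->attempt` still increments on every request, so MaxAuthTries presumably still bounds this, but that check is outside these hunks. input_userauth_request begins and ends outside the hunks.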
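--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -109,6 +109,35 @@
 }
 
 
+/* Retrieve the local username associated with a set of Kerberos 
+ * credentials. Hopefully we can use this for the 'empty' username
+ * logins discussed in the draft  */
+static int
+ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
+	krb5_principal princ;
+	int retval;
+	
+	if (ssh_gssapi_krb5_init() == 0)
+		return 0;
+
+	if ((retval=krb5_parse_name(krb_context, client->displayname.value, 
+				    &princ))) {
+		logit("krb5_parse_name(): %.100s", 
+			krb5_get_err_text(krb_context,retval));
+		return 0;
+	}
+	
+	/* We've got to return a malloc'd string */
+	*user = (char *)xmalloc(256);
+	if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
+		xfree(*user);
+		*user = NULL;
+		return(0);
+	}
+	
+	return(1);
+}
+	
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
 
@@ -190,7 +219,7 @@
 	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
 	NULL,
 	&ssh_gssapi_krb5_userok,
-	NULL,
+	&ssh_gssapi_krb5_localname,
 	&ssh_gssapi_krb5_storecreds
 };
 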
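Review bot: `ssh_gssapi_krb5_localname` never releases the principal it parses: `princ` from `krb5_parse_name` is leaked on both the failure and the success path of `krb5_aname_to_localname`, and since this runs in the privileged monitor once per GSSAPI MIC attempt it accumulates for the life of the connection; add `krb5_free_principal(krb_context, princ);` immediately after the `krb5_aname_to_localname` call, before either return. The function also hands `client->displayname.value` to `krb5_parse_name` as a C string, which relies on the display-name buffer being NUL-terminated; gss_display_name does not guarantee that in general, so either confirm the mechanism always terminates it or copy `displayname.length` bytes into a terminated buffer first. A one-line comment that `*user` is xmalloc'd and owned by the caller on a return of 1 would document the contract the monitor's `xfree(name)` relies on.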
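--- a/gss-serv.c
+++ b/gss-serv.c
@@ -313,4 +313,22 @@
 	return (ctx->major);
 }
 
+/* Priviledged */
+int
+ssh_gssapi_localname(char **user)
+{
+    	*user = NULL;
+	if (gssapi_client.displayname.length==0 || 
+	    gssapi_client.displayname.value==NULL) {
+		debug("No suitable client data");
+		return(0);;
+	}
+	if (gssapi_client.mech && gssapi_client.mech->localname) {
+		return((*gssapi_client.mech->localname)(&gssapi_client,user));
+	} else {
+		debug("Unknown client authentication type");
+	}
+	return(0);
+}
+
 #endif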
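Review bot: The early exit in `ssh_gssapi_localname` has a stray second semicolon, `return(0);;`, and the header comment misspells `/* Privileged */`. More usefully, the function's contract is only implied by the krb5 backend it dispatches to: on a non-zero return `*user` is a heap string the caller must free, on zero it is NULL; spell that out in the header comment, since `mm_answer_gss_localname` relies on exactly that to decide whether to `xfree(name)`, and a future backend that returned a static buffer would break it silently.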
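--- a/monitor.c
+++ b/monitor.c
@@ -162,6 +162,7 @@
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
+int mm_answer_gss_localname(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
 #endif
 
@@ -202,12 +203,12 @@
 struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
-    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+    {MONITOR_REQ_PWNAM, MON_AUTH, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
     {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
     {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
     {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
@@ -231,6 +232,7 @@
     {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+    {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname},
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
 #endif
     {0, 0, NULL}
@@ -609,13 +611,11 @@
 
 	debug3("%s", __func__);
 
-	if (authctxt->attempt++ != 0)
-		fatal("%s: multiple attempts for getpwnam", __func__);
-
 	username = buffer_get_string(m, NULL);
 
 	pwent = getpwnamallow(username);
 
+	if (authctxt->user) xfree(authctxt->user);
 	authctxt->user = xstrdup(username);
 	setproctitle("%s [priv]", pwent ? username : "unknown");
 	xfree(username);
@@ -1950,5 +1950,26 @@
 
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
+}
+
+int
+mm_answer_gss_localname(int socket, Buffer *m) {
+	char *name;
+
+	ssh_gssapi_localname(&name);
+
+    buffer_clear(m);
+	if (name) {
+	    buffer_put_cstring(m, name);
+	    debug3("%s: sending result %s", __func__, name);
+	    xfree(name);
+	} else {
+	    buffer_put_cstring(m, "");
+	    debug3("%s: sending result \"\"", __func__);
+	}
+
+    mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m);
+
+    return(0);
 }
 #endif /* GSSAPI */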
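Review bot: Turning MONITOR_REQ_PWNAM into a MON_AUTH request means `mm_answer_pwnamallow` can now run several times per connection, yet the hunk only resets `authctxt->user`; if the remainder of the function (outside the hunk) still only ever sets `authctxt->valid = 1` on a successful lookup, as the original single-shot version could afford to, then a first request for an existing user followed by one for a nonexistent name leaves the monitor's `authctxt->valid` at 1 while `pw` presumably points at the placeholder entry, and every monitor-side decision gated on `valid` (the password and GSSAPI userok answers, for instance) sees a stale value for the wrong user. Reset it next to the user, `authctxt->valid = 0;` right after the `xstrdup`, and release the previous `authctxt->pw` copy at the same point instead of letting repeated lookups leak it. `mm_answer_gss_localname` ignores the return value of `ssh_gssapi_localname` and relies on `name` being NULL on failure, which the visible implementation does guarantee, so that part is fine as written.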
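--- a/monitor.h
+++ b/monitor.h
@@ -52,6 +52,7 @@
 	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
+	MONITOR_REQ_GSSLOCALNAME, MONITOR_ANS_GSSLOCALNAME,
 	MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,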
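--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1224,4 +1224,28 @@
 	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
 	return (authenticated);
 }
+
+int
+mm_ssh_gssapi_localname(char **lname)
+{
+        Buffer m;
+
+	buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSLOCALNAME, &m);
+
+        debug3("%s: waiting for MONITOR_ANS_GSSLOCALNAME", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSLOCALNAME,
+                                  &m);
+
+	*lname = buffer_get_string(&m, NULL);
+
+        buffer_free(&m);
+	if (lname[0] == '\0') {
+	    debug3("%s: gssapi identity mapping failed", __func__);
+	} else {
+	    debug3("%s: gssapi identity mapped to %s", __func__, *lname);
+	}
+	
+        return(0);
+}	
 #endif /* GSSAPI */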
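Review bot: `if (lname[0] == '\0')` in `mm_ssh_gssapi_localname` tests the wrong object: `lname` is a `char **`, so `lname[0]` is the string pointer itself and comparing it with `'\0'` is a null-pointer check that `buffer_get_string` never satisfies, which makes the failure branch dead and logs a failed mapping as "mapped to" with an empty name. The intended test is `(*lname)[0] == '\0'`, and while fixing it the function should free the empty string, hand back NULL and return 0/1, so that it matches the contract of the in-process `ssh_gssapi_localname` and callers can treat both implementations alike instead of inspecting the string; as written it always returns 0, so the PRIVSEP result is meaningless to its caller. The rewritten tail would look like this:
```c
	*lname = buffer_get_string(&m, NULL);
	buffer_free(&m);

	if ((*lname)[0] == '\0') {
		debug3("%s: gssapi identity mapping failed", __func__);
		xfree(*lname);
		*lname = NULL;
		return (0);
	}
	debug3("%s: gssapi identity mapped to %s", __func__, *lname);
	return (1);
```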
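--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -58,6 +58,7 @@
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
 int mm_ssh_gssapi_userok(char *user);
+int mm_ssh_gssapi_localname(char **user);
 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 #endif
 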
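--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -122,6 +122,7 @@
 
 /* In the server */
 int ssh_gssapi_userok(char *name);
+int ssh_gssapi_localname(char **name);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);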
