- Replacement for setproctitle() - HP-UX support only currently

- Replacement for setproctitle() - HP-UX support only currently

- Improve PAM support (a pam_lastlog module will cause sshd to exit)

- Improve PAM support (a pam_lastlog module will cause sshd to exit)

  and maybe support alternate forms of authentications like OPIE via

  and maybe support alternate forms of authentications like OPIE via

  pam?

  pam?

/* from environment and PATH */

/* from environment and PATH */

#undef LOGIN_PROGRAM_FALLBACK

#undef LOGIN_PROGRAM_FALLBACK

/* Define if your password has a pw_class field */

/* Define if your password has a pw_class field */

#undef HAVE_PW_CLASS_IN_PASSWD

#undef HAVE_PW_CLASS_IN_PASSWD

/* states for do_pam_conversation() */

/* states for do_pam_conversation() */

enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;

enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;

/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */

/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */

/* remember whether the last pam_authenticate() succeeded or not */

/* remember whether the last pam_authenticate() succeeded or not */

static int was_authenticated = 0;

static int was_authenticated = 0;

		case PAM_NEW_AUTHTOK_REQD:

		case PAM_NEW_AUTHTOK_REQD:

			message_cat(&__pam_msg, use_privsep ?

			message_cat(&__pam_msg, use_privsep ?

			    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);

			    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);

			break;

			break;

#endif

#endif

		default:

		default:

#include "log.h"

#include "log.h"

#include "servconf.h"

#include "servconf.h"

#include "auth.h"

#include "auth.h"

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

/* Don't need any of these headers for the PAM or SIA cases */

/* Don't need any of these headers for the PAM or SIA cases */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

extern ServerOptions options;

extern ServerOptions options;

/*

/*

 * Tries to authenticate the user using password.  Returns true if

 * Tries to authenticate the user using password.  Returns true if

	/* deny if no user. */

	/* deny if no user. */

	if (pw == NULL)

	if (pw == NULL)

		return 0;

		return 0;

#ifndef HAVE_CYGWIN

#ifndef HAVE_CYGWIN

       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)

       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)

		return 0;

		return 0;

#endif

#endif

#ifdef WITH_AIXAUTHENTICATE

#ifdef WITH_AIXAUTHENTICATE

	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	        /* We don't have a pty yet, so just label the line as "ssh" */

	        /* We don't have a pty yet, so just label the line as "ssh" */

	        if (loginsuccess(authctxt->user,

	        if (loginsuccess(authctxt->user,

	return(authsuccess);

	return(authsuccess);

#endif

#endif

	/* Authentication is accepted if the encrypted passwords are identical. */

	/* Authentication is accepted if the encrypted passwords are identical. */

	return (strcmp(encrypted_password, pw_password) == 0);

	return (strcmp(encrypted_password, pw_password) == 0);

#endif /* !USE_PAM && !HAVE_OSF_SIA */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

}

}

/* Debugging messages */

/* Debugging messages */

Buffer auth_debug;

Buffer auth_debug;

int auth_debug_init;

int auth_debug_init;

/*

/*

 * Check if the user is allowed to log in via ssh. If user is listed

 * Check if the user is allowed to log in via ssh. If user is listed

	const char *hostname = NULL, *ipaddr = NULL, *passwd;

	const char *hostname = NULL, *ipaddr = NULL, *passwd;

	char *shell;

	char *shell;

	int i;

	int i;

#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)

#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)

	struct spwd *spw;

	struct spwd *spw;

#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)

#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)

	 * PermitRootLogin to control logins via ssh), or if running as

	 * PermitRootLogin to control logins via ssh), or if running as

	 * non-root user (since loginrestrictions will always fail).

	 * non-root user (since loginrestrictions will always fail).

	 */

	 */

		int loginrestrict_errno = errno;

		int loginrestrict_errno = errno;

			}

			}

	}

	}

#endif /* WITH_AIXAUTHENTICATE */

#endif /* WITH_AIXAUTHENTICATE */

	/* We found no reason not to let this user try to log on... */

	/* We found no reason not to let this user try to log on... */

#endif

#endif

	struct passwd *pw;

	struct passwd *pw;

	pw = getpwnam(user);

	pw = getpwnam(user);

	if (pw == NULL) {

	if (pw == NULL) {

		log("Illegal user %.100s from %.100s",

		log("Illegal user %.100s from %.100s",

int	 auth_rhosts_rsa(struct passwd *, char *, Key *);

int	 auth_rhosts_rsa(struct passwd *, char *, Key *);

int      auth_password(Authctxt *, const char *);

int      auth_password(Authctxt *, const char *);

int      auth_rsa(struct passwd *, BIGNUM *);

int      auth_rsa(struct passwd *, BIGNUM *);

int      auth_rsa_challenge_dialog(Key *);

int      auth_rsa_challenge_dialog(Key *);

BIGNUM	*auth_rsa_generate_challenge(Key *);

BIGNUM	*auth_rsa_generate_challenge(Key *);

void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

void	 auth_debug_send(void);

void	 auth_debug_send(void);

void	 auth_debug_reset(void);

void	 auth_debug_reset(void);

#define AUTH_FAIL_MAX 6

#define AUTH_FAIL_MAX 6

#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)

#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)

	fi

	fi

fi

fi

if test -z "$LD" ; then

if test -z "$LD" ; then

	LD=$CC

	LD=$CC

fi

fi

	options->client_alive_count_max = -1;

	options->client_alive_count_max = -1;

	options->authorized_keys_file = NULL;

	options->authorized_keys_file = NULL;

	options->authorized_keys_file2 = NULL;

	options->authorized_keys_file2 = NULL;

	/* Needs to be accessable in many places */

	/* Needs to be accessable in many places */

	use_privsep = -1;

	use_privsep = -1;

	}

	}

	if (options->authorized_keys_file == NULL)

	if (options->authorized_keys_file == NULL)

		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */

	/* Turn privilege separation on by default */

	if (use_privsep == -1)

	if (use_privsep == -1)

	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,

	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,

	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,

	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,

	sUsePrivilegeSeparation,

	sUsePrivilegeSeparation,

	sDeprecated

	sDeprecated

} ServerOpCodes;

} ServerOpCodes;

	{ "authorizedkeysfile", sAuthorizedKeysFile },

	{ "authorizedkeysfile", sAuthorizedKeysFile },

	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },

	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },

	{ "useprivilegeseparation", sUsePrivilegeSeparation},

	{ "useprivilegeseparation", sUsePrivilegeSeparation},

	{ NULL, sBadOption }

	{ NULL, sBadOption }

};

};

	case sClientAliveCountMax:

	case sClientAliveCountMax:

		intptr = &options->client_alive_count_max;

		intptr = &options->client_alive_count_max;

		goto parse_int;

		goto parse_int;

	case sDeprecated:

	case sDeprecated:

		log("%s line %d: Deprecated option %s",

		log("%s line %d: Deprecated option %s",

	char   *authorized_keys_file;	/* File containing public keys */

	char   *authorized_keys_file;	/* File containing public keys */

	char   *authorized_keys_file2;

	char   *authorized_keys_file2;

	int	pam_authentication_via_kbd_int;

	int	pam_authentication_via_kbd_int;

}       ServerOptions;

}       ServerOptions;

void	 initialize_server_options(ServerOptions *);

void	 initialize_server_options(ServerOptions *);

/* data */

/* data */

#define MAX_SESSIONS 10

#define MAX_SESSIONS 10

Session	sessions[MAX_SESSIONS];

Session	sessions[MAX_SESSIONS];

#ifdef HAVE_LOGIN_CAP

#ifdef HAVE_LOGIN_CAP

login_cap_t *lc;

login_cap_t *lc;

#if defined(USE_PAM)

#if defined(USE_PAM)

	do_pam_session(s->pw->pw_name, NULL);

	do_pam_session(s->pw->pw_name, NULL);

	do_pam_setcred(1);

	do_pam_setcred(1);

		packet_disconnect("Password change required but no "

		packet_disconnect("Password change required but no "

		    "TTY available");

		    "TTY available");

	/* Fork the child. */

	/* Fork the child. */

	if ((pid = fork()) == 0) {

	if ((pid = fork()) == 0) {

	socklen_t fromlen;

	socklen_t fromlen;

	struct sockaddr_storage from;

	struct sockaddr_storage from;

	struct passwd * pw = s->pw;

	struct passwd * pw = s->pw;

	pid_t pid = getpid();

	pid_t pid = getpid();

	/*

	/*

		    options.verify_reverse_mapping),

		    options.verify_reverse_mapping),

		    (struct sockaddr *)&from, fromlen);

		    (struct sockaddr *)&from, fromlen);

	/*

	/*

	 * If password change is needed, do it now.

	 * If password change is needed, do it now.

	 * This needs to occur before the ~/.hushlogin check.

	 * This needs to occur before the ~/.hushlogin check.

	 */

	 */

	if (is_pam_password_change_required()) {

	if (is_pam_password_change_required()) {

		print_pam_messages();

		print_pam_messages();

	}

	}

#endif

#endif

	if (check_quietlogin(s, command))

	if (check_quietlogin(s, command))

		return;

		return;

	if (!is_pam_password_change_required())

	if (!is_pam_password_change_required())

		print_pam_messages();

		print_pam_messages();

#endif /* USE_PAM */

#endif /* USE_PAM */

#ifndef NO_SSH_LASTLOG

#ifndef NO_SSH_LASTLOG

	if (options.print_lastlog && s->last_login_time != 0) {

	if (options.print_lastlog && s->last_login_time != 0) {

# To disable tunneled clear text passwords, change to no here!

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PasswordAuthentication yes

#PermitEmptyPasswords no

#PermitEmptyPasswords no

# Change to no to disable s/key passwords

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

#ChallengeResponseAuthentication yes

If the pattern takes the form USER@HOST then USER and HOST

If the pattern takes the form USER@HOST then USER and HOST

are separately checked, restricting logins to particular

are separately checked, restricting logins to particular

users from particular hosts.

users from particular hosts.

.It Cm GatewayPorts

.It Cm GatewayPorts

Specifies whether remote hosts are allowed to connect to ports

Specifies whether remote hosts are allowed to connect to ports

forwarded for the client.

forwarded for the client.

Specifies whether password authentication is allowed.

Specifies whether password authentication is allowed.

The default is

The default is

.Dq yes .

.Dq yes .

.It Cm PermitEmptyPasswords

.It Cm PermitEmptyPasswords

When password authentication is allowed, it specifies whether the

When password authentication is allowed, it specifies whether the

server allows login to accounts with empty password strings.

server allows login to accounts with empty password strings.

	xfree(cp);

	xfree(cp);

}

}

#ifdef _AIX

#ifdef _AIX

void aix_usrinfo(struct passwd *pw);

void aix_usrinfo(struct passwd *pw);

#endif /* _AIX */

#endif /* _AIX */