auth2-hostbased.c File Reference

#include "includes.h"
#include "ssh2.h"
#include "xmalloc.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
#include "bufaux.h"
#include "auth.h"
#include "key.h"
#include "canohost.h"
#include "monitor_wrap.h"
#include "pathnames.h"

Go to the source code of this file.

Functions
	RCSID ("$OpenBSD: auth2-hostbased.c,v 1.6 2004/01/19 21:25:15 markus Exp $")
static int	userauth_hostbased (Authctxt *authctxt)
int	hostbased_key_allowed (struct passwd *pw, const char *cuser, char *chost, Key *key)
Variables
ServerOptions	options
u_char *	session_id2
u_int	session_id2_len
Authmethod	method_hostbased

---

Function Documentation

int hostbased_key_allowed (  struct passwd *  pw, const char *  cuser, char *  chost, Key *  key )

Definition at line 132 of file auth2-hostbased.c. References _PATH_SSH_SYSTEM_HOSTFILE, _PATH_SSH_SYSTEM_HOSTFILE2, _PATH_SSH_USER_HOSTFILE, _PATH_SSH_USER_HOSTFILE2, auth_rhosts2(), check_key_in_hostfiles(), debug2(), get_canonical_hostname(), get_remote_ipaddr(), HOST_NEW, HOST_OK, ServerOptions::hostbased_uses_name_from_packet_only, ServerOptions::ignore_user_known_hosts, logit(), and ServerOptions::use_dns. Referenced by mm_answer_keyallowed(), and userauth_hostbased(). { const char *resolvedname, *ipaddr, *lookup; HostStatus host_status; int len; resolvedname = get_canonical_hostname(options.use_dns); ipaddr = get_remote_ipaddr(); debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", chost, resolvedname, ipaddr); if (options.hostbased_uses_name_from_packet_only) { if (auth_rhosts2(pw, cuser, chost, chost) == 0) return 0; lookup = chost; } else { if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { debug2("stripping trailing dot from chost %s", chost); chost[len - 1] = '\0'; } if (strcasecmp(resolvedname, chost) != 0) logit("userauth_hostbased mismatch: " "client sends %s, but we resolve %s to %s", chost, ipaddr, resolvedname); if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) return 0; lookup = resolvedname; } debug2("userauth_hostbased: access allowed by auth_rhosts2"); host_status = check_key_in_hostfiles(pw, key, lookup, _PATH_SSH_SYSTEM_HOSTFILE, options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); /* backward compat if no key has been found. */ if (host_status == HOST_NEW) host_status = check_key_in_hostfiles(pw, key, lookup, _PATH_SSH_SYSTEM_HOSTFILE2, options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE2); return (host_status == HOST_OK); }

RCSID (  "$OpenBSD: auth2-hostbased.  c, v 1.6 2004/01/19 21:25:15 markus Exp $"  )

static int userauth_hostbased (  Authctxt *  authctxt  )  [static]

Definition at line 48 of file auth2-hostbased.c. References buffer_append(), buffer_dump(), buffer_free(), buffer_init(), buffer_len(), buffer_ptr(), buffer_put_char(), buffer_put_cstring(), buffer_put_string(), datafellows, debug(), debug2(), error(), hostbased_key_allowed(), key_free(), key_from_blob(), key_type_from_name(), KEY_UNSPEC, key_verify(), logit(), packet_get_string(), PRIVSEP, Authctxt::pw, Authctxt::service, session_id2, session_id2_len, SSH2_MSG_USERAUTH_REQUEST, SSH_BUG_HBSERVICE, Key::type, Authctxt::user, Authctxt::valid, and xfree(). { Buffer b; Key *key = NULL; char *pkalg, *cuser, *chost, *service; u_char *pkblob, *sig; u_int alen, blen, slen; int pktype; int authenticated = 0; if (!authctxt->valid) { debug2("userauth_hostbased: disabled because of invalid user"); return 0; } pkalg = packet_get_string(&alen); pkblob = packet_get_string(&blen); chost = packet_get_string(NULL); cuser = packet_get_string(NULL); sig = packet_get_string(&slen); debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d", cuser, chost, pkalg, slen); #ifdef DEBUG_PK debug("signature:"); buffer_init(&b); buffer_append(&b, sig, slen); buffer_dump(&b); buffer_free(&b); #endif pktype = key_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ logit("userauth_hostbased: unsupported " "public key algorithm: %s", pkalg); goto done; } key = key_from_blob(pkblob, blen); if (key == NULL) { error("userauth_hostbased: cannot decode key: %s", pkalg); goto done; } if (key->type != pktype) { error("userauth_hostbased: type mismatch for decoded key " "(received %d, expected %d)", key->type, pktype); goto done; } service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->user); buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); buffer_put_string(&b, pkblob, blen); buffer_put_cstring(&b, chost); buffer_put_cstring(&b, cuser); #ifdef DEBUG_PK buffer_dump(&b); #endif /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); done: debug2("userauth_hostbased: authenticated %d", authenticated); if (key != NULL) key_free(key); xfree(pkalg); xfree(pkblob); xfree(cuser); xfree(chost); xfree(sig); return authenticated; }

---

Variable Documentation

Authmethod method_hostbased

Initial value: { "hostbased", userauth_hostbased, &options.hostbased_authentication } Definition at line 178 of file auth2-hostbased.c.

ServerOptions options

Definition at line 110 of file ssh.c.

u_char* session_id2

Definition at line 66 of file sshconnect2.c. Referenced by do_ssh2_kex(), mm_answer_sign(), mm_get_kex(), monitor_valid_hostbasedblob(), monitor_valid_userblob(), sign_and_send_pubkey(), ssh_kex2(), userauth_hostbased(), and userauth_pubkey().

u_int session_id2_len

Definition at line 67 of file sshconnect2.c. Referenced by do_ssh2_kex(), mm_answer_sign(), mm_get_kex(), monitor_valid_hostbasedblob(), monitor_valid_userblob(), sign_and_send_pubkey(), ssh_kex2(), userauth_hostbased(), and userauth_pubkey().

---

© sourcejam.com 2005-2008