#include "key.h"#include "hostfile.h"#include "buffer.h"#include <openssl/rsa.h>#include "auth-pam.h"#include "audit.h"Go to the source code of this file.
Definition at line 191 of file auth.h. Referenced by do_authloop(), and userauth_finish(). |
/*
 * auth-chall.c:111 -- called from do_authloop().
 *
 * Drop any in-progress challenge-response (keyboard-interactive) context
 * hanging off the authentication context, so a later attempt cannot be
 * matched against stale challenge state.  `device` is the KbdintDevice
 * pointer defined elsewhere in auth-chall.c; as in the original, it is
 * assumed to be set whenever kbdintctxt is non-NULL.
 */
void
abandon_challenge_response(Authctxt *authctxt)
{
	void *ctx = authctxt->kbdintctxt;

	if (ctx == NULL)
		return;
	device->free_ctx(ctx);
	authctxt->kbdintctxt = NULL;
}
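/*
 * auth.c:74 -- called from getpwnamallow().
 *
 * Decide whether the account in `pw` may attempt to log in at all.  Returns
 * 1 to let authentication proceed, 0 to refuse before any method runs.
 *
 * Checks, in order (each refusal is logged with the user name):
 *   1. shadow account expiry (USE_SHADOW; skipped when UsePAM is on);
 *   2. a locked password field (also skipped when UsePAM is on -- on PAM
 *      systems the PAM account stack is relied upon for this);
 *   3. the login shell must exist (stat(), so symlinks are followed) and be
 *      a regular file with at least one execute bit set -- any of the
 *      owner/group/other bits satisfies this, not necessarily one this
 *      user can exercise;
 *   4. DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.  Deny
 *      lists are evaluated before allow lists, so a deny match always wins.
 *      The host used for user@host patterns is get_canonical_hostname()
 *      under the current UseDNS setting, so name-based patterns are only
 *      as trustworthy as that lookup;
 *   5. an optional platform hook (CUSTOM_SYS_AUTH_ALLOWED_USER).
 *
 * Change from the original: on HAVE_LIBIAF builds get_iaf_password()
 * returns heap memory (the original free()d it), but only inside the
 * "non-empty password field" branch, so an empty field leaked it.  The
 * allocation is now released on every path.
 */
int
allowed_user(struct passwd * pw)
{
	struct stat st;
	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
	char *shell;
	u_int i;
	int locked = 0;
#ifdef USE_SHADOW
	struct spwd *spw = NULL;
#endif

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (!pw || !pw->pw_name)
		return 0;

#ifdef USE_SHADOW
	if (!options.use_pam)
		spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
		return 0;
#endif /* HAS_SHADOW_EXPIRE */
#endif /* USE_SHADOW */

	/* grab passwd field for locked account check */
#ifdef USE_SHADOW
	if (spw != NULL)
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
		passwd = get_iaf_password(pw);
#else
		passwd = spw->sp_pwdp;
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#else
	passwd = pw->pw_passwd;
#endif

	/* check for locked account (not done here when UsePAM is on) */
	if (!options.use_pam && passwd && *passwd) {
#ifdef LOCKED_PASSWD_STRING
		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
			locked = 1;
#endif
#ifdef LOCKED_PASSWD_PREFIX
		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
			locked = 1;
#endif
#ifdef LOCKED_PASSWD_SUBSTR
		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
			locked = 1;
#endif
	}
#if defined(USE_SHADOW) && defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
	/* passwd is the get_iaf_password() allocation, or NULL if spw was NULL. */
	free((void *)passwd);
	passwd = NULL;
#endif /* USE_SHADOW && HAVE_LIBIAF && !BROKEN_LIBIAF */
	if (locked) {
		logit("User %.100s not allowed because account is locked",
		    pw->pw_name);
		return 0;
	}

	/*
	 * Get the shell from the password data. An empty shell field is
	 * legal, and means /bin/sh.
	 */
	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;

	/* deny if shell does not exists or is not executable */
	if (stat(shell, &st) != 0) {
		logit("User %.100s not allowed because shell %.100s does not exist",
		    pw->pw_name, shell);
		return 0;
	}
	if (S_ISREG(st.st_mode) == 0 ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
		logit("User %.100s not allowed because shell %.100s is not executable",
		    pw->pw_name, shell);
		return 0;
	}

	/* Host name and address are only needed if some access list is set. */
	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		hostname = get_canonical_hostname(options.use_dns);
		ipaddr = get_remote_ipaddr();
	}

	/* Return false if user is listed in DenyUsers */
	if (options.num_deny_users > 0) {
		for (i = 0; i < options.num_deny_users; i++)
			if (match_user(pw->pw_name, hostname, ipaddr,
			    options.deny_users[i])) {
				logit("User %.100s from %.100s not allowed "
				    "because listed in DenyUsers",
				    pw->pw_name, hostname);
				return 0;
			}
	}
	/* Return false if AllowUsers isn't empty and user isn't listed there */
	if (options.num_allow_users > 0) {
		for (i = 0; i < options.num_allow_users; i++)
			if (match_user(pw->pw_name, hostname, ipaddr,
			    options.allow_users[i]))
				break;
		/* i < options.num_allow_users iff we break for loop */
		if (i >= options.num_allow_users) {
			logit("User %.100s from %.100s not allowed because "
			    "not listed in AllowUsers", pw->pw_name, hostname);
			return 0;
		}
	}
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
		/* Get the user's group access list (primary and supplementary) */
		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
			logit("User %.100s from %.100s not allowed because "
			    "not in any group", pw->pw_name, hostname);
			return 0;
		}

		/* Return false if one of user's groups is listed in DenyGroups */
		if (options.num_deny_groups > 0)
			if (ga_match(options.deny_groups,
			    options.num_deny_groups)) {
				ga_free();
				logit("User %.100s from %.100s not allowed "
				    "because a group is listed in DenyGroups",
				    pw->pw_name, hostname);
				return 0;
			}
		/*
		 * Return false if AllowGroups isn't empty and one of user's groups
		 * isn't listed there
		 */
		if (options.num_allow_groups > 0)
			if (!ga_match(options.allow_groups,
			    options.num_allow_groups)) {
				ga_free();
				logit("User %.100s from %.100s not allowed "
				    "because none of user's groups are listed "
				    "in AllowGroups", pw->pw_name, hostname);
				return 0;
			}
		ga_free();
	}

#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
	/* Platform-specific veto; may append to the login message. */
	if (!sys_auth_allowed_user(pw, &loginmsg))
		return 0;
#endif

	/* We found no reason not to let this user try to log on... */
	return 1;
}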
/*
 * auth2-chall.c:181 -- called from userauth_kbdint().
 *
 * Begin (or resume) keyboard-interactive authentication for the device
 * list `devs`, which is presumably the client's submethod list as parsed
 * by userauth_kbdint().  Returns 0 if there is no user or no device list;
 * otherwise allocates the kbdint context on first use and returns the
 * result of auth2_challenge_start().  `devs` is only echoed at debug level.
 */
int
auth2_challenge(Authctxt *authctxt, char *devs)
{
	const char *who = (authctxt->user != NULL) ? authctxt->user : "<nouser>";
	const char *what = (devs != NULL) ? devs : "<no devs>";

	debug("auth2_challenge: user=%s devs=%s", who, what);

	if (authctxt->user == NULL || devs == NULL)
		return 0;

	/* Reuse an existing context across a multi-round exchange. */
	if (authctxt->kbdintctxt == NULL)
		authctxt->kbdintctxt = kbdint_alloc(devs);

	return auth2_challenge_start(authctxt);
}
/*
 * auth2-chall.c:196 -- called from auth2_challenge_start(),
 * input_userauth_info_response() and input_userauth_request().
 *
 * Tear down the current keyboard-interactive exchange: unregister the
 * SSH2_MSG_USERAUTH_INFO_RESPONSE handler so late or repeated responses
 * are no longer dispatched, then free the kbdint context if one exists.
 */
void
auth2_challenge_stop(Authctxt *authctxt)
{
	void *ctx;

	/* unregister callback */
	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);

	ctx = authctxt->kbdintctxt;
	if (ctx == NULL)
		return;
	kbdint_free(ctx);
	authctxt->kbdintctxt = NULL;
}
/*
 * auth2-none.c:45 -- called from userauth_banner() and
 * mm_answer_auth2_read_banner().
 *
 * Read the file named by the Banner option into a freshly xmalloc()ed,
 * NUL-terminated string that the caller must xfree().  Returns NULL if the
 * file cannot be opened or fstat()ed, if it is larger than 1 MiB, or if
 * fewer bytes than its reported size could be read.  The size comes from
 * the already-open descriptor (fstat, not a second stat), so the limit and
 * the read see the same file.  The banner is sent during user
 * authentication (see userauth_banner()), i.e. to a client that has not
 * yet proven anything, so the file should not carry anything sensitive.
 */
char *
auth2_read_banner(void)
{
	struct stat st;
	char *text;
	size_t want, got;
	int fd;

	fd = open(options.banner, O_RDONLY);
	if (fd == -1)
		return NULL;
	if (fstat(fd, &st) == -1 || st.st_size > 1*1024*1024) {
		close(fd);
		return NULL;
	}

	want = (size_t)st.st_size;	/* truncate */
	text = xmalloc(want + 1);
	got = atomicio(read, fd, text, want);
	close(fd);

	/* A short read means the file changed underneath us; don't serve it. */
	if (got != want) {
		xfree(text);
		return NULL;
	}
	text[got] = '\0';
	return text;
}
/*
 * auth.c:560 -- called from auth_clear_options() and auth_rhosts2().
 *
 * Start a fresh batch of authentication debug messages: initialise the
 * file-scope auth_debug buffer on first use, otherwise discard whatever is
 * queued in it.  Messages accumulated after this call are what
 * auth_debug_send() later forwards to the client.
 */
void
auth_debug_reset(void)
{
	if (!auth_debug_init) {
		buffer_init(&auth_debug);
		auth_debug_init = 1;
		return;
	}
	buffer_clear(&auth_debug);
}
/*
 * auth.c:546 -- called from auth_parse_options() and auth_rhosts2().
 *
 * Drain the queued authentication debug messages, oldest first, sending
 * each to the client as an SSH debug packet and freeing it.  No-op until
 * auth_debug_reset() has initialised the buffer.  Because these reach the
 * peer during authentication (e.g. why a key or option was rejected), the
 * client has not yet authenticated when it reads them -- keep that in mind
 * when queueing new messages.  Each message is passed as an argument to a
 * fixed "%s" format, never used as the format itself.
 */
void
auth_debug_send(void)
{
	if (!auth_debug_init)
		return;
	for (;;) {
		char *msg;

		if (buffer_len(&auth_debug) == 0)
			break;
		msg = buffer_get_string(&auth_debug, NULL);
		packet_send_debug("%s", msg);
		xfree(msg);
	}
}
/*
 * auth.c:229 -- called from do_authloop(), monitor_child_preauth() and
 * userauth_finish().
 *
 * Record the outcome of one authentication attempt.
 *
 *   authctxt      - context of the attempt; user, valid, failures and
 *                   postponed are read
 *   authenticated - 1 on success, 0 otherwise
 *   method        - authentication method name ("password", "publickey", ...)
 *   info          - extra text appended verbatim to the log line
 *
 * The line goes out at verbose level unless the attempt succeeded, the
 * user is not valid (logged as "invalid user"), the client has burned half
 * of MaxAuthTries, or the method is "password" -- those are promoted to
 * logit().  For an invalid user the name is attacker-chosen; it is
 * truncated to 100 bytes here, and any control-character sanitising is up
 * to the log layer (not visible in this file -- worth confirming).
 * Failed password-class attempts are also fed to the platform failed-login
 * accounting (CUSTOM_FAILED_LOGIN) and, with SSH_AUDIT_EVENTS, to the
 * audit hook, with care to emit each audit event exactly once across the
 * privsep monitor/slave pair.
 */
void
auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
{
	void (*authlog) (const char *fmt,...) = verbose;
	char *authmsg;

	/* Raise logging level */
	if (authenticated == 1 ||
	    !authctxt->valid ||
	    authctxt->failures >= options.max_authtries / 2 ||
	    strcmp(method, "password") == 0)
		authlog = logit;

	if (authctxt->postponed)
		authmsg = "Postponed";
	else
		authmsg = authenticated ? "Accepted" : "Failed";

	authlog("%s %s for %s%.100s from %.200s port %d%s",
	    authmsg,
	    method,
	    authctxt->valid ? "" : "invalid user ",
	    authctxt->user,
	    get_remote_ipaddr(),
	    get_remote_port(),
	    info);

#ifdef CUSTOM_FAILED_LOGIN
	/*
	 * Only methods that carry a password count as failed logins.  The
	 * strncmp length 20 is strlen("keyboard-interactive"), so this is a
	 * prefix match -- presumably to include submethod-qualified names.
	 */
	if (authenticated == 0 && !authctxt->postponed &&
	    (strcmp(method, "password") == 0 ||
	    strncmp(method, "keyboard-interactive", 20) == 0 ||
	    strcmp(method, "challenge-response") == 0))
		record_failed_login(authctxt->user,
		    get_canonical_hostname(options.use_dns), "ssh");
#endif
#ifdef SSH_AUDIT_EVENTS
	if (authenticated == 0 && !authctxt->postponed) {
		ssh_audit_event_t event;

		debug3("audit failed auth attempt, method %s euid %d",
		    method, (int)geteuid());
		/*
		 * Because the auth loop is used in both monitor and slave,
		 * we must be careful to send each event only once and with
		 * enough privs to write the event.
		 */
		event = audit_classify_auth(method);
		switch(event) {
		case SSH_AUTH_FAIL_NONE:
		case SSH_AUTH_FAIL_PASSWD:
		case SSH_AUTH_FAIL_KBDINT:
			/* Emitted only by the privileged (euid 0) process. */
			if (geteuid() == 0)
				audit_event(event);
			break;
		case SSH_AUTH_FAIL_PUBKEY:
		case SSH_AUTH_FAIL_HOSTBASED:
		case SSH_AUTH_FAIL_GSSAPI:
			/*
			 * This is required to handle the case where privsep
			 * is enabled but it's root logging in, since
			 * use_privsep won't be cleared until after a
			 * successful login.
			 */
			if (geteuid() == 0)
				audit_event(event);
			else
				PRIVSEP(audit_event(event));
			break;
		default:
			error("unknown authentication audit event %d", event);
		}
	}
#endif
}
/*
 * auth-passwd.c:72 -- called from auth1_process_password(), do_authloop(),
 * mm_answer_authpassword(), userauth_none() and userauth_passwd().
 *
 * Verify `password` for the user in authctxt.  Returns 1 only if the
 * configured backend accepts the password AND the account is allowed to
 * use password authentication (`ok`); 0 otherwise.
 *
 * Policy applied before any backend runs:
 *   - an invalid user can never succeed (ok starts as authctxt->valid);
 *   - root (uid 0) is refused unless PermitRootLogin is "yes" (this check
 *     is compiled out on Cygwin);
 *   - an empty password is refused unless PermitEmptyPasswords is on.
 * The root restriction does not short-circuit: the backend is still
 * consulted and `ok` is only folded into the final result.  This looks
 * deliberate (a refused root attempt follows the same path as a wrong
 * password) -- TODO confirm against the callers.
 *
 * Backends in priority order: Kerberos (KRB5 + KerberosAuthentication),
 * Cygwin logon, PAM (UsePAM), then the native sys_auth_passwd().  On the
 * native path a shadow expiry check runs once per process (static flag);
 * an expired password sets force_pwchange, which disables forwarding.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
	struct passwd * pw = authctxt->pw;
	int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	static int expire_checked = 0;
#endif

#ifndef HAVE_CYGWIN
	/* Root may use password auth only when PermitRootLogin is "yes". */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 1 = accepted, 0 = rejected; anything else means "undecided". */
		if (ret == 1 || ret == 0)
			return ret && ok;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef HAVE_CYGWIN
	if (is_winnt) {
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
#endif
#ifdef USE_PAM
	if (options.use_pam)
		return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* Checked once per process; later calls keep the first verdict. */
	if (!expire_checked) {
		expire_checked = 1;
		if (auth_shadow_pwexpired(authctxt))
			authctxt->force_pwchange = 1;
	}
#endif
	result = sys_auth_passwd(authctxt, password);
	/* A forced password change must not come with forwarding enabled. */
	if (authctxt->force_pwchange)
		disable_forwarding();
	return (result && ok);
}
/*
 * auth-rhosts.c:155 -- called from auth_rhosts_rsa_key_allowed().
 *
 * Convenience wrapper around auth_rhosts2(): resolve the client's
 * canonical hostname (honouring UseDNS) and its IP address, then run the
 * rhosts/hosts.equiv check for `client_user` against account `pw`.  The
 * result is whatever auth_rhosts2() returns.  Note that with UseDNS the
 * hostname fed into the rhosts rules comes from reverse DNS, so name-based
 * trust is only as strong as that lookup.
 */
int
auth_rhosts(struct passwd *pw, const char *client_user)
{
	const char *canon_host, *peer_ip;

	canon_host = get_canonical_hostname(options.use_dns);
	peer_ip = get_remote_ipaddr();
	return auth_rhosts2(pw, client_user, canon_host, peer_ip);
}
/*
 * auth-rhosts.c:285 -- called from auth_rhosts() and hostbased_key_allowed().
 *
 * Run the rhosts check (auth_rhosts2_raw) for `client_user` on `hostname` /
 * `ipaddr` against account `pw`, collecting its debug messages in the
 * auth_debug buffer.  Without privilege separation the buffered messages
 * are flushed to the client immediately; with privsep they are left in
 * the buffer (presumably the monitor forwards them).  Returns the raw
 * check's result unchanged.
 */
int
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
    const char *ipaddr)
{
	int allowed;

	auth_debug_reset();
	allowed = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
	if (use_privsep)
		return allowed;
	auth_debug_send();
	return allowed;
}
/*
 * auth-rh-rsa.c:55 -- called from auth1_process_rhosts_rsa().
 *
 * Protocol 1 "rhosts with RSA" authentication.  The client user `cuser`
 * must be trusted for this account by the rhosts rules, the presented host
 * key must be a known key for the client's canonical hostname, and the
 * client must then answer an RSA challenge for that host key.  Returns 1
 * on success, 0 on any failure.  The hostname used for both lookups is
 * whatever get_canonical_hostname() yields under the current UseDNS
 * setting, so its trustworthiness follows from that.  The "unknown host
 * key" refusal is also reported to the client as a debug message.
 */
int
auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
{
	struct passwd *pw = authctxt->pw;
	char *chost;
	int key_known;

	debug("Trying rhosts with RSA host authentication for client user %.100s",
	    cuser);

	/* Need a valid account and an RSA host key to check against. */
	if (authctxt->valid == 0 || client_host_key == NULL ||
	    client_host_key->rsa == NULL)
		return 0;

	chost = (char *)get_canonical_hostname(options.use_dns);
	debug("Rhosts RSA authentication: canonical host %.900s", chost);

	/* rhosts + known-hosts lookup; runs in the monitor under privsep. */
	key_known = PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key));
	if (key_known == 0) {
		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
		return 0;
	}

	/* The key is known; make the client prove it holds the private half. */
	if (auth_rsa_challenge_dialog(client_host_key) == 0) {
		logit("Client on %.800s failed to respond correctly to host authentication.",
		    chost);
		return 0;
	}

	/* User trusted via rhosts, host authenticated via RSA: accept. */
	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
	    pw->pw_name, cuser, chost);
	packet_send_debug("Rhosts with RSA host authentication accepted.");
	return 1;
}
/*
 * auth-rh-rsa.c:34 -- called from auth_rhosts_rsa() and mm_answer_keyallowed().
 *
 * Policy half of rhosts-RSA: returns 1 only when the plain rhosts check
 * accepts `cuser` for account `pw` AND `client_host_key` is recorded for
 * `chost` with status HOST_OK in the system known-hosts file or -- unless
 * IgnoreUserKnownHosts is set -- the user's own file.  Any other host
 * status is a refusal.  No challenge is issued here.
 */
int
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
    Key *client_host_key)
{
	const char *user_file;
	HostStatus status;

	/* Check if we would accept it using rhosts authentication. */
	if (auth_rhosts(pw, cuser) == 0)
		return 0;

	user_file = options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE;
	status = check_key_in_hostfiles(pw, client_host_key, chost,
	    _PATH_SSH_SYSTEM_HOSTFILE, user_file);

	return status == HOST_OK;
}
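/*
 * True for methods that carry a user password -- the same set auth_log()
 * records as failed logins.  The strncmp length is strlen("keyboard-
 * interactive"), so submethod-qualified names are included too.
 */
static int
password_class_method(const char *method)
{
	return strcmp(method, "password") == 0 ||
	    strncmp(method, "keyboard-interactive", 20) == 0 ||
	    strcmp(method, "challenge-response") == 0;
}

/*
 * auth.c:307 -- called from do_authloop(), monitor_child_preauth() and
 * userauth_finish().
 *
 * Decide whether a root login that has just succeeded with `method` is
 * permitted by PermitRootLogin.  Returns 1 to accept; 0 to refuse, in
 * which case the refusal is logged with the client address.  PERMIT_NO
 * (and any unrecognised value) falls through to the refusal.
 *
 * Change from the original: under PERMIT_NO_PASSWD ("without-password")
 * the original refused only the literal "password" method, so root could
 * still log in with a password delivered via "keyboard-interactive" (the
 * usual PAM path) or "challenge-response".  Those are now refused as well,
 * using the same password-class test auth_log() already applies.  Key-based
 * methods are unaffected.
 */
int
auth_root_allowed(char *method)
{
	switch (options.permit_root_login) {
	case PERMIT_YES:
		return 1;
	case PERMIT_NO_PASSWD:
		if (!password_class_method(method))
			return 1;
		break;
	case PERMIT_FORCED_ONLY:
		if (forced_command) {
			logit("Root login accepted for forced command.");
			return 1;
		}
		break;
	default:
		/* PERMIT_NO and anything else: refuse. */
		break;
	}
	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
	return 0;
}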
/*
 * auth-rsa.c:287 -- called from auth1_process_rsa().
 *
 * Protocol 1 RSA user authentication for the public key with modulus
 * `client_n`.  The key must appear in the user's authorized_keys with
 * options that permit it (auth_rsa_key_allowed, run in the monitor under
 * privsep), and the client must then answer the RSA challenge.  Returns 1
 * on success, 0 otherwise.  Per-key options parsed during the lookup stay
 * in effect on success; if the key is not allowed they are cleared here.
 * The fingerprint logged is MD5/hex, as used throughout this protocol-1
 * code.
 */
int
auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
{
	Key *matched = NULL;
	char *fp;

	/* no user given */
	if (authctxt->valid == 0)
		return 0;

	if (PRIVSEP(auth_rsa_key_allowed(authctxt->pw, client_n, &matched)) == 0) {
		auth_clear_options();
		return 0;
	}

	/* Make the client prove possession of the private key. */
	if (auth_rsa_challenge_dialog(matched) == 0) {
		verbose("Wrong response to RSA authentication challenge.");
		packet_send_debug("Wrong response to RSA authentication challenge.");
		/* Stop here: a second challenge would break the protocol. */
		key_free(matched);
		return 0;
	}

	/* Correct response: the client has authenticated with this key. */
	fp = key_fingerprint(matched, SSH_FP_MD5, SSH_FP_HEX);
	verbose("Found matching %s key: %s", key_type(matched), fp);
	xfree(fp);
	key_free(matched);

	packet_send_debug("RSA authentication accepted.");
	return 1;
}
/*
 * auth-rsa.c:116 -- called from auth_rhosts_rsa() and auth_rsa().
 *
 * Run the protocol 1 RSA challenge/response for `key`: obtain a random
 * challenge (from the monitor under privsep), encrypt it to the public
 * key, send it, then read the client's fixed 16-byte response and have it
 * verified (again in the monitor under privsep).  Returns the verifier's
 * result.  Both BIGNUMs are cleared before being freed.  packet_check_eom()
 * is called after the 16 bytes so trailing data is not silently accepted.
 */
int
auth_rsa_challenge_dialog(Key *key)
{
	BIGNUM *challenge, *encrypted;
	u_char response[16];
	int ok, i;

	encrypted = BN_new();
	if (encrypted == NULL)
		fatal("auth_rsa_challenge_dialog: BN_new() failed");

	challenge = PRIVSEP(auth_rsa_generate_challenge(key));

	/* Only the holder of the private key can recover the plaintext. */
	rsa_public_encrypt(encrypted, challenge, key->rsa);

	packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
	packet_put_bignum(encrypted);
	packet_send();
	BN_clear_free(encrypted);
	packet_write_wait();

	/* The reply is exactly sizeof(response) bytes. */
	packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
	for (i = 0; i < (int)sizeof(response); i++)
		response[i] = packet_get_char();
	packet_check_eom();

	ok = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
	BN_clear_free(challenge);
	return ok;
}
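/*
 * auth-rsa.c:58 -- called from auth_rsa_challenge_dialog() and
 * mm_answer_rsa_challenge().
 *
 * Produce a fresh random challenge for the protocol 1 RSA dialog: 256
 * random bits reduced modulo the key's RSA modulus so the value is a valid
 * plaintext for rsa_public_encrypt().  Returns a newly allocated BIGNUM
 * that the caller must BN_clear_free().  Any OpenSSL failure is fatal, as
 * it already was for BN_new()/BN_CTX_new().
 *
 * Change from the original: the return values of BN_rand() and BN_mod()
 * were ignored.  BN_rand() returns 0 when the RNG cannot supply bytes, in
 * which case the challenge would have gone out unset (zero) or only partly
 * written -- i.e. predictable.  Both are now checked.
 */
BIGNUM *
auth_rsa_generate_challenge(Key *key)
{
	BIGNUM *challenge;
	BN_CTX *ctx;

	if ((challenge = BN_new()) == NULL)
		fatal("auth_rsa_generate_challenge: BN_new() failed");
	/* Generate a random challenge. */
	if (BN_rand(challenge, 256, 0, 0) != 1)
		fatal("auth_rsa_generate_challenge: BN_rand() failed");
	if ((ctx = BN_CTX_new()) == NULL)
		fatal("auth_rsa_generate_challenge: BN_CTX_new() failed");
	/* Reduce into [0, n) so it is encryptable under this key. */
	if (BN_mod(challenge, challenge, key->rsa->n, ctx) != 1)
		fatal("auth_rsa_generate_challenge: BN_mod() failed");
	BN_CTX_free(ctx);

	return challenge;
}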
/*
 * auth-rsa.c:154 -- called from auth_rsa() and mm_answer_rsa_keyallowed().
 *
 * Look up the protocol 1 RSA public key with modulus `client_n` in the
 * user's authorized_keys file.  Returns 1 when a matching line exists and
 * its options permit use -- and, if rkey is non-NULL, hands back the
 * parsed Key, which the caller then owns -- otherwise 0.  Nothing is sent
 * to the client here; the challenge is the caller's job.
 *
 * Notes for reviewers:
 *   - the file is accessed with the user's uid (temporarily_use_uid /
 *     restore_uid), presumably so the privileged daemon cannot be steered
 *     into reading something the user could not read themselves;
 *   - with StrictModes, secure_filename() must approve the file's
 *     ownership/permissions before any line is trusted;
 *   - a key is matched by modulus alone (BN_cmp on n); the bit count
 *     announced on the line is compared with the real size, but a
 *     mismatch is only logged, never refused;
 *   - per-key options (the part before the key) are applied by
 *     auth_parse_options(); a key whose options reject this connection is
 *     skipped and the scan continues with later lines.
 */
int
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
	char line[SSH_MAX_PUBKEY_BYTES], *file;
	int allowed = 0;
	u_int bits;
	FILE *f;
	u_long linenum = 0;
	struct stat st;
	Key *key;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw);

	/* The authorized keys. */
	file = authorized_keys_file(pw);
	debug("trying public RSA key file %s", file);

	/* Fail quietly if file does not exist */
	if (stat(file, &st) < 0) {
		/* Restore the privileged uid. */
		restore_uid();
		xfree(file);
		return (0);
	}
	/* Open the file containing the authorized keys. */
	f = fopen(file, "r");
	if (!f) {
		/* Restore the privileged uid. */
		restore_uid();
		xfree(file);
		return (0);
	}
	/* `line` doubles as the error-message buffer for secure_filename(). */
	if (options.strict_modes &&
	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
		xfree(file);
		fclose(f);
		logit("Authentication refused: %s", line);
		restore_uid();
		return (0);
	}

	/* Flag indicating whether the key is allowed. */
	allowed = 0;

	/* A single Key object is reused for every line parsed below. */
	key = key_new(KEY_RSA1);

	/*
	 * Go though the accepted keys, looking for the current key. If
	 * found, perform a challenge-response dialog to verify that the
	 * user really has the corresponding private key.
	 */
	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		char *cp;
		char *key_options;
		int keybits;

		/* Skip leading whitespace, empty and comment lines. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '\n' || *cp == '#')
			continue;

		/*
		 * Check if there are options for this key, and if so,
		 * save their starting address and skip the option part
		 * for now. If there are no options, set the starting
		 * address to NULL.
		 */
		if (*cp < '0' || *cp > '9') {
			int quoted = 0;
			key_options = cp;
			/* Whitespace inside "..." (with \" escapes) does not end the options. */
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
				if (*cp == '\\' && cp[1] == '"')
					cp++; /* Skip both */
				else if (*cp == '"')
					quoted = !quoted;
			}
		} else
			key_options = NULL;

		/* Parse the key from the line. */
		if (hostfile_read_key(&cp, &bits, key) == 0) {
			debug("%.100s, line %lu: non ssh1 key syntax",
			    file, linenum);
			continue;
		}
		/* cp now points to the comment part. */

		/* Check if the we have found the desired key (identified by its modulus). */
		if (BN_cmp(key->rsa->n, client_n) != 0)
			continue;

		/* check the real bits (mismatch is a warning only) */
		keybits = BN_num_bits(key->rsa->n);
		if (keybits < 0 || bits != (u_int)keybits)
			logit("Warning: %s, line %lu: keysize mismatch: "
			    "actual %d vs. announced %d.",
			    file, linenum, BN_num_bits(key->rsa->n), bits);

		/* We have found the desired key. */
		/*
		 * If our options do not allow this key to be used,
		 * do not send challenge.
		 */
		if (!auth_parse_options(pw, key_options, file, linenum))
			continue;

		/* break out, this key is allowed */
		allowed = 1;
		break;
	}

	/* Restore the privileged uid. */
	restore_uid();

	/* Close the file. */
	xfree(file);
	fclose(f);

	/* return key if allowed */
	if (allowed && rkey != NULL)
		*rkey = key;
	else
		key_free(key);
	return (allowed);
}