- provos@cvs.openbsd.org 2002/03/18 17:50:31
     [auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c auth-skey.c auth.h
      auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c kexgex.c servconf.c
      session.h servconf.h serverloop.c session.c sshd.c]
     integrate privilege separated openssh; its turned off by default for now.
     work done by me and markus@

Applied, but beyond ensuring that the smaller code bits migrated with
their owners, no work was attempted to 'fix' it so that it works. =)  Later project!
diff --git a/auth2.c b/auth2.c
index b57fda2..9bfcde5 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.87 2002/03/18 01:12:14 provos Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.88 2002/03/18 17:50:31 provos Exp $");
 
 #include <openssl/evp.h>
 
@@ -51,13 +51,14 @@
 #include "hostfile.h"
 #include "canohost.h"
 #include "match.h"
+#include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
 extern int session_id2_len;
 
-static Authctxt	*x_authctxt = NULL;
+Authctxt *x_authctxt = NULL;
 static int one = 1;
 
 typedef struct Authmethod Authmethod;
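Review bot: Dropping `static` from `x_authctxt` turns the authentication context pointer into a writable global with external linkage, and nothing at the definition says who else is meant to use it. The same applies to `user_key_allowed` and `hostbased_key_allowed`: their prototypes in the helper section and their definitions further down also lose `static`, while the prototypes stay in auth2.c. If the new users are the monitor code (presumably, given the `monitor_wrap.h` include), the declarations belong in a shared header such as auth.h, which this commit lists but which is not shown here. The definition could carry a comment like `/* not static: shared with the privsep monitor */`.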
@@ -75,8 +76,8 @@
 /* helper */
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
-static int user_key_allowed(struct passwd *, Key *);
-static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
+int user_key_allowed(struct passwd *, Key *);
+int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 
 /* auth */
 static void userauth_banner(void);
@@ -185,7 +186,7 @@
 	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
 		struct passwd *pw = NULL;
-		pw = getpwnamallow(user);
+		pw = PRIVSEP(getpwnamallow(user));
 		if (pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->pw = pwcopy(pw);
 			authctxt->valid = 1;
@@ -199,10 +200,18 @@
 			start_pam("NOUSER");
 #endif
 		}
-		setproctitle("%s", pw ? user : "unknown");
+		/* Free memory */
+		if (use_privsep && pw != NULL)
+			pwfree(pw);
+
+		setproctitle("%s%s", pw ? user : "unknown",
+		    use_privsep ? " [net]" : "");
 		authctxt->user = xstrdup(user);
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
+
+		if (use_privsep)
+			mm_inform_authserv(service, style);
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
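Review bot: `pw` is tested in the `setproctitle()` call after `pwfree(pw)` has already released it in the privsep case. Only the pointer value is examined, not the memory, but a freed pointer's value is indeterminate in C and this ordering invites a real use-after-free on a later edit. Moving the `if (use_privsep && pw != NULL) pwfree(pw);` lines below `setproctitle(...)` avoids it. Separately, `style` can be NULL here (the `xstrdup` line checks for it), so `mm_inform_authserv(service, style)` has to accept a NULL style; its definition is not in this diff. The enclosing function starts and ends outside the hunk.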
@@ -333,7 +342,7 @@
 #elif defined(HAVE_OSF_SIA)
 	return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
-	return auth_password(authctxt, "");
+	return PRIVSEP(auth_password(authctxt, ""));
 #endif /* USE_PAM */
 }
 
@@ -358,7 +367,7 @@
 #elif defined(HAVE_OSF_SIA)
 	    auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
-	    auth_password(authctxt, password) == 1)
+	    PRIVSEP(auth_password(authctxt, password)) == 1)
 #endif /* USE_PAM */
 		authenticated = 1;
 	memset(password, 0, len);
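Review bot: The `memset(password, 0, len)` after the check scrubs only this process's buffer, while `PRIVSEP(auth_password(authctxt, password))` may now hand the cleartext to another process. The macro and its wrapper are not in this diff, so whether an intermediate copy is made and cleared cannot be confirmed from here. It is worth checking that the wrapper zeroes its message buffer before freeing it. A comment at the call such as `/* privsep: password is forwarded to the monitor; wrapper must scrub its copy */` would record the requirement. The function body starts and ends outside the hunk.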
@@ -468,8 +477,10 @@
 		buffer_dump(&b);
 #endif
 		/* test for correct signature */
-		if (user_key_allowed(authctxt->pw, key) &&
-		    key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+		authenticated = 0;
+		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+				buffer_len(&b))) == 1)
 			authenticated = 1;
 		buffer_clear(&b);
 		xfree(sig);
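Review bot: The allow check and the signature check are now two independent `PRIVSEP(...)` calls whose results are combined in this, presumably unprivileged, process. For privilege separation to hold, the monitor has to reach its own verdict rather than trust `authenticated` as computed here: that the key it verified is the one it allowed, and that the signed data is bound to `session_id2` and the user. The monitor side is not in this diff. The same pattern appears in the hostbased hunk with `PRIVSEP(hostbased_key_allowed(...))`. A comment above the `if` such as `/* privsep: result is advisory; monitor re-validates key and signed blob */` would document the invariant; the enclosing function continues outside the hunk.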
@@ -485,7 +496,7 @@
 		 * if a user is not allowed to login. is this an
 		 * issue? -markus
 		 */
-		if (user_key_allowed(authctxt->pw, key)) {
+		if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
 			packet_start(SSH2_MSG_USERAUTH_PK_OK);
 			packet_put_string(pkalg, alen);
 			packet_put_string(pkblob, blen);
@@ -573,8 +584,10 @@
 	buffer_dump(&b);
 #endif
 	/* test for allowed key and correct signature */
-	if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
-	    key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+	authenticated = 0;
+	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+			buffer_len(&b))) == 1)
 		authenticated = 1;
 
 	buffer_clear(&b);
@@ -731,7 +744,7 @@
 }
 
 /* check whether given key is in .ssh/authorized_keys* */
-static int
+int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 	int success;
@@ -751,7 +764,7 @@
 }
 
 /* return 1 if given hostkey is allowed */
-static int
+int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
     Key *key)
 {