Blame - auth.c - platform/external/openssh

blob: d9ee0362fe4888af4b43e783fc56a1988d505438 [file] [log] [blame]

Damien Miller	116e6df	2002-05-22 15:06:28 +1000	[diff] [blame]	1	/*
Ben Lindstrom	92a2e38	2001-03-05 06:59:27 +0000	[diff] [blame]	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	3	*
				4	* Redistribution and use in source and binary forms, with or without
				5	* modification, are permitted provided that the following conditions
				6	* are met:
				7	* 1. Redistributions of source code must retain the above copyright
				8	* notice, this list of conditions and the following disclaimer.
				9	* 2. Redistributions in binary form must reproduce the above copyright
				10	* notice, this list of conditions and the following disclaimer in the
				11	* documentation and/or other materials provided with the distribution.
				12	*
				13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	23	*/
				24
				25	#include "includes.h"
Darren Tucker	89413db	2004-05-24 10:36:23 +1000	[diff] [blame]	26	RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	27
Damien Miller	d2c208a	2000-05-17 22:00:02 +1000	[diff] [blame]	28	#ifdef HAVE_LOGIN_H
				29	#include <login.h>
				30	#endif
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	31	#ifdef USE_SHADOW
Damien Miller	1f335fb	2000-06-26 11:31:33 +1000	[diff] [blame]	32	#include <shadow.h>
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	33	#endif
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	34
Ben Lindstrom	68c3ce1	2001-06-10 17:24:51 +0000	[diff] [blame]	35	#ifdef HAVE_LIBGEN_H
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	36	#include <libgen.h>
Ben Lindstrom	68c3ce1	2001-06-10 17:24:51 +0000	[diff] [blame]	37	#endif
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	38
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	39	#include "xmalloc.h"
				40	#include "match.h"
				41	#include "groupaccess.h"
				42	#include "log.h"
				43	#include "servconf.h"
Damien Miller	efb4afe	2000-04-12 18:45:05 +1000	[diff] [blame]	44	#include "auth.h"
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	45	#include "auth-options.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	46	#include "canohost.h"
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	47	#include "buffer.h"
				48	#include "bufaux.h"
Ben Lindstrom	83647ce	2001-06-25 04:30:16 +0000	[diff] [blame]	49	#include "uidswap.h"
Ben Lindstrom	7ebb635	2002-03-22 03:04:08 +0000	[diff] [blame]	50	#include "misc.h"
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	51	#include "bufaux.h"
				52	#include "packet.h"
Damien Miller	efb4afe	2000-04-12 18:45:05 +1000	[diff] [blame]	53
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	54	/* import */
				55	extern ServerOptions options;
Darren Tucker	b9aa0a0	2003-07-08 22:59:59 +1000	[diff] [blame]	56	extern Buffer loginmsg;
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	57
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	58	/* Debugging messages */
				59	Buffer auth_debug;
				60	int auth_debug_init;
				61
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	62	/*
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	63	* Check if the user is allowed to log in via ssh. If user is listed
				64	* in DenyUsers or one of user's groups is listed in DenyGroups, false
				65	* will be returned. If AllowUsers isn't empty and user isn't listed
				66	* there, or if AllowGroups isn't empty and one of user's groups isn't
				67	* listed there, false will be returned.
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	68	* If the user's shell is not executable, false will be returned.
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	69	* Otherwise true is returned.
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	70	*/
Damien Miller	eba71ba	2000-04-29 23:57:08 +1000	[diff] [blame]	71	int
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	72	allowed_user(struct passwd * pw)
				73	{
				74	struct stat st;
Darren Tucker	43a0dc6	2003-08-26 14:22:12 +1000	[diff] [blame]	75	const char hostname = NULL, ipaddr = NULL, *passwd = NULL;
Damien Miller	e7cf07c	2001-03-20 09:15:57 +1100	[diff] [blame]	76	char *shell;
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	77	int i;
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	78	#ifdef USE_SHADOW
Darren Tucker	e41bba5	2003-08-25 11:51:19 +1000	[diff] [blame]	79	struct spwd *spw = NULL;
Tim Rice	458c6bf	2003-01-08 20:04:27 -0800	[diff] [blame]	80	#endif
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	81
				82	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	83	if (!pw \|\| !pw->pw_name)
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	84	return 0;
				85
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	86	#ifdef USE_SHADOW
Darren Tucker	e41bba5	2003-08-25 11:51:19 +1000	[diff] [blame]	87	if (!options.use_pam)
				88	spw = getspnam(pw->pw_name);
				89	#ifdef HAS_SHADOW_EXPIRE
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	90	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
				91	return 0;
Darren Tucker	e41bba5	2003-08-25 11:51:19 +1000	[diff] [blame]	92	#endif /* HAS_SHADOW_EXPIRE */
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	93	#endif /* USE_SHADOW */
Darren Tucker	e41bba5	2003-08-25 11:51:19 +1000	[diff] [blame]	94
Damien Miller	a8e06ce	2003-11-21 23:48:55 +1100	[diff] [blame]	95	/* grab passwd field for locked account check */
Darren Tucker	15ee748	2004-02-22 09:43:15 +1100	[diff] [blame]	96	#ifdef USE_SHADOW
Darren Tucker	e41bba5	2003-08-25 11:51:19 +1000	[diff] [blame]	97	if (spw != NULL)
				98	passwd = spw->sp_pwdp;
				99	#else
				100	passwd = pw->pw_passwd;
Damien Miller	06817f9	2003-01-07 23:55:59 +1100	[diff] [blame]	101	#endif
				102
Damien Miller	a8e06ce	2003-11-21 23:48:55 +1100	[diff] [blame]	103	/* check for locked account */
Darren Tucker	43a0dc6	2003-08-26 14:22:12 +1000	[diff] [blame]	104	if (!options.use_pam && passwd && *passwd) {
Darren Tucker	e41bba5	2003-08-25 11:51:19 +1000	[diff] [blame]	105	int locked = 0;
				106
				107	#ifdef LOCKED_PASSWD_STRING
				108	if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
				109	locked = 1;
				110	#endif
				111	#ifdef LOCKED_PASSWD_PREFIX
				112	if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
				113	strlen(LOCKED_PASSWD_PREFIX)) == 0)
				114	locked = 1;
				115	#endif
				116	#ifdef LOCKED_PASSWD_SUBSTR
				117	if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
				118	locked = 1;
				119	#endif
				120	if (locked) {
				121	logit("User %.100s not allowed because account is locked",
				122	pw->pw_name);
				123	return 0;
				124	}
				125	}
				126
Damien Miller	ef7df54	2000-05-19 00:03:23 +1000	[diff] [blame]	127	/*
				128	* Get the shell from the password data. An empty shell field is
				129	* legal, and means /bin/sh.
				130	*/
				131	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
				132
				133	/* deny if shell does not exists or is not executable */
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	134	if (stat(shell, &st) != 0) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	135	logit("User %.100s not allowed because shell %.100s does not exist",
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	136	pw->pw_name, shell);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	137	return 0;
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	138	}
Ben Lindstrom	b61e6df	2002-03-22 01:15:33 +0000	[diff] [blame]	139	if (S_ISREG(st.st_mode) == 0 \|\|
				140	(st.st_mode & (S_IXOTH\|S_IXUSR\|S_IXGRP)) == 0) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	141	logit("User %.100s not allowed because shell %.100s is not executable",
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	142	pw->pw_name, shell);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	143	return 0;
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	144	}
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	145
Ben Lindstrom	3fb5d00	2002-03-05 01:42:42 +0000	[diff] [blame]	146	if (options.num_deny_users > 0 \|\| options.num_allow_users > 0) {
Damien Miller	3a961dc	2003-06-03 10:25:48 +1000	[diff] [blame]	147	hostname = get_canonical_hostname(options.use_dns);
Ben Lindstrom	3fb5d00	2002-03-05 01:42:42 +0000	[diff] [blame]	148	ipaddr = get_remote_ipaddr();
				149	}
				150
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	151	/* Return false if user is listed in DenyUsers */
				152	if (options.num_deny_users > 0) {
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	153	for (i = 0; i < options.num_deny_users; i++)
Ben Lindstrom	6328ab3	2002-03-22 02:54:23 +0000	[diff] [blame]	154	if (match_user(pw->pw_name, hostname, ipaddr,
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	155	options.deny_users[i])) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	156	logit("User %.100s not allowed because listed in DenyUsers",
Ben Lindstrom	6328ab3	2002-03-22 02:54:23 +0000	[diff] [blame]	157	pw->pw_name);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	158	return 0;
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	159	}
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	160	}
				161	/* Return false if AllowUsers isn't empty and user isn't listed there */
				162	if (options.num_allow_users > 0) {
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	163	for (i = 0; i < options.num_allow_users; i++)
Ben Lindstrom	6328ab3	2002-03-22 02:54:23 +0000	[diff] [blame]	164	if (match_user(pw->pw_name, hostname, ipaddr,
Ben Lindstrom	6026002	2001-07-04 04:56:44 +0000	[diff] [blame]	165	options.allow_users[i]))
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	166	break;
				167	/* i < options.num_allow_users iff we break for loop */
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	168	if (i >= options.num_allow_users) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	169	logit("User %.100s not allowed because not listed in AllowUsers",
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	170	pw->pw_name);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	171	return 0;
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	172	}
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	173	}
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	174	if (options.num_deny_groups > 0 \|\| options.num_allow_groups > 0) {
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	175	/* Get the user's group access list (primary and supplementary) */
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	176	if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	177	logit("User %.100s not allowed because not in any group",
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	178	pw->pw_name);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	179	return 0;
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	180	}
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	181
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	182	/* Return false if one of user's groups is listed in DenyGroups */
				183	if (options.num_deny_groups > 0)
				184	if (ga_match(options.deny_groups,
				185	options.num_deny_groups)) {
				186	ga_free();
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	187	logit("User %.100s not allowed because a group is listed in DenyGroups",
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	188	pw->pw_name);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	189	return 0;
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	190	}
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	191	/*
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	192	* Return false if AllowGroups isn't empty and one of user's groups
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	193	* isn't listed there
				194	*/
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	195	if (options.num_allow_groups > 0)
				196	if (!ga_match(options.allow_groups,
				197	options.num_allow_groups)) {
				198	ga_free();
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	199	logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
Ben Lindstrom	6ef9ec6	2002-03-05 01:40:37 +0000	[diff] [blame]	200	pw->pw_name);
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	201	return 0;
Kevin Steves	7b61cfa	2001-01-14 19:11:00 +0000	[diff] [blame]	202	}
				203	ga_free();
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	204	}
				205
Darren Tucker	0a9d43d	2004-06-23 13:45:24 +1000	[diff] [blame]	206	#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
				207	if (!sys_auth_allowed_user(pw))
				208	return 0;
				209	#endif
Damien Miller	b38eff8	2000-04-01 11:09:21 +1000	[diff] [blame]	210
				211	/* We found no reason not to let this user try to log on... */
				212	return 1;
				213	}
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	214
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	215	void
				216	auth_log(Authctxt authctxt, int authenticated, char method, char *info)
				217	{
				218	void (authlog) (const char fmt,...) = verbose;
				219	char *authmsg;
				220
				221	/* Raise logging level */
				222	if (authenticated == 1 \|\|
				223	!authctxt->valid \|\|
Darren Tucker	89413db	2004-05-24 10:36:23 +1000	[diff] [blame]	224	authctxt->failures >= options.max_authtries / 2 \|\|
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	225	strcmp(method, "password") == 0)
Damien Miller	2a3f20e	2003-04-09 21:12:00 +1000	[diff] [blame]	226	authlog = logit;
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	227
				228	if (authctxt->postponed)
				229	authmsg = "Postponed";
				230	else
				231	authmsg = authenticated ? "Accepted" : "Failed";
				232
				233	authlog("%s %s for %s%.100s from %.200s port %d%s",
				234	authmsg,
				235	method,
				236	authctxt->valid ? "" : "illegal user ",
Damien Miller	f655207	2001-11-12 11:06:06 +1100	[diff] [blame]	237	authctxt->user,
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	238	get_remote_ipaddr(),
				239	get_remote_port(),
				240	info);
Ben Lindstrom	e06eb68	2002-07-04 00:27:21 +0000	[diff] [blame]	241
Darren Tucker	97363a8	2003-05-02 23:42:25 +1000	[diff] [blame]	242	#ifdef CUSTOM_FAILED_LOGIN
Ben Lindstrom	e06eb68	2002-07-04 00:27:21 +0000	[diff] [blame]	243	if (authenticated == 0 && strcmp(method, "password") == 0)
Darren Tucker	97363a8	2003-05-02 23:42:25 +1000	[diff] [blame]	244	record_failed_login(authctxt->user, "ssh");
				245	#endif
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	246	}
				247
				248	/*
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	249	* Check whether root logins are disallowed.
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	250	*/
				251	int
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	252	auth_root_allowed(char *method)
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	253	{
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	254	switch (options.permit_root_login) {
				255	case PERMIT_YES:
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	256	return 1;
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	257	break;
				258	case PERMIT_NO_PASSWD:
				259	if (strcmp(method, "password") != 0)
				260	return 1;
				261	break;
				262	case PERMIT_FORCED_ONLY:
				263	if (forced_command) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	264	logit("Root login accepted for forced command.");
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	265	return 1;
				266	}
				267	break;
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	268	}
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	269	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	270	return 0;
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	271	}
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	272
				273
				274	/*
				275	* Given a template and a passwd structure, build a filename
				276	* by substituting % tokenised options. Currently, %% becomes '%',
				277	* %h becomes the home directory and %u the username.
				278	*
				279	* This returns a buffer allocated by xmalloc.
				280	*/
				281	char *
				282	expand_filename(const char filename, struct passwd pw)
				283	{
				284	Buffer buffer;
				285	char *file;
				286	const char *cp;
				287
				288	/*
				289	* Build the filename string in the buffer by making the appropriate
				290	* substitutions to the given file name.
				291	*/
				292	buffer_init(&buffer);
				293	for (cp = filename; *cp; cp++) {
				294	if (cp[0] == '%' && cp[1] == '%') {
				295	buffer_append(&buffer, "%", 1);
				296	cp++;
				297	continue;
				298	}
				299	if (cp[0] == '%' && cp[1] == 'h') {
				300	buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
				301	cp++;
				302	continue;
				303	}
				304	if (cp[0] == '%' && cp[1] == 'u') {
				305	buffer_append(&buffer, pw->pw_name,
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	306	strlen(pw->pw_name));
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	307	cp++;
				308	continue;
				309	}
				310	buffer_append(&buffer, cp, 1);
				311	}
				312	buffer_append(&buffer, "\0", 1);
				313
				314	/*
				315	* Ensure that filename starts anchored. If not, be backward
				316	* compatible and prepend the '%h/'
				317	*/
				318	file = xmalloc(MAXPATHLEN);
				319	cp = buffer_ptr(&buffer);
				320	if (*cp != '/')
				321	snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
				322	else
				323	strlcpy(file, cp, MAXPATHLEN);
				324
				325	buffer_free(&buffer);
				326	return file;
				327	}
				328
				329	char *
				330	authorized_keys_file(struct passwd *pw)
				331	{
				332	return expand_filename(options.authorized_keys_file, pw);
				333	}
				334
				335	char *
				336	authorized_keys_file2(struct passwd *pw)
				337	{
				338	return expand_filename(options.authorized_keys_file2, pw);
				339	}
				340
Ben Lindstrom	83647ce	2001-06-25 04:30:16 +0000	[diff] [blame]	341	/* return ok if key exists in sysfile or userfile */
				342	HostStatus
				343	check_key_in_hostfiles(struct passwd pw, Key key, const char *host,
				344	const char sysfile, const char userfile)
				345	{
				346	Key *found;
				347	char *user_hostfile;
				348	struct stat st;
Ben Lindstrom	65366a8	2001-12-06 16:32:47 +0000	[diff] [blame]	349	HostStatus host_status;
Ben Lindstrom	83647ce	2001-06-25 04:30:16 +0000	[diff] [blame]	350
				351	/* Check if we know the host and its host key. */
				352	found = key_new(key->type);
				353	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
				354
				355	if (host_status != HOST_OK && userfile != NULL) {
				356	user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
				357	if (options.strict_modes &&
				358	(stat(user_hostfile, &st) == 0) &&
				359	((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	360	(st.st_mode & 022) != 0)) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	361	logit("Authentication refused for %.100s: "
Ben Lindstrom	83647ce	2001-06-25 04:30:16 +0000	[diff] [blame]	362	"bad owner or modes for %.200s",
				363	pw->pw_name, user_hostfile);
				364	} else {
				365	temporarily_use_uid(pw);
				366	host_status = check_host_in_hostfile(user_hostfile,
				367	host, key, found, NULL);
				368	restore_uid();
				369	}
				370	xfree(user_hostfile);
				371	}
				372	key_free(found);
				373
				374	debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
				375	"ok" : "not found", host);
				376	return host_status;
				377	}
				378
				379
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	380	/*
				381	* Check a given file for security. This is defined as all components
Ben Lindstrom	d4ee349	2002-08-20 18:42:13 +0000	[diff] [blame]	382	* of the path to the file must be owned by either the owner of
Ben Lindstrom	60567ff	2001-06-05 20:27:53 +0000	[diff] [blame]	383	* of the file or root and no directories must be group or world writable.
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	384	*
				385	* XXX Should any specific check be done for sym links ?
				386	*
				387	* Takes an open file descriptor, the file name, a uid and and
				388	* error buffer plus max size as arguments.
				389	*
				390	* Returns 0 on success and -1 on failure
				391	*/
				392	int
Ben Lindstrom	248c078	2001-07-04 03:40:39 +0000	[diff] [blame]	393	secure_filename(FILE f, const char file, struct passwd *pw,
				394	char *err, size_t errlen)
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	395	{
Ben Lindstrom	248c078	2001-07-04 03:40:39 +0000	[diff] [blame]	396	uid_t uid = pw->pw_uid;
Ben Lindstrom	c3e49e7	2001-10-03 17:55:26 +0000	[diff] [blame]	397	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	398	char *cp;
Ben Lindstrom	485075e	2002-11-09 15:45:12 +0000	[diff] [blame]	399	int comparehome = 0;
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	400	struct stat st;
				401
				402	if (realpath(file, buf) == NULL) {
				403	snprintf(err, errlen, "realpath %s failed: %s", file,
				404	strerror(errno));
				405	return -1;
				406	}
Ben Lindstrom	485075e	2002-11-09 15:45:12 +0000	[diff] [blame]	407	if (realpath(pw->pw_dir, homedir) != NULL)
				408	comparehome = 1;
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	409
				410	/* check the open file to avoid races */
				411	if (fstat(fileno(f), &st) < 0 \|\|
				412	(st.st_uid != 0 && st.st_uid != uid) \|\|
				413	(st.st_mode & 022) != 0) {
				414	snprintf(err, errlen, "bad ownership or modes for file %s",
				415	buf);
				416	return -1;
				417	}
				418
				419	/* for each component of the canonical path, walking upwards */
				420	for (;;) {
				421	if ((cp = dirname(buf)) == NULL) {
				422	snprintf(err, errlen, "dirname() failed");
				423	return -1;
				424	}
				425	strlcpy(buf, cp, sizeof(buf));
				426
				427	debug3("secure_filename: checking '%s'", buf);
				428	if (stat(buf, &st) < 0 \|\|
				429	(st.st_uid != 0 && st.st_uid != uid) \|\|
				430	(st.st_mode & 022) != 0) {
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	431	snprintf(err, errlen,
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	432	"bad ownership or modes for directory %s", buf);
				433	return -1;
				434	}
				435
Damien Miller	0ae6e00	2001-07-14 12:21:34 +1000	[diff] [blame]	436	/* If are passed the homedir then we can stop */
Ben Lindstrom	485075e	2002-11-09 15:45:12 +0000	[diff] [blame]	437	if (comparehome && strcmp(homedir, buf) == 0) {
Damien Miller	0ae6e00	2001-07-14 12:21:34 +1000	[diff] [blame]	438	debug3("secure_filename: terminating check at '%s'",
				439	buf);
				440	break;
				441	}
Ben Lindstrom	bfb3a0e	2001-06-05 20:25:05 +0000	[diff] [blame]	442	/*
				443	* dirname should always complete with a "/" path,
				444	* but we can be paranoid and check for "." too
				445	*/
				446	if ((strcmp("/", buf) == 0) \|\| (strcmp(".", buf) == 0))
				447	break;
				448	}
				449	return 0;
				450	}
Ben Lindstrom	2ae18f4	2002-03-22 01:24:38 +0000	[diff] [blame]	451
				452	struct passwd *
				453	getpwnamallow(const char *user)
				454	{
Ben Lindstrom	b481e13	2002-03-22 01:35:47 +0000	[diff] [blame]	455	#ifdef HAVE_LOGIN_CAP
				456	extern login_cap_t *lc;
				457	#ifdef BSD_AUTH
				458	auth_session_t *as;
				459	#endif
				460	#endif
Ben Lindstrom	2ae18f4	2002-03-22 01:24:38 +0000	[diff] [blame]	461	struct passwd *pw;
				462
				463	pw = getpwnam(user);
Damien Miller	6f0a188	2002-09-22 01:26:51 +1000	[diff] [blame]	464	if (pw == NULL) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	465	logit("Illegal user %.100s from %.100s",
Damien Miller	6f0a188	2002-09-22 01:26:51 +1000	[diff] [blame]	466	user, get_remote_ipaddr());
Darren Tucker	97363a8	2003-05-02 23:42:25 +1000	[diff] [blame]	467	#ifdef CUSTOM_FAILED_LOGIN
				468	record_failed_login(user, "ssh");
Ben Lindstrom	f5397c0	2002-11-09 16:11:10 +0000	[diff] [blame]	469	#endif
Damien Miller	6f0a188	2002-09-22 01:26:51 +1000	[diff] [blame]	470	return (NULL);
				471	}
				472	if (!allowed_user(pw))
Ben Lindstrom	b481e13	2002-03-22 01:35:47 +0000	[diff] [blame]	473	return (NULL);
				474	#ifdef HAVE_LOGIN_CAP
				475	if ((lc = login_getclass(pw->pw_class)) == NULL) {
				476	debug("unable to get login class: %s", user);
				477	return (NULL);
				478	}
				479	#ifdef BSD_AUTH
				480	if ((as = auth_open()) == NULL \|\| auth_setpwd(as, pw) != 0 \|\|
Damien Miller	13e35a0	2002-05-22 14:04:11 +1000	[diff] [blame]	481	auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
Ben Lindstrom	b481e13	2002-03-22 01:35:47 +0000	[diff] [blame]	482	debug("Approval failure for %s", user);
Ben Lindstrom	2ae18f4	2002-03-22 01:24:38 +0000	[diff] [blame]	483	pw = NULL;
Ben Lindstrom	b481e13	2002-03-22 01:35:47 +0000	[diff] [blame]	484	}
				485	if (as != NULL)
				486	auth_close(as);
				487	#endif
				488	#endif
Ben Lindstrom	f34e4eb	2002-03-22 03:08:30 +0000	[diff] [blame]	489	if (pw != NULL)
				490	return (pwcopy(pw));
				491	return (NULL);
Ben Lindstrom	2ae18f4	2002-03-22 01:24:38 +0000	[diff] [blame]	492	}
Ben Lindstrom	a574cda	2002-05-15 16:16:14 +0000	[diff] [blame]	493
				494	void
				495	auth_debug_add(const char *fmt,...)
				496	{
				497	char buf[1024];
				498	va_list args;
				499
				500	if (!auth_debug_init)
				501	return;
				502
				503	va_start(args, fmt);
				504	vsnprintf(buf, sizeof(buf), fmt, args);
				505	va_end(args);
				506	buffer_put_cstring(&auth_debug, buf);
				507	}
				508
				509	void
				510	auth_debug_send(void)
				511	{
				512	char *msg;
				513
				514	if (!auth_debug_init)
				515	return;
				516	while (buffer_len(&auth_debug)) {
				517	msg = buffer_get_string(&auth_debug, NULL);
				518	packet_send_debug("%s", msg);
				519	xfree(msg);
				520	}
				521	}
				522
				523	void
				524	auth_debug_reset(void)
				525	{
				526	if (auth_debug_init)
				527	buffer_clear(&auth_debug);
				528	else {
				529	buffer_init(&auth_debug);
				530	auth_debug_init = 1;
				531	}
				532	}
Damien Miller	856f0be	2003-09-03 07:32:45 +1000	[diff] [blame]	533
				534	struct passwd *
				535	fakepw(void)
				536	{
				537	static struct passwd fake;
				538
				539	memset(&fake, 0, sizeof(fake));
				540	fake.pw_name = "NOUSER";
				541	fake.pw_passwd =
Damien Miller	787b2ec	2003-11-21 23:56:47 +1100	[diff] [blame]	542	"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
Damien Miller	856f0be	2003-09-03 07:32:45 +1000	[diff] [blame]	543	fake.pw_gecos = "NOUSER";
Darren Tucker	1f8311c	2004-05-13 16:39:33 +1000	[diff] [blame]	544	fake.pw_uid = (uid_t)-1;
				545	fake.pw_gid = (gid_t)-1;
Damien Miller	856f0be	2003-09-03 07:32:45 +1000	[diff] [blame]	546	#ifdef HAVE_PW_CLASS_IN_PASSWD
				547	fake.pw_class = "";
				548	#endif
				549	fake.pw_dir = "/nonexist";
				550	fake.pw_shell = "/nonexist";
				551
				552	return (&fake);
				553	}