Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssh/auth.c
34677 views
1
/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */

2
/*

3
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.

4
 *

5
 * Redistribution and use in source and binary forms, with or without

6
 * modification, are permitted provided that the following conditions

7
 * are met:

8
 * 1. Redistributions of source code must retain the above copyright

9
 *    notice, this list of conditions and the following disclaimer.

10
 * 2. Redistributions in binary form must reproduce the above copyright

11
 *    notice, this list of conditions and the following disclaimer in the

12
 *    documentation and/or other materials provided with the distribution.

13
 *

14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

15
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

16
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

17
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

18
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

19
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

20
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

21
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

22
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

23
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

24
 */

25


26
#include "includes.h"

27


28
#include <sys/types.h>

29
#include <sys/stat.h>

30
#include <sys/socket.h>

31
#include <sys/wait.h>

32


33
#include <netinet/in.h>

34


35
#include <stdlib.h>

36
#include <errno.h>

37
#include <fcntl.h>

38
#ifdef HAVE_PATHS_H

39
# include <paths.h>

40
#endif

41
#include <pwd.h>

42
#ifdef HAVE_LOGIN_H

43
#include <login.h>

44
#endif

45
#ifdef USE_SHADOW

46
#include <shadow.h>

47
#endif

48
#include <stdarg.h>

49
#include <stdio.h>

50
#include <string.h>

51
#include <unistd.h>

52
#include <limits.h>

53
#include <netdb.h>

54
#include <time.h>

55


56
#include "xmalloc.h"

57
#include "match.h"

58
#include "groupaccess.h"

59
#include "log.h"

60
#include "sshbuf.h"

61
#include "misc.h"

62
#include "servconf.h"

63
#include "sshkey.h"

64
#include "hostfile.h"

65
#include "auth.h"

66
#include "auth-options.h"

67
#include "canohost.h"

68
#include "uidswap.h"

69
#include "packet.h"

70
#include "loginrec.h"

71
#ifdef GSSAPI

72
#include "ssh-gss.h"

73
#endif

74
#include "authfile.h"

75
#include "monitor_wrap.h"

76
#include "ssherr.h"

77
#include "channels.h"

78
#include "blacklist_client.h"

79


80
/* import */

81
extern ServerOptions options;

82
extern struct include_list includes;

83
extern struct sshbuf *loginmsg;

84
extern struct passwd *privsep_pw;

85
extern struct sshauthopt *auth_opts;

86


87
/* Debugging messages */

88
static struct sshbuf *auth_debug;

89


90
/*

91
 * Check if the user is allowed to log in via ssh. If user is listed

92
 * in DenyUsers or one of user's groups is listed in DenyGroups, false

93
 * will be returned. If AllowUsers isn't empty and user isn't listed

94
 * there, or if AllowGroups isn't empty and one of user's groups isn't

95
 * listed there, false will be returned.

96
 * If the user's shell is not executable, false will be returned.

97
 * Otherwise true is returned.

98
 */

99
int

100
allowed_user(struct ssh *ssh, struct passwd * pw)

101
{

102
	struct stat st;

103
	const char *hostname = NULL, *ipaddr = NULL;

104
	u_int i;

105
	int r;

106


107
	/* Shouldn't be called if pw is NULL, but better safe than sorry... */

108
	if (!pw || !pw->pw_name)

109
		return 0;

110


111
	if (!options.use_pam && platform_locked_account(pw)) {

112
		logit("User %.100s not allowed because account is locked",

113
		    pw->pw_name);

114
		return 0;

115
	}

116


117
	/*

118
	 * Deny if shell does not exist or is not executable unless we

119
	 * are chrooting.

120
	 */

121
	if (options.chroot_directory == NULL ||

122
	    strcasecmp(options.chroot_directory, "none") == 0) {

123
		char *shell = xstrdup((pw->pw_shell[0] == '\0') ?

124
		    _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */

125


126
		if (stat(shell, &st) == -1) {

127
			logit("User %.100s not allowed because shell %.100s "

128
			    "does not exist", pw->pw_name, shell);

129
			free(shell);

130
			return 0;

131
		}

132
		if (S_ISREG(st.st_mode) == 0 ||

133
		    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {

134
			logit("User %.100s not allowed because shell %.100s "

135
			    "is not executable", pw->pw_name, shell);

136
			free(shell);

137
			return 0;

138
		}

139
		free(shell);

140
	}

141


142
	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||

143
	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {

144
		hostname = auth_get_canonical_hostname(ssh, options.use_dns);

145
		ipaddr = ssh_remote_ipaddr(ssh);

146
	}

147


148
	/* Return false if user is listed in DenyUsers */

149
	if (options.num_deny_users > 0) {

150
		for (i = 0; i < options.num_deny_users; i++) {

151
			r = match_user(pw->pw_name, hostname, ipaddr,

152
			    options.deny_users[i]);

153
			if (r < 0) {

154
				fatal("Invalid DenyUsers pattern \"%.100s\"",

155
				    options.deny_users[i]);

156
			} else if (r != 0) {

157
				logit("User %.100s from %.100s not allowed "

158
				    "because listed in DenyUsers",

159
				    pw->pw_name, hostname);

160
				return 0;

161
			}

162
		}

163
	}

164
	/* Return false if AllowUsers isn't empty and user isn't listed there */

165
	if (options.num_allow_users > 0) {

166
		for (i = 0; i < options.num_allow_users; i++) {

167
			r = match_user(pw->pw_name, hostname, ipaddr,

168
			    options.allow_users[i]);

169
			if (r < 0) {

170
				fatal("Invalid AllowUsers pattern \"%.100s\"",

171
				    options.allow_users[i]);

172
			} else if (r == 1)

173
				break;

174
		}

175
		/* i < options.num_allow_users iff we break for loop */

176
		if (i >= options.num_allow_users) {

177
			logit("User %.100s from %.100s not allowed because "

178
			    "not listed in AllowUsers", pw->pw_name, hostname);

179
			return 0;

180
		}

181
	}

182
	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {

183
		/* Get the user's group access list (primary and supplementary) */

184
		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {

185
			logit("User %.100s from %.100s not allowed because "

186
			    "not in any group", pw->pw_name, hostname);

187
			return 0;

188
		}

189


190
		/* Return false if one of user's groups is listed in DenyGroups */

191
		if (options.num_deny_groups > 0)

192
			if (ga_match(options.deny_groups,

193
			    options.num_deny_groups)) {

194
				ga_free();

195
				logit("User %.100s from %.100s not allowed "

196
				    "because a group is listed in DenyGroups",

197
				    pw->pw_name, hostname);

198
				return 0;

199
			}

200
		/*

201
		 * Return false if AllowGroups isn't empty and one of user's groups

202
		 * isn't listed there

203
		 */

204
		if (options.num_allow_groups > 0)

205
			if (!ga_match(options.allow_groups,

206
			    options.num_allow_groups)) {

207
				ga_free();

208
				logit("User %.100s from %.100s not allowed "

209
				    "because none of user's groups are listed "

210
				    "in AllowGroups", pw->pw_name, hostname);

211
				return 0;

212
			}

213
		ga_free();

214
	}

215


216
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER

217
	if (!sys_auth_allowed_user(pw, loginmsg))

218
		return 0;

219
#endif

220


221
	/* We found no reason not to let this user try to log on... */

222
	return 1;

223
}

224


225
/*

226
 * Formats any key left in authctxt->auth_method_key for inclusion in

227
 * auth_log()'s message. Also includes authxtct->auth_method_info if present.

228
 */

229
static char *

230
format_method_key(Authctxt *authctxt)

231
{

232
	const struct sshkey *key = authctxt->auth_method_key;

233
	const char *methinfo = authctxt->auth_method_info;

234
	char *fp, *cafp, *ret = NULL;

235


236
	if (key == NULL)

237
		return NULL;

238


239
	if (sshkey_is_cert(key)) {

240
		fp = sshkey_fingerprint(key,

241
		    options.fingerprint_hash, SSH_FP_DEFAULT);

242
		cafp = sshkey_fingerprint(key->cert->signature_key,

243
		    options.fingerprint_hash, SSH_FP_DEFAULT);

244
		xasprintf(&ret, "%s %s ID %s (serial %llu) CA %s %s%s%s",

245
		    sshkey_type(key), fp == NULL ? "(null)" : fp,

246
		    key->cert->key_id,

247
		    (unsigned long long)key->cert->serial,

248
		    sshkey_type(key->cert->signature_key),

249
		    cafp == NULL ? "(null)" : cafp,

250
		    methinfo == NULL ? "" : ", ",

251
		    methinfo == NULL ? "" : methinfo);

252
		free(fp);

253
		free(cafp);

254
	} else {

255
		fp = sshkey_fingerprint(key, options.fingerprint_hash,

256
		    SSH_FP_DEFAULT);

257
		xasprintf(&ret, "%s %s%s%s", sshkey_type(key),

258
		    fp == NULL ? "(null)" : fp,

259
		    methinfo == NULL ? "" : ", ",

260
		    methinfo == NULL ? "" : methinfo);

261
		free(fp);

262
	}

263
	return ret;

264
}

265


266
void

267
auth_log(struct ssh *ssh, int authenticated, int partial,

268
    const char *method, const char *submethod)

269
{

270
	Authctxt *authctxt = (Authctxt *)ssh->authctxt;

271
	int level = SYSLOG_LEVEL_VERBOSE;

272
	const char *authmsg;

273
	char *extra = NULL;

274


275
	if (!mm_is_monitor() && !authctxt->postponed)

276
		return;

277


278
	/* Raise logging level */

279
	if (authenticated == 1 ||

280
	    !authctxt->valid ||

281
	    authctxt->failures >= options.max_authtries / 2 ||

282
	    strcmp(method, "password") == 0)

283
		level = SYSLOG_LEVEL_INFO;

284


285
	if (authctxt->postponed)

286
		authmsg = "Postponed";

287
	else if (partial)

288
		authmsg = "Partial";

289
	else {

290
		authmsg = authenticated ? "Accepted" : "Failed";

291
		if (authenticated)

292
			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");

293
	}

294


295
	if ((extra = format_method_key(authctxt)) == NULL) {

296
		if (authctxt->auth_method_info != NULL)

297
			extra = xstrdup(authctxt->auth_method_info);

298
	}

299


300
	do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",

301
	    authmsg,

302
	    method,

303
	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,

304
	    authctxt->valid ? "" : "invalid user ",

305
	    authctxt->user,

306
	    ssh_remote_ipaddr(ssh),

307
	    ssh_remote_port(ssh),

308
	    extra != NULL ? ": " : "",

309
	    extra != NULL ? extra : "");

310


311
	free(extra);

312


313
#if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)

314
	if (authenticated == 0 && !(authctxt->postponed || partial)) {

315
		/* Log failed login attempt */

316
# ifdef CUSTOM_FAILED_LOGIN

317
		if (strcmp(method, "password") == 0 ||

318
		    strncmp(method, "keyboard-interactive", 20) == 0 ||

319
		    strcmp(method, "challenge-response") == 0)

320
			record_failed_login(ssh, authctxt->user,

321
			    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");

322
# endif

323
# ifdef SSH_AUDIT_EVENTS

324
		audit_event(ssh, audit_classify_auth(method));

325
# endif

326
	}

327
#endif

328
#if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)

329
	if (authenticated)

330
		sys_auth_record_login(authctxt->user,

331
		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh",

332
		    loginmsg);

333
#endif

334
}

335


336
void

337
auth_maxtries_exceeded(struct ssh *ssh)

338
{

339
	Authctxt *authctxt = (Authctxt *)ssh->authctxt;

340


341
	error("maximum authentication attempts exceeded for "

342
	    "%s%.100s from %.200s port %d ssh2",

343
	    authctxt->valid ? "" : "invalid user ",

344
	    authctxt->user,

345
	    ssh_remote_ipaddr(ssh),

346
	    ssh_remote_port(ssh));

347
	ssh_packet_disconnect(ssh, "Too many authentication failures");

348
	/* NOTREACHED */

349
}

350


351
/*

352
 * Check whether root logins are disallowed.

353
 */

354
int

355
auth_root_allowed(struct ssh *ssh, const char *method)

356
{

357
	switch (options.permit_root_login) {

358
	case PERMIT_YES:

359
		return 1;

360
	case PERMIT_NO_PASSWD:

361
		if (strcmp(method, "publickey") == 0 ||

362
		    strcmp(method, "hostbased") == 0 ||

363
		    strcmp(method, "gssapi-with-mic") == 0)

364
			return 1;

365
		break;

366
	case PERMIT_FORCED_ONLY:

367
		if (auth_opts->force_command != NULL) {

368
			logit("Root login accepted for forced command.");

369
			return 1;

370
		}

371
		break;

372
	}

373
	logit("ROOT LOGIN REFUSED FROM %.200s port %d",

374
	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));

375
	return 0;

376
}

377


378


379
/*

380
 * Given a template and a passwd structure, build a filename

381
 * by substituting % tokenised options. Currently, %% becomes '%',

382
 * %h becomes the home directory and %u the username.

383
 *

384
 * This returns a buffer allocated by xmalloc.

385
 */

386
char *

387
expand_authorized_keys(const char *filename, struct passwd *pw)

388
{

389
	char *file, uidstr[32], ret[PATH_MAX];

390
	int i;

391


392
	snprintf(uidstr, sizeof(uidstr), "%llu",

393
	    (unsigned long long)pw->pw_uid);

394
	file = percent_expand(filename, "h", pw->pw_dir,

395
	    "u", pw->pw_name, "U", uidstr, (char *)NULL);

396


397
	/*

398
	 * Ensure that filename starts anchored. If not, be backward

399
	 * compatible and prepend the '%h/'

400
	 */

401
	if (path_absolute(file))

402
		return (file);

403


404
	i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);

405
	if (i < 0 || (size_t)i >= sizeof(ret))

406
		fatal("expand_authorized_keys: path too long");

407
	free(file);

408
	return (xstrdup(ret));

409
}

410


411
char *

412
authorized_principals_file(struct passwd *pw)

413
{

414
	if (options.authorized_principals_file == NULL)

415
		return NULL;

416
	return expand_authorized_keys(options.authorized_principals_file, pw);

417
}

418


419
/* return ok if key exists in sysfile or userfile */

420
HostStatus

421
check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,

422
    const char *sysfile, const char *userfile)

423
{

424
	char *user_hostfile;

425
	struct stat st;

426
	HostStatus host_status;

427
	struct hostkeys *hostkeys;

428
	const struct hostkey_entry *found;

429


430
	hostkeys = init_hostkeys();

431
	load_hostkeys(hostkeys, host, sysfile, 0);

432
	if (userfile != NULL) {

433
		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);

434
		if (options.strict_modes &&

435
		    (stat(user_hostfile, &st) == 0) &&

436
		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||

437
		    (st.st_mode & 022) != 0)) {

438
			logit("Authentication refused for %.100s: "

439
			    "bad owner or modes for %.200s",

440
			    pw->pw_name, user_hostfile);

441
			auth_debug_add("Ignored %.200s: bad ownership or modes",

442
			    user_hostfile);

443
		} else {

444
			temporarily_use_uid(pw);

445
			load_hostkeys(hostkeys, host, user_hostfile, 0);

446
			restore_uid();

447
		}

448
		free(user_hostfile);

449
	}

450
	host_status = check_key_in_hostkeys(hostkeys, key, &found);

451
	if (host_status == HOST_REVOKED)

452
		error("WARNING: revoked key for %s attempted authentication",

453
		    host);

454
	else if (host_status == HOST_OK)

455
		debug_f("key for %s found at %s:%ld",

456
		    found->host, found->file, found->line);

457
	else

458
		debug_f("key for host %s not found", host);

459


460
	free_hostkeys(hostkeys);

461


462
	return host_status;

463
}

464


465
struct passwd *

466
getpwnamallow(struct ssh *ssh, const char *user)

467
{

468
#ifdef HAVE_LOGIN_CAP

469
	extern login_cap_t *lc;

470
#ifdef HAVE_AUTH_HOSTOK

471
	const char *from_host, *from_ip;

472
#endif

473
#ifdef BSD_AUTH

474
	auth_session_t *as;

475
#endif

476
#endif

477
	struct passwd *pw;

478
	struct connection_info *ci;

479
	u_int i;

480


481
	ci = server_get_connection_info(ssh, 1, options.use_dns);

482
	ci->user = user;

483
	ci->user_invalid = getpwnam(user) == NULL;

484
	parse_server_match_config(&options, &includes, ci);

485
	log_change_level(options.log_level);

486
	log_verbose_reset();

487
	for (i = 0; i < options.num_log_verbose; i++)

488
		log_verbose_add(options.log_verbose[i]);

489
	server_process_permitopen(ssh);

490


491
#if defined(_AIX) && defined(HAVE_SETAUTHDB)

492
	aix_setauthdb(user);

493
#endif

494


495
	pw = getpwnam(user);

496


497
#if defined(_AIX) && defined(HAVE_SETAUTHDB)

498
	aix_restoreauthdb();

499
#endif

500
	if (pw == NULL) {

501
		BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);

502
		logit("Invalid user %.100s from %.100s port %d",

503
		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));

504
#ifdef CUSTOM_FAILED_LOGIN

505
		record_failed_login(ssh, user,

506
		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");

507
#endif

508
#ifdef SSH_AUDIT_EVENTS

509
		audit_event(ssh, SSH_INVALID_USER);

510
#endif /* SSH_AUDIT_EVENTS */

511
		return (NULL);

512
	}

513
	if (!allowed_user(ssh, pw))

514
		return (NULL);

515
#ifdef HAVE_LOGIN_CAP

516
	if ((lc = login_getpwclass(pw)) == NULL) {

517
		debug("unable to get login class: %s", user);

518
		return (NULL);

519
	}

520
#ifdef HAVE_AUTH_HOSTOK

521
	from_host = auth_get_canonical_hostname(ssh, options.use_dns);

522
	from_ip = ssh_remote_ipaddr(ssh);

523
	if (!auth_hostok(lc, from_host, from_ip)) {

524
		debug("Denied connection for %.200s from %.200s [%.200s].",

525
		      pw->pw_name, from_host, from_ip);

526
		return (NULL);

527
	}

528
#endif /* HAVE_AUTH_HOSTOK */

529
#ifdef HAVE_AUTH_TIMEOK

530
	if (!auth_timeok(lc, time(NULL))) {

531
		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);

532
		return (NULL);

533
	}

534
#endif /* HAVE_AUTH_TIMEOK */

535
#ifdef BSD_AUTH

536
	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||

537
	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {

538
		debug("Approval failure for %s", user);

539
		pw = NULL;

540
	}

541
	if (as != NULL)

542
		auth_close(as);

543
#endif

544
#endif

545
	if (pw != NULL)

546
		return (pwcopy(pw));

547
	return (NULL);

548
}

549


550
/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */

551
int

552
auth_key_is_revoked(struct sshkey *key)

553
{

554
	char *fp = NULL;

555
	int r;

556


557
	if (options.revoked_keys_file == NULL)

558
		return 0;

559
	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,

560
	    SSH_FP_DEFAULT)) == NULL) {

561
		r = SSH_ERR_ALLOC_FAIL;

562
		error_fr(r, "fingerprint key");

563
		goto out;

564
	}

565


566
	r = sshkey_check_revoked(key, options.revoked_keys_file);

567
	switch (r) {

568
	case 0:

569
		break; /* not revoked */

570
	case SSH_ERR_KEY_REVOKED:

571
		error("Authentication key %s %s revoked by file %s",

572
		    sshkey_type(key), fp, options.revoked_keys_file);

573
		goto out;

574
	default:

575
		error_r(r, "Error checking authentication key %s %s in "

576
		    "revoked keys file %s", sshkey_type(key), fp,

577
		    options.revoked_keys_file);

578
		goto out;

579
	}

580


581
	/* Success */

582
	r = 0;

583


584
 out:

585
	free(fp);

586
	return r == 0 ? 0 : 1;

587
}

588


589
void

590
auth_debug_add(const char *fmt,...)

591
{

592
	char buf[1024];

593
	va_list args;

594
	int r;

595


596
	va_start(args, fmt);

597
	vsnprintf(buf, sizeof(buf), fmt, args);

598
	va_end(args);

599
	debug3("%s", buf);

600
	if (auth_debug != NULL)

601
		if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0)

602
			fatal_fr(r, "sshbuf_put_cstring");

603
}

604


605
void

606
auth_debug_send(struct ssh *ssh)

607
{

608
	char *msg;

609
	int r;

610


611
	if (auth_debug == NULL)

612
		return;

613
	while (sshbuf_len(auth_debug) != 0) {

614
		if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0)

615
			fatal_fr(r, "sshbuf_get_cstring");

616
		ssh_packet_send_debug(ssh, "%s", msg);

617
		free(msg);

618
	}

619
}

620


621
void

622
auth_debug_reset(void)

623
{

624
	if (auth_debug != NULL)

625
		sshbuf_reset(auth_debug);

626
	else if ((auth_debug = sshbuf_new()) == NULL)

627
		fatal_f("sshbuf_new failed");

628
}

629


630
struct passwd *

631
fakepw(void)

632
{

633
	static int done = 0;

634
	static struct passwd fake;

635
	const char hashchars[] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ"

636
	    "abcdefghijklmnopqrstuvwxyz0123456789"; /* from bcrypt.c */

637
	char *cp;

638


639
	if (done)

640
		return (&fake);

641


642
	memset(&fake, 0, sizeof(fake));

643
	fake.pw_name = "NOUSER";

644
	fake.pw_passwd = xstrdup("$2a$10$"

645
	    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");

646
	for (cp = fake.pw_passwd + 7; *cp != '\0'; cp++)

647
		*cp = hashchars[arc4random_uniform(sizeof(hashchars) - 1)];

648
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS

649
	fake.pw_gecos = "NOUSER";

650
#endif

651
	fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;

652
	fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;

653
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS

654
	fake.pw_class = "";

655
#endif

656
	fake.pw_dir = "/nonexist";

657
	fake.pw_shell = "/nonexist";

658
	done = 1;

659


660
	return (&fake);

661
}

662


663
/*

664
 * Return the canonical name of the host in the other side of the current

665
 * connection.  The host name is cached, so it is efficient to call this

666
 * several times.

667
 */

668


669
const char *

670
auth_get_canonical_hostname(struct ssh *ssh, int use_dns)

671
{

672
	static char *dnsname;

673


674
	if (!use_dns)

675
		return ssh_remote_ipaddr(ssh);

676
	if (dnsname != NULL)

677
		return dnsname;

678
	dnsname = ssh_remote_hostname(ssh);

679
	return dnsname;

680
}

681


682
/* These functions link key/cert options to the auth framework */

683


684
/* Log sshauthopt options locally and (optionally) for remote transmission */

685
void

686
auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)

687
{

688
	int do_env = options.permit_user_env && opts->nenv > 0;

689
	int do_permitopen = opts->npermitopen > 0 &&

690
	    (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;

691
	int do_permitlisten = opts->npermitlisten > 0 &&

692
	    (options.allow_tcp_forwarding & FORWARD_REMOTE) != 0;

693
	size_t i;

694
	char msg[1024], buf[64];

695


696
	snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);

697
	/* Try to keep this alphabetically sorted */

698
	snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",

699
	    opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",

700
	    opts->force_command == NULL ? "" : " command",

701
	    do_env ?  " environment" : "",

702
	    opts->valid_before == 0 ? "" : "expires",

703
	    opts->no_require_user_presence ? " no-touch-required" : "",

704
	    do_permitopen ?  " permitopen" : "",

705
	    do_permitlisten ?  " permitlisten" : "",

706
	    opts->permit_port_forwarding_flag ? " port-forwarding" : "",

707
	    opts->cert_principals == NULL ? "" : " principals",

708
	    opts->permit_pty_flag ? " pty" : "",

709
	    opts->require_verify ? " uv" : "",

710
	    opts->force_tun_device == -1 ? "" : " tun=",

711
	    opts->force_tun_device == -1 ? "" : buf,

712
	    opts->permit_user_rc ? " user-rc" : "",

713
	    opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");

714


715
	debug("%s: %s", loc, msg);

716
	if (do_remote)

717
		auth_debug_add("%s: %s", loc, msg);

718


719
	if (options.permit_user_env) {

720
		for (i = 0; i < opts->nenv; i++) {

721
			debug("%s: environment: %s", loc, opts->env[i]);

722
			if (do_remote) {

723
				auth_debug_add("%s: environment: %s",

724
				    loc, opts->env[i]);

725
			}

726
		}

727
	}

728


729
	/* Go into a little more details for the local logs. */

730
	if (opts->valid_before != 0) {

731
		format_absolute_time(opts->valid_before, buf, sizeof(buf));

732
		debug("%s: expires at %s", loc, buf);

733
	}

734
	if (opts->cert_principals != NULL) {

735
		debug("%s: authorized principals: \"%s\"",

736
		    loc, opts->cert_principals);

737
	}

738
	if (opts->force_command != NULL)

739
		debug("%s: forced command: \"%s\"", loc, opts->force_command);

740
	if (do_permitopen) {

741
		for (i = 0; i < opts->npermitopen; i++) {

742
			debug("%s: permitted open: %s",

743
			    loc, opts->permitopen[i]);

744
		}

745
	}

746
	if (do_permitlisten) {

747
		for (i = 0; i < opts->npermitlisten; i++) {

748
			debug("%s: permitted listen: %s",

749
			    loc, opts->permitlisten[i]);

750
		}

751
	}

752
}

753


754
/* Activate a new set of key/cert options; merging with what is there. */

755
int

756
auth_activate_options(struct ssh *ssh, struct sshauthopt *opts)

757
{

758
	struct sshauthopt *old = auth_opts;

759
	const char *emsg = NULL;

760


761
	debug_f("setting new authentication options");

762
	if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {

763
		error("Inconsistent authentication options: %s", emsg);

764
		return -1;

765
	}

766
	return 0;

767
}

768


769
/* Disable forwarding, etc for the session */

770
void

771
auth_restrict_session(struct ssh *ssh)

772
{

773
	struct sshauthopt *restricted;

774


775
	debug_f("restricting session");

776


777
	/* A blank sshauthopt defaults to permitting nothing */

778
	if ((restricted = sshauthopt_new()) == NULL)

779
		fatal_f("sshauthopt_new failed");

780
	restricted->permit_pty_flag = 1;

781
	restricted->restricted = 1;

782


783
	if (auth_activate_options(ssh, restricted) != 0)

784
		fatal_f("failed to restrict session");

785
	sshauthopt_free(restricted);

786
}

787


788