GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/openssh/auth2-methods.c
/*
* Copyright (c) 2012,2023 Damien Miller <[email protected]>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "xmalloc.h"
#include "hostfile.h"
#include "auth.h"
extern ServerOptions options;
/*
* Configuration of enabled authentication methods. Separate from the rest of
* auth2-*.c because we want to query it during server configuration validity
* checking in the sshd listener process without pulling all the auth code in
* too.
*/
/*
 * "none" is allowed only one time: this flag starts out set and is cleared
 * by userauth_none() later.
 */
int none_enabled = 1;

/*
 * Per-method configuration records. auth2_methods_valid() compares each
 * list element against cfg->name and, when asked to, dereferences
 * cfg->enabled to decide whether the method is switched on; the enable
 * pointers below refer either to none_enabled or to a field of the global
 * server options.
 * NOTE(review): the initializers are positional and struct authmethod_cfg
 * is declared outside this file, so the field order (presumably name, an
 * optional second string, enable pointer) should be confirmed against the
 * declaration.
 */
struct authmethod_cfg methodcfg_none = { "none", NULL, &none_enabled };

/*
 * NOTE(review): the second string below appears to have been rewritten by
 * the hosting page's e-mail obfuscation; take the real literal from the
 * upstream file before building from this listing.
 */
struct authmethod_cfg methodcfg_pubkey = {
	"publickey", "[email protected]", &options.pubkey_authentication
};

#ifdef GSSAPI
struct authmethod_cfg methodcfg_gssapi = {
	"gssapi-with-mic", NULL, &options.gss_authentication
};
#endif

struct authmethod_cfg methodcfg_passwd = {
	"password", NULL, &options.password_authentication
};

struct authmethod_cfg methodcfg_kbdint = {
	"keyboard-interactive", NULL, &options.kbd_interactive_authentication
};

struct authmethod_cfg methodcfg_hostbased = {
	"hostbased", NULL, &options.hostbased_authentication
};

/*
 * NULL-terminated lookup table walked by auth2_methods_valid(). Only
 * methods listed here are accepted as known names; the GSSAPI entry exists
 * only when the build defines GSSAPI.
 */
static struct authmethod_cfg *authmethod_cfgs[] = {
	&methodcfg_none,
	&methodcfg_pubkey,
#ifdef GSSAPI
	&methodcfg_gssapi,
#endif
	&methodcfg_passwd,
	&methodcfg_kbdint,
	&methodcfg_hostbased,
	NULL
};
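/*
 * Check a comma-separated list of methods for validity. If need_enable is
 * non-zero, then also require that the methods are enabled.
 * Returns 0 on success or -1 if the methods list is invalid.
 *
 * Each list element may carry a ":submethod" suffix. Only the method name
 * before the first ':' is compared against authmethod_cfgs[]; the submethod
 * text is discarded and is NOT validated by this function.
 *
 * An empty element (as produced by "a,,b" or a trailing comma) matches no
 * configured name, so it makes the whole list invalid. A NULL list is
 * rejected in the same way as an empty one.
 */
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *methods, *omethods, *method, *p;
	u_int i, found;
	int ret = -1;
	const struct authmethod_cfg *cfg;

	/* Fail closed rather than dereference a missing list. */
	if (_methods == NULL || *_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	/* strsep() and the ':' truncation write into the string: use a copy. */
	omethods = methods = xstrdup(_methods);
	while ((method = strsep(&methods, ",")) != NULL) {
		/*
		 * Cut off any ":submethod" suffix once per element, before
		 * the table lookup, instead of on every table iteration.
		 */
		if ((p = strchr(method, ':')) != NULL)
			*p = '\0';
		for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
			cfg = authmethod_cfgs[i];
			if (strcmp(method, cfg->name) != 0)
				continue;
			if (need_enable) {
				/* No enable flag at all counts as disabled. */
				if (cfg->enabled == NULL ||
				    *(cfg->enabled) == 0) {
					error("Disabled method \"%s\" in "
					    "AuthenticationMethods list \"%s\"",
					    method, _methods);
					goto out;
				}
			}
			found = 1;
			break;
		}
		if (!found) {
			error("Unknown authentication method \"%s\" in list",
			    method);
			goto out;
		}
	}
	ret = 0;
 out:
	/* methods has been advanced by strsep(); free the original pointer. */
	free(omethods);
	return ret;
}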