/*
* Dropbear - a SSH2 server
*
* Copyright (c) 2002,2003 Matt Johnston
* All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE. */
/* This file (auth.c) handles authentication requests, passing it to the
* particular type (auth-passwd, auth-pubkey). */
#include "includes.h"
#include "dbutil.h"
#include "session.h"
#include "buffer.h"
#include "ssh.h"
#include "packet.h"
#include "auth.h"
#include "runopts.h"
static void authclear();
static int checkusername(unsigned char *username, unsigned int userlen);
static void send_msg_userauth_banner();
/* initialise the first time for a session, resetting all parameters */
void svr_authinitialise() {
ses.authstate.failcount = 0;
authclear();
}
/* Reset the auth state, but don't reset the failcount. This is for if the
* user decides to try with a different username etc, and is also invoked
* on initialisation */
static void authclear() {
memset(&ses.authstate, 0, sizeof(ses.authstate));
#ifdef ENABLE_SVR_PUBKEY_AUTH
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
#endif
#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
if (!svr_opts.noauthpass) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
}
#endif
}
/* Send a banner message if specified to the client. The client might
* ignore this, but possibly serves as a legal "no trespassing" sign */
static void send_msg_userauth_banner() {
TRACE(("enter send_msg_userauth_banner"))
if (svr_opts.banner == NULL) {
TRACE(("leave send_msg_userauth_banner: banner is NULL"))
return;
}
CHECKCLEARTOWRITE();
buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner,
svr_opts.banner->len), svr_opts.banner->len);
buf_putstring(ses.writepayload, "en", 2);
encrypt_packet();
buf_free(svr_opts.banner);
svr_opts.banner = NULL;
TRACE(("leave send_msg_userauth_banner"))
}
/* handle a userauth request, check validity, pass to password or pubkey
* checking, and handle success or failure */
void recv_msg_userauth_request() {
unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
unsigned int userlen, servicelen, methodlen;
TRACE(("enter recv_msg_userauth_request"))
/* ignore packets if auth is already done */
if (ses.authstate.authdone == 1) {
TRACE(("leave recv_msg_userauth_request: authdone already"))
return;
}
/* send the banner if it exists, it will only exist once */
if (svr_opts.banner) {
send_msg_userauth_banner();
}
username = buf_getstring(ses.payload, &userlen);
servicename = buf_getstring(ses.payload, &servicelen);
methodname = buf_getstring(ses.payload, &methodlen);
/* only handle 'ssh-connection' currently */
if (servicelen != SSH_SERVICE_CONNECTION_LEN
&& (strncmp(servicename, SSH_SERVICE_CONNECTION,
SSH_SERVICE_CONNECTION_LEN) != 0)) {
/* TODO - disconnect here */
m_free(username);
m_free(servicename);
m_free(methodname);
dropbear_exit("unknown service in auth");
}
/* user wants to know what methods are supported */
if (methodlen == AUTH_METHOD_NONE_LEN &&
strncmp(methodname, AUTH_METHOD_NONE,
AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request"))
send_msg_userauth_failure(0, 0);
goto out;
}
/* check username is good before continuing */
if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
/* username is invalid/no shell/etc - send failure */
TRACE(("sending checkusername failure"))
send_msg_userauth_failure(0, 1);
goto out;
}
#ifdef ENABLE_SVR_PASSWORD_AUTH
if (!svr_opts.noauthpass &&
!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
/* user wants to try password auth */
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
strncmp(methodname, AUTH_METHOD_PASSWORD,
AUTH_METHOD_PASSWORD_LEN) == 0) {
svr_auth_password();
goto out;
}
}
#endif
#ifdef ENABLE_SVR_PAM_AUTH
if (!svr_opts.noauthpass &&
!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
/* user wants to try password auth */
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
strncmp(methodname, AUTH_METHOD_PASSWORD,
AUTH_METHOD_PASSWORD_LEN) == 0) {
svr_auth_pam();
goto out;
}
}
#endif
#ifdef ENABLE_SVR_PUBKEY_AUTH
/* user wants to try pubkey auth */
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
strncmp(methodname, AUTH_METHOD_PUBKEY,
AUTH_METHOD_PUBKEY_LEN) == 0) {
svr_auth_pubkey();
goto out;
}
#endif
/* nothing matched, we just fail */
send_msg_userauth_failure(0, 1);
out:
m_free(username);
m_free(servicename);
m_free(methodname);
}
/* Check that the username exists, has a non-empty password, and has a valid
* shell.
* returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
static int checkusername(unsigned char *username, unsigned int userlen) {
char* listshell = NULL;
char* usershell = NULL;
TRACE(("enter checkusername"))
if (userlen > MAX_USERNAME_LEN) {
return DROPBEAR_FAILURE;
}
/* new user or username has changed */
if (ses.authstate.username == NULL ||
strcmp(username, ses.authstate.username) != 0) {
/* the username needs resetting */
if (ses.authstate.username != NULL) {
dropbear_log(LOG_WARNING, "client trying multiple usernames from %s",
svr_ses.addrstring);
m_free(ses.authstate.username);
}
authclear();
ses.authstate.pw = getpwnam((char*)username);
ses.authstate.username = m_strdup(username);
m_free(ses.authstate.printableuser);
}
/* check that user exists */
if (ses.authstate.pw == NULL) {
TRACE(("leave checkusername: user '%s' doesn't exist", username))
dropbear_log(LOG_WARNING,
"login attempt for nonexistent user from %s",
svr_ses.addrstring);
send_msg_userauth_failure(0, 1);
return DROPBEAR_FAILURE;
}
/* We can set it once we know its a real user */
ses.authstate.printableuser = m_strdup(ses.authstate.pw->pw_name);
/* check for non-root if desired */
if (svr_opts.norootlogin && ses.authstate.pw->pw_uid == 0) {
TRACE(("leave checkusername: root login disabled"))
dropbear_log(LOG_WARNING, "root login rejected");
send_msg_userauth_failure(0, 1);
return DROPBEAR_FAILURE;
}
/* check for an empty password */
if (ses.authstate.pw->pw_passwd[0] == '\0') {
TRACE(("leave checkusername: empty pword"))
dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
return DROPBEAR_FAILURE;
}
TRACE(("shell is %s", ses.authstate.pw->pw_shell))
/* check that the shell is set */
usershell = ses.authstate.pw->pw_shell;
if (usershell[0] == '\0') {
/* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
usershell = "/bin/sh";
}
/* check the shell is valid. If /etc/shells doesn't exist, getusershell()
* should return some standard shells like "/bin/sh" and "/bin/csh" (this
* is platform-specific) */
setusershell();
while ((listshell = getusershell()) != NULL) {
TRACE(("test shell is '%s'", listshell))
if (strcmp(listshell, usershell) == 0) {
/* have a match */
goto goodshell;
}
}
/* no matching shell */
endusershell();
TRACE(("no matching shell"))
dropbear_log(LOG_WARNING, "user '%s' has invalid shell, rejected",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
return DROPBEAR_FAILURE;
goodshell:
endusershell();
TRACE(("matching shell"))
TRACE(("uid = %d", ses.authstate.pw->pw_uid))
TRACE(("leave checkusername"))
return DROPBEAR_SUCCESS;
}
/* Send a failure message to the client, in responds to a userauth_request.
* Partial indicates whether to set the "partial success" flag,
* incrfail is whether to count this failure in the failure count (which
* is limited. This function also handles disconnection after too many
* failures */
void send_msg_userauth_failure(int partial, int incrfail) {
buffer *typebuf = NULL;
TRACE(("enter send_msg_userauth_failure"))
CHECKCLEARTOWRITE();
buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
/* put a list of allowed types */
typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
buf_putbytes(typebuf, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
buf_putbyte(typebuf, ',');
}
}
if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
}
buf_setpos(typebuf, 0);
buf_putstring(ses.writepayload, buf_getptr(typebuf, typebuf->len),
typebuf->len);
TRACE(("auth fail: methods %d, '%s'", ses.authstate.authtypes,
buf_getptr(typebuf, typebuf->len)));
buf_free(typebuf);
buf_putbyte(ses.writepayload, partial ? 1 : 0);
encrypt_packet();
if (incrfail) {
usleep(300000); /* XXX improve this */
ses.authstate.failcount++;
}
if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
char * userstr;
/* XXX - send disconnect ? */
TRACE(("Max auth tries reached, exiting"))
if (ses.authstate.printableuser == NULL) {
userstr = "is invalid";
} else {
userstr = ses.authstate.printableuser;
}
dropbear_exit("Max auth tries reached - user '%s' from %s",
userstr, svr_ses.addrstring);
}
TRACE(("leave send_msg_userauth_failure"))
}
/* Send a success message to the user, and set the "authdone" flag */
void send_msg_userauth_success() {
TRACE(("enter send_msg_userauth_success"))
CHECKCLEARTOWRITE();
buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
encrypt_packet();
ses.authstate.authdone = 1;
ses.connecttimeout = 0;
if (ses.authstate.pw->pw_uid == 0) {
ses.allowprivport = 1;
}
/* Remove from the list of pre-auth sockets. Should be m_close(), since if
* we fail, we might end up leaking connection slots, and disallow new
* logins - a nasty situation. */
m_close(svr_ses.childpipe);
TRACE(("leave send_msg_userauth_success"))
}