usr.bin/ssh/auth2-methods.c at jcs · jcs.org/openbsd-src

jcs.org / openbsd-src
fork atom
jcs's openbsd hax
openbsd
fork atom
openbsd-src / usr.bin / ssh / auth2-methods.c
at jcs 132 lines 3.4 kB view raw
wrap content
djm typos 2y ago
a14ca28d
  1/*
  2 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
  3 *
  4 * Permission to use, copy, modify, and distribute this software for any
  5 * purpose with or without fee is hereby granted, provided that the above
  6 * copyright notice and this permission notice appear in all copies.
  7 *
  8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 15 */
 16
 17#include <sys/types.h>
 18
 19#include <stdlib.h>
 20#include <string.h>
 21
 22#include "log.h"
 23#include "misc.h"
 24#include "servconf.h"
 25#include "xmalloc.h"
 26#include "hostfile.h"
 27#include "auth.h"
 28
 29extern ServerOptions options;
 30
 31/*
 32 * Configuration of enabled authentication methods. Separate from the rest of
 33 * auth2-*.c because we want to query it during server configuration validity
 34 * checking in the sshd listener process without pulling all the auth code in
 35 * too.
 36 */
 37
 38/* "none" is allowed only one time and it is cleared by userauth_none() later */
 39int none_enabled = 1;
 40struct authmethod_cfg methodcfg_none = {
 41	"none",
 42	NULL,
 43	&none_enabled
 44};
 45struct authmethod_cfg methodcfg_pubkey = {
 46	"publickey",
 47	"publickey-hostbound-v00@openssh.com",
 48	&options.pubkey_authentication
 49};
 50#ifdef GSSAPI
 51struct authmethod_cfg methodcfg_gssapi = {
 52	"gssapi-with-mic",
 53	NULL,
 54	&options.gss_authentication
 55};
 56#endif
 57struct authmethod_cfg methodcfg_passwd = {
 58	"password",
 59	NULL,
 60	&options.password_authentication
 61};
 62struct authmethod_cfg methodcfg_kbdint = {
 63	"keyboard-interactive",
 64	NULL,
 65	&options.kbd_interactive_authentication
 66};
 67struct authmethod_cfg methodcfg_hostbased = {
 68	"hostbased",
 69	NULL,
 70	&options.hostbased_authentication
 71};
 72
 73static struct authmethod_cfg *authmethod_cfgs[] = {
 74	&methodcfg_none,
 75	&methodcfg_pubkey,
 76#ifdef GSSAPI
 77	&methodcfg_gssapi,
 78#endif
 79	&methodcfg_passwd,
 80	&methodcfg_kbdint,
 81	&methodcfg_hostbased,
 82	NULL
 83};
 84
 85/*
 86 * Check a comma-separated list of methods for validity. If need_enable is
 87 * non-zero, then also require that the methods are enabled.
 88 * Returns 0 on success or -1 if the methods list is invalid.
 89 */
 90int
 91auth2_methods_valid(const char *_methods, int need_enable)
 92{
 93	char *methods, *omethods, *method, *p;
 94	u_int i, found;
 95	int ret = -1;
 96	const struct authmethod_cfg *cfg;
 97
 98	if (*_methods == '\0') {
 99		error("empty authentication method list");
100		return -1;
101	}
102	omethods = methods = xstrdup(_methods);
103	while ((method = strsep(&methods, ",")) != NULL) {
104		for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
105			cfg = authmethod_cfgs[i];
106			if ((p = strchr(method, ':')) != NULL)
107				*p = '\0';
108			if (strcmp(method, cfg->name) != 0)
109				continue;
110			if (need_enable) {
111				if (cfg->enabled == NULL ||
112				    *(cfg->enabled) == 0) {
113					error("Disabled method \"%s\" in "
114					    "AuthenticationMethods list \"%s\"",
115					    method, _methods);
116					goto out;
117				}
118			}
119			found = 1;
120			break;
121		}
122		if (!found) {
123			error("Unknown authentication method \"%s\" in list",
124			    method);
125			goto out;
126		}
127	}
128	ret = 0;
129 out:
130	free(omethods);
131	return ret;
132}