Home | History | Annotate | Download | only in dropbear
      1 /*
      2  * Dropbear - a SSH2 server
      3  *
      4  * Copyright (c) 2002,2003 Matt Johnston
      5  * All rights reserved.
      6  *
      7  * Permission is hereby granted, free of charge, to any person obtaining a copy
      8  * of this software and associated documentation files (the "Software"), to deal
      9  * in the Software without restriction, including without limitation the rights
     10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
     11  * copies of the Software, and to permit persons to whom the Software is
     12  * furnished to do so, subject to the following conditions:
     13  *
     14  * The above copyright notice and this permission notice shall be included in
     15  * all copies or substantial portions of the Software.
     16  *
     17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
     18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
     20  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
     21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
     23  * SOFTWARE. */
     24 
     25 /* This file (auth.c) handles authentication requests, passing it to the
     26  * particular type (auth-passwd, auth-pubkey). */
     27 
     28 #include "includes.h"
     29 #include "dbutil.h"
     30 #include "session.h"
     31 #include "buffer.h"
     32 #include "ssh.h"
     33 #include "packet.h"
     34 #include "auth.h"
     35 #include "runopts.h"
     36 
     37 static void authclear();
     38 static int checkusername(unsigned char *username, unsigned int userlen);
     39 static void send_msg_userauth_banner();
     40 
     41 /* initialise the first time for a session, resetting all parameters */
     42 void svr_authinitialise() {
     43 
     44 	ses.authstate.failcount = 0;
     45 	authclear();
     46 
     47 }
     48 
     49 /* Reset the auth state, but don't reset the failcount. This is for if the
     50  * user decides to try with a different username etc, and is also invoked
     51  * on initialisation */
     52 static void authclear() {
     53 
     54 	memset(&ses.authstate, 0, sizeof(ses.authstate));
     55 #ifdef ENABLE_SVR_PUBKEY_AUTH
     56 	ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
     57 #endif
     58 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
     59 	if (!svr_opts.noauthpass) {
     60 		ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
     61 	}
     62 #endif
     63 
     64 }
     65 
     66 /* Send a banner message if specified to the client. The client might
     67  * ignore this, but possibly serves as a legal "no trespassing" sign */
     68 static void send_msg_userauth_banner() {
     69 
     70 	TRACE(("enter send_msg_userauth_banner"))
     71 	if (svr_opts.banner == NULL) {
     72 		TRACE(("leave send_msg_userauth_banner: banner is NULL"))
     73 		return;
     74 	}
     75 
     76 	CHECKCLEARTOWRITE();
     77 
     78 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
     79 	buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner,
     80 				svr_opts.banner->len), svr_opts.banner->len);
     81 	buf_putstring(ses.writepayload, "en", 2);
     82 
     83 	encrypt_packet();
     84 	buf_free(svr_opts.banner);
     85 	svr_opts.banner = NULL;
     86 
     87 	TRACE(("leave send_msg_userauth_banner"))
     88 }
     89 
     90 /* handle a userauth request, check validity, pass to password or pubkey
     91  * checking, and handle success or failure */
     92 void recv_msg_userauth_request() {
     93 
     94 	unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
     95 	unsigned int userlen, servicelen, methodlen;
     96 
     97 	TRACE(("enter recv_msg_userauth_request"))
     98 
     99 	/* ignore packets if auth is already done */
    100 	if (ses.authstate.authdone == 1) {
    101 		TRACE(("leave recv_msg_userauth_request: authdone already"))
    102 		return;
    103 	}
    104 
    105 	/* send the banner if it exists, it will only exist once */
    106 	if (svr_opts.banner) {
    107 		send_msg_userauth_banner();
    108 	}
    109 
    110 
    111 	username = buf_getstring(ses.payload, &userlen);
    112 	servicename = buf_getstring(ses.payload, &servicelen);
    113 	methodname = buf_getstring(ses.payload, &methodlen);
    114 
    115 	/* only handle 'ssh-connection' currently */
    116 	if (servicelen != SSH_SERVICE_CONNECTION_LEN
    117 			&& (strncmp(servicename, SSH_SERVICE_CONNECTION,
    118 					SSH_SERVICE_CONNECTION_LEN) != 0)) {
    119 
    120 		/* TODO - disconnect here */
    121 		m_free(username);
    122 		m_free(servicename);
    123 		m_free(methodname);
    124 		dropbear_exit("unknown service in auth");
    125 	}
    126 
    127 	/* user wants to know what methods are supported */
    128 	if (methodlen == AUTH_METHOD_NONE_LEN &&
    129 			strncmp(methodname, AUTH_METHOD_NONE,
    130 				AUTH_METHOD_NONE_LEN) == 0) {
    131 		TRACE(("recv_msg_userauth_request: 'none' request"))
    132 		send_msg_userauth_failure(0, 0);
    133 		goto out;
    134 	}
    135 
    136 	/* check username is good before continuing */
    137 	if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
    138 		/* username is invalid/no shell/etc - send failure */
    139 		TRACE(("sending checkusername failure"))
    140 		send_msg_userauth_failure(0, 1);
    141 		goto out;
    142 	}
    143 
    144 #ifdef ENABLE_SVR_PASSWORD_AUTH
    145 	if (!svr_opts.noauthpass &&
    146 			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
    147 		/* user wants to try password auth */
    148 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
    149 				strncmp(methodname, AUTH_METHOD_PASSWORD,
    150 					AUTH_METHOD_PASSWORD_LEN) == 0) {
    151 			svr_auth_password();
    152 			goto out;
    153 		}
    154 	}
    155 #endif
    156 
    157 #ifdef ENABLE_SVR_PAM_AUTH
    158 	if (!svr_opts.noauthpass &&
    159 			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
    160 		/* user wants to try password auth */
    161 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
    162 				strncmp(methodname, AUTH_METHOD_PASSWORD,
    163 					AUTH_METHOD_PASSWORD_LEN) == 0) {
    164 			svr_auth_pam();
    165 			goto out;
    166 		}
    167 	}
    168 #endif
    169 
    170 #ifdef ENABLE_SVR_PUBKEY_AUTH
    171 	/* user wants to try pubkey auth */
    172 	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
    173 			strncmp(methodname, AUTH_METHOD_PUBKEY,
    174 				AUTH_METHOD_PUBKEY_LEN) == 0) {
    175 		svr_auth_pubkey();
    176 		goto out;
    177 	}
    178 #endif
    179 
    180 	/* nothing matched, we just fail */
    181 	send_msg_userauth_failure(0, 1);
    182 
    183 out:
    184 
    185 	m_free(username);
    186 	m_free(servicename);
    187 	m_free(methodname);
    188 }
    189 
    190 /* Check that the username exists, has a non-empty password, and has a valid
    191  * shell.
    192  * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
    193 static int checkusername(unsigned char *username, unsigned int userlen) {
    194 
    195 	char* listshell = NULL;
    196 	char* usershell = NULL;
    197 
    198 	TRACE(("enter checkusername"))
    199 	if (userlen > MAX_USERNAME_LEN) {
    200 		return DROPBEAR_FAILURE;
    201 	}
    202 
    203 	/* new user or username has changed */
    204 	if (ses.authstate.username == NULL ||
    205 		strcmp(username, ses.authstate.username) != 0) {
    206 			/* the username needs resetting */
    207 			if (ses.authstate.username != NULL) {
    208 				dropbear_log(LOG_WARNING, "client trying multiple usernames from %s",
    209 							svr_ses.addrstring);
    210 				m_free(ses.authstate.username);
    211 			}
    212 			authclear();
    213 			ses.authstate.pw = getpwnam((char*)username);
    214 			ses.authstate.username = m_strdup(username);
    215 			m_free(ses.authstate.printableuser);
    216 	}
    217 
    218 	/* check that user exists */
    219 	if (ses.authstate.pw == NULL) {
    220 		TRACE(("leave checkusername: user '%s' doesn't exist", username))
    221 		dropbear_log(LOG_WARNING,
    222 				"login attempt for nonexistent user from %s",
    223 				svr_ses.addrstring);
    224 		send_msg_userauth_failure(0, 1);
    225 		return DROPBEAR_FAILURE;
    226 	}
    227 
    228 	/* We can set it once we know its a real user */
    229 	ses.authstate.printableuser = m_strdup(ses.authstate.pw->pw_name);
    230 
    231 	/* check for non-root if desired */
    232 	if (svr_opts.norootlogin && ses.authstate.pw->pw_uid == 0) {
    233 		TRACE(("leave checkusername: root login disabled"))
    234 		dropbear_log(LOG_WARNING, "root login rejected");
    235 		send_msg_userauth_failure(0, 1);
    236 		return DROPBEAR_FAILURE;
    237 	}
    238 
    239 	/* check for an empty password */
    240 	if (ses.authstate.pw->pw_passwd[0] == '\0') {
    241 		TRACE(("leave checkusername: empty pword"))
    242 		dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected",
    243 				ses.authstate.printableuser);
    244 		send_msg_userauth_failure(0, 1);
    245 		return DROPBEAR_FAILURE;
    246 	}
    247 
    248 	TRACE(("shell is %s", ses.authstate.pw->pw_shell))
    249 
    250 	/* check that the shell is set */
    251 	usershell = ses.authstate.pw->pw_shell;
    252 	if (usershell[0] == '\0') {
    253 		/* empty shell in /etc/passwd means /bin/sh according to passwd(5) */
    254 		usershell = "/bin/sh";
    255 	}
    256 
    257 	/* check the shell is valid. If /etc/shells doesn't exist, getusershell()
    258 	 * should return some standard shells like "/bin/sh" and "/bin/csh" (this
    259 	 * is platform-specific) */
    260 	setusershell();
    261 	while ((listshell = getusershell()) != NULL) {
    262 		TRACE(("test shell is '%s'", listshell))
    263 		if (strcmp(listshell, usershell) == 0) {
    264 			/* have a match */
    265 			goto goodshell;
    266 		}
    267 	}
    268 	/* no matching shell */
    269 	endusershell();
    270 	TRACE(("no matching shell"))
    271 	dropbear_log(LOG_WARNING, "user '%s' has invalid shell, rejected",
    272 				ses.authstate.printableuser);
    273 	send_msg_userauth_failure(0, 1);
    274 	return DROPBEAR_FAILURE;
    275 
    276 goodshell:
    277 	endusershell();
    278 	TRACE(("matching shell"))
    279 
    280 	TRACE(("uid = %d", ses.authstate.pw->pw_uid))
    281 	TRACE(("leave checkusername"))
    282 	return DROPBEAR_SUCCESS;
    283 
    284 }
    285 
    286 /* Send a failure message to the client, in responds to a userauth_request.
    287  * Partial indicates whether to set the "partial success" flag,
    288  * incrfail is whether to count this failure in the failure count (which
    289  * is limited. This function also handles disconnection after too many
    290  * failures */
    291 void send_msg_userauth_failure(int partial, int incrfail) {
    292 
    293 	buffer *typebuf = NULL;
    294 
    295 	TRACE(("enter send_msg_userauth_failure"))
    296 
    297 	CHECKCLEARTOWRITE();
    298 
    299 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_FAILURE);
    300 
    301 	/* put a list of allowed types */
    302 	typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */
    303 
    304 	if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
    305 		buf_putbytes(typebuf, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN);
    306 		if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
    307 			buf_putbyte(typebuf, ',');
    308 		}
    309 	}
    310 
    311 	if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
    312 		buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN);
    313 	}
    314 
    315 	buf_setpos(typebuf, 0);
    316 	buf_putstring(ses.writepayload, buf_getptr(typebuf, typebuf->len),
    317 			typebuf->len);
    318 
    319 	TRACE(("auth fail: methods %d, '%s'", ses.authstate.authtypes,
    320 				buf_getptr(typebuf, typebuf->len)));
    321 
    322 	buf_free(typebuf);
    323 
    324 	buf_putbyte(ses.writepayload, partial ? 1 : 0);
    325 	encrypt_packet();
    326 
    327 	if (incrfail) {
    328 		usleep(300000); /* XXX improve this */
    329 		ses.authstate.failcount++;
    330 	}
    331 
    332 	if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
    333 		char * userstr;
    334 		/* XXX - send disconnect ? */
    335 		TRACE(("Max auth tries reached, exiting"))
    336 
    337 		if (ses.authstate.printableuser == NULL) {
    338 			userstr = "is invalid";
    339 		} else {
    340 			userstr = ses.authstate.printableuser;
    341 		}
    342 		dropbear_exit("Max auth tries reached - user '%s' from %s",
    343 				userstr, svr_ses.addrstring);
    344 	}
    345 
    346 	TRACE(("leave send_msg_userauth_failure"))
    347 }
    348 
    349 /* Send a success message to the user, and set the "authdone" flag */
    350 void send_msg_userauth_success() {
    351 
    352 	TRACE(("enter send_msg_userauth_success"))
    353 
    354 	CHECKCLEARTOWRITE();
    355 
    356 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_SUCCESS);
    357 	encrypt_packet();
    358 
    359 	ses.authstate.authdone = 1;
    360 	ses.connecttimeout = 0;
    361 
    362 
    363 	if (ses.authstate.pw->pw_uid == 0) {
    364 		ses.allowprivport = 1;
    365 	}
    366 
    367 	/* Remove from the list of pre-auth sockets. Should be m_close(), since if
    368 	 * we fail, we might end up leaking connection slots, and disallow new
    369 	 * logins - a nasty situation. */
    370 	m_close(svr_ses.childpipe);
    371 
    372 	TRACE(("leave send_msg_userauth_success"))
    373 
    374 }
    375