RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

restrict monitor auth calls to be allowed only when their
respective authentication methods are enabled in the configuration.

prompted by Solar Designer; ok markus dtucker

Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
This commit is contained in:
djm@openbsd.org 2016-08-30 07:50:21 +00:00 committed by Damien Miller
parent b38b95f5bc
commit 7fd0ea8a1d
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
monitor.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */ /* $OpenBSD: monitor.c,v 1.164 2016/08/30 07:50:21 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -844,6 +844,8 @@ mm_answer_authpassword(int sock, Buffer *m)
int authenticated; int authenticated;
u_int plen; u_int plen;
if (!options.password_authentication)
fatal("%s: password authentication not enabled", __func__);
passwd = buffer_get_string(m, &plen); passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */ /* Only authenticate if the context is valid */
authenticated = options.password_authentication && authenticated = options.password_authentication &&
@ -880,6 +882,8 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
char **prompts; char **prompts;
u_int success; u_int success;
if (!options.kbd_interactive_authentication)
fatal("%s: kbd-int authentication not enabled", __func__);
success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
&prompts, &echo_on) < 0 ? 0 : 1; &prompts, &echo_on) < 0 ? 0 : 1;
@ -907,6 +911,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
char *response; char *response;
int authok; int authok;
if (!options.kbd_interactive_authentication)
fatal("%s: kbd-int authentication not enabled", __func__);
if (authctxt->as == NULL) if (authctxt->as == NULL)
fatal("%s: no bsd auth session", __func__); fatal("%s: no bsd auth session", __func__);
@ -1716,6 +1722,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
if (!options.gss_authentication)
fatal("%s: GSSAPI authentication not enabled", __func__);
goid.elements = buffer_get_string(m, &len); goid.elements = buffer_get_string(m, &len);
goid.length = len; goid.length = len;
@ -1743,6 +1752,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
if (!options.gss_authentication)
fatal("%s: GSSAPI authentication not enabled", __func__);
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@ -1771,6 +1783,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
if (!options.gss_authentication)
fatal("%s: GSSAPI authentication not enabled", __func__);
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; gssbuf.length = len;
mic.value = buffer_get_string(m, &len); mic.value = buffer_get_string(m, &len);
@ -1797,6 +1812,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
{ {
int authenticated; int authenticated;
if (!options.gss_authentication)
fatal("%s: GSSAPI authentication not enabled", __func__);
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
buffer_clear(m); buffer_clear(m);