mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-10 04:04:42 +00:00
upstream commit
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration. prompted by Solar Designer; ok markus dtucker Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
This commit is contained in:
parent
b38b95f5bc
commit
7fd0ea8a1d
20
monitor.c
20
monitor.c
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */
|
/* $OpenBSD: monitor.c,v 1.164 2016/08/30 07:50:21 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||||
@ -844,6 +844,8 @@ mm_answer_authpassword(int sock, Buffer *m)
|
|||||||
int authenticated;
|
int authenticated;
|
||||||
u_int plen;
|
u_int plen;
|
||||||
|
|
||||||
|
if (!options.password_authentication)
|
||||||
|
fatal("%s: password authentication not enabled", __func__);
|
||||||
passwd = buffer_get_string(m, &plen);
|
passwd = buffer_get_string(m, &plen);
|
||||||
/* Only authenticate if the context is valid */
|
/* Only authenticate if the context is valid */
|
||||||
authenticated = options.password_authentication &&
|
authenticated = options.password_authentication &&
|
||||||
@ -880,6 +882,8 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
|
|||||||
char **prompts;
|
char **prompts;
|
||||||
u_int success;
|
u_int success;
|
||||||
|
|
||||||
|
if (!options.kbd_interactive_authentication)
|
||||||
|
fatal("%s: kbd-int authentication not enabled", __func__);
|
||||||
success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
|
success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
|
||||||
&prompts, &echo_on) < 0 ? 0 : 1;
|
&prompts, &echo_on) < 0 ? 0 : 1;
|
||||||
|
|
||||||
@ -907,6 +911,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
|
|||||||
char *response;
|
char *response;
|
||||||
int authok;
|
int authok;
|
||||||
|
|
||||||
|
if (!options.kbd_interactive_authentication)
|
||||||
|
fatal("%s: kbd-int authentication not enabled", __func__);
|
||||||
if (authctxt->as == NULL)
|
if (authctxt->as == NULL)
|
||||||
fatal("%s: no bsd auth session", __func__);
|
fatal("%s: no bsd auth session", __func__);
|
||||||
|
|
||||||
@ -1716,6 +1722,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
|||||||
OM_uint32 major;
|
OM_uint32 major;
|
||||||
u_int len;
|
u_int len;
|
||||||
|
|
||||||
|
if (!options.gss_authentication)
|
||||||
|
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||||
|
|
||||||
goid.elements = buffer_get_string(m, &len);
|
goid.elements = buffer_get_string(m, &len);
|
||||||
goid.length = len;
|
goid.length = len;
|
||||||
|
|
||||||
@ -1743,6 +1752,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
|||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
u_int len;
|
u_int len;
|
||||||
|
|
||||||
|
if (!options.gss_authentication)
|
||||||
|
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||||
|
|
||||||
in.value = buffer_get_string(m, &len);
|
in.value = buffer_get_string(m, &len);
|
||||||
in.length = len;
|
in.length = len;
|
||||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||||
@ -1771,6 +1783,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
|
|||||||
OM_uint32 ret;
|
OM_uint32 ret;
|
||||||
u_int len;
|
u_int len;
|
||||||
|
|
||||||
|
if (!options.gss_authentication)
|
||||||
|
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||||
|
|
||||||
gssbuf.value = buffer_get_string(m, &len);
|
gssbuf.value = buffer_get_string(m, &len);
|
||||||
gssbuf.length = len;
|
gssbuf.length = len;
|
||||||
mic.value = buffer_get_string(m, &len);
|
mic.value = buffer_get_string(m, &len);
|
||||||
@ -1797,6 +1812,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
|
|||||||
{
|
{
|
||||||
int authenticated;
|
int authenticated;
|
||||||
|
|
||||||
|
if (!options.gss_authentication)
|
||||||
|
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||||
|
|
||||||
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
||||||
|
|
||||||
buffer_clear(m);
|
buffer_clear(m);
|
||||||
|
Loading…
Reference in New Issue
Block a user