diff --git a/auth.h b/auth.h
index 43c7d3d40..a65d8fd02 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.101 2020/12/22 00:12:22 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.102 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -104,7 +104,8 @@ struct Authctxt {
 struct Authmethod {
 char *name;
- int (*userauth)(struct ssh *);
+ char *synonym;
+ int (*userauth)(struct ssh *, const char *);
 int *enabled;
 };
diff --git a/auth2-gss.c b/auth2-gss.c
index 60e36961c..2062609d9 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -60,7 +60,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
 * how to check local user kuserok and the like)
 */
 static int
-userauth_gssapi(struct ssh *ssh)
+userauth_gssapi(struct ssh *ssh, const char *method)
 {
 Authctxt *authctxt = ssh->authctxt;
 gss_OID_desc goid = {0, NULL};
@@ -329,6 +329,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 Authmethod method_gssapi = {
 "gssapi-with-mic",
+ NULL,
 userauth_gssapi,
 &options.gss_authentication
 };
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 3a29126c3..10f9ea14f 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.47 2021/07/23 03:37:52 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.48 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -57,7 +57,7 @@ extern ServerOptions options;
 static int
-userauth_hostbased(struct ssh *ssh)
+userauth_hostbased(struct ssh *ssh, const char *method)
 {
 Authctxt *authctxt = ssh->authctxt;
 struct sshbuf *b;
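Review bot: The new `synonym` member and the extra `const char *` argument to `userauth` in the auth.h @@ -104 hunk are added to struct Authmethod without a word of documentation, and both carry a contract that a new method implementation can easily get wrong. As far as the auth2.c hunk shows, the string handed to `userauth` is the method name as parsed from the client's request, which may be the synonym rather than `name`, and the hostbased and pubkey hunks place that exact string into the data whose signature they verify, so a method must not substitute its canonical name there. I would annotate the two fields: `char *synonym; /* alternate wire name accepted by authmethod_lookup(); NULL if none */` and `int (*userauth)(struct ssh *, const char *); /* 2nd arg: method name as sent by the client (may be the synonym) */`. Keeping `synonym` nullable is fine because the lookup in auth2.c checks it for NULL, but that is worth stating in the header so every method initializer is not forced to carry a string.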
@@ -132,7 +132,7 @@ userauth_hostbased(struct ssh *ssh)
 (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
 (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
- (r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
+ (r = sshbuf_put_cstring(b, method)) != 0 ||
 (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
 (r = sshbuf_put_string(b, pkblob, blen)) != 0 ||
 (r = sshbuf_put_cstring(b, chost)) != 0 ||
@@ -255,6 +255,7 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
 Authmethod method_hostbased = {
 "hostbased",
+ NULL,
 userauth_hostbased,
 &options.hostbased_authentication
 };
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index 037139d44..ae7eca3b8 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.13 2021/07/02 05:11:20 dtucker Exp $ */
+/* $OpenBSD: auth2-kbdint.c,v 1.14 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -44,7 +44,7 @@ extern ServerOptions options;
 static int
-userauth_kbdint(struct ssh *ssh)
+userauth_kbdint(struct ssh *ssh, const char *method)
 {
 int r, authenticated = 0;
 char *lang, *devs;
@@ -66,6 +66,7 @@ userauth_kbdint(struct ssh *ssh)
 Authmethod method_kbdint = {
 "keyboard-interactive",
+ NULL,
 userauth_kbdint,
 &options.kbd_interactive_authentication
 };
diff --git a/auth2-none.c b/auth2-none.c
index 02d6e341c..d9f97223c 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-none.c,v 1.23 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-none.c,v 1.24 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -59,7 +59,7 @@ extern ServerOptions options;
 static int none_enabled = 1;
 static int
-userauth_none(struct ssh *ssh)
+userauth_none(struct ssh *ssh, const char *method)
 {
 int r;
@@ -73,6 +73,7 @@ userauth_none(struct ssh *ssh)
 Authmethod method_none = {
 "none",
+ NULL,
 userauth_none,
 &none_enabled
 };
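Review bot: The `sshbuf_put_cstring(b, method)` line in the auth2-hostbased.c @@ -132 hunk now commits whatever method string the client sent into the buffer whose signature is verified, and nothing at this spot records that this is deliberate. Because authmethod_lookup (auth2.c hunk) also accepts a synonym, a later cleanup that "normalises" this back to the canonical `"hostbased"` literal would silently break verification for a client using the synonym, since the client signs the name it sent; conversely, using the client's own string is precisely what binds the signature to the request as received. I would add above the put: `/* method is the name exactly as the client sent it (name or synonym); it must match what the client signed */`. `method` appears to come straight from the parsed request via input_userauth_request, so it should never be NULL here, but userauth_hostbased's body and its caller path are outside this hunk.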
diff --git a/auth2-passwd.c b/auth2-passwd.c
index be4b8606a..f8a6dbc19 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.20 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -49,7 +49,7 @@ extern ServerOptions options;
 static int
-userauth_passwd(struct ssh *ssh)
+userauth_passwd(struct ssh *ssh, const char *method)
 {
 char *password;
 int authenticated = 0, r;
@@ -72,6 +72,7 @@ userauth_passwd(struct ssh *ssh)
 Authmethod method_passwd = {
 "password",
+ NULL,
 userauth_passwd,
 &options.password_authentication
 };
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2adbf5902..ed3e74c3f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.110 2021/09/29 01:33:32 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.111 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -86,7 +86,7 @@ format_key(const struct sshkey *key)
 }
 static int
-userauth_pubkey(struct ssh *ssh)
+userauth_pubkey(struct ssh *ssh, const char *method)
 {
 Authctxt *authctxt = ssh->authctxt;
 struct passwd *pw = authctxt->pw;
@@ -192,7 +192,7 @@ userauth_pubkey(struct ssh *ssh)
 if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
 (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
- (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
+ (r = sshbuf_put_cstring(b, method)) != 0 ||
 (r = sshbuf_put_u8(b, have_sig)) != 0 ||
 (r = sshbuf_put_cstring(b, pkalg)) != 0 ||
 (r = sshbuf_put_string(b, pkblob, blen)) != 0)
@@ -1067,6 +1067,7 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 Authmethod method_pubkey = {
 "publickey",
+ NULL,
 userauth_pubkey,
 &options.pubkey_authentication
 };
diff --git a/auth2.c b/auth2.c
index 84d0ed16e..bcc61196f 100644
--- a/auth2.c
+++ b/auth2.c
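Review bot: Same concern as for hostbased on the `sshbuf_put_cstring(b, method)` line in the auth2-pubkey.c @@ -192 hunk: the signed data now embeds the client's own method string, and there is no comment explaining why the canonical `"publickey"` literal must not be reinstated. Since the client signs the method name it sent and authmethod_lookup accepts a synonym, the client's string is the only one that can verify, and that belongs next to the line: `/* use the method name the client sent (may be a synonym) - it is what the client signed */`. userauth_pubkey begins and continues outside this hunk, so I cannot see whether `method` is validated before this point; it appears to come unchanged from input_userauth_request.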
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.161 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.162 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -331,7 +331,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 m = authmethod_lookup(authctxt, method);
 if (m != NULL && authctxt->failures < options.max_authtries) {
 debug2("input_userauth_request: try method %s", method);
- authenticated = m->userauth(ssh);
+ authenticated = m->userauth(ssh, method);
 }
 if (!authctxt->authenticated)
 ensure_minimum_time_since(tstart,
@@ -346,18 +346,26 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 }
 void
-userauth_finish(struct ssh *ssh, int authenticated, const char *method,
+userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 const char *submethod)
 {
 Authctxt *authctxt = ssh->authctxt;
+ Authmethod *m = NULL;
+ const char *method = packet_method;
 char *methods;
 int r, partial = 0;
- if (!authctxt->valid && authenticated)
- fatal("INTERNAL ERROR: authenticated invalid user %s",
- authctxt->user);
- if (authenticated && authctxt->postponed)
- fatal("INTERNAL ERROR: authenticated and postponed");
+ if (authenticated) {
+ if (!authctxt->valid) {
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
+ }
+ if (authctxt->postponed)
+ fatal("INTERNAL ERROR: authenticated and postponed");
+ if ((m = authmethod_lookup(authctxt, method)) == NULL)
+ fatal("INTERNAL ERROR: bad method %s", method);
+ method = m->name; /* prefer primary name to possible synonym */
+ }
 /* Special handling for root */
 if (authenticated && authctxt->pw->pw_uid == 0 &&
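Review bot: The new `authmethod_lookup()` call in userauth_finish (auth2.c @@ -346 hunk) can fatal() on a legitimately successful authentication, because that lookup (the @@ -504 hunk, whose tail is outside this view) only returns a method whose `*enabled` is still non-zero and that `auth2_method_allowed()` still permits, and neither condition is guaranteed to hold at finish time just because it held at dispatch time. The `none` method is the visible candidate: its `enabled` pointer is the mutable static `none_enabled` in auth2-none.c, and if userauth_none clears that flag during its own attempt (its body is outside the hunk, so this is inferred), a successful `none` authentication would die with `INTERNAL ERROR: bad method none` rather than complete. Canonicalising a wire name to `m->name` should not depend on enabled/allowed state at all, since the authentication decision has already been made by the time this code runs; a plain name-or-synonym scan over `authmethods[]` is sufficient and has no such failure mode. I would add the helper below and call it as `if ((m = authmethod_byname(method)) == NULL) fatal("INTERNAL ERROR: bad method %s", method);`, leaving the enabled/allowed policy checks to the request path alone.

```c
/*
 * Map a method name as it appears on the wire (primary name or synonym)
 * to its Authmethod, ignoring whether the method is currently enabled
 * or permitted: this is name canonicalisation, not a policy check.
 * Returns NULL if no method has that name.
 */
static Authmethod *
authmethod_byname(const char *name)
{
	int i;

	if (name == NULL)
		return NULL;
	for (i = 0; authmethods[i] != NULL; i++) {
		if (strcmp(name, authmethods[i]->name) == 0 ||
		    (authmethods[i]->synonym != NULL &&
		    strcmp(name, authmethods[i]->synonym) == 0))
			return authmethods[i];
	}
	return NULL;
}

/* … unchanged: start of userauth_finish up to the postponed check … */
		if ((m = authmethod_byname(method)) == NULL)
			fatal("INTERNAL ERROR: bad method %s", method);
		method = m->name; /* prefer primary name to possible synonym */
/* … unchanged: root handling and the rest of userauth_finish … */
```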
@@ -504,7 +512,9 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 for (i = 0; authmethods[i] != NULL; i++)
 if (authmethods[i]->enabled != NULL &&
 *(authmethods[i]->enabled) != 0 &&
- strcmp(name, authmethods[i]->name) == 0 &&
+ (strcmp(name, authmethods[i]->name) == 0 ||
+ (authmethods[i]->synonym != NULL &&
+ strcmp(name, authmethods[i]->synonym) == 0)) &&
 auth2_method_allowed(authctxt, authmethods[i]->name, NULL))
 return authmethods[i];