1 /* $OpenBSD: auth.h,v 1.106 2022/06/15 16:08:25 djm Exp $ */
2 
3 /*
4  * Copyright (c) 2000 Markus Friedl. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  *
26  */
27 
28 #ifndef AUTH_H
29 #define AUTH_H
30 
31 #include <signal.h>
32 #include <stdio.h>
33 
34 #ifdef HAVE_LOGIN_CAP
35 #include <login_cap.h>
36 #endif
37 #ifdef BSD_AUTH
38 #include <bsd_auth.h>
39 #endif
40 #ifdef KRB5
41 #include <krb5.h>
42 #endif
43 
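/*
 * Forward declarations. Every use of these types in this header is via a
 * pointer, so callers need only the tags, not the definitions.
 *
 * struct sshkey_sig_details was missing from this list although it is used
 * (as a pointer-to-pointer) by hostbased_key_verify() and user_key_verify()
 * below. Without a file-scope declaration, a tag that first appears inside
 * a prototype parameter list has prototype scope only, so the declaration
 * silently named a distinct incomplete type whenever sshkey.h had not been
 * included first. Declaring it here removes that include-order dependency.
 */
struct passwd;
struct ssh;
struct sshbuf;
struct sshkey;
struct sshkey_cert;
struct sshkey_sig_details;
struct sshauthopt;

/* Aliases for the structs defined later in this header. */
typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;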
54 
/*
 * Authentication state for one connection, shared by all userauth methods.
 * It is the object the auth2_* functions declared further down in this
 * header operate on.
 */
struct Authctxt {
	/* sig_atomic_t: the type permits safe access from a signal handler.
	 * What sets it is not visible here — confirm in the implementation. */
	sig_atomic_t success;
	int authenticated;	/* authenticated and alarms cancelled */
	int postponed;		/* authentication needs another step */
	int valid;		/* user exists and is allowed to login */
	int attempt;		/* counter; what exactly it counts is not defined
				 * in this header */
	int failures;		/* failed attempts; presumably the value compared
				 * against the limit behind auth_maxtries_exceeded()
				 * below — confirm */
	int server_caused_failure;	/* last failure attributable to the server
				 * rather than the client (name-derived, confirm) */
	int force_pwchange;	/* user must change password (name-derived) */
	/* Username sent by the client. Untrusted: when 'valid' is 0 it may name
	 * a user that does not exist (see the note preceding struct Authmethod). */
	char *user;
	char *service;		/* service name from the client's request —
				 * assumption, confirm against caller */
	struct passwd *pw;	/* set if 'valid' */
	char *style;		/* login style, if one was requested (BSD auth) —
				 * assumption, confirm */
#ifdef WITH_SELINUX
	char *role;		/* requested SELinux role; WITH_SELINUX builds only */
#endif

	/* Method lists for multiple authentication; see
	 * auth2_setup_methods_lists() / auth2_update_methods_lists() below. */
	char **auth_methods;	/* modified from server config */
	u_int num_auth_methods;

	/* Authentication method-specific data (opaque to this layer) */
	void *methoddata;
	void *kbdintctxt;	/* presumably the KbdintDevice init_ctx() result */
#ifdef BSD_AUTH
	auth_session_t *as;	/* BSD auth session; BSD_AUTH builds only */
#endif
#ifdef KRB5
	/* Kerberos 5 state; KRB5 builds only. */
	krb5_context krb5_ctx;
	krb5_ccache krb5_fwd_ccache;	/* forwarded credentials cache */
	krb5_principal krb5_user;
	char *krb5_ticket_file;
	char *krb5_ccname;
#endif
#ifdef GSSAPI
	int krb5_set_env;	/* GSSAPI builds only; semantics not defined here */
#endif
	struct sshbuf *loginmsg;	/* message buffer presented at login — confirm */

	/* Authentication keys already used; these will be refused henceforth.
	 * Maintained via auth2_record_key(), checked by auth2_key_already_used(). */
	struct sshkey **prev_keys;
	u_int nprev_keys;

	/* Last used key and ancillary information from active auth method;
	 * set via auth2_record_key()/auth2_record_info(), cleared by
	 * auth2_authctxt_reset_info(). */
	struct sshkey *auth_method_key;
	char *auth_method_info;

	/* Information exposed to session */
	struct sshbuf *session_info;	/* Auth info for environment; see
					 * auth2_update_session_info() */
};
105 
/*
 * Every authentication method has to handle authentication requests for
 * non-existing users, or for users that are not allowed to login. In this
 * case 'valid' is set to 0, but 'user' points to the username requested by
 * the client.
 */

/*
 * Descriptor for one userauth method.
 */
struct Authmethod {
	char *name;		/* method name */
	char *synonym;		/* alternative name for the same method, or NULL —
				 * assumption, confirm */
	int (*userauth)(struct ssh *, const char *);	/* method handler; the
				 * string argument is presumably the method name
				 * under which it was invoked — confirm */
	int *enabled;		/* pointer to the flag controlling whether the
				 * method may be used (a pointer so the flag can
				 * live in the server configuration); how NULL is
				 * treated is not defined in this header */
};
119 
/*
 * Keyboard interactive device:
 * init_ctx returns: non NULL upon success
 * query returns: 0 - success, otherwise failure
 * respond returns: 0 - success, 1 - need further interaction,
 * otherwise - failure
 */
struct KbdintDevice
{
	const char *name;	/* device name */
	/* Create per-authentication device context; non-NULL on success. */
	void* (*init_ctx)(Authctxt*);
	/* Produce the prompts to send: numprompts, the prompt strings and a
	 * per-prompt echo_on flag, plus name/infotxt. 0 on success. */
	int (*query)(void *ctx, char **name, char **infotxt,
	    u_int *numprompts, char ***prompts, u_int **echo_on);
	/* Check the client's numresp responses: 0 success, 1 need further
	 * interaction, otherwise failure. */
	int (*respond)(void *ctx, u_int numresp, char **responses);
	/* Release the context returned by init_ctx (presumably). */
	void (*free_ctx)(void *ctx);
};
136 
/*
 * Method entry points and key-acceptance checks. Return conventions are not
 * stated in this header; confirm the 0/1 semantics in the implementation
 * before relying on them.
 */
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);

/* (ssh, password) */
int auth_password(struct ssh *, const char *);

/* Hostbased / publickey acceptance; the sshauthopt out-parameter presumably
 * receives the options attached to the matching key or certificate. */
int hostbased_key_allowed(struct ssh *, struct passwd *,
    const char *, char *, struct sshkey *);
int user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *,
    int, struct sshauthopt **);
/* Check the key against authctxt->prev_keys (keys already used in this
 * authentication, which are refused for subsequent methods). */
int auth2_key_already_used(Authctxt *, const struct sshkey *);
147 
/*
 * Handling auth method-specific information for logging and prevention
 * of key reuse during multiple authentication. These maintain the
 * prev_keys / auth_method_key / auth_method_info / session_info members
 * of struct Authctxt.
 */
void auth2_authctxt_reset_info(Authctxt *);
void auth2_record_key(Authctxt *, int, const struct sshkey *);
/* printf-style; the format argument must not be NULL (nonnull attribute). */
void auth2_record_info(Authctxt *authctxt, const char *, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
void auth2_update_session_info(Authctxt *, const char *, const char *);
158 
#ifdef KRB5
/* Kerberos 5 authentication (ticket, TGT, password); KRB5 builds only. */
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int auth_krb5_password(Authctxt *authctxt, const char *password);
void krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */

#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
/* Account / password expiry checks from the shadow database; only when the
 * platform's shadow entries carry expiry information. */
#include <shadow.h>
int auth_shadow_acctexpired(struct spwd *);
int auth_shadow_pwexpired(Authctxt *);
#endif
171 
#include "auth-pam.h"
#include "audit.h"
void remove_kbdint_device(const char *);

/* Run the userauth protocol for the connection. */
void do_authentication2(struct ssh *);

void auth_log(struct ssh *, int, int, const char *, const char *);
/* Marked noreturn: callers must not expect control to come back. */
void auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
void userauth_finish(struct ssh *, int, const char *, const char *);
/* Whether root may log in (the string is presumably the method name —
 * confirm). */
int auth_root_allowed(struct ssh *, const char *);

char *auth2_read_banner(void);
/* Method-list handling for AuthenticationMethods-style multiple
 * authentication; these work on Authctxt's auth_methods list. */
int auth2_methods_valid(const char *, int);
int auth2_update_methods_lists(Authctxt *, const char *, const char *);
int auth2_setup_methods_lists(Authctxt *);
int auth2_method_allowed(Authctxt *, const char *, const char *);

void privsep_challenge_enable(void);

/* Keyboard-interactive challenge handling. bsdauth_query/bsdauth_respond
 * have the same signatures as the KbdintDevice query/respond callbacks. */
int auth2_challenge(struct ssh *, char *);
void auth2_challenge_stop(struct ssh *);
int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int bsdauth_respond(void *, u_int, char **);
195 
/* User lookup and policy checks (allow/deny lists etc. — confirm scope). */
int allowed_user(struct ssh *, struct passwd *);
struct passwd * getpwnamallow(struct ssh *, const char *user);

/* Path expansion for authorized keys / principals files. Ownership of the
 * returned string is not stated in this header — confirm before freeing. */
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);

int auth_key_is_revoked(struct sshkey *);

const char *auth_get_canonical_hostname(struct ssh *, int);

/* NOTE(review): HostStatus is not declared in this header; it must come
 * from a header included before this one. */
HostStatus
check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
    const char *, const char *);
209 
/* hostkey handling */
struct sshkey *get_hostkey_by_index(int);
struct sshkey *get_hostkey_public_by_index(int, struct ssh *);
struct sshkey *get_hostkey_public_by_type(int, int, struct ssh *);
struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *);
int get_hostkey_index(struct sshkey *, int, struct ssh *);
/* Sign with a host key; the u_char ** / size_t * pair presumably receives
 * the signature and its length — confirm ownership in the implementation. */
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
    u_char **, size_t *, const u_char *, size_t, const char *);
/* Verify a hostbased signature; same parameter shape as user_key_verify()
 * below. */
int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);

/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
int auth_activate_options(struct ssh *, struct sshauthopt *);
void auth_restrict_session(struct ssh *);
void auth_log_authopts(const char *, const struct sshauthopt *, int);
226 
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...)
    __attribute__((format(printf, 1, 2)));
void auth_debug_send(struct ssh *);
void auth_debug_reset(void);

/* Placeholder passwd entry, presumably used when the requested user is
 * not valid so that methods can proceed uniformly (see the note preceding
 * struct Authmethod) — confirm in the implementation. */
struct passwd *fakepw(void);
234 
/* auth2-pubkeyfile.c: parsing and checking of authorized_keys and
 * authorized_principals content. The char * line arguments are non-const
 * and so may be modified during parsing — confirm before passing shared
 * buffers. */
int auth_authorise_keyopts(struct passwd *, struct sshauthopt *, int,
    const char *, const char *, const char *);
int auth_check_principals_line(char *, const struct sshkey_cert *,
    const char *, struct sshauthopt **);
int auth_process_principals(FILE *, const char *,
    const struct sshkey_cert *, struct sshauthopt **);
int auth_check_authkey_line(struct passwd *, struct sshkey *,
    char *, const char *, const char *, const char *, struct sshauthopt **);
int auth_check_authkeys_file(struct passwd *, FILE *, char *,
    struct sshkey *, const char *, const char *, struct sshauthopt **);
int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
/* Open the user's keys / principals file; caller closes the FILE. */
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);

/* Platform password check (shadow, PAM, ...). */
int sys_auth_passwd(struct ssh *, const char *);

#if defined(KRB5) && !defined(HEIMDAL)
/* MIT-Kerberos-only helpers (excluded for Heimdal builds). */
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
    char **k5login_directory);
#endif
258 
259 #endif /* AUTH_H */