mirror of
https://github.com/opnsense/src.git
synced 2026-02-18 18:20:26 -05:00
ff2fd01609
Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC)
248 lines
8.1 KiB
C
248 lines
8.1 KiB
C
/* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
*/
|
|
|
|
#ifndef AUTH_H
|
|
#define AUTH_H
|
|
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
|
|
#ifdef HAVE_LOGIN_CAP
|
|
#include <login_cap.h>
|
|
#endif
|
|
#ifdef BSD_AUTH
|
|
#include <bsd_auth.h>
|
|
#endif
|
|
#ifdef KRB5
|
|
#include <krb5.h>
|
|
#endif
|
|
|
|
struct passwd;
|
|
struct ssh;
|
|
struct sshbuf;
|
|
struct sshkey;
|
|
struct sshkey_cert;
|
|
struct sshauthopt;
|
|
|
|
typedef struct Authctxt Authctxt;
|
|
typedef struct Authmethod Authmethod;
|
|
typedef struct KbdintDevice KbdintDevice;
|
|
|
|
struct Authctxt {
|
|
sig_atomic_t success;
|
|
int authenticated; /* authenticated and alarms cancelled */
|
|
int postponed; /* authentication needs another step */
|
|
int valid; /* user exists and is allowed to login */
|
|
int attempt;
|
|
int failures;
|
|
int server_caused_failure;
|
|
int force_pwchange;
|
|
char *user; /* username sent by the client */
|
|
char *service;
|
|
struct passwd *pw; /* set if 'valid' */
|
|
char *style;
|
|
|
|
/* Method lists for multiple authentication */
|
|
char **auth_methods; /* modified from server config */
|
|
u_int num_auth_methods;
|
|
|
|
/* Authentication method-specific data */
|
|
void *methoddata;
|
|
void *kbdintctxt;
|
|
#ifdef BSD_AUTH
|
|
auth_session_t *as;
|
|
#endif
|
|
#ifdef KRB5
|
|
krb5_context krb5_ctx;
|
|
krb5_ccache krb5_fwd_ccache;
|
|
krb5_principal krb5_user;
|
|
char *krb5_ticket_file;
|
|
char *krb5_ccname;
|
|
#endif
|
|
struct sshbuf *loginmsg;
|
|
|
|
/* Authentication keys already used; these will be refused henceforth */
|
|
struct sshkey **prev_keys;
|
|
u_int nprev_keys;
|
|
|
|
/* Last used key and ancillary information from active auth method */
|
|
struct sshkey *auth_method_key;
|
|
char *auth_method_info;
|
|
|
|
/* Information exposed to session */
|
|
struct sshbuf *session_info; /* Auth info for environment */
|
|
};
|
|
|
|
/*
|
|
* Every authentication method has to handle authentication requests for
|
|
* non-existing users, or for users that are not allowed to login. In this
|
|
* case 'valid' is set to 0, but 'user' points to the username requested by
|
|
* the client.
|
|
*/
|
|
|
|
struct authmethod_cfg {
|
|
const char *name;
|
|
const char *synonym;
|
|
int *enabled;
|
|
};
|
|
|
|
struct Authmethod {
|
|
struct authmethod_cfg *cfg;
|
|
int (*userauth)(struct ssh *, const char *);
|
|
};
|
|
|
|
/*
|
|
* Keyboard interactive device:
|
|
* init_ctx returns: non NULL upon success
|
|
* query returns: 0 - success, otherwise failure
|
|
* respond returns: 0 - success, 1 - need further interaction,
|
|
* otherwise - failure
|
|
*/
|
|
struct KbdintDevice
|
|
{
|
|
const char *name;
|
|
void* (*init_ctx)(Authctxt*);
|
|
int (*query)(void *ctx, char **name, char **infotxt,
|
|
u_int *numprompts, char ***prompts, u_int **echo_on);
|
|
int (*respond)(void *ctx, u_int numresp, char **responses);
|
|
void (*free_ctx)(void *ctx);
|
|
};
|
|
|
|
int
|
|
auth_rhosts2(struct passwd *, const char *, const char *, const char *);
|
|
|
|
int auth_password(struct ssh *, const char *);
|
|
|
|
int hostbased_key_allowed(struct ssh *, struct passwd *,
|
|
const char *, char *, struct sshkey *);
|
|
int user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *,
|
|
int, struct sshauthopt **);
|
|
int auth2_key_already_used(Authctxt *, const struct sshkey *);
|
|
|
|
/*
|
|
* Handling auth method-specific information for logging and prevention
|
|
* of key reuse during multiple authentication.
|
|
*/
|
|
void auth2_authctxt_reset_info(Authctxt *);
|
|
void auth2_record_key(Authctxt *, int, const struct sshkey *);
|
|
void auth2_record_info(Authctxt *authctxt, const char *, ...)
|
|
__attribute__((__format__ (printf, 2, 3)))
|
|
__attribute__((__nonnull__ (2)));
|
|
void auth2_update_session_info(Authctxt *, const char *, const char *);
|
|
|
|
#ifdef KRB5
|
|
int auth_krb5_password(Authctxt *authctxt, const char *password);
|
|
void krb5_cleanup_proc(Authctxt *authctxt);
|
|
#endif /* KRB5 */
|
|
|
|
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
|
|
#include <shadow.h>
|
|
int auth_shadow_acctexpired(struct spwd *);
|
|
int auth_shadow_pwexpired(Authctxt *);
|
|
#endif
|
|
|
|
#include "auth-pam.h"
|
|
#include "audit.h"
|
|
void remove_kbdint_device(const char *);
|
|
|
|
void do_authentication2(struct ssh *);
|
|
|
|
void auth_log(struct ssh *, int, int, const char *, const char *);
|
|
void auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
|
|
void userauth_finish(struct ssh *, int, const char *, const char *);
|
|
int auth_root_allowed(struct ssh *, const char *);
|
|
|
|
char *auth2_read_banner(void);
|
|
int auth2_methods_valid(const char *, int);
|
|
int auth2_update_methods_lists(Authctxt *, const char *, const char *);
|
|
int auth2_setup_methods_lists(Authctxt *);
|
|
int auth2_method_allowed(Authctxt *, const char *, const char *);
|
|
|
|
void privsep_challenge_enable(void);
|
|
|
|
int auth2_challenge(struct ssh *, char *);
|
|
void auth2_challenge_stop(struct ssh *);
|
|
int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
|
|
int bsdauth_respond(void *, u_int, char **);
|
|
|
|
int allowed_user(struct ssh *, struct passwd *);
|
|
struct passwd * getpwnamallow(struct ssh *, const char *user);
|
|
|
|
char *expand_authorized_keys(const char *, struct passwd *pw);
|
|
char *authorized_principals_file(struct passwd *);
|
|
|
|
int auth_key_is_revoked(struct sshkey *);
|
|
|
|
const char *auth_get_canonical_hostname(struct ssh *, int);
|
|
|
|
HostStatus
|
|
check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
|
|
const char *, const char *);
|
|
|
|
/* hostkey handling */
|
|
struct sshkey *get_hostkey_by_index(int);
|
|
struct sshkey *get_hostkey_public_by_index(int, struct ssh *);
|
|
struct sshkey *get_hostkey_public_by_type(int, int, struct ssh *);
|
|
struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *);
|
|
int get_hostkey_index(struct sshkey *, int, struct ssh *);
|
|
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
|
u_char **, size_t *, const u_char *, size_t, const char *);
|
|
|
|
/* Key / cert options linkage to auth layer */
|
|
int auth_activate_options(struct ssh *, struct sshauthopt *);
|
|
void auth_restrict_session(struct ssh *);
|
|
void auth_log_authopts(const char *, const struct sshauthopt *, int);
|
|
|
|
/* debug messages during authentication */
|
|
void auth_debug_add(const char *fmt,...)
|
|
__attribute__((format(printf, 1, 2)));
|
|
void auth_debug_send(struct ssh *);
|
|
void auth_debug_reset(void);
|
|
|
|
struct passwd *fakepw(void);
|
|
|
|
/* auth2-pubkeyfile.c */
|
|
int auth_authorise_keyopts(struct passwd *, struct sshauthopt *, int,
|
|
const char *, const char *, const char *);
|
|
int auth_check_principals_line(char *, const struct sshkey_cert *,
|
|
const char *, struct sshauthopt **);
|
|
int auth_process_principals(FILE *, const char *,
|
|
const struct sshkey_cert *, struct sshauthopt **);
|
|
int auth_check_authkey_line(struct passwd *, struct sshkey *,
|
|
char *, const char *, const char *, const char *, struct sshauthopt **);
|
|
int auth_check_authkeys_file(struct passwd *, FILE *, char *,
|
|
struct sshkey *, const char *, const char *, struct sshauthopt **);
|
|
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
|
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
|
|
|
int sys_auth_passwd(struct ssh *, const char *);
|
|
|
|
#if defined(KRB5) && !defined(HEIMDAL)
|
|
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
|
#endif
|
|
|
|
#endif /* AUTH_H */
|