xref: /dragonfly/crypto/openssh/auth2-methods.c (revision ba1276acd1c8c22d225b1bcf370a14c878644f44)
1 /*
2  * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "includes.h"
18 
19 #include <sys/types.h>
20 
21 #include <stdlib.h>
22 #include <string.h>
23 
24 #include "log.h"
25 #include "misc.h"
26 #include "servconf.h"
27 #include "xmalloc.h"
28 #include "hostfile.h"
29 #include "auth.h"
30 
31 extern ServerOptions options;
32 
33 /*
34  * Configuration of enabled authentication methods. Separate from the rest of
35  * auth2-*.c because we want to query it during server configuration validity
36  * checking in the sshd listener process without pulling all the auth code in
37  * too.
38  */
39 
40 /* "none" is allowed only one time and it is cleared by userauth_none() later */
41 int none_enabled = 1;
42 struct authmethod_cfg methodcfg_none = {
43           "none",
44           NULL,
45           &none_enabled
46 };
47 struct authmethod_cfg methodcfg_pubkey = {
48           "publickey",
49           "publickey-hostbound-v00@openssh.com",
50           &options.pubkey_authentication
51 };
52 #ifdef GSSAPI
53 struct authmethod_cfg methodcfg_gssapi = {
54           "gssapi-with-mic",
55           NULL,
56           &options.gss_authentication
57 };
58 #endif
59 struct authmethod_cfg methodcfg_passwd = {
60           "password",
61           NULL,
62           &options.password_authentication
63 };
64 struct authmethod_cfg methodcfg_kbdint = {
65           "keyboard-interactive",
66           NULL,
67           &options.kbd_interactive_authentication
68 };
69 struct authmethod_cfg methodcfg_hostbased = {
70           "hostbased",
71           NULL,
72           &options.hostbased_authentication
73 };
74 
75 static struct authmethod_cfg *authmethod_cfgs[] = {
76           &methodcfg_none,
77           &methodcfg_pubkey,
78 #ifdef GSSAPI
79           &methodcfg_gssapi,
80 #endif
81           &methodcfg_passwd,
82           &methodcfg_kbdint,
83           &methodcfg_hostbased,
84           NULL
85 };
86 
87 /*
88  * Check a comma-separated list of methods for validity. If need_enable is
89  * non-zero, then also require that the methods are enabled.
90  * Returns 0 on success or -1 if the methods list is invalid.
91  */
92 int
auth2_methods_valid(const char * _methods,int need_enable)93 auth2_methods_valid(const char *_methods, int need_enable)
94 {
95           char *methods, *omethods, *method, *p;
96           u_int i, found;
97           int ret = -1;
98           const struct authmethod_cfg *cfg;
99 
100           if (*_methods == '\0') {
101                     error("empty authentication method list");
102                     return -1;
103           }
104           omethods = methods = xstrdup(_methods);
105           while ((method = strsep(&methods, ",")) != NULL) {
106                     for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
107                               cfg = authmethod_cfgs[i];
108                               if ((p = strchr(method, ':')) != NULL)
109                                         *p = '\0';
110                               if (strcmp(method, cfg->name) != 0)
111                                         continue;
112                               if (need_enable) {
113                                         if (cfg->enabled == NULL ||
114                                             *(cfg->enabled) == 0) {
115                                                   error("Disabled method \"%s\" in "
116                                                       "AuthenticationMethods list \"%s\"",
117                                                       method, _methods);
118                                                   goto out;
119                                         }
120                               }
121                               found = 1;
122                               break;
123                     }
124                     if (!found) {
125                               error("Unknown authentication method \"%s\" in list",
126                                   method);
127                               goto out;
128                     }
129           }
130           ret = 0;
131  out:
132           free(omethods);
133           return ret;
134 }
135