author | djm@openbsd.org <djm@openbsd.org> | 2021-12-19 23:12:07 +0100 |
committer | Damien Miller <djm@mindrot.org> | 2021-12-19 23:28:07 +0100 |
commit | dbb339f015c33d63484261d140c84ad875a9e548 (patch) | |
tree | 31867902b32100b1098df953746277f4a74a8dc4 /auth2.c | |
parent | upstream: ssh-agent side of destination constraints (diff) | |
upstream: prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their
primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey
Pass the actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.
ok markus@
OpenBSD-Commit-ID: 9e613fcb44b8168823195602ed3d09ffd7994559
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 28 |
1 files changed, 19 insertions, 9 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.161 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.162 2021/12/19 22:12:07 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -331,7 +331,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 m = authmethod_lookup(authctxt, method);
 if (m != NULL && authctxt->failures < options.max_authtries) {
 debug2("input_userauth_request: try method %s", method);
- authenticated = m->userauth(ssh);
+ authenticated = m->userauth(ssh, method);
 }
 if (!authctxt->authenticated)
 ensure_minimum_time_since(tstart,
@@ -346,18 +346,26 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 }
 
 void
-userauth_finish(struct ssh *ssh, int authenticated, const char *method,
+userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 const char *submethod)
 {
 Authctxt *authctxt = ssh->authctxt;
+ Authmethod *m = NULL;
+ const char *method = packet_method;
 char *methods;
 int r, partial = 0;
 
- if (!authctxt->valid && authenticated)
- fatal("INTERNAL ERROR: authenticated invalid user %s",
- authctxt->user);
- if (authenticated && authctxt->postponed)
- fatal("INTERNAL ERROR: authenticated and postponed");
+ if (authenticated) {
+ if (!authctxt->valid) {
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
+ }
+ if (authctxt->postponed)
+ fatal("INTERNAL ERROR: authenticated and postponed");
+ if ((m = authmethod_lookup(authctxt, method)) == NULL)
+ fatal("INTERNAL ERROR: bad method %s", method);
+ method = m->name; /* prefer primary name to possible synonym */
+ }
 
 /* Special handling for root */
 if (authenticated && authctxt->pw->pw_uid == 0 &&
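Review bot: `method = m->name` runs only inside the `if (authenticated)` block, so on the failure path `method` stays the client-supplied `packet_method`, which may be the synonym rather than the primary name; any later use of `method` in userauth_finish (the function continues past the hunk) will then record the synonym for failures and the primary name for successes, and log consumers keyed on the method name would see both spellings. If that is intended, say so at the initialiser, e.g. `const char *method = packet_method; /* synonym kept as-is for failure logging */`; if not, do the `authmethod_lookup` unconditionally and only treat a NULL result as fatal when `authenticated` is set. The lookup itself presumably repeats the one `input_userauth_request` performed before calling `m->userauth` in the previous hunk, so the `bad method` fatal is a consistency check rather than an input check, which a short comment on that line could make explicit.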
@@ -504,7 +512,9 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 for (i = 0; authmethods[i] != NULL; i++)
 if (authmethods[i]->enabled != NULL &&
 *(authmethods[i]->enabled) != 0 &&
- strcmp(name, authmethods[i]->name) == 0 &&
+ (strcmp(name, authmethods[i]->name) == 0 ||
+ (authmethods[i]->synonym != NULL &&
+ strcmp(name, authmethods[i]->synonym) == 0)) &&
 auth2_method_allowed(authctxt, authmethods[i]->name, NULL))
 return authmethods[i]; |