X-Git-Url: http://www.project-moonshot.org/gitweb/?p=openssh.git;a=blobdiff_plain;f=auth2.c;h=d3fe0b414cc639bdb658aaea853ea09a12f7222a;hp=95820f96fa088ca4958710ac572c5f15d676001b;hb=991c385d7c6b1c8592b4057bf2e0708ddf9854e9;hpb=0bf87176543b3874dfd9e1a2ad928fe78388669d diff --git a/auth2.c b/auth2.c index 95820f9..d3fe0b4 100644 --- a/auth2.c +++ b/auth2.c @@ -69,6 +69,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; #ifdef GSSAPI +extern Authmethod method_gsskeyex; extern Authmethod method_gssapi; #endif #ifdef JPAKE @@ -79,6 +80,7 @@ Authmethod *authmethods[] = { &method_none, &method_pubkey, #ifdef GSSAPI + &method_gsskeyex, &method_gssapi, #endif #ifdef JPAKE @@ -230,11 +232,32 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if ((style = strchr(user, ':')) != NULL) *style++ = 0; - if (authctxt->attempt++ == 0) { - /* setup auth context */ + /* If first time or username changed or empty username, + setup/reset authentication context. */ + if ((authctxt->attempt++ == 0) || + (strcmp(user, authctxt->user) != 0) || + (strcmp(user, "") == 0)) { + if (authctxt->user) { + xfree(authctxt->user); + authctxt->user = NULL; + } + authctxt->valid = 0; + authctxt->user = xstrdup(user); + if (strcmp(service, "ssh-connection") != 0) { + packet_disconnect("Unsupported service %s", service); + } +#ifdef GSSAPI + /* If we're going to set the username based on the + GSSAPI context later, then wait until then to + verify it. Just put in placeholders for now. */ + if ((strcmp(user, "") == 0) && + (strcmp(method, "gssapi-with-mic") == 0 || + strcmp(method, "gssapi-keyex") == 0)) { + authctxt->pw = fakepw(); + } else { +#endif authctxt->pw = PRIVSEP(getpwnamallow(user)); - authctxt->user = xstrdup(user); - if (authctxt->pw && strcmp(service, "ssh-connection")==0) { + if (authctxt->pw) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); } else { @@ -248,15 +271,20 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (options.use_pam) PRIVSEP(start_pam(authctxt)); #endif +#ifdef GSSAPI + } /* endif for setting username based on GSSAPI context */ +#endif setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; - if (use_privsep) - mm_inform_authserv(service, style); - userauth_banner(); - } else if (strcmp(user, authctxt->user) != 0 || - strcmp(service, authctxt->service) != 0) { + if (authctxt->attempt == 1) { + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; + if (use_privsep) + mm_inform_authserv(service, style); + userauth_banner(); + } + } + if (strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); @@ -274,6 +302,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #endif authctxt->postponed = 0; + authctxt->server_caused_failure = 0; /* try to authenticate user */ m = authmethod_lookup(method); @@ -346,7 +375,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) } else { /* Allow initial try of "none" auth without failure penalty */ - if (authctxt->attempt > 1 || strcmp(method, "none") != 0) + if (!authctxt->server_caused_failure && + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS