1/* $OpenBSD: auth.h,v 1.106 2022/06/15 16:08:25 djm Exp $ */
2
3/*
4 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 *
26 */
27
28#ifndef AUTH_H
29#define AUTH_H
30
31#include <signal.h>
32#include <stdio.h>
33
34#ifdef HAVE_LOGIN_CAP
35#include <login_cap.h>
36#endif
37#ifdef BSD_AUTH
38#include <bsd_auth.h>
39#endif
40#ifdef KRB5
41#include <krb5.h>
42#endif
43
44struct passwd;
45struct ssh;
46struct sshbuf;
47struct sshkey;
48struct sshkey_cert;
49struct sshauthopt;
50
51typedef struct Authctxt Authctxt;
52typedef struct Authmethod Authmethod;
53typedef struct KbdintDevice KbdintDevice;
54
55struct Authctxt {
56	sig_atomic_t	 success;
57	int		 authenticated;	/* authenticated and alarms cancelled */
58	int		 postponed;	/* authentication needs another step */
59	int		 valid;		/* user exists and is allowed to login */
60	int		 attempt;
61	int		 failures;
62	int		 server_caused_failure;
63	int		 force_pwchange;
64	char		*user;		/* username sent by the client */
65	char		*service;
66	struct passwd	*pw;		/* set if 'valid' */
67	char		*style;
68
69	/* Method lists for multiple authentication */
70	char		**auth_methods;	/* modified from server config */
71	u_int		 num_auth_methods;
72
73	/* Authentication method-specific data */
74	void		*methoddata;
75	void		*kbdintctxt;
76#ifdef BSD_AUTH
77	auth_session_t	*as;
78#endif
79#ifdef KRB5
80	krb5_context	 krb5_ctx;
81	krb5_ccache	 krb5_fwd_ccache;
82	krb5_principal	 krb5_user;
83	char		*krb5_ticket_file;
84	char		*krb5_ccname;
85#endif
86	struct sshbuf	*loginmsg;
87
88	/* Authentication keys already used; these will be refused henceforth */
89	struct sshkey	**prev_keys;
90	u_int		 nprev_keys;
91
92	/* Last used key and ancillary information from active auth method */
93	struct sshkey	*auth_method_key;
94	char		*auth_method_info;
95
96	/* Information exposed to session */
97	struct sshbuf	*session_info;	/* Auth info for environment */
98};
99
100/*
101 * Every authentication method has to handle authentication requests for
102 * non-existing users, or for users that are not allowed to login. In this
103 * case 'valid' is set to 0, but 'user' points to the username requested by
104 * the client.
105 */
106
107struct Authmethod {
108	char	*name;
109	char	*synonym;
110	int	(*userauth)(struct ssh *, const char *);
111	int	*enabled;
112};
113
114/*
115 * Keyboard interactive device:
116 * init_ctx	returns: non NULL upon success
117 * query	returns: 0 - success, otherwise failure
118 * respond	returns: 0 - success, 1 - need further interaction,
119 *		otherwise - failure
120 */
121struct KbdintDevice
122{
123	const char *name;
124	void*	(*init_ctx)(Authctxt*);
125	int	(*query)(void *ctx, char **name, char **infotxt,
126		    u_int *numprompts, char ***prompts, u_int **echo_on);
127	int	(*respond)(void *ctx, u_int numresp, char **responses);
128	void	(*free_ctx)(void *ctx);
129};
130
131int
132auth_rhosts2(struct passwd *, const char *, const char *, const char *);
133
134int      auth_password(struct ssh *, const char *);
135
136int	 hostbased_key_allowed(struct ssh *, struct passwd *,
137	    const char *, char *, struct sshkey *);
138int	 user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *,
139    int, struct sshauthopt **);
140int	 auth2_key_already_used(Authctxt *, const struct sshkey *);
141
142/*
143 * Handling auth method-specific information for logging and prevention
144 * of key reuse during multiple authentication.
145 */
146void	 auth2_authctxt_reset_info(Authctxt *);
147void	 auth2_record_key(Authctxt *, int, const struct sshkey *);
148void	 auth2_record_info(Authctxt *authctxt, const char *, ...)
149	    __attribute__((__format__ (printf, 2, 3)))
150	    __attribute__((__nonnull__ (2)));
151void	 auth2_update_session_info(Authctxt *, const char *, const char *);
152
153#ifdef KRB5
154int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
155int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
156int	auth_krb5_password(Authctxt *authctxt, const char *password);
157void	krb5_cleanup_proc(Authctxt *authctxt);
158#endif /* KRB5 */
159
160#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
161#include <shadow.h>
162int auth_shadow_acctexpired(struct spwd *);
163int auth_shadow_pwexpired(Authctxt *);
164#endif
165
166#include "auth-pam.h"
167#include "audit.h"
168void remove_kbdint_device(const char *);
169
170void	do_authentication2(struct ssh *);
171
172void	auth_log(struct ssh *, int, int, const char *, const char *);
173void	auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
174void	userauth_finish(struct ssh *, int, const char *, const char *);
175int	auth_root_allowed(struct ssh *, const char *);
176
177char	*auth2_read_banner(void);
178int	 auth2_methods_valid(const char *, int);
179int	 auth2_update_methods_lists(Authctxt *, const char *, const char *);
180int	 auth2_setup_methods_lists(Authctxt *);
181int	 auth2_method_allowed(Authctxt *, const char *, const char *);
182
183void	privsep_challenge_enable(void);
184
185int	auth2_challenge(struct ssh *, char *);
186void	auth2_challenge_stop(struct ssh *);
187int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
188int	bsdauth_respond(void *, u_int, char **);
189
190int	allowed_user(struct ssh *, struct passwd *);
191struct passwd * getpwnamallow(struct ssh *, const char *user);
192
193char	*expand_authorized_keys(const char *, struct passwd *pw);
194char	*authorized_principals_file(struct passwd *);
195
196int	 auth_key_is_revoked(struct sshkey *);
197
198const char	*auth_get_canonical_hostname(struct ssh *, int);
199
200HostStatus
201check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
202    const char *, const char *);
203
204/* hostkey handling */
205struct sshkey	*get_hostkey_by_index(int);
206struct sshkey	*get_hostkey_public_by_index(int, struct ssh *);
207struct sshkey	*get_hostkey_public_by_type(int, int, struct ssh *);
208struct sshkey	*get_hostkey_private_by_type(int, int, struct ssh *);
209int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
210int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
211    u_char **, size_t *, const u_char *, size_t, const char *);
212
213/* Key / cert options linkage to auth layer */
214const struct sshauthopt *auth_options(struct ssh *);
215int	 auth_activate_options(struct ssh *, struct sshauthopt *);
216void	 auth_restrict_session(struct ssh *);
217void	 auth_log_authopts(const char *, const struct sshauthopt *, int);
218
219/* debug messages during authentication */
220void	 auth_debug_add(const char *fmt,...)
221    __attribute__((format(printf, 1, 2)));
222void	 auth_debug_send(struct ssh *);
223void	 auth_debug_reset(void);
224
225struct passwd *fakepw(void);
226
227/* auth2-pubkeyfile.c */
228int	 auth_authorise_keyopts(struct passwd *, struct sshauthopt *, int,
229    const char *, const char *, const char *);
230int	 auth_check_principals_line(char *, const struct sshkey_cert *,
231    const char *, struct sshauthopt **);
232int	 auth_process_principals(FILE *, const char *,
233    const struct sshkey_cert *, struct sshauthopt **);
234int	 auth_check_authkey_line(struct passwd *, struct sshkey *,
235    char *, const char *, const char *, const char *, struct sshauthopt **);
236int	 auth_check_authkeys_file(struct passwd *, FILE *, char *,
237    struct sshkey *, const char *, const char *, struct sshauthopt **);
238FILE	*auth_openkeyfile(const char *, struct passwd *, int);
239FILE	*auth_openprincipals(const char *, struct passwd *, int);
240
241int	 sys_auth_passwd(struct ssh *, const char *);
242
243#if defined(KRB5) && !defined(HEIMDAL)
244krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
245#endif
246
247#endif /* AUTH_H */
248