mirror of
https://github.com/clearml/dropbear
synced 2025-03-03 18:52:00 +00:00
merge
This commit is contained in:
Matt Johnston
commit
e05b7f0b76
48
svr-auth.c
48
svr-auth.c
@ -110,6 +110,7 @@ void recv_msg_userauth_request() {
|
||||
|
||||
unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
|
||||
unsigned int userlen, servicelen, methodlen;
|
||||
int valid_user = 0;
|
||||
|
||||
TRACE(("enter recv_msg_userauth_request"))
|
||||
|
||||
@ -124,7 +125,6 @@ void recv_msg_userauth_request() {
|
||||
send_msg_userauth_banner();
|
||||
}
|
||||
|
||||
|
||||
username = buf_getstring(ses.payload, &userlen);
|
||||
servicename = buf_getstring(ses.payload, &servicelen);
|
||||
methodname = buf_getstring(ses.payload, &methodlen);
|
||||
@ -141,12 +141,12 @@ void recv_msg_userauth_request() {
|
||||
dropbear_exit("unknown service in auth");
|
||||
}
|
||||
|
||||
/* check username is good before continuing */
|
||||
if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
|
||||
/* username is invalid/no shell/etc - send failure */
|
||||
TRACE(("sending checkusername failure"))
|
||||
send_msg_userauth_failure(0, 1);
|
||||
goto out;
|
||||
/* check username is good before continuing.
|
||||
* the 'incrfail' varies depending on the auth method to
|
||||
* avoid giving away which users exist on the system through
|
||||
* the time delay. */
|
||||
if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
|
||||
valid_user = 1;
|
||||
}
|
||||
|
||||
/* user wants to know what methods are supported */
|
||||
@ -154,7 +154,8 @@ void recv_msg_userauth_request() {
|
||||
strncmp(methodname, AUTH_METHOD_NONE,
|
||||
AUTH_METHOD_NONE_LEN) == 0) {
|
||||
TRACE(("recv_msg_userauth_request: 'none' request"))
|
||||
if (svr_opts.allowblankpass
|
||||
if (valid_user
|
||||
&& svr_opts.allowblankpass
|
||||
&& !svr_opts.noauthpass
|
||||
&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
|
||||
&& ses.authstate.pw_passwd[0] == '\0')
|
||||
@ -168,6 +169,7 @@ void recv_msg_userauth_request() {
|
||||
}
|
||||
else
|
||||
{
|
||||
/* 'none' has no failure delay */
|
||||
send_msg_userauth_failure(0, 0);
|
||||
goto out;
|
||||
}
|
||||
@ -180,8 +182,10 @@ void recv_msg_userauth_request() {
|
||||
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
|
||||
strncmp(methodname, AUTH_METHOD_PASSWORD,
|
||||
AUTH_METHOD_PASSWORD_LEN) == 0) {
|
||||
svr_auth_password();
|
||||
goto out;
|
||||
if (valid_user) {
|
||||
svr_auth_password();
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -193,8 +197,10 @@ void recv_msg_userauth_request() {
|
||||
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
|
||||
strncmp(methodname, AUTH_METHOD_PASSWORD,
|
||||
AUTH_METHOD_PASSWORD_LEN) == 0) {
|
||||
svr_auth_pam();
|
||||
goto out;
|
||||
if (valid_user) {
|
||||
svr_auth_pam();
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -204,12 +210,17 @@ void recv_msg_userauth_request() {
|
||||
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
|
||||
strncmp(methodname, AUTH_METHOD_PUBKEY,
|
||||
AUTH_METHOD_PUBKEY_LEN) == 0) {
|
||||
svr_auth_pubkey();
|
||||
if (valid_user) {
|
||||
svr_auth_pubkey();
|
||||
} else {
|
||||
/* pubkey has no failure delay */
|
||||
send_msg_userauth_failure(0, 0);
|
||||
}
|
||||
goto out;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* nothing matched, we just fail */
|
||||
/* nothing matched, we just fail with a delay */
|
||||
send_msg_userauth_failure(0, 1);
|
||||
|
||||
out:
|
||||
@ -252,7 +263,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
|
||||
dropbear_log(LOG_WARNING,
|
||||
"Login attempt for nonexistent user from %s",
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
|
||||
@ -264,7 +274,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
|
||||
"Login attempt with wrong user %s from %s",
|
||||
ses.authstate.pw_name,
|
||||
svr_ses.addrstring);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
|
||||
@ -272,7 +281,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
|
||||
if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
|
||||
TRACE(("leave checkusername: root login disabled"))
|
||||
dropbear_log(LOG_WARNING, "root login rejected");
|
||||
send_msg_userauth_failure(0, 1);
|
||||
return DROPBEAR_FAILURE;
|
||||
}
|
||||
|
||||
@ -301,7 +309,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
|
||||
TRACE(("no matching shell"))
|
||||
dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
|
||||
ses.authstate.pw_name);
|
||||
send_msg_userauth_failure(0, 1);
|
||||
return DROPBEAR_FAILURE;
|
||||
|
||||
goodshell:
|
||||
@ -311,7 +318,6 @@ goodshell:
|
||||
TRACE(("uid = %d", ses.authstate.pw_uid))
|
||||
TRACE(("leave checkusername"))
|
||||
return DROPBEAR_SUCCESS;
|
||||
|
||||
}
|
||||
|
||||
/* Send a failure message to the client, in responds to a userauth_request.
|
||||
@ -358,8 +364,8 @@ void send_msg_userauth_failure(int partial, int incrfail) {
|
||||
if (incrfail) {
|
||||
unsigned int delay;
|
||||
genrandom((unsigned char*)&delay, sizeof(delay));
|
||||
/* We delay for 300ms +- 50ms, 0.1ms granularity */
|
||||
delay = 250000 + (delay % 1000)*100;
|
||||
/* We delay for 300ms +- 50ms */
|
||||
delay = 250000 + (delay % 100000);
|
||||
usleep(delay);
|
||||
ses.authstate.failcount++;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user