summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2016-08-30 07:50:22 +0000
committerDamien Miller <djm@cvs.openbsd.org>2016-08-30 07:50:22 +0000
commitd1a50c426f987bfc642904bf2753c3e31667044a (patch)
tree6662d38d04e3e20d1aab8a99a75be1d38df9be80
parentf5cd36234cc6f10e37a70894e0666b79f5c63ce9 (diff)
restrict monitor auth calls to be allowed only when their
respective authentication methods are enabled in the configuration. prompted by Solar Designer; ok markus dtucker
-rw-r--r--usr.bin/ssh/monitor.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index f253d0a7c27..0701b4cb41f 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.164 2016/08/30 07:50:21 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -759,6 +759,8 @@ mm_answer_authpassword(int sock, Buffer *m)
int authenticated;
u_int plen;
+ if (!options.password_authentication)
+ fatal("%s: password authentication not enabled", __func__);
passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */
authenticated = options.password_authentication &&
@@ -791,6 +793,8 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
char **prompts;
u_int success;
+ if (!options.kbd_interactive_authentication)
+ fatal("%s: kbd-int authentication not enabled", __func__);
success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
&prompts, &echo_on) < 0 ? 0 : 1;
@@ -818,6 +822,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
char *response;
int authok;
+ if (!options.kbd_interactive_authentication)
+ fatal("%s: kbd-int authentication not enabled", __func__);
if (authctxt->as == NULL)
fatal("%s: no bsd auth session", __func__);
@@ -1380,6 +1386,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
OM_uint32 major;
u_int len;
+ if (!options.gss_authentication)
+ fatal("%s: GSSAPI authentication not enabled", __func__);
+
goid.elements = buffer_get_string(m, &len);
goid.length = len;
@@ -1407,6 +1416,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
+ if (!options.gss_authentication)
+ fatal("%s: GSSAPI authentication not enabled", __func__);
+
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1435,6 +1447,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
OM_uint32 ret;
u_int len;
+ if (!options.gss_authentication)
+ fatal("%s: GSSAPI authentication not enabled", __func__);
+
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
@@ -1461,6 +1476,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
+ if (!options.gss_authentication)
+ fatal("%s: GSSAPI authentication not enabled", __func__);
+
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
buffer_clear(m);