[openssh-unix-dev] auth*.c

David Bronder david-bronder at uiowa.edu
Sun Dec 30 09:31:40 EST 2001


Markus Friedl wrote:
> 
> On Fri, Dec 28, 2001 at 11:26:23AM -0600, David Bronder wrote:
> > My question to the developers is this:  Should login attempts by an
> > invalid user behave this way?  Or should the invalid user check be
> > made after a successful authentication instead of before, and then
> > cause the disconnect?  The latter seems more correct to me.
> 
> how can a non-existing user authenticate successfully?
> 

True.  I should have been more explicit.  You're overloading the
authctxt->valid flag to mean either the user doesn't exist or the
user does exist but isn't allowed to log in for policy reasons.

The problem is calling allowed_user(), which only occurs if the
getpwname() call was successful (i.e. the user exists).  If a user
isn't allowed to log in (as determined by allowed_user() before
any authentication method is tried), then you know in advance that
you're going to deny the session regardless of the result of any
auth methods you try.

For the case of a non-existent user, you want to hide the fact
that the user doesn't exist from the client.

For the case of a disallowed (but existing) user, you want to let
the user know they're disallowed (or so I would expect).  But you
don't want to do that until after they've authenticated, or you'll
be giving away info to username-guessers.

So I'm thinking either keep authctxt->valid overloaded, but don't
check it until after a successful authentication, if one happens
(a grossly oversimplified statement, but concept first and code
later); or split the allowed_user() call out and move it until
after successful authentication.

(This still doesn't directly help the AIX nologin issue, but one
thing at a time...)

=Dave

-- 
Hello World.                                    David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu
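The ordering argued for above, as an added example that is not OpenSSH code: a constructed model of authctxt in which the allowed_user() result is consulted only after an auth method has succeeded, so a client that has not authenticated gets the same answer for a missing account, a policy-denied account, and a wrong password. The struct, account table, outcome codes and function names are stand-ins assumed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for sshd's authctxt; not the real structure. */
struct authctxt {
    bool exists;   /* the getpwnam() lookup succeeded */
    bool allowed;  /* the allowed_user() policy check passed */
    bool valid;    /* the overloaded flag from the thread: exists && allowed */
};

enum outcome { AUTH_FAIL, AUTH_OK, POLICY_DENIED };

/* Constructed account table: name, password, may log in. */
struct account { const char *name; const char *pw; bool allowed; };
static const struct account accounts[] = {
    { "alice", "correct horse",  true  },
    { "bob",   "battery staple", false },  /* exists, but denied by policy */
};
#define NACCOUNTS (sizeof accounts / sizeof accounts[0])

static void lookup_user(struct authctxt *a, const char *user) {
    a->exists = a->allowed = false;
    for (size_t i = 0; i < NACCOUNTS; i++)
        if (strcmp(accounts[i].name, user) == 0) {
            a->exists = true;
            a->allowed = accounts[i].allowed;
        }
    a->valid = a->exists && a->allowed;
}

/* Password method. It runs for every user name, so the client sees the same
 * failure whether the account is missing, denied, or given a wrong password.
 * A real implementation would use a proper credential check, not strcmp(). */
static bool password_method(const struct authctxt *a, const char *user, const char *pw) {
    bool match = false;
    for (size_t i = 0; i < NACCOUNTS; i++)
        if (strcmp(accounts[i].name, user) == 0 && strcmp(accounts[i].pw, pw) == 0)
            match = true;
    return a->exists && match;
}

/* Ordering the thread argues for: authenticate first, then apply policy.
 * Until authentication succeeds, every failure is reported as AUTH_FAIL. */
enum outcome authenticate(const char *user, const char *pw) {
    struct authctxt a;
    lookup_user(&a, user);
    if (!password_method(&a, user, pw))
        return AUTH_FAIL;                       /* same answer for missing and denied users */
    return a.valid ? AUTH_OK : POLICY_DENIED;   /* policy result disclosed only post-auth */
}
```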
