version 1.13, 1999/11/24 00:26:00 |
version 1.14, 1999/11/24 19:53:44 |
|
|
extern char *forced_command; |
extern char *forced_command; |
extern struct envstring *custom_environment; |
extern struct envstring *custom_environment; |
|
|
/* Session identifier that is used to bind key exchange and authentication |
/* |
responses to a particular session. */ |
* Session identifier that is used to bind key exchange and authentication |
|
* responses to a particular session. |
|
*/ |
extern unsigned char session_id[16]; |
extern unsigned char session_id[16]; |
|
|
/* The .ssh/authorized_keys file contains public keys, one per line, in the |
/* |
following format: |
* The .ssh/authorized_keys file contains public keys, one per line, in the |
options bits e n comment |
* following format: |
where bits, e and n are decimal numbers, |
* options bits e n comment |
and comment is any string of characters up to newline. The maximum |
* where bits, e and n are decimal numbers, |
length of a line is 8000 characters. See the documentation for a |
* and comment is any string of characters up to newline. The maximum |
description of the options. |
* length of a line is 8000 characters. See the documentation for a |
*/ |
* description of the options. |
|
*/ |
|
|
/* Performs the RSA authentication challenge-response dialog with the client, |
/* |
and returns true (non-zero) if the client gave the correct answer to |
* Performs the RSA authentication challenge-response dialog with the client, |
our challenge; returns zero if the client gives a wrong answer. */ |
* and returns true (non-zero) if the client gave the correct answer to |
|
* our challenge; returns zero if the client gives a wrong answer. |
|
*/ |
|
|
int |
int |
auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n) |
auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n) |
|
|
return 1; |
return 1; |
} |
} |
|
|
/* Performs the RSA authentication dialog with the client. This returns |
/* |
0 if the client could not be authenticated, and 1 if authentication was |
* Performs the RSA authentication dialog with the client. This returns |
successful. This may exit if there is a serious protocol violation. */ |
* 0 if the client could not be authenticated, and 1 if authentication was |
|
* successful. This may exit if there is a serious protocol violation. |
|
*/ |
|
|
int |
int |
auth_rsa(struct passwd *pw, BIGNUM *client_n) |
auth_rsa(struct passwd *pw, BIGNUM *client_n) |
|
|
/* Flag indicating whether authentication has succeeded. */ |
/* Flag indicating whether authentication has succeeded. */ |
authenticated = 0; |
authenticated = 0; |
|
|
/* Initialize mp-int variables. */ |
|
e = BN_new(); |
e = BN_new(); |
n = BN_new(); |
n = BN_new(); |
|
|
/* Go though the accepted keys, looking for the current key. If |
/* |
found, perform a challenge-response dialog to verify that the |
* Go though the accepted keys, looking for the current key. If |
user really has the corresponding private key. */ |
* found, perform a challenge-response dialog to verify that the |
|
* user really has the corresponding private key. |
|
*/ |
while (fgets(line, sizeof(line), f)) { |
while (fgets(line, sizeof(line), f)) { |
char *cp; |
char *cp; |
char *options; |
char *options; |
|
|
linenum++; |
linenum++; |
|
|
/* Skip leading whitespace. */ |
/* Skip leading whitespace, empty and comment lines. */ |
for (cp = line; *cp == ' ' || *cp == '\t'; cp++); |
for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
|
; |
/* Skip empty and comment lines. */ |
|
if (!*cp || *cp == '\n' || *cp == '#') |
if (!*cp || *cp == '\n' || *cp == '#') |
continue; |
continue; |
|
|
/* Check if there are options for this key, and if so, |
/* |
save their starting address and skip the option part |
* Check if there are options for this key, and if so, |
for now. If there are no options, set the starting |
* save their starting address and skip the option part |
address to NULL. */ |
* for now. If there are no options, set the starting |
|
* address to NULL. |
|
*/ |
if (*cp < '0' || *cp > '9') { |
if (*cp < '0' || *cp > '9') { |
int quoted = 0; |
int quoted = 0; |
options = cp; |
options = cp; |
|
|
|
|
/* Check if the we have found the desired key (identified by its modulus). */ |
/* Check if the we have found the desired key (identified by its modulus). */ |
if (BN_cmp(n, client_n) != 0) |
if (BN_cmp(n, client_n) != 0) |
continue; /* Wrong key. */ |
continue; |
|
|
/* We have found the desired key. */ |
/* We have found the desired key. */ |
|
|
|
|
packet_send_debug("Wrong response to RSA authentication challenge."); |
packet_send_debug("Wrong response to RSA authentication challenge."); |
continue; |
continue; |
} |
} |
/* Correct response. The client has been successfully |
/* |
authenticated. Note that we have not yet processed the |
* Correct response. The client has been successfully |
options; this will be reset if the options cause the |
* authenticated. Note that we have not yet processed the |
authentication to be rejected. */ |
* options; this will be reset if the options cause the |
|
* authentication to be rejected. |
|
*/ |
authenticated = 1; |
authenticated = 1; |
|
|
/* RSA part of authentication was accepted. Now process the options. */ |
/* RSA part of authentication was accepted. Now process the options. */ |
|
|
goto next_option; |
goto next_option; |
} |
} |
bad_option: |
bad_option: |
/* Unknown option. */ |
|
log("Bad options in %.100s file, line %lu: %.50s", |
log("Bad options in %.100s file, line %lu: %.50s", |
SSH_USER_PERMITTED_KEYS, linenum, options); |
SSH_USER_PERMITTED_KEYS, linenum, options); |
packet_send_debug("Bad options in %.100s file, line %lu: %.50s", |
packet_send_debug("Bad options in %.100s file, line %lu: %.50s", |
|
|
break; |
break; |
|
|
next_option: |
next_option: |
/* Skip the comma, and move to the next option |
/* |
(or break out if there are no more). */ |
* Skip the comma, and move to the next option |
|
* (or break out if there are no more). |
|
*/ |
if (!*options) |
if (!*options) |
fatal("Bugs in auth-rsa.c option processing."); |
fatal("Bugs in auth-rsa.c option processing."); |
if (*options == ' ' || *options == '\t') |
if (*options == ' ' || *options == '\t') |
break; /* End of options. */ |
break; /* End of options. */ |
if (*options != ',') |
if (*options != ',') |
goto bad_option; |
goto bad_option; |
options++; |
options++; |
|
|
continue; |
continue; |
} |
} |
} |
} |
/* Break out of the loop if authentication was successful; |
/* |
otherwise continue searching. */ |
* Break out of the loop if authentication was successful; |
|
* otherwise continue searching. |
|
*/ |
if (authenticated) |
if (authenticated) |
break; |
break; |
} |
} |
|
|
/* Close the file. */ |
/* Close the file. */ |
fclose(f); |
fclose(f); |
|
|
/* Clear any mp-int variables. */ |
|
BN_clear_free(n); |
BN_clear_free(n); |
BN_clear_free(e); |
BN_clear_free(e); |
|
|