version 1.40.2.3, 2002/06/02 22:56:09 |
version 1.41, 2001/05/20 17:20:35 |
|
|
#include "log.h" |
#include "log.h" |
#include "servconf.h" |
#include "servconf.h" |
#include "auth.h" |
#include "auth.h" |
#include "hostfile.h" |
|
#include "monitor_wrap.h" |
|
#include "ssh.h" |
|
|
|
/* import */ |
/* import */ |
extern ServerOptions options; |
extern ServerOptions options; |
|
|
* description of the options. |
* description of the options. |
*/ |
*/ |
|
|
BIGNUM * |
|
auth_rsa_generate_challenge(Key *key) |
|
{ |
|
BIGNUM *challenge; |
|
BN_CTX *ctx; |
|
|
|
if ((challenge = BN_new()) == NULL) |
|
fatal("auth_rsa_generate_challenge: BN_new() failed"); |
|
/* Generate a random challenge. */ |
|
BN_rand(challenge, 256, 0, 0); |
|
if ((ctx = BN_CTX_new()) == NULL) |
|
fatal("auth_rsa_generate_challenge: BN_CTX_new() failed"); |
|
BN_mod(challenge, challenge, key->rsa->n, ctx); |
|
BN_CTX_free(ctx); |
|
|
|
return challenge; |
|
} |
|
|
|
int |
|
auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) |
|
{ |
|
u_char buf[32], mdbuf[16]; |
|
MD5_CTX md; |
|
int len; |
|
|
|
/* don't allow short keys */ |
|
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { |
|
error("auth_rsa_verify_response: n too small: %d bits", |
|
BN_num_bits(key->rsa->n)); |
|
return (0); |
|
} |
|
|
|
/* The response is MD5 of decrypted challenge plus session id. */ |
|
len = BN_num_bytes(challenge); |
|
if (len <= 0 || len > 32) |
|
fatal("auth_rsa_verify_response: bad challenge length %d", len); |
|
memset(buf, 0, 32); |
|
BN_bn2bin(challenge, buf + 32 - len); |
|
MD5_Init(&md); |
|
MD5_Update(&md, buf, 32); |
|
MD5_Update(&md, session_id, 16); |
|
MD5_Final(mdbuf, &md); |
|
|
|
/* Verify that the response is the original challenge. */ |
|
if (memcmp(response, mdbuf, 16) != 0) { |
|
/* Wrong answer. */ |
|
return (0); |
|
} |
|
/* Correct answer. */ |
|
return (1); |
|
} |
|
|
|
/* |
/* |
* Performs the RSA authentication challenge-response dialog with the client, |
* Performs the RSA authentication challenge-response dialog with the client, |
* and returns true (non-zero) if the client gave the correct answer to |
* and returns true (non-zero) if the client gave the correct answer to |
|
|
*/ |
*/ |
|
|
int |
int |
auth_rsa_challenge_dialog(Key *key) |
auth_rsa_challenge_dialog(RSA *pk) |
{ |
{ |
BIGNUM *challenge, *encrypted_challenge; |
BIGNUM *challenge, *encrypted_challenge; |
u_char response[16]; |
BN_CTX *ctx; |
int i, success; |
u_char buf[32], mdbuf[16], response[16]; |
|
MD5_CTX md; |
|
u_int i; |
|
int plen, len; |
|
|
if ((encrypted_challenge = BN_new()) == NULL) |
encrypted_challenge = BN_new(); |
fatal("auth_rsa_challenge_dialog: BN_new() failed"); |
challenge = BN_new(); |
|
|
challenge = PRIVSEP(auth_rsa_generate_challenge(key)); |
/* Generate a random challenge. */ |
|
BN_rand(challenge, 256, 0, 0); |
|
ctx = BN_CTX_new(); |
|
BN_mod(challenge, challenge, pk->n, ctx); |
|
BN_CTX_free(ctx); |
|
|
/* Encrypt the challenge with the public key. */ |
/* Encrypt the challenge with the public key. */ |
rsa_public_encrypt(encrypted_challenge, challenge, key->rsa); |
rsa_public_encrypt(encrypted_challenge, challenge, pk); |
|
|
/* Send the encrypted challenge to the client. */ |
/* Send the encrypted challenge to the client. */ |
packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE); |
packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE); |
|
|
packet_write_wait(); |
packet_write_wait(); |
|
|
/* Wait for a response. */ |
/* Wait for a response. */ |
packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE); |
packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE); |
|
packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE); |
for (i = 0; i < 16; i++) |
for (i = 0; i < 16; i++) |
response[i] = packet_get_char(); |
response[i] = packet_get_char(); |
packet_check_eom(); |
|
|
|
success = PRIVSEP(auth_rsa_verify_response(key, challenge, response)); |
/* The response is MD5 of decrypted challenge plus session id. */ |
|
len = BN_num_bytes(challenge); |
|
if (len <= 0 || len > 32) |
|
fatal("auth_rsa_challenge_dialog: bad challenge length %d", len); |
|
memset(buf, 0, 32); |
|
BN_bn2bin(challenge, buf + 32 - len); |
|
MD5_Init(&md); |
|
MD5_Update(&md, buf, 32); |
|
MD5_Update(&md, session_id, 16); |
|
MD5_Final(mdbuf, &md); |
BN_clear_free(challenge); |
BN_clear_free(challenge); |
return (success); |
|
|
/* Verify that the response is the original challenge. */ |
|
if (memcmp(response, mdbuf, 16) != 0) { |
|
/* Wrong answer. */ |
|
return 0; |
|
} |
|
/* Correct answer. */ |
|
return 1; |
} |
} |
|
|
/* |
/* |
* check if there's user key matching client_n, |
* Performs the RSA authentication dialog with the client. This returns |
* return key if login is allowed, NULL otherwise |
* 0 if the client could not be authenticated, and 1 if authentication was |
|
* successful. This may exit if there is a serious protocol violation. |
*/ |
*/ |
|
|
int |
int |
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) |
auth_rsa(struct passwd *pw, BIGNUM *client_n) |
{ |
{ |
char line[8192], *file; |
char line[8192], *file; |
int allowed = 0; |
int authenticated; |
u_int bits; |
u_int bits; |
FILE *f; |
FILE *f; |
u_long linenum = 0; |
u_long linenum = 0; |
struct stat st; |
struct stat st; |
Key *key; |
RSA *pk; |
|
|
|
/* no user given */ |
|
if (pw == NULL) |
|
return 0; |
|
|
/* Temporarily use the user's uid. */ |
/* Temporarily use the user's uid. */ |
temporarily_use_uid(pw); |
temporarily_use_uid(pw); |
|
|
|
|
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
xfree(file); |
xfree(file); |
return (0); |
return 0; |
} |
} |
/* Open the file containing the authorized keys. */ |
/* Open the file containing the authorized keys. */ |
f = fopen(file, "r"); |
f = fopen(file, "r"); |
if (!f) { |
if (!f) { |
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
|
packet_send_debug("Could not open %.900s for reading.", file); |
|
packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); |
xfree(file); |
xfree(file); |
return (0); |
return 0; |
} |
} |
if (options.strict_modes && |
if (options.strict_modes && |
secure_filename(f, file, pw, line, sizeof(line)) != 0) { |
secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { |
xfree(file); |
xfree(file); |
fclose(f); |
fclose(f); |
log("Authentication refused: %s", line); |
log("Authentication refused: %s", line); |
|
packet_send_debug("Authentication refused: %s", line); |
restore_uid(); |
restore_uid(); |
return (0); |
return 0; |
} |
} |
|
/* Flag indicating whether authentication has succeeded. */ |
|
authenticated = 0; |
|
|
/* Flag indicating whether the key is allowed. */ |
pk = RSA_new(); |
allowed = 0; |
pk->e = BN_new(); |
|
pk->n = BN_new(); |
|
|
key = key_new(KEY_RSA1); |
|
|
|
/* |
/* |
* Go though the accepted keys, looking for the current key. If |
* Go though the accepted keys, looking for the current key. If |
* found, perform a challenge-response dialog to verify that the |
* found, perform a challenge-response dialog to verify that the |
|
|
options = NULL; |
options = NULL; |
|
|
/* Parse the key from the line. */ |
/* Parse the key from the line. */ |
if (hostfile_read_key(&cp, &bits, key) == 0) { |
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { |
debug("%.100s, line %lu: non ssh1 key syntax", |
debug("%.100s, line %lu: bad key syntax", |
file, linenum); |
file, linenum); |
|
packet_send_debug("%.100s, line %lu: bad key syntax", |
|
file, linenum); |
continue; |
continue; |
} |
} |
/* cp now points to the comment part. */ |
/* cp now points to the comment part. */ |
|
|
/* Check if the we have found the desired key (identified by its modulus). */ |
/* Check if the we have found the desired key (identified by its modulus). */ |
if (BN_cmp(key->rsa->n, client_n) != 0) |
if (BN_cmp(pk->n, client_n) != 0) |
continue; |
continue; |
|
|
/* check the real bits */ |
/* check the real bits */ |
if (bits != BN_num_bits(key->rsa->n)) |
if (bits != BN_num_bits(pk->n)) |
log("Warning: %s, line %lu: keysize mismatch: " |
log("Warning: %s, line %ld: keysize mismatch: " |
"actual %d vs. announced %d.", |
"actual %d vs. announced %d.", |
file, linenum, BN_num_bits(key->rsa->n), bits); |
file, linenum, BN_num_bits(pk->n), bits); |
|
|
/* We have found the desired key. */ |
/* We have found the desired key. */ |
/* |
/* |
|
|
if (!auth_parse_options(pw, options, file, linenum)) |
if (!auth_parse_options(pw, options, file, linenum)) |
continue; |
continue; |
|
|
/* break out, this key is allowed */ |
/* Perform the challenge-response dialog for this key. */ |
allowed = 1; |
if (!auth_rsa_challenge_dialog(pk)) { |
|
/* Wrong response. */ |
|
verbose("Wrong response to RSA authentication challenge."); |
|
packet_send_debug("Wrong response to RSA authentication challenge."); |
|
continue; |
|
} |
|
/* |
|
* Correct response. The client has been successfully |
|
* authenticated. Note that we have not yet processed the |
|
* options; this will be reset if the options cause the |
|
* authentication to be rejected. |
|
* Break out of the loop if authentication was successful; |
|
* otherwise continue searching. |
|
*/ |
|
authenticated = 1; |
break; |
break; |
} |
} |
|
|
|
|
xfree(file); |
xfree(file); |
fclose(f); |
fclose(f); |
|
|
/* return key if allowed */ |
RSA_free(pk); |
if (allowed && rkey != NULL) |
|
*rkey = key; |
|
else |
|
key_free(key); |
|
return (allowed); |
|
} |
|
|
|
/* |
if (authenticated) |
* Performs the RSA authentication dialog with the client. This returns |
packet_send_debug("RSA authentication accepted."); |
* 0 if the client could not be authenticated, and 1 if authentication was |
else |
* successful. This may exit if there is a serious protocol violation. |
|
*/ |
|
int |
|
auth_rsa(struct passwd *pw, BIGNUM *client_n) |
|
{ |
|
Key *key; |
|
char *fp; |
|
|
|
/* no user given */ |
|
if (pw == NULL) |
|
return 0; |
|
|
|
if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) { |
|
auth_clear_options(); |
auth_clear_options(); |
return (0); |
|
} |
|
|
|
/* Perform the challenge-response dialog for this key. */ |
/* Return authentication result. */ |
if (!auth_rsa_challenge_dialog(key)) { |
return authenticated; |
/* Wrong response. */ |
|
verbose("Wrong response to RSA authentication challenge."); |
|
packet_send_debug("Wrong response to RSA authentication challenge."); |
|
/* |
|
* Break out of the loop. Otherwise we might send |
|
* another challenge and break the protocol. |
|
*/ |
|
key_free(key); |
|
return (0); |
|
} |
|
/* |
|
* Correct response. The client has been successfully |
|
* authenticated. Note that we have not yet processed the |
|
* options; this will be reset if the options cause the |
|
* authentication to be rejected. |
|
*/ |
|
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
|
verbose("Found matching %s key: %s", |
|
key_type(key), fp); |
|
xfree(fp); |
|
key_free(key); |
|
|
|
packet_send_debug("RSA authentication accepted."); |
|
return (1); |
|
} |
} |