Annotation of src/usr.bin/ssh/sshconnect1.c, Revision 1.26
1.1 markus 1: /*
2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * Code to connect to a remote host, and to perform the client side of the
6: * login (authentication) dialog.
7: *
1.6 deraadt 8: * As far as I am concerned, the code I have written for this software
9: * can be used freely for any purpose. Any derived versions of this
10: * software must be clearly marked as such, and if the derived work is
11: * incompatible with the protocol description in the RFC file, it must be
12: * called by a name other than "ssh" or "Secure Shell".
1.1 markus 13: */
14:
15: #include "includes.h"
1.26 ! markus 16: RCSID("$OpenBSD: sshconnect1.c,v 1.25 2001/02/08 23:11:43 dugsong Exp $");
1.1 markus 17:
18: #include <openssl/bn.h>
19: #include <openssl/evp.h>
20:
1.18 markus 21: #ifdef KRB4
22: #include <krb.h>
23: #endif
24: #ifdef AFS
25: #include <kafs.h>
1.19 markus 26: #include "radix.h"
1.18 markus 27: #endif
28:
29: #include "ssh.h"
30: #include "ssh1.h"
1.1 markus 31: #include "xmalloc.h"
32: #include "rsa.h"
33: #include "buffer.h"
34: #include "packet.h"
35: #include "mpaux.h"
36: #include "uidswap.h"
1.18 markus 37: #include "log.h"
1.1 markus 38: #include "readconf.h"
39: #include "key.h"
1.4 markus 40: #include "authfd.h"
1.1 markus 41: #include "sshconnect.h"
42: #include "authfile.h"
1.18 markus 43: #include "readpass.h"
44: #include "cipher.h"
45: #include "canohost.h"
1.1 markus 46:
47: /* Session id for the current session. */
1.13 markus 48: u_char session_id[16];
49: u_int supported_authentications = 0;
1.1 markus 50:
51: extern Options options;
52: extern char *__progname;
53:
1.25 dugsong 54: void
55: ssh1_put_password(char *password)
56: {
57: int size;
58: char *padded;
59:
1.26 ! markus 60: size = roundup(strlen(password) + 1, 32);
1.25 dugsong 61: padded = xmalloc(size);
62: strlcpy(padded, password, size);
63: packet_put_string(padded, size);
64: memset(padded, 0, size);
65: xfree(padded);
66: }
67:
1.1 markus 68: /*
69: * Checks if the user has an authentication agent, and if so, tries to
70: * authenticate using the agent.
71: */
72: int
1.24 itojun 73: try_agent_authentication(void)
1.1 markus 74: {
1.5 markus 75: int type;
1.1 markus 76: char *comment;
77: AuthenticationConnection *auth;
1.13 markus 78: u_char response[16];
79: u_int i;
1.5 markus 80: int plen, clen;
81: Key *key;
82: BIGNUM *challenge;
1.1 markus 83:
84: /* Get connection to the agent. */
85: auth = ssh_get_authentication_connection();
86: if (!auth)
87: return 0;
88:
89: challenge = BN_new();
90:
91: /* Loop through identities served by the agent. */
1.5 markus 92: for (key = ssh_get_first_identity(auth, &comment, 1);
93: key != NULL;
94: key = ssh_get_next_identity(auth, &comment, 1)) {
1.1 markus 95:
96: /* Try this identity. */
97: debug("Trying RSA authentication via agent with '%.100s'", comment);
98: xfree(comment);
99:
100: /* Tell the server that we are willing to authenticate using this key. */
101: packet_start(SSH_CMSG_AUTH_RSA);
1.5 markus 102: packet_put_bignum(key->rsa->n);
1.1 markus 103: packet_send();
104: packet_write_wait();
105:
106: /* Wait for server's response. */
107: type = packet_read(&plen);
108:
109: /* The server sends failure if it doesn\'t like our key or
110: does not support RSA authentication. */
111: if (type == SSH_SMSG_FAILURE) {
112: debug("Server refused our key.");
1.5 markus 113: key_free(key);
1.1 markus 114: continue;
115: }
116: /* Otherwise it should have sent a challenge. */
117: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
118: packet_disconnect("Protocol error during RSA authentication: %d",
119: type);
120:
121: packet_get_bignum(challenge, &clen);
122:
123: packet_integrity_check(plen, clen, type);
124:
125: debug("Received RSA challenge from server.");
126:
127: /* Ask the agent to decrypt the challenge. */
1.5 markus 128: if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
129: /*
130: * The agent failed to authenticate this identifier
131: * although it advertised it supports this. Just
132: * return a wrong value.
133: */
1.1 markus 134: log("Authentication agent failed to decrypt challenge.");
135: memset(response, 0, sizeof(response));
136: }
1.5 markus 137: key_free(key);
1.1 markus 138: debug("Sending response to RSA challenge.");
139:
140: /* Send the decrypted challenge back to the server. */
141: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
142: for (i = 0; i < 16; i++)
143: packet_put_char(response[i]);
144: packet_send();
145: packet_write_wait();
146:
147: /* Wait for response from the server. */
148: type = packet_read(&plen);
149:
150: /* The server returns success if it accepted the authentication. */
151: if (type == SSH_SMSG_SUCCESS) {
1.14 markus 152: ssh_close_authentication_connection(auth);
1.5 markus 153: BN_clear_free(challenge);
1.1 markus 154: debug("RSA authentication accepted by server.");
155: return 1;
156: }
157: /* Otherwise it should return failure. */
158: if (type != SSH_SMSG_FAILURE)
159: packet_disconnect("Protocol error waiting RSA auth response: %d",
160: type);
161: }
1.14 markus 162: ssh_close_authentication_connection(auth);
1.1 markus 163: BN_clear_free(challenge);
164: debug("RSA authentication using agent refused.");
165: return 0;
166: }
167:
168: /*
169: * Computes the proper response to a RSA challenge, and sends the response to
170: * the server.
171: */
172: void
173: respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
174: {
1.13 markus 175: u_char buf[32], response[16];
1.1 markus 176: MD5_CTX md;
177: int i, len;
178:
179: /* Decrypt the challenge using the private key. */
1.21 markus 180: /* XXX think about Bleichenbacher, too */
181: if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
182: packet_disconnect(
183: "respond_to_rsa_challenge: rsa_private_decrypt failed");
1.1 markus 184:
185: /* Compute the response. */
186: /* The response is MD5 of decrypted challenge plus session id. */
187: len = BN_num_bytes(challenge);
188: if (len <= 0 || len > sizeof(buf))
1.21 markus 189: packet_disconnect(
190: "respond_to_rsa_challenge: bad challenge length %d", len);
1.1 markus 191:
192: memset(buf, 0, sizeof(buf));
193: BN_bn2bin(challenge, buf + sizeof(buf) - len);
194: MD5_Init(&md);
195: MD5_Update(&md, buf, 32);
196: MD5_Update(&md, session_id, 16);
197: MD5_Final(response, &md);
198:
199: debug("Sending response to host key RSA challenge.");
200:
201: /* Send the response back to the server. */
202: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
203: for (i = 0; i < 16; i++)
204: packet_put_char(response[i]);
205: packet_send();
206: packet_write_wait();
207:
208: memset(buf, 0, sizeof(buf));
209: memset(response, 0, sizeof(response));
210: memset(&md, 0, sizeof(md));
211: }
212:
213: /*
214: * Checks if the user has authentication file, and if so, tries to authenticate
215: * the user using it.
216: */
217: int
218: try_rsa_authentication(const char *authfile)
219: {
220: BIGNUM *challenge;
221: Key *public;
222: Key *private;
223: char *passphrase, *comment;
224: int type, i;
225: int plen, clen;
226:
227: /* Try to load identification for the authentication key. */
1.9 markus 228: public = key_new(KEY_RSA1);
1.1 markus 229: if (!load_public_key(authfile, public, &comment)) {
230: key_free(public);
231: /* Could not load it. Fail. */
232: return 0;
233: }
234: debug("Trying RSA authentication with key '%.100s'", comment);
235:
236: /* Tell the server that we are willing to authenticate using this key. */
237: packet_start(SSH_CMSG_AUTH_RSA);
238: packet_put_bignum(public->rsa->n);
239: packet_send();
240: packet_write_wait();
241:
242: /* We no longer need the public key. */
243: key_free(public);
244:
245: /* Wait for server's response. */
246: type = packet_read(&plen);
247:
248: /*
249: * The server responds with failure if it doesn\'t like our key or
250: * doesn\'t support RSA authentication.
251: */
252: if (type == SSH_SMSG_FAILURE) {
253: debug("Server refused our key.");
254: xfree(comment);
255: return 0;
256: }
257: /* Otherwise, the server should respond with a challenge. */
258: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
259: packet_disconnect("Protocol error during RSA authentication: %d", type);
260:
261: /* Get the challenge from the packet. */
262: challenge = BN_new();
263: packet_get_bignum(challenge, &clen);
264:
265: packet_integrity_check(plen, clen, type);
266:
267: debug("Received RSA challenge from server.");
268:
1.9 markus 269: private = key_new(KEY_RSA1);
1.1 markus 270: /*
271: * Load the private key. Try first with empty passphrase; if it
272: * fails, ask for a passphrase.
273: */
274: if (!load_private_key(authfile, "", private, NULL)) {
275: char buf[300];
276: snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
277: comment);
278: if (!options.batch_mode)
279: passphrase = read_passphrase(buf, 0);
280: else {
281: debug("Will not query passphrase for %.100s in batch mode.",
282: comment);
283: passphrase = xstrdup("");
284: }
285:
286: /* Load the authentication file using the pasphrase. */
287: if (!load_private_key(authfile, passphrase, private, NULL)) {
288: memset(passphrase, 0, strlen(passphrase));
289: xfree(passphrase);
290: error("Bad passphrase.");
291:
292: /* Send a dummy response packet to avoid protocol error. */
293: packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
294: for (i = 0; i < 16; i++)
295: packet_put_char(0);
296: packet_send();
297: packet_write_wait();
298:
299: /* Expect the server to reject it... */
300: packet_read_expect(&plen, SSH_SMSG_FAILURE);
301: xfree(comment);
1.14 markus 302: key_free(private);
303: BN_clear_free(challenge);
1.1 markus 304: return 0;
305: }
306: /* Destroy the passphrase. */
307: memset(passphrase, 0, strlen(passphrase));
308: xfree(passphrase);
309: }
310: /* We no longer need the comment. */
311: xfree(comment);
312:
313: /* Compute and send a response to the challenge. */
314: respond_to_rsa_challenge(challenge, private->rsa);
315:
316: /* Destroy the private key. */
317: key_free(private);
318:
319: /* We no longer need the challenge. */
320: BN_clear_free(challenge);
321:
322: /* Wait for response from the server. */
323: type = packet_read(&plen);
324: if (type == SSH_SMSG_SUCCESS) {
325: debug("RSA authentication accepted by server.");
326: return 1;
327: }
328: if (type != SSH_SMSG_FAILURE)
329: packet_disconnect("Protocol error waiting RSA auth response: %d", type);
330: debug("RSA authentication refused.");
331: return 0;
332: }
333:
334: /*
335: * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
336: * authentication and RSA host authentication.
337: */
338: int
339: try_rhosts_rsa_authentication(const char *local_user, RSA * host_key)
340: {
341: int type;
342: BIGNUM *challenge;
343: int plen, clen;
344:
345: debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
346:
347: /* Tell the server that we are willing to authenticate using this key. */
348: packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
349: packet_put_string(local_user, strlen(local_user));
350: packet_put_int(BN_num_bits(host_key->n));
351: packet_put_bignum(host_key->e);
352: packet_put_bignum(host_key->n);
353: packet_send();
354: packet_write_wait();
355:
356: /* Wait for server's response. */
357: type = packet_read(&plen);
358:
359: /* The server responds with failure if it doesn't admit our
360: .rhosts authentication or doesn't know our host key. */
361: if (type == SSH_SMSG_FAILURE) {
362: debug("Server refused our rhosts authentication or host key.");
363: return 0;
364: }
365: /* Otherwise, the server should respond with a challenge. */
366: if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
367: packet_disconnect("Protocol error during RSA authentication: %d", type);
368:
369: /* Get the challenge from the packet. */
370: challenge = BN_new();
371: packet_get_bignum(challenge, &clen);
372:
373: packet_integrity_check(plen, clen, type);
374:
375: debug("Received RSA challenge for host key from server.");
376:
377: /* Compute a response to the challenge. */
378: respond_to_rsa_challenge(challenge, host_key);
379:
380: /* We no longer need the challenge. */
381: BN_clear_free(challenge);
382:
383: /* Wait for response from the server. */
384: type = packet_read(&plen);
385: if (type == SSH_SMSG_SUCCESS) {
386: debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
387: return 1;
388: }
389: if (type != SSH_SMSG_FAILURE)
390: packet_disconnect("Protocol error waiting RSA auth response: %d", type);
391: debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
392: return 0;
393: }
394:
395: #ifdef KRB4
396: int
1.24 itojun 397: try_kerberos_authentication(void)
1.1 markus 398: {
399: KTEXT_ST auth; /* Kerberos data */
400: char *reply;
401: char inst[INST_SZ];
402: char *realm;
403: CREDENTIALS cred;
404: int r, type, plen;
405: socklen_t slen;
406: Key_schedule schedule;
407: u_long checksum, cksum;
408: MSG_DAT msg_data;
409: struct sockaddr_in local, foreign;
410: struct stat st;
411:
412: /* Don't do anything if we don't have any tickets. */
413: if (stat(tkt_string(), &st) < 0)
414: return 0;
415:
1.22 markus 416: strncpy(inst, (char *) krb_get_phost(get_canonical_hostname(1)), INST_SZ);
1.1 markus 417:
1.22 markus 418: realm = (char *) krb_realmofhost(get_canonical_hostname(1));
1.1 markus 419: if (!realm) {
1.22 markus 420: debug("Kerberos V4: no realm for %s", get_canonical_hostname(1));
1.1 markus 421: return 0;
422: }
423: /* This can really be anything. */
424: checksum = (u_long) getpid();
425:
426: r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
427: if (r != KSUCCESS) {
428: debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]);
429: return 0;
430: }
431: /* Get session key to decrypt the server's reply with. */
432: r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
433: if (r != KSUCCESS) {
434: debug("get_cred failed: %s", krb_err_txt[r]);
435: return 0;
436: }
437: des_key_sched((des_cblock *) cred.session, schedule);
438:
439: /* Send authentication info to server. */
440: packet_start(SSH_CMSG_AUTH_KERBEROS);
441: packet_put_string((char *) auth.dat, auth.length);
442: packet_send();
443: packet_write_wait();
444:
445: /* Zero the buffer. */
446: (void) memset(auth.dat, 0, MAX_KTXT_LEN);
447:
448: slen = sizeof(local);
449: memset(&local, 0, sizeof(local));
450: if (getsockname(packet_get_connection_in(),
451: (struct sockaddr *) & local, &slen) < 0)
452: debug("getsockname failed: %s", strerror(errno));
453:
454: slen = sizeof(foreign);
455: memset(&foreign, 0, sizeof(foreign));
456: if (getpeername(packet_get_connection_in(),
457: (struct sockaddr *) & foreign, &slen) < 0) {
458: debug("getpeername failed: %s", strerror(errno));
459: fatal_cleanup();
460: }
461: /* Get server reply. */
462: type = packet_read(&plen);
463: switch (type) {
464: case SSH_SMSG_FAILURE:
465: /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
466: debug("Kerberos V4 authentication failed.");
467: return 0;
468: break;
469:
470: case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
471: /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
472: debug("Kerberos V4 authentication accepted.");
473:
474: /* Get server's response. */
1.13 markus 475: reply = packet_get_string((u_int *) &auth.length);
1.1 markus 476: memcpy(auth.dat, reply, auth.length);
477: xfree(reply);
478:
479: packet_integrity_check(plen, 4 + auth.length, type);
480:
481: /*
482: * If his response isn't properly encrypted with the session
483: * key, and the decrypted checksum fails to match, he's
484: * bogus. Bail out.
485: */
486: r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
487: &foreign, &local, &msg_data);
488: if (r != KSUCCESS) {
489: debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]);
490: packet_disconnect("Kerberos V4 challenge failed!");
491: }
492: /* Fetch the (incremented) checksum that we supplied in the request. */
493: (void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum));
494: cksum = ntohl(cksum);
495:
496: /* If it matches, we're golden. */
497: if (cksum == checksum + 1) {
498: debug("Kerberos V4 challenge successful.");
499: return 1;
500: } else
501: packet_disconnect("Kerberos V4 challenge failed!");
502: break;
503:
504: default:
505: packet_disconnect("Protocol error on Kerberos V4 response: %d", type);
506: }
507: return 0;
508: }
509:
510: #endif /* KRB4 */
511:
512: #ifdef AFS
513: int
1.24 itojun 514: send_kerberos_tgt(void)
1.1 markus 515: {
516: CREDENTIALS *creds;
517: char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
518: int r, type, plen;
519: char buffer[8192];
520: struct stat st;
521:
522: /* Don't do anything if we don't have any tickets. */
523: if (stat(tkt_string(), &st) < 0)
524: return 0;
525:
526: creds = xmalloc(sizeof(*creds));
527:
528: if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) {
529: debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]);
530: return 0;
531: }
532: if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) {
533: debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]);
534: return 0;
535: }
536: if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
537: debug("Kerberos V4 ticket expired: %s", TKT_FILE);
538: return 0;
539: }
1.13 markus 540: creds_to_radix(creds, (u_char *)buffer, sizeof buffer);
1.1 markus 541: xfree(creds);
542:
543: packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
544: packet_put_string(buffer, strlen(buffer));
545: packet_send();
546: packet_write_wait();
547:
548: type = packet_read(&plen);
549:
550: if (type == SSH_SMSG_FAILURE)
551: debug("Kerberos TGT for realm %s rejected.", prealm);
552: else if (type != SSH_SMSG_SUCCESS)
553: packet_disconnect("Protocol error on Kerberos TGT response: %d", type);
554:
555: return 1;
556: }
557:
558: void
559: send_afs_tokens(void)
560: {
561: CREDENTIALS creds;
562: struct ViceIoctl parms;
563: struct ClearToken ct;
564: int i, type, len, plen;
565: char buf[2048], *p, *server_cell;
566: char buffer[8192];
567:
568: /* Move over ktc_GetToken, here's something leaner. */
569: for (i = 0; i < 100; i++) { /* just in case */
570: parms.in = (char *) &i;
571: parms.in_size = sizeof(i);
572: parms.out = buf;
573: parms.out_size = sizeof(buf);
574: if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
575: break;
576: p = buf;
577:
578: /* Get secret token. */
1.13 markus 579: memcpy(&creds.ticket_st.length, p, sizeof(u_int));
1.1 markus 580: if (creds.ticket_st.length > MAX_KTXT_LEN)
581: break;
1.13 markus 582: p += sizeof(u_int);
1.1 markus 583: memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
584: p += creds.ticket_st.length;
585:
586: /* Get clear token. */
587: memcpy(&len, p, sizeof(len));
588: if (len != sizeof(struct ClearToken))
589: break;
590: p += sizeof(len);
591: memcpy(&ct, p, len);
592: p += len;
593: p += sizeof(len); /* primary flag */
594: server_cell = p;
595:
596: /* Flesh out our credentials. */
597: strlcpy(creds.service, "afs", sizeof creds.service);
598: creds.instance[0] = '\0';
599: strlcpy(creds.realm, server_cell, REALM_SZ);
600: memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
601: creds.issue_date = ct.BeginTimestamp;
602: creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp);
603: creds.kvno = ct.AuthHandle;
604: snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
605: creds.pinst[0] = '\0';
606:
607: /* Encode token, ship it off. */
1.15 deraadt 608: if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0)
1.1 markus 609: break;
610: packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
611: packet_put_string(buffer, strlen(buffer));
612: packet_send();
613: packet_write_wait();
614:
615: /* Roger, Roger. Clearance, Clarence. What's your vector,
616: Victor? */
617: type = packet_read(&plen);
618:
619: if (type == SSH_SMSG_FAILURE)
620: debug("AFS token for cell %s rejected.", server_cell);
621: else if (type != SSH_SMSG_SUCCESS)
622: packet_disconnect("Protocol error on AFS token response: %d", type);
623: }
624: }
625:
626: #endif /* AFS */
627:
628: /*
629: * Tries to authenticate with any string-based challenge/response system.
630: * Note that the client code is not tied to s/key or TIS.
631: */
632: int
1.24 itojun 633: try_challenge_reponse_authentication(void)
1.1 markus 634: {
635: int type, i;
636: int payload_len;
1.13 markus 637: u_int clen;
1.12 markus 638: char prompt[1024];
1.1 markus 639: char *challenge, *response;
640:
1.20 markus 641: debug("Doing challenge reponse authentication.");
1.1 markus 642:
1.12 markus 643: for (i = 0; i < options.number_of_password_prompts; i++) {
644: /* request a challenge */
645: packet_start(SSH_CMSG_AUTH_TIS);
646: packet_send();
647: packet_write_wait();
1.1 markus 648:
1.12 markus 649: type = packet_read(&payload_len);
650: if (type != SSH_SMSG_FAILURE &&
651: type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
652: packet_disconnect("Protocol error: got %d in response "
1.20 markus 653: "to SSH_CMSG_AUTH_TIS", type);
1.12 markus 654: }
655: if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
1.20 markus 656: debug("No challenge.");
1.12 markus 657: return 0;
658: }
659: challenge = packet_get_string(&clen);
660: packet_integrity_check(payload_len, (4 + clen), type);
1.16 markus 661: snprintf(prompt, sizeof prompt, "%s%s", challenge,
662: strchr(challenge, '\n') ? "" : "\nResponse: ");
1.12 markus 663: xfree(challenge);
1.1 markus 664: if (i != 0)
665: error("Permission denied, please try again.");
1.12 markus 666: if (options.cipher == SSH_CIPHER_NONE)
667: log("WARNING: Encryption is disabled! "
668: "Reponse will be transmitted in clear text.");
669: response = read_passphrase(prompt, 0);
670: if (strcmp(response, "") == 0) {
671: xfree(response);
672: break;
673: }
1.1 markus 674: packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
1.25 dugsong 675: ssh1_put_password(response);
1.1 markus 676: memset(response, 0, strlen(response));
677: xfree(response);
678: packet_send();
679: packet_write_wait();
680: type = packet_read(&payload_len);
681: if (type == SSH_SMSG_SUCCESS)
682: return 1;
683: if (type != SSH_SMSG_FAILURE)
684: packet_disconnect("Protocol error: got %d in response "
1.20 markus 685: "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
1.1 markus 686: }
687: /* failure */
688: return 0;
689: }
690:
691: /*
692: * Tries to authenticate with plain passwd authentication.
693: */
694: int
695: try_password_authentication(char *prompt)
696: {
697: int type, i, payload_len;
698: char *password;
699:
700: debug("Doing password authentication.");
701: if (options.cipher == SSH_CIPHER_NONE)
702: log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
703: for (i = 0; i < options.number_of_password_prompts; i++) {
704: if (i != 0)
705: error("Permission denied, please try again.");
706: password = read_passphrase(prompt, 0);
707: packet_start(SSH_CMSG_AUTH_PASSWORD);
1.25 dugsong 708: ssh1_put_password(password);
1.1 markus 709: memset(password, 0, strlen(password));
710: xfree(password);
711: packet_send();
712: packet_write_wait();
713:
714: type = packet_read(&payload_len);
715: if (type == SSH_SMSG_SUCCESS)
716: return 1;
717: if (type != SSH_SMSG_FAILURE)
718: packet_disconnect("Protocol error: got %d in response to passwd auth", type);
719: }
720: /* failure */
721: return 0;
722: }
723:
724: /*
725: * SSH1 key exchange
726: */
727: void
728: ssh_kex(char *host, struct sockaddr *hostaddr)
729: {
730: int i;
731: BIGNUM *key;
732: RSA *host_key;
733: RSA *public_key;
734: Key k;
735: int bits, rbits;
736: int ssh_cipher_default = SSH_CIPHER_3DES;
1.13 markus 737: u_char session_key[SSH_SESSION_KEY_LENGTH];
738: u_char cookie[8];
739: u_int supported_ciphers;
740: u_int server_flags, client_flags;
1.1 markus 741: int payload_len, clen, sum_len = 0;
742: u_int32_t rand = 0;
743:
744: debug("Waiting for server public key.");
745:
746: /* Wait for a public key packet from the server. */
747: packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
748:
749: /* Get cookie from the packet. */
750: for (i = 0; i < 8; i++)
751: cookie[i] = packet_get_char();
752:
753: /* Get the public key. */
754: public_key = RSA_new();
755: bits = packet_get_int();/* bits */
756: public_key->e = BN_new();
757: packet_get_bignum(public_key->e, &clen);
758: sum_len += clen;
759: public_key->n = BN_new();
760: packet_get_bignum(public_key->n, &clen);
761: sum_len += clen;
762:
763: rbits = BN_num_bits(public_key->n);
764: if (bits != rbits) {
765: log("Warning: Server lies about size of server public key: "
766: "actual size is %d bits vs. announced %d.", rbits, bits);
767: log("Warning: This may be due to an old implementation of ssh.");
768: }
769: /* Get the host key. */
770: host_key = RSA_new();
771: bits = packet_get_int();/* bits */
772: host_key->e = BN_new();
773: packet_get_bignum(host_key->e, &clen);
774: sum_len += clen;
775: host_key->n = BN_new();
776: packet_get_bignum(host_key->n, &clen);
777: sum_len += clen;
778:
779: rbits = BN_num_bits(host_key->n);
780: if (bits != rbits) {
781: log("Warning: Server lies about size of server host key: "
782: "actual size is %d bits vs. announced %d.", rbits, bits);
783: log("Warning: This may be due to an old implementation of ssh.");
784: }
785:
786: /* Get protocol flags. */
787: server_flags = packet_get_int();
788: packet_set_protocol_flags(server_flags);
789:
790: supported_ciphers = packet_get_int();
791: supported_authentications = packet_get_int();
792:
793: debug("Received server public key (%d bits) and host key (%d bits).",
794: BN_num_bits(public_key->n), BN_num_bits(host_key->n));
795:
796: packet_integrity_check(payload_len,
797: 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
798: SSH_SMSG_PUBLIC_KEY);
1.9 markus 799: k.type = KEY_RSA1;
1.1 markus 800: k.rsa = host_key;
801: check_host_key(host, hostaddr, &k,
802: options.user_hostfile, options.system_hostfile);
803:
804: client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
805:
806: compute_session_id(session_id, cookie, host_key->n, public_key->n);
807:
808: /* Generate a session key. */
809: arc4random_stir();
810:
811: /*
812: * Generate an encryption key for the session. The key is a 256 bit
813: * random number, interpreted as a 32-byte key, with the least
814: * significant 8 bits being the first byte of the key.
815: */
816: for (i = 0; i < 32; i++) {
817: if (i % 4 == 0)
818: rand = arc4random();
819: session_key[i] = rand & 0xff;
820: rand >>= 8;
821: }
822:
823: /*
824: * According to the protocol spec, the first byte of the session key
825: * is the highest byte of the integer. The session key is xored with
826: * the first 16 bytes of the session id.
827: */
828: key = BN_new();
829: BN_set_word(key, 0);
830: for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
831: BN_lshift(key, key, 8);
832: if (i < 16)
833: BN_add_word(key, session_key[i] ^ session_id[i]);
834: else
835: BN_add_word(key, session_key[i]);
836: }
837:
838: /*
839: * Encrypt the integer using the public key and host key of the
840: * server (key with smaller modulus first).
841: */
842: if (BN_cmp(public_key->n, host_key->n) < 0) {
843: /* Public key has smaller modulus. */
844: if (BN_num_bits(host_key->n) <
845: BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
846: fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
847: "SSH_KEY_BITS_RESERVED %d",
848: BN_num_bits(host_key->n),
849: BN_num_bits(public_key->n),
850: SSH_KEY_BITS_RESERVED);
851: }
852: rsa_public_encrypt(key, key, public_key);
853: rsa_public_encrypt(key, key, host_key);
854: } else {
855: /* Host key has smaller modulus (or they are equal). */
856: if (BN_num_bits(public_key->n) <
857: BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
858: fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
859: "SSH_KEY_BITS_RESERVED %d",
860: BN_num_bits(public_key->n),
861: BN_num_bits(host_key->n),
862: SSH_KEY_BITS_RESERVED);
863: }
864: rsa_public_encrypt(key, key, host_key);
865: rsa_public_encrypt(key, key, public_key);
866: }
867:
868: /* Destroy the public keys since we no longer need them. */
869: RSA_free(public_key);
870: RSA_free(host_key);
871:
1.11 markus 872: if (options.cipher == SSH_CIPHER_NOT_SET) {
873: if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
874: options.cipher = ssh_cipher_default;
875: } else if (options.cipher == SSH_CIPHER_ILLEGAL ||
1.10 markus 876: !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
1.3 markus 877: log("No valid SSH1 cipher, using %.100s instead.",
1.7 markus 878: cipher_name(ssh_cipher_default));
879: options.cipher = ssh_cipher_default;
1.1 markus 880: }
881: /* Check that the selected cipher is supported. */
882: if (!(supported_ciphers & (1 << options.cipher)))
883: fatal("Selected cipher type %.100s not supported by server.",
884: cipher_name(options.cipher));
885:
886: debug("Encryption type: %.100s", cipher_name(options.cipher));
887:
888: /* Send the encrypted session key to the server. */
889: packet_start(SSH_CMSG_SESSION_KEY);
890: packet_put_char(options.cipher);
891:
892: /* Send the cookie back to the server. */
893: for (i = 0; i < 8; i++)
894: packet_put_char(cookie[i]);
895:
896: /* Send and destroy the encrypted encryption key integer. */
897: packet_put_bignum(key);
898: BN_clear_free(key);
899:
900: /* Send protocol flags. */
901: packet_put_int(client_flags);
902:
903: /* Send the packet now. */
904: packet_send();
905: packet_write_wait();
906:
907: debug("Sent encrypted session key.");
908:
909: /* Set the encryption key. */
910: packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
911:
912: /* We will no longer need the session key here. Destroy any extra copies. */
913: memset(session_key, 0, sizeof(session_key));
914:
915: /*
916: * Expect a success message from the server. Note that this message
917: * will be received in encrypted form.
918: */
919: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
920:
921: debug("Received encrypted confirmation.");
922: }
923:
924: /*
925: * Authenticate user
926: */
927: void
928: ssh_userauth(
1.15 deraadt 929: const char *local_user,
930: const char *server_user,
1.1 markus 931: char *host,
932: int host_key_valid, RSA *own_host_key)
933: {
934: int i, type;
935: int payload_len;
936:
937: if (supported_authentications == 0)
938: fatal("ssh_userauth: server supports no auth methods");
939:
940: /* Send the name of the user to log in as on the server. */
941: packet_start(SSH_CMSG_USER);
942: packet_put_string(server_user, strlen(server_user));
943: packet_send();
944: packet_write_wait();
945:
946: /*
947: * The server should respond with success if no authentication is
948: * needed (the user has no password). Otherwise the server responds
949: * with failure.
950: */
951: type = packet_read(&payload_len);
952:
953: /* check whether the connection was accepted without authentication. */
954: if (type == SSH_SMSG_SUCCESS)
955: return;
956: if (type != SSH_SMSG_FAILURE)
957: packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
958: type);
959:
960: #ifdef AFS
961: /* Try Kerberos tgt passing if the server supports it. */
962: if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
963: options.kerberos_tgt_passing) {
964: if (options.cipher == SSH_CIPHER_NONE)
965: log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
966: (void) send_kerberos_tgt();
967: }
968: /* Try AFS token passing if the server supports it. */
969: if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
970: options.afs_token_passing && k_hasafs()) {
971: if (options.cipher == SSH_CIPHER_NONE)
972: log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
973: send_afs_tokens();
974: }
975: #endif /* AFS */
976:
977: #ifdef KRB4
978: if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
979: options.kerberos_authentication) {
980: debug("Trying Kerberos authentication.");
981: if (try_kerberos_authentication()) {
982: /* The server should respond with success or failure. */
983: type = packet_read(&payload_len);
984: if (type == SSH_SMSG_SUCCESS)
985: return;
986: if (type != SSH_SMSG_FAILURE)
987: packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
988: }
989: }
990: #endif /* KRB4 */
991:
992: /*
993: * Use rhosts authentication if running in privileged socket and we
994: * do not wish to remain anonymous.
995: */
996: if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
997: options.rhosts_authentication) {
998: debug("Trying rhosts authentication.");
999: packet_start(SSH_CMSG_AUTH_RHOSTS);
1000: packet_put_string(local_user, strlen(local_user));
1001: packet_send();
1002: packet_write_wait();
1003:
1004: /* The server should respond with success or failure. */
1005: type = packet_read(&payload_len);
1006: if (type == SSH_SMSG_SUCCESS)
1007: return;
1008: if (type != SSH_SMSG_FAILURE)
1009: packet_disconnect("Protocol error: got %d in response to rhosts auth",
1010: type);
1011: }
1012: /*
1013: * Try .rhosts or /etc/hosts.equiv authentication with RSA host
1014: * authentication.
1015: */
1016: if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
1017: options.rhosts_rsa_authentication && host_key_valid) {
1018: if (try_rhosts_rsa_authentication(local_user, own_host_key))
1019: return;
1020: }
1021: /* Try RSA authentication if the server supports it. */
1022: if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
1023: options.rsa_authentication) {
1024: /*
1025: * Try RSA authentication using the authentication agent. The
1026: * agent is tried first because no passphrase is needed for
1027: * it, whereas identity files may require passphrases.
1028: */
1029: if (try_agent_authentication())
1030: return;
1031:
1032: /* Try RSA authentication for each identity. */
1033: for (i = 0; i < options.num_identity_files; i++)
1.9 markus 1034: if (options.identity_files_type[i] == KEY_RSA1 &&
1035: try_rsa_authentication(options.identity_files[i]))
1.1 markus 1036: return;
1037: }
1.20 markus 1038: /* Try challenge response authentication if the server supports it. */
1.1 markus 1039: if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
1.20 markus 1040: options.challenge_reponse_authentication && !options.batch_mode) {
1041: if (try_challenge_reponse_authentication())
1.1 markus 1042: return;
1043: }
1044: /* Try password authentication if the server supports it. */
1045: if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
1046: options.password_authentication && !options.batch_mode) {
1047: char prompt[80];
1048:
1.23 itojun 1049: snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
1.1 markus 1050: server_user, host);
1051: if (try_password_authentication(prompt))
1052: return;
1053: }
1054: /* All authentication methods have failed. Exit with an error message. */
1055: fatal("Permission denied.");
1056: /* NOTREACHED */
1057: }