version 1.28, 2017/05/30 14:10:53 |
version 1.29, 2017/05/30 14:25:42 |
|
|
#include "misc.h" |
#include "misc.h" |
#include "servconf.h" |
#include "servconf.h" |
#include "compat.h" |
#include "compat.h" |
#include "key.h" |
#include "sshkey.h" |
#include "hostfile.h" |
#include "hostfile.h" |
#include "auth.h" |
#include "auth.h" |
#include "canohost.h" |
#include "canohost.h" |
|
|
#endif |
#endif |
#include "monitor_wrap.h" |
#include "monitor_wrap.h" |
#include "pathnames.h" |
#include "pathnames.h" |
|
#include "ssherr.h" |
#include "match.h" |
#include "match.h" |
|
|
/* import */ |
/* import */ |
|
|
static int |
static int |
userauth_hostbased(Authctxt *authctxt) |
userauth_hostbased(Authctxt *authctxt) |
{ |
{ |
Buffer b; |
struct ssh *ssh = active_state; /* XXX */ |
|
struct sshbuf *b; |
struct sshkey *key = NULL; |
struct sshkey *key = NULL; |
char *pkalg, *cuser, *chost, *service; |
char *pkalg, *cuser, *chost, *service; |
u_char *pkblob, *sig; |
u_char *pkblob, *sig; |
u_int alen, blen, slen; |
size_t alen, blen, slen; |
int pktype; |
int r, pktype, authenticated = 0; |
int authenticated = 0; |
|
|
|
if (!authctxt->valid) { |
if (!authctxt->valid) { |
debug2("userauth_hostbased: disabled because of invalid user"); |
debug2("%s: disabled because of invalid user", __func__); |
return 0; |
return 0; |
} |
} |
pkalg = packet_get_string(&alen); |
/* XXX use sshkey_froms() */ |
pkblob = packet_get_string(&blen); |
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || |
chost = packet_get_string(NULL); |
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || |
cuser = packet_get_string(NULL); |
(r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 || |
sig = packet_get_string(&slen); |
(r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 || |
|
(r = sshpkt_get_string(ssh, &sig, &slen)) != 0) |
|
fatal("%s: packet parsing: %s", __func__, ssh_err(r)); |
|
|
debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d", |
debug("%s: cuser %s chost %s pkalg %s slen %zu", __func__, |
cuser, chost, pkalg, slen); |
cuser, chost, pkalg, slen); |
#ifdef DEBUG_PK |
#ifdef DEBUG_PK |
debug("signature:"); |
debug("signature:"); |
buffer_init(&b); |
sshbuf_dump_data(sig, siglen, stderr); |
buffer_append(&b, sig, slen); |
|
buffer_dump(&b); |
|
buffer_free(&b); |
|
#endif |
#endif |
pktype = key_type_from_name(pkalg); |
pktype = sshkey_type_from_name(pkalg); |
if (pktype == KEY_UNSPEC) { |
if (pktype == KEY_UNSPEC) { |
/* this is perfectly legal */ |
/* this is perfectly legal */ |
logit("userauth_hostbased: unsupported " |
logit("%s: unsupported public key algorithm: %s", |
"public key algorithm: %s", pkalg); |
__func__, pkalg); |
goto done; |
goto done; |
} |
} |
key = key_from_blob(pkblob, blen); |
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
|
error("%s: key_from_blob: %s", __func__, ssh_err(r)); |
|
goto done; |
|
} |
if (key == NULL) { |
if (key == NULL) { |
error("userauth_hostbased: cannot decode key: %s", pkalg); |
error("%s: cannot decode key: %s", __func__, pkalg); |
goto done; |
goto done; |
} |
} |
if (key->type != pktype) { |
if (key->type != pktype) { |
error("userauth_hostbased: type mismatch for decoded key " |
error("%s: type mismatch for decoded key " |
"(received %d, expected %d)", key->type, pktype); |
"(received %d, expected %d)", __func__, key->type, pktype); |
goto done; |
goto done; |
} |
} |
if (key_type_plain(key->type) == KEY_RSA && |
if (sshkey_type_plain(key->type) == KEY_RSA && |
(datafellows & SSH_BUG_RSASIGMD5) != 0) { |
(ssh->compat & SSH_BUG_RSASIGMD5) != 0) { |
error("Refusing RSA key because peer uses unsafe " |
error("Refusing RSA key because peer uses unsafe " |
"signature format"); |
"signature format"); |
goto done; |
goto done; |
|
|
goto done; |
goto done; |
} |
} |
|
|
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
authctxt->service; |
authctxt->service; |
buffer_init(&b); |
if ((b = sshbuf_new()) == NULL) |
buffer_put_string(&b, session_id2, session_id2_len); |
fatal("%s: sshbuf_new failed", __func__); |
/* reconstruct packet */ |
/* reconstruct packet */ |
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); |
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || |
buffer_put_cstring(&b, authctxt->user); |
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || |
buffer_put_cstring(&b, service); |
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 || |
buffer_put_cstring(&b, "hostbased"); |
(r = sshbuf_put_cstring(b, service)) != 0 || |
buffer_put_string(&b, pkalg, alen); |
(r = sshbuf_put_cstring(b, "hostbased")) != 0 || |
buffer_put_string(&b, pkblob, blen); |
(r = sshbuf_put_string(b, pkalg, alen)) != 0 || |
buffer_put_cstring(&b, chost); |
(r = sshbuf_put_string(b, pkblob, blen)) != 0 || |
buffer_put_cstring(&b, cuser); |
(r = sshbuf_put_cstring(b, chost)) != 0 || |
|
(r = sshbuf_put_cstring(b, cuser)) != 0) |
|
fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
#ifdef DEBUG_PK |
#ifdef DEBUG_PK |
buffer_dump(&b); |
sshbuf_dump(b, stderr); |
#endif |
#endif |
|
|
pubkey_auth_info(authctxt, key, |
pubkey_auth_info(authctxt, key, |
|
|
/* test for allowed key and correct signature */ |
/* test for allowed key and correct signature */ |
authenticated = 0; |
authenticated = 0; |
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && |
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && |
PRIVSEP(sshkey_verify(key, sig, slen, buffer_ptr(&b), |
PRIVSEP(sshkey_verify(key, sig, slen, |
buffer_len(&b), 0)) == 0) |
sshbuf_ptr(b), sshbuf_len(b), ssh->compat)) == 0) |
authenticated = 1; |
authenticated = 1; |
|
|
buffer_free(&b); |
sshbuf_free(b); |
done: |
done: |
debug2("userauth_hostbased: authenticated %d", authenticated); |
debug2("%s: authenticated %d", __func__, authenticated); |
if (key != NULL) |
if (key != NULL) |
key_free(key); |
sshkey_free(key); |
free(pkalg); |
free(pkalg); |
free(pkblob); |
free(pkblob); |
free(cuser); |
free(cuser); |
|
|
} |
} |
debug2("%s: access allowed by auth_rhosts2", __func__); |
debug2("%s: access allowed by auth_rhosts2", __func__); |
|
|
if (key_is_cert(key) && |
if (sshkey_is_cert(key) && |
key_cert_check_authority(key, 1, 0, lookup, &reason)) { |
sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) { |
error("%s", reason); |
error("%s", reason); |
auth_debug_add("%s", reason); |
auth_debug_add("%s", reason); |
return 0; |
return 0; |
|
|
} |
} |
|
|
if (host_status == HOST_OK) { |
if (host_status == HOST_OK) { |
if (key_is_cert(key)) { |
if (sshkey_is_cert(key)) { |
if ((fp = sshkey_fingerprint(key->cert->signature_key, |
if ((fp = sshkey_fingerprint(key->cert->signature_key, |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal("%s: sshkey_fingerprint fail", __func__); |
verbose("Accepted certificate ID \"%s\" signed by " |
verbose("Accepted certificate ID \"%s\" signed by " |
"%s CA %s from %s@%s", key->cert->key_id, |
"%s CA %s from %s@%s", key->cert->key_id, |
key_type(key->cert->signature_key), fp, |
sshkey_type(key->cert->signature_key), fp, |
cuser, lookup); |
cuser, lookup); |
} else { |
} else { |
if ((fp = sshkey_fingerprint(key, |
if ((fp = sshkey_fingerprint(key, |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal("%s: sshkey_fingerprint fail", __func__); |
verbose("Accepted %s public key %s from %s@%s", |
verbose("Accepted %s public key %s from %s@%s", |
key_type(key), fp, cuser, lookup); |
sshkey_type(key), fp, cuser, lookup); |
} |
} |
free(fp); |
free(fp); |
} |
} |