version 1.42, 2019/11/25 00:51:37 |
version 1.43, 2020/10/18 11:32:01 |
|
|
(r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 || |
(r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 || |
(r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 || |
(r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 || |
(r = sshpkt_get_string(ssh, &sig, &slen)) != 0) |
(r = sshpkt_get_string(ssh, &sig, &slen)) != 0) |
fatal("%s: packet parsing: %s", __func__, ssh_err(r)); |
fatal_fr(r, "parse packet"); |
|
|
debug("%s: cuser %s chost %s pkalg %s slen %zu", __func__, |
debug_f("cuser %s chost %s pkalg %s slen %zu", |
cuser, chost, pkalg, slen); |
cuser, chost, pkalg, slen); |
#ifdef DEBUG_PK |
#ifdef DEBUG_PK |
debug("signature:"); |
debug("signature:"); |
|
|
pktype = sshkey_type_from_name(pkalg); |
pktype = sshkey_type_from_name(pkalg); |
if (pktype == KEY_UNSPEC) { |
if (pktype == KEY_UNSPEC) { |
/* this is perfectly legal */ |
/* this is perfectly legal */ |
logit("%s: unsupported public key algorithm: %s", |
logit_f("unsupported public key algorithm: %s", |
__func__, pkalg); |
pkalg); |
goto done; |
goto done; |
} |
} |
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
error("%s: key_from_blob: %s", __func__, ssh_err(r)); |
error_fr(r, "key_from_blob"); |
goto done; |
goto done; |
} |
} |
if (key == NULL) { |
if (key == NULL) { |
error("%s: cannot decode key: %s", __func__, pkalg); |
error_f("cannot decode key: %s", pkalg); |
goto done; |
goto done; |
} |
} |
if (key->type != pktype) { |
if (key->type != pktype) { |
error("%s: type mismatch for decoded key " |
error_f("type mismatch for decoded key " |
"(received %d, expected %d)", __func__, key->type, pktype); |
"(received %d, expected %d)", key->type, pktype); |
goto done; |
goto done; |
} |
} |
if (sshkey_type_plain(key->type) == KEY_RSA && |
if (sshkey_type_plain(key->type) == KEY_RSA && |
|
|
goto done; |
goto done; |
} |
} |
if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) { |
if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) { |
logit("%s: key type %s not in HostbasedAcceptedKeyTypes", |
logit_f("key type %s not in HostbasedAcceptedKeyTypes", |
__func__, sshkey_type(key)); |
sshkey_type(key)); |
goto done; |
goto done; |
} |
} |
if ((r = sshkey_check_cert_sigtype(key, |
if ((r = sshkey_check_cert_sigtype(key, |
options.ca_sign_algorithms)) != 0) { |
options.ca_sign_algorithms)) != 0) { |
logit("%s: certificate signature algorithm %s: %s", __func__, |
logit_fr(r, "certificate signature algorithm %s", |
(key->cert == NULL || key->cert->signature_type == NULL) ? |
(key->cert == NULL || key->cert->signature_type == NULL) ? |
"(null)" : key->cert->signature_type, ssh_err(r)); |
"(null)" : key->cert->signature_type); |
goto done; |
goto done; |
} |
} |
|
|
if (!authctxt->valid || authctxt->user == NULL) { |
if (!authctxt->valid || authctxt->user == NULL) { |
debug2("%s: disabled because of invalid user", __func__); |
debug2_f("disabled because of invalid user"); |
goto done; |
goto done; |
} |
} |
|
|
if ((b = sshbuf_new()) == NULL) |
if ((b = sshbuf_new()) == NULL) |
fatal("%s: sshbuf_new failed", __func__); |
fatal_f("sshbuf_new failed"); |
/* reconstruct packet */ |
/* reconstruct packet */ |
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || |
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || |
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || |
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || |
|
|
(r = sshbuf_put_string(b, pkblob, blen)) != 0 || |
(r = sshbuf_put_string(b, pkblob, blen)) != 0 || |
(r = sshbuf_put_cstring(b, chost)) != 0 || |
(r = sshbuf_put_cstring(b, chost)) != 0 || |
(r = sshbuf_put_cstring(b, cuser)) != 0) |
(r = sshbuf_put_cstring(b, cuser)) != 0) |
fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
fatal_fr(r, "reconstruct packet"); |
#ifdef DEBUG_PK |
#ifdef DEBUG_PK |
sshbuf_dump(b, stderr); |
sshbuf_dump(b, stderr); |
#endif |
#endif |
|
|
auth2_record_key(authctxt, authenticated, key); |
auth2_record_key(authctxt, authenticated, key); |
sshbuf_free(b); |
sshbuf_free(b); |
done: |
done: |
debug2("%s: authenticated %d", __func__, authenticated); |
debug2_f("authenticated %d", authenticated); |
sshkey_free(key); |
sshkey_free(key); |
free(pkalg); |
free(pkalg); |
free(pkblob); |
free(pkblob); |
|
|
resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); |
resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); |
ipaddr = ssh_remote_ipaddr(ssh); |
ipaddr = ssh_remote_ipaddr(ssh); |
|
|
debug2("%s: chost %s resolvedname %s ipaddr %s", __func__, |
debug2_f("chost %s resolvedname %s ipaddr %s", |
chost, resolvedname, ipaddr); |
chost, resolvedname, ipaddr); |
|
|
if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { |
if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { |
|
|
|
|
if (options.hostbased_uses_name_from_packet_only) { |
if (options.hostbased_uses_name_from_packet_only) { |
if (auth_rhosts2(pw, cuser, chost, chost) == 0) { |
if (auth_rhosts2(pw, cuser, chost, chost) == 0) { |
debug2("%s: auth_rhosts2 refused " |
debug2_f("auth_rhosts2 refused user \"%.100s\" " |
"user \"%.100s\" host \"%.100s\" (from packet)", |
"host \"%.100s\" (from packet)", cuser, chost); |
__func__, cuser, chost); |
|
return 0; |
return 0; |
} |
} |
lookup = chost; |
lookup = chost; |
|
|
"client sends %s, but we resolve %s to %s", |
"client sends %s, but we resolve %s to %s", |
chost, ipaddr, resolvedname); |
chost, ipaddr, resolvedname); |
if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) { |
if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) { |
debug2("%s: auth_rhosts2 refused " |
debug2_f("auth_rhosts2 refused " |
"user \"%.100s\" host \"%.100s\" addr \"%.100s\"", |
"user \"%.100s\" host \"%.100s\" addr \"%.100s\"", |
__func__, cuser, resolvedname, ipaddr); |
cuser, resolvedname, ipaddr); |
return 0; |
return 0; |
} |
} |
lookup = resolvedname; |
lookup = resolvedname; |
} |
} |
debug2("%s: access allowed by auth_rhosts2", __func__); |
debug2_f("access allowed by auth_rhosts2"); |
|
|
if (sshkey_is_cert(key) && |
if (sshkey_is_cert(key) && |
sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) { |
sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) { |
|
|
if (sshkey_is_cert(key)) { |
if (sshkey_is_cert(key)) { |
if ((fp = sshkey_fingerprint(key->cert->signature_key, |
if ((fp = sshkey_fingerprint(key->cert->signature_key, |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
verbose("Accepted certificate ID \"%s\" signed by " |
verbose("Accepted certificate ID \"%s\" signed by " |
"%s CA %s from %s@%s", key->cert->key_id, |
"%s CA %s from %s@%s", key->cert->key_id, |
sshkey_type(key->cert->signature_key), fp, |
sshkey_type(key->cert->signature_key), fp, |
|
|
} else { |
} else { |
if ((fp = sshkey_fingerprint(key, |
if ((fp = sshkey_fingerprint(key, |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
verbose("Accepted %s public key %s from %s@%s", |
verbose("Accepted %s public key %s from %s@%s", |
sshkey_type(key), fp, cuser, lookup); |
sshkey_type(key), fp, cuser, lookup); |
} |
} |
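Review bot: In the HostbasedAcceptedKeyTypes rejection branch, the converted `logit_f` call still prints `sshkey_type(key)` although the test just above it matches `pkalg` against `options.hostbased_key_types`, so the log line may name a different string than the one that failed the match. Anyone triaging refused host-based logins from this message would then be checking the wrong value against the configured list. I would log the tested value instead, bounded like the auth_rhosts2 messages further down: `logit_f("key type %.100s not in HostbasedAcceptedKeyTypes", pkalg);`. Whether the two names can actually differ depends on how `pkalg` is parsed, which is outside the visible lines, as are the start and end of the enclosing function.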