version 1.83, 2002/01/29 14:32:03 |
version 1.84, 2002/02/04 11:58:10 |
|
|
userauth_pubkey(Authctxt *authctxt) |
userauth_pubkey(Authctxt *authctxt) |
{ |
{ |
Buffer b; |
Buffer b; |
Key *key; |
Key *key = NULL; |
char *pkalg, *pkblob, *sig; |
char *pkalg, *pkblob, *sig; |
u_int alen, blen, slen; |
u_int alen, blen, slen; |
int have_sig, pktype; |
int have_sig, pktype; |
|
|
pktype = key_type_from_name(pkalg); |
pktype = key_type_from_name(pkalg); |
if (pktype == KEY_UNSPEC) { |
if (pktype == KEY_UNSPEC) { |
/* this is perfectly legal */ |
/* this is perfectly legal */ |
log("userauth_pubkey: unsupported public key algorithm: %s", pkalg); |
log("userauth_pubkey: unsupported public key algorithm: %s", |
xfree(pkalg); |
pkalg); |
xfree(pkblob); |
goto done; |
return 0; |
|
} |
} |
key = key_from_blob(pkblob, blen); |
key = key_from_blob(pkblob, blen); |
if (key != NULL) { |
if (key == NULL) { |
if (have_sig) { |
error("userauth_pubkey: cannot decode key: %s", pkalg); |
sig = packet_get_string(&slen); |
goto done; |
packet_check_eom(); |
} |
buffer_init(&b); |
if (key->type != pktype) { |
if (datafellows & SSH_OLD_SESSIONID) { |
error("userauth_pubkey: type mismatch for decoded key " |
buffer_append(&b, session_id2, session_id2_len); |
"(received %d, expected %d)", key->type, pktype); |
} else { |
goto done; |
buffer_put_string(&b, session_id2, session_id2_len); |
} |
} |
if (have_sig) { |
/* reconstruct packet */ |
sig = packet_get_string(&slen); |
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); |
packet_check_eom(); |
buffer_put_cstring(&b, authctxt->user); |
buffer_init(&b); |
buffer_put_cstring(&b, |
if (datafellows & SSH_OLD_SESSIONID) { |
datafellows & SSH_BUG_PKSERVICE ? |
buffer_append(&b, session_id2, session_id2_len); |
"ssh-userauth" : |
} else { |
authctxt->service); |
buffer_put_string(&b, session_id2, session_id2_len); |
if (datafellows & SSH_BUG_PKAUTH) { |
} |
buffer_put_char(&b, have_sig); |
/* reconstruct packet */ |
} else { |
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); |
buffer_put_cstring(&b, "publickey"); |
buffer_put_cstring(&b, authctxt->user); |
buffer_put_char(&b, have_sig); |
buffer_put_cstring(&b, |
buffer_put_cstring(&b, pkalg); |
datafellows & SSH_BUG_PKSERVICE ? |
} |
"ssh-userauth" : |
buffer_put_string(&b, pkblob, blen); |
authctxt->service); |
|
if (datafellows & SSH_BUG_PKAUTH) { |
|
buffer_put_char(&b, have_sig); |
|
} else { |
|
buffer_put_cstring(&b, "publickey"); |
|
buffer_put_char(&b, have_sig); |
|
buffer_put_cstring(&b, pkalg); |
|
} |
|
buffer_put_string(&b, pkblob, blen); |
#ifdef DEBUG_PK |
#ifdef DEBUG_PK |
buffer_dump(&b); |
buffer_dump(&b); |
#endif |
#endif |
/* test for correct signature */ |
/* test for correct signature */ |
if (user_key_allowed(authctxt->pw, key) && |
if (user_key_allowed(authctxt->pw, key) && |
key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) |
key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) |
authenticated = 1; |
authenticated = 1; |
buffer_clear(&b); |
buffer_clear(&b); |
xfree(sig); |
xfree(sig); |
} else { |
} else { |
debug("test whether pkalg/pkblob are acceptable"); |
debug("test whether pkalg/pkblob are acceptable"); |
packet_check_eom(); |
packet_check_eom(); |
|
|
/* XXX fake reply and always send PK_OK ? */ |
/* XXX fake reply and always send PK_OK ? */ |
/* |
/* |
* XXX this allows testing whether a user is allowed |
* XXX this allows testing whether a user is allowed |
* to login: if you happen to have a valid pubkey this |
* to login: if you happen to have a valid pubkey this |
* message is sent. the message is NEVER sent at all |
* message is sent. the message is NEVER sent at all |
* if a user is not allowed to login. is this an |
* if a user is not allowed to login. is this an |
* issue? -markus |
* issue? -markus |
*/ |
*/ |
if (user_key_allowed(authctxt->pw, key)) { |
if (user_key_allowed(authctxt->pw, key)) { |
packet_start(SSH2_MSG_USERAUTH_PK_OK); |
packet_start(SSH2_MSG_USERAUTH_PK_OK); |
packet_put_string(pkalg, alen); |
packet_put_string(pkalg, alen); |
packet_put_string(pkblob, blen); |
packet_put_string(pkblob, blen); |
packet_send(); |
packet_send(); |
packet_write_wait(); |
packet_write_wait(); |
authctxt->postponed = 1; |
authctxt->postponed = 1; |
} |
|
} |
} |
if (authenticated != 1) |
|
auth_clear_options(); |
|
key_free(key); |
|
} |
} |
|
if (authenticated != 1) |
|
auth_clear_options(); |
|
done: |
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); |
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); |
|
if (key != NULL) |
|
key_free(key); |
xfree(pkalg); |
xfree(pkalg); |
xfree(pkblob); |
xfree(pkblob); |
return authenticated; |
return authenticated; |
|
|
userauth_hostbased(Authctxt *authctxt) |
userauth_hostbased(Authctxt *authctxt) |
{ |
{ |
Buffer b; |
Buffer b; |
Key *key; |
Key *key = NULL; |
char *pkalg, *pkblob, *sig, *cuser, *chost, *service; |
char *pkalg, *pkblob, *sig, *cuser, *chost, *service; |
u_int alen, blen, slen; |
u_int alen, blen, slen; |
int pktype; |
int pktype; |
|
|
} |
} |
key = key_from_blob(pkblob, blen); |
key = key_from_blob(pkblob, blen); |
if (key == NULL) { |
if (key == NULL) { |
debug("userauth_hostbased: cannot decode key: %s", pkalg); |
error("userauth_hostbased: cannot decode key: %s", pkalg); |
goto done; |
goto done; |
} |
} |
|
if (key->type != pktype) { |
|
error("userauth_hostbased: type mismatch for decoded key " |
|
"(received %d, expected %d)", key->type, pktype); |
|
goto done; |
|
} |
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
authctxt->service; |
authctxt->service; |
buffer_init(&b); |
buffer_init(&b); |
|
|
authenticated = 1; |
authenticated = 1; |
|
|
buffer_clear(&b); |
buffer_clear(&b); |
key_free(key); |
|
|
|
done: |
done: |
debug2("userauth_hostbased: authenticated %d", authenticated); |
debug2("userauth_hostbased: authenticated %d", authenticated); |
|
if (key != NULL) |
|
key_free(key); |
xfree(pkalg); |
xfree(pkalg); |
xfree(pkblob); |
xfree(pkblob); |
xfree(cuser); |
xfree(cuser); |