version 1.42, 1999/12/01 14:07:22 |
version 1.43, 1999/12/01 14:24:38 |
|
|
/* Session id for the current session. */ |
/* Session id for the current session. */ |
unsigned char session_id[16]; |
unsigned char session_id[16]; |
|
|
|
extern Options options; |
|
|
/* |
/* |
* Connect to the given ssh server using a proxy command. |
* Connect to the given ssh server using a proxy command. |
*/ |
*/ |
|
|
* the user using it. |
* the user using it. |
*/ |
*/ |
int |
int |
try_rsa_authentication(struct passwd * pw, const char *authfile) |
try_rsa_authentication(const char *authfile) |
{ |
{ |
extern Options options; |
|
BIGNUM *challenge; |
BIGNUM *challenge; |
RSA *private_key; |
RSA *private_key; |
RSA *public_key; |
RSA *public_key; |
|
|
public_key = RSA_new(); |
public_key = RSA_new(); |
if (!load_public_key(authfile, public_key, &comment)) { |
if (!load_public_key(authfile, public_key, &comment)) { |
RSA_free(public_key); |
RSA_free(public_key); |
return 0; /* Could not load it. Fail. */ |
/* Could not load it. Fail. */ |
|
return 0; |
} |
} |
debug("Trying RSA authentication with key '%.100s'", comment); |
debug("Trying RSA authentication with key '%.100s'", comment); |
|
|
|
|
if (type == SSH_SMSG_FAILURE) { |
if (type == SSH_SMSG_FAILURE) { |
debug("Server refused our key."); |
debug("Server refused our key."); |
xfree(comment); |
xfree(comment); |
return 0; /* Server refuses to authenticate with |
return 0; |
this key. */ |
|
} |
} |
/* Otherwise, the server should respond with a challenge. */ |
/* Otherwise, the server should respond with a challenge. */ |
if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) |
if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) |
|
|
#endif /* AFS */ |
#endif /* AFS */ |
|
|
/* |
/* |
|
* Tries to authenticate with any string-based challenge/response system. |
|
* Note that the client code is not tied to s/key or TIS. |
|
*/ |
|
int |
|
try_skey_authentication() |
|
{ |
|
int type, i, payload_len; |
|
char *challenge, *response; |
|
|
|
debug("Doing skey authentication."); |
|
|
|
/* request a challenge */ |
|
packet_start(SSH_CMSG_AUTH_TIS); |
|
packet_send(); |
|
packet_write_wait(); |
|
|
|
type = packet_read(&payload_len); |
|
if (type != SSH_SMSG_FAILURE && |
|
type != SSH_SMSG_AUTH_TIS_CHALLENGE) { |
|
packet_disconnect("Protocol error: got %d in response " |
|
"to skey-auth", type); |
|
} |
|
if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { |
|
debug("No challenge for skey authentication."); |
|
return 0; |
|
} |
|
challenge = packet_get_string(&payload_len); |
|
if (options.cipher == SSH_CIPHER_NONE) |
|
log("WARNING: Encryption is disabled! " |
|
"Reponse will be transmitted in clear text."); |
|
fprintf(stderr, "%s\n", challenge); |
|
fflush(stderr); |
|
for (i = 0; i < options.number_of_password_prompts; i++) { |
|
if (i != 0) |
|
error("Permission denied, please try again."); |
|
response = read_passphrase("Response: ", 0); |
|
packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); |
|
packet_put_string(response, strlen(response)); |
|
memset(response, 0, strlen(response)); |
|
xfree(response); |
|
packet_send(); |
|
packet_write_wait(); |
|
type = packet_read(&payload_len); |
|
if (type == SSH_SMSG_SUCCESS) |
|
return 1; |
|
if (type != SSH_SMSG_FAILURE) |
|
packet_disconnect("Protocol error: got %d in response " |
|
"to skey-auth-reponse", type); |
|
} |
|
/* failure */ |
|
return 0; |
|
} |
|
|
|
/* |
|
* Tries to authenticate with plain passwd authentication. |
|
*/ |
|
int |
|
try_password_authentication(char *prompt) |
|
{ |
|
int type, i, payload_len; |
|
char *password; |
|
|
|
debug("Doing password authentication."); |
|
if (options.cipher == SSH_CIPHER_NONE) |
|
log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); |
|
for (i = 0; i < options.number_of_password_prompts; i++) { |
|
if (i != 0) |
|
error("Permission denied, please try again."); |
|
password = read_passphrase(prompt, 0); |
|
packet_start(SSH_CMSG_AUTH_PASSWORD); |
|
packet_put_string(password, strlen(password)); |
|
memset(password, 0, strlen(password)); |
|
xfree(password); |
|
packet_send(); |
|
packet_write_wait(); |
|
|
|
type = packet_read(&payload_len); |
|
if (type == SSH_SMSG_SUCCESS) |
|
return 1; |
|
if (type != SSH_SMSG_FAILURE) |
|
packet_disconnect("Protocol error: got %d in response to passwd auth", type); |
|
} |
|
/* failure */ |
|
return 0; |
|
} |
|
|
|
/* |
* Waits for the server identification string, and sends our own |
* Waits for the server identification string, and sends our own |
* identification string. |
* identification string. |
*/ |
*/ |
|
|
int remote_major, remote_minor, i; |
int remote_major, remote_minor, i; |
int connection_in = packet_get_connection_in(); |
int connection_in = packet_get_connection_in(); |
int connection_out = packet_get_connection_out(); |
int connection_out = packet_get_connection_out(); |
extern Options options; |
|
|
|
/* Read other side\'s version identification. */ |
/* Read other side\'s version identification. */ |
for (i = 0; i < sizeof(buf) - 1; i++) { |
for (i = 0; i < sizeof(buf) - 1; i++) { |
|
|
struct sockaddr_in *hostaddr, |
struct sockaddr_in *hostaddr, |
uid_t original_real_uid) |
uid_t original_real_uid) |
{ |
{ |
extern Options options; |
|
int i, type; |
int i, type; |
char *password; |
|
struct passwd *pw; |
struct passwd *pw; |
BIGNUM *key; |
BIGNUM *key; |
RSA *host_key, *file_key; |
RSA *host_key, *file_key; |
|
|
|
|
/* Try RSA authentication for each identity. */ |
/* Try RSA authentication for each identity. */ |
for (i = 0; i < options.num_identity_files; i++) |
for (i = 0; i < options.num_identity_files; i++) |
if (try_rsa_authentication(pw, options.identity_files[i])) |
if (try_rsa_authentication(options.identity_files[i])) |
return; |
return; |
} |
} |
/* Try skey authentication if the server supports it. */ |
/* Try skey authentication if the server supports it. */ |
if ((supported_authentications & (1 << SSH_AUTH_TIS)) && |
if ((supported_authentications & (1 << SSH_AUTH_TIS)) && |
options.skey_authentication && !options.batch_mode) { |
options.skey_authentication && !options.batch_mode) { |
debug("Doing skey authentication."); |
if (try_skey_authentication()) |
|
return; |
/* request a challenge */ |
|
packet_start(SSH_CMSG_AUTH_TIS); |
|
packet_send(); |
|
packet_write_wait(); |
|
|
|
type = packet_read(&payload_len); |
|
if (type != SSH_SMSG_FAILURE && |
|
type != SSH_SMSG_AUTH_TIS_CHALLENGE) { |
|
packet_disconnect("Protocol error: got %d in response " |
|
"to skey auth", type); |
|
} |
|
if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { |
|
debug("No challenge for skey authentication."); |
|
} else { |
|
char *challenge, *response; |
|
challenge = packet_get_string(&payload_len); |
|
if (options.cipher == SSH_CIPHER_NONE) |
|
log("WARNING: Encryption is disabled! " |
|
"Reponse will be transmitted in clear text."); |
|
fprintf(stderr, "%s\n", challenge); |
|
fflush(stderr); |
|
for (i = 0; i < options.number_of_password_prompts; i++) { |
|
if (i != 0) |
|
error("Permission denied, please try again."); |
|
response = read_passphrase("Response: ", 0); |
|
packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); |
|
packet_put_string(response, strlen(response)); |
|
memset(response, 0, strlen(response)); |
|
xfree(response); |
|
packet_send(); |
|
packet_write_wait(); |
|
type = packet_read(&payload_len); |
|
if (type == SSH_SMSG_SUCCESS) |
|
return; |
|
if (type != SSH_SMSG_FAILURE) |
|
packet_disconnect("Protocol error: got %d in response " |
|
"to skey auth", type); |
|
} |
|
} |
|
} |
} |
/* Try password authentication if the server supports it. */ |
/* Try password authentication if the server supports it. */ |
if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && |
if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && |
options.password_authentication && !options.batch_mode) { |
options.password_authentication && !options.batch_mode) { |
char prompt[80]; |
char prompt[80]; |
snprintf(prompt, sizeof(prompt), "%.30s@%.30s's password: ", |
snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", |
server_user, host); |
server_user, host); |
debug("Doing password authentication."); |
if (try_password_authentication(prompt)) |
if (options.cipher == SSH_CIPHER_NONE) |
return; |
log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); |
|
for (i = 0; i < options.number_of_password_prompts; i++) { |
|
if (i != 0) |
|
error("Permission denied, please try again."); |
|
password = read_passphrase(prompt, 0); |
|
packet_start(SSH_CMSG_AUTH_PASSWORD); |
|
packet_put_string(password, strlen(password)); |
|
memset(password, 0, strlen(password)); |
|
xfree(password); |
|
packet_send(); |
|
packet_write_wait(); |
|
|
|
type = packet_read(&payload_len); |
|
if (type == SSH_SMSG_SUCCESS) |
|
return; |
|
if (type != SSH_SMSG_FAILURE) |
|
packet_disconnect("Protocol error: got %d in response to passwd auth", type); |
|
} |
|
} |
} |
/* All authentication methods have failed. Exit with an error message. */ |
/* All authentication methods have failed. Exit with an error message. */ |
fatal("Permission denied."); |
fatal("Permission denied."); |
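Review bot: In the new try_skey_authentication the challenge obtained from packet_get_string is written to the user's terminal verbatim by `fprintf(stderr, "%s\n", challenge);` and is never released — neither the `return 1;` inside the prompt loop nor the final `return 0;` calls `xfree(challenge)`, so each attempt leaks the allocation (the old inline code had the same leak, but the refactor is the moment to fix it). The challenge is data supplied by the remote server and should be treated as untrusted before it reaches the terminal: filter non-printable bytes, or at minimum length-bound it with `"%.*s"` and an explicit limit, rather than passing it straight to `%s`. For the leak, `xfree(challenge);` directly after `fflush(stderr);` is enough, since the pointer is not used afterwards, and the response buffers in the same loop already follow the `memset`-then-`xfree` pattern it can sit beside. Separately, the widened prompt format `"%.30s@%.40s's password: "` can need 30+1+40+13 bytes, more than the 80-byte `prompt` buffer; snprintf truncates safely, but a long host name will drop the trailing `'s password: ` text, so either keep `%.30s` or enlarge `prompt`.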