=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect2.c,v retrieving revision 1.99.2.3 retrieving revision 1.100 diff -u -r1.99.2.3 -r1.100 --- src/usr.bin/ssh/sshconnect2.c 2003/04/03 22:35:18 1.99.2.3 +++ src/usr.bin/ssh/sshconnect2.c 2002/05/23 19:24:30 1.100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.99.2.3 2003/04/03 22:35:18 miod Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.100 2002/05/23 19:24:30 markus Exp $"); #include "ssh.h" #include "ssh2.h" @@ -95,10 +95,10 @@ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); if (options.compression) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none"; + myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib"; } else { myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib"; + myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; } if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = @@ -110,8 +110,6 @@ /* start key exchange */ kex = kex_setup(myproposal); - kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; - kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->verify_host_key=&verify_host_key_callback; @@ -130,6 +128,7 @@ packet_send(); packet_write_wait(); #endif + debug("done: ssh_kex2."); } /* @@ -225,23 +224,24 @@ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; + debug("send SSH2_MSG_SERVICE_REQUEST"); packet_start(SSH2_MSG_SERVICE_REQUEST); packet_put_cstring("ssh-userauth"); packet_send(); - debug("SSH2_MSG_SERVICE_REQUEST sent"); packet_write_wait(); type = packet_read(); - if (type != SSH2_MSG_SERVICE_ACCEPT) - fatal("Server denied authentication request: %d", type); + if (type != SSH2_MSG_SERVICE_ACCEPT) { + fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type); + } if (packet_remaining() > 0) { char *reply = packet_get_string(NULL); - debug2("service_accept: %s", reply); + debug("service_accept: %s", reply); xfree(reply); } else { - debug2("buggy server: service_accept w/o service"); + debug("buggy server: service_accept w/o service"); } packet_check_eom(); - debug("SSH2_MSG_SERVICE_ACCEPT received"); + debug("got SSH2_MSG_SERVICE_ACCEPT"); if (options.preferred_authentications == NULL) options.preferred_authentications = authmethods_get(); @@ -273,7 +273,7 @@ if (authctxt.agent != NULL) ssh_close_authentication_connection(authctxt.agent); - debug("Authentication succeeded (%s).", authctxt.method->name); + debug("ssh-userauth2 successful: method %s", authctxt.method->name); } void userauth(Authctxt *authctxt, char *authlist) @@ -299,14 +299,12 @@ } } } - void input_userauth_error(int type, u_int32_t seq, void *ctxt) { fatal("input_userauth_error: bad message during authentication: " "type %d", type); } - void input_userauth_banner(int type, u_int32_t seq, void *ctxt) { @@ -318,7 +316,6 @@ xfree(msg); xfree(lang); } - void input_userauth_success(int type, u_int32_t seq, void *ctxt) { @@ -330,7 +327,6 @@ clear_auth_state(authctxt); authctxt->success = 1; /* break out */ } - void input_userauth_failure(int type, u_int32_t seq, void *ctxt) { @@ -347,7 +343,7 @@ if (partial != 0) log("Authenticated with partial success."); - debug("Authentications that can continue: %s", authlist); + debug("authentications that can continue: %s", authlist); clear_auth_state(authctxt); userauth(authctxt, authlist); @@ -379,7 +375,7 @@ } packet_check_eom(); - debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d", + debug("input_userauth_pk_ok: pkalg %s blen %d lastkey %p hint %d", pkalg, blen, authctxt->last_key, authctxt->last_key_hint); do { @@ -399,7 +395,7 @@ if (key->type != pktype) { error("input_userauth_pk_ok: type mismatch " "for decoded key (received %d, expected %d)", - key->type, pktype); + key->type, pktype); break; } fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); @@ -422,7 +418,7 @@ clear_auth_state(authctxt); dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL); - /* try another method if we did not send a packet */ + /* try another method if we did not send a packet*/ if (sent == 0) userauth(authctxt, NULL); @@ -467,7 +463,7 @@ packet_add_padding(64); packet_send(); - dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, + dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, &input_userauth_passwd_changereq); return 1; @@ -499,7 +495,7 @@ packet_put_cstring(authctxt->service); packet_put_cstring(authctxt->method->name); packet_put_char(1); /* additional info */ - snprintf(prompt, sizeof(prompt), + snprintf(prompt, sizeof(prompt), "Enter %.30s@%.128s's old password: ", authctxt->server_user, authctxt->host); password = read_passphrase(prompt, 0); @@ -508,7 +504,7 @@ xfree(password); password = NULL; while (password == NULL) { - snprintf(prompt, sizeof(prompt), + snprintf(prompt, sizeof(prompt), "Enter %.30s@%.128s's new password: ", authctxt->server_user, authctxt->host); password = read_passphrase(prompt, RP_ALLOW_EOF); @@ -516,7 +512,7 @@ /* bail out */ return; } - snprintf(prompt, sizeof(prompt), + snprintf(prompt, sizeof(prompt), "Retype %.30s@%.128s's new password: ", authctxt->server_user, authctxt->host); retype = read_passphrase(prompt, 0); @@ -534,8 +530,8 @@ xfree(password); packet_add_padding(64); packet_send(); - - dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, + + dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, &input_userauth_passwd_changereq); } @@ -764,7 +760,7 @@ if (k == NULL) { debug2("userauth_pubkey_agent: no more keys"); } else { - debug("Offering agent key: %s", comment); + debug("userauth_pubkey_agent: testing agent key %s", comment); xfree(comment); ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1); if (ret == 0) @@ -792,7 +788,7 @@ key = options.identity_keys[idx]; filename = options.identity_files[idx]; if (key == NULL) { - debug("Trying private key: %s", filename); + debug("try privkey: %s", filename); key = load_identity_file(filename); if (key != NULL) { sent = sign_and_send_pubkey(authctxt, key, @@ -800,7 +796,7 @@ key_free(key); } } else if (key->type != KEY_RSA1) { - debug("Offering public key: %s", filename); + debug("try pubkey: %s", filename); sent = send_pubkey_test(authctxt, key, identity_sign_cb, idx); } @@ -898,20 +894,17 @@ } static int -ssh_keysign(Key *key, u_char **sigp, u_int *lenp, +ssh_keysign( + Key *key, + u_char **sigp, u_int *lenp, u_char *data, u_int datalen) { Buffer b; - struct stat st; pid_t pid; - int to[2], from[2], status, version = 2; + int to[2], from[2], status, version = 1; - debug2("ssh_keysign called"); + debug("ssh_keysign called"); - if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) { - error("ssh_keysign: no installed: %s", strerror(errno)); - return -1; - } if (fflush(stdout) != 0) error("ssh_keysign: fflush: %s", strerror(errno)); if (pipe(to) < 0) { @@ -935,9 +928,7 @@ close(to[1]); if (dup2(to[0], STDIN_FILENO) < 0) fatal("ssh_keysign: dup2: %s", strerror(errno)); - close(from[1]); - close(to[0]); - execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0); + execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0); fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN, strerror(errno)); } @@ -945,33 +936,36 @@ close(to[0]); buffer_init(&b); - buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */ buffer_put_string(&b, data, datalen); - ssh_msg_send(to[1], version, &b); + msg_send(to[1], version, &b); - if (ssh_msg_recv(from[0], &b) < 0) { - error("ssh_keysign: no reply"); + if (msg_recv(from[0], &b) < 0) { + debug("ssh_keysign: no reply"); buffer_clear(&b); return -1; } - close(from[0]); - close(to[1]); - - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - break; - if (buffer_get_char(&b) != version) { - error("ssh_keysign: bad version"); + debug("ssh_keysign: bad version"); buffer_clear(&b); return -1; } *sigp = buffer_get_string(&b, lenp); buffer_clear(&b); + close(from[0]); + close(to[1]); + + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + break; + return 0; } +/* + * this will be move to an external program (ssh-keysign) ASAP. ssh-keysign + * will be setuid-root and the sbit can be removed from /usr/bin/ssh. + */ int userauth_hostbased(Authctxt *authctxt) { @@ -995,7 +989,7 @@ } } if (!found) { - debug("No more client hostkeys for hostbased authentication."); + debug("userauth_hostbased: no more client hostkeys"); return 0; } if (key_to_blob(private, &blob, &blen) == 0) { @@ -1014,7 +1008,6 @@ strlcpy(chost, p, len); strlcat(chost, ".", len); debug2("userauth_hostbased: chost %s", chost); - xfree(p); service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; @@ -1101,7 +1094,6 @@ static Authmethod *current = NULL; static char *supported = NULL; static char *preferred = NULL; - /* * Given the authentication method list sent by the server, return the * next method we should try. If the server initially sends a nil list, @@ -1110,6 +1102,7 @@ static Authmethod * authmethod_get(char *authlist) { + char *name = NULL; u_int next; @@ -1130,7 +1123,7 @@ for (;;) { if ((name = match_list(preferred, supported, &next)) == NULL) { - debug("No more authentication methods to try."); + debug("no more auth methods to try"); current = NULL; return NULL; } @@ -1140,7 +1133,7 @@ if ((current = authmethod_lookup(name)) != NULL && authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); - debug("Next authentication method: %s", name); + debug("next auth method to try is %s", name); return current; } }