Annotation of src/usr.bin/ssh/sshconnect2.c, Revision 1.121
1.1 markus 1: /*
2: * Copyright (c) 2000 Markus Friedl. All rights reserved.
3: *
4: * Redistribution and use in source and binary forms, with or without
5: * modification, are permitted provided that the following conditions
6: * are met:
7: * 1. Redistributions of source code must retain the above copyright
8: * notice, this list of conditions and the following disclaimer.
9: * 2. Redistributions in binary form must reproduce the above copyright
10: * notice, this list of conditions and the following disclaimer in the
11: * documentation and/or other materials provided with the distribution.
12: *
13: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23: */
24:
25: #include "includes.h"
1.121 ! markus 26: RCSID("$OpenBSD: sshconnect2.c,v 1.120 2003/06/24 08:23:46 markus Exp $");
1.118 markus 27:
28: #ifdef KRB5
29: #include <krb5.h>
30: #endif
1.1 markus 31:
32: #include "ssh.h"
1.37 markus 33: #include "ssh2.h"
1.1 markus 34: #include "xmalloc.h"
35: #include "buffer.h"
36: #include "packet.h"
37: #include "compat.h"
38: #include "bufaux.h"
1.37 markus 39: #include "cipher.h"
1.1 markus 40: #include "kex.h"
41: #include "myproposal.h"
42: #include "sshconnect.h"
43: #include "authfile.h"
1.57 provos 44: #include "dh.h"
1.17 markus 45: #include "authfd.h"
1.37 markus 46: #include "log.h"
47: #include "readconf.h"
48: #include "readpass.h"
1.53 markus 49: #include "match.h"
1.61 markus 50: #include "dispatch.h"
1.68 markus 51: #include "canohost.h"
1.100 markus 52: #include "msg.h"
53: #include "pathnames.h"
1.22 provos 54:
1.121 ! markus 55: #ifdef GSSAPI
! 56: #include "ssh-gss.h"
! 57: #endif
! 58:
1.1 markus 59: /* import */
60: extern char *client_version_string;
61: extern char *server_version_string;
62: extern Options options;
63:
64: /*
65: * SSH2 key exchange
66: */
67:
1.32 markus 68: u_char *session_id2 = NULL;
1.120 markus 69: u_int session_id2_len = 0;
1.1 markus 70:
1.61 markus 71: char *xxx_host;
72: struct sockaddr *xxx_hostaddr;
73:
1.63 markus 74: Kex *xxx_kex = NULL;
75:
1.76 itojun 76: static int
1.75 markus 77: verify_host_key_callback(Key *hostkey)
1.61 markus 78: {
1.75 markus 79: if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
1.83 markus 80: fatal("Host key verification failed.");
1.61 markus 81: return 0;
82: }
83:
1.1 markus 84: void
1.22 provos 85: ssh_kex2(char *host, struct sockaddr *hostaddr)
86: {
87: Kex *kex;
1.61 markus 88:
89: xxx_host = host;
90: xxx_hostaddr = hostaddr;
1.22 provos 91:
1.29 markus 92: if (options.ciphers == (char *)-1) {
1.116 itojun 93: logit("No valid ciphers for protocol version 2 given, using defaults.");
1.29 markus 94: options.ciphers = NULL;
1.24 markus 95: }
1.22 provos 96: if (options.ciphers != NULL) {
97: myproposal[PROPOSAL_ENC_ALGS_CTOS] =
98: myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
99: }
1.60 stevesk 100: myproposal[PROPOSAL_ENC_ALGS_CTOS] =
101: compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
102: myproposal[PROPOSAL_ENC_ALGS_STOC] =
103: compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
1.22 provos 104: if (options.compression) {
1.47 markus 105: myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1.107 markus 106: myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
1.22 provos 107: } else {
1.47 markus 108: myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1.107 markus 109: myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
1.47 markus 110: }
111: if (options.macs != NULL) {
112: myproposal[PROPOSAL_MAC_ALGS_CTOS] =
113: myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
1.22 provos 114: }
1.70 markus 115: if (options.hostkeyalgorithms != NULL)
1.88 deraadt 116: myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
1.70 markus 117: options.hostkeyalgorithms;
1.115 markus 118:
119: if (options.rekey_limit)
120: packet_set_rekey_limit(options.rekey_limit);
1.22 provos 121:
1.65 markus 122: /* start key exchange */
1.64 markus 123: kex = kex_setup(myproposal);
1.111 markus 124: kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
125: kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
1.61 markus 126: kex->client_version_string=client_version_string;
127: kex->server_version_string=server_version_string;
1.75 markus 128: kex->verify_host_key=&verify_host_key_callback;
1.63 markus 129:
130: xxx_kex = kex;
1.22 provos 131:
1.66 markus 132: dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
1.62 markus 133:
134: session_id2 = kex->session_id;
135: session_id2_len = kex->session_id_len;
1.22 provos 136:
137: #ifdef DEBUG_KEXDH
138: /* send 1st encrypted/maced/compressed message */
139: packet_start(SSH2_MSG_IGNORE);
140: packet_put_cstring("markus");
141: packet_send();
142: packet_write_wait();
143: #endif
1.1 markus 144: }
1.11 markus 145:
1.1 markus 146: /*
147: * Authenticate user
148: */
1.20 markus 149:
150: typedef struct Authctxt Authctxt;
151: typedef struct Authmethod Authmethod;
1.117 markus 152: typedef struct identity Identity;
153: typedef struct idlist Idlist;
1.20 markus 154:
1.117 markus 155: struct identity {
156: TAILQ_ENTRY(identity) next;
157: AuthenticationConnection *ac; /* set if agent supports key */
158: Key *key; /* public/private key */
159: char *filename; /* comment for agent-only keys */
160: int tried;
161: int isprivate; /* key points to the private key */
162: };
163: TAILQ_HEAD(idlist, identity);
1.20 markus 164:
165: struct Authctxt {
166: const char *server_user;
1.68 markus 167: const char *local_user;
1.20 markus 168: const char *host;
169: const char *service;
1.23 markus 170: Authmethod *method;
1.20 markus 171: int success;
1.51 markus 172: char *authlist;
1.68 markus 173: /* pubkey */
1.117 markus 174: Idlist keys;
1.68 markus 175: AuthenticationConnection *agent;
176: /* hostbased */
1.100 markus 177: Sensitive *sensitive;
1.82 markus 178: /* kbd-interactive */
179: int info_req_seen;
1.121 ! markus 180: /* generic */
! 181: void *methoddata;
1.20 markus 182: };
183: struct Authmethod {
184: char *name; /* string to compare against server's list */
185: int (*userauth)(Authctxt *authctxt);
186: int *enabled; /* flag in option struct that enables method */
187: int *batch_flag; /* flag in option struct that disables method */
188: };
189:
1.92 markus 190: void input_userauth_success(int, u_int32_t, void *);
191: void input_userauth_failure(int, u_int32_t, void *);
192: void input_userauth_banner(int, u_int32_t, void *);
193: void input_userauth_error(int, u_int32_t, void *);
194: void input_userauth_info_req(int, u_int32_t, void *);
195: void input_userauth_pk_ok(int, u_int32_t, void *);
1.99 markus 196: void input_userauth_passwd_changereq(int, u_int32_t, void *);
1.86 itojun 197:
198: int userauth_none(Authctxt *);
199: int userauth_pubkey(Authctxt *);
200: int userauth_passwd(Authctxt *);
201: int userauth_kbdint(Authctxt *);
202: int userauth_hostbased(Authctxt *);
1.118 markus 203: int userauth_kerberos(Authctxt *);
1.20 markus 204:
1.121 ! markus 205: #ifdef GSSAPI
! 206: int userauth_gssapi(Authctxt *authctxt);
! 207: void input_gssapi_response(int type, u_int32_t, void *);
! 208: void input_gssapi_token(int type, u_int32_t, void *);
! 209: void input_gssapi_hash(int type, u_int32_t, void *);
! 210: void input_gssapi_error(int, u_int32_t, void *);
! 211: void input_gssapi_errtok(int, u_int32_t, void *);
! 212: #endif
! 213:
1.86 itojun 214: void userauth(Authctxt *, char *);
1.51 markus 215:
1.117 markus 216: static int sign_and_send_pubkey(Authctxt *, Identity *);
217: static void pubkey_prepare(Authctxt *);
218: static void pubkey_cleanup(Authctxt *);
219: static Key *load_identity_file(char *);
1.76 itojun 220:
221: static Authmethod *authmethod_get(char *authlist);
222: static Authmethod *authmethod_lookup(const char *name);
223: static char *authmethods_get(void);
1.20 markus 224:
225: Authmethod authmethods[] = {
1.121 ! markus 226: #ifdef GSSAPI
! 227: {"gssapi",
! 228: userauth_gssapi,
! 229: &options.gss_authentication,
! 230: NULL},
! 231: #endif
1.81 markus 232: {"hostbased",
233: userauth_hostbased,
234: &options.hostbased_authentication,
235: NULL},
1.118 markus 236: #if KRB5
237: {"kerberos-2@ssh.com",
238: userauth_kerberos,
239: &options.kerberos_authentication,
240: NULL},
241: #endif
1.20 markus 242: {"publickey",
243: userauth_pubkey,
1.28 markus 244: &options.pubkey_authentication,
1.20 markus 245: NULL},
1.81 markus 246: {"keyboard-interactive",
247: userauth_kbdint,
248: &options.kbd_interactive_authentication,
249: &options.batch_mode},
1.20 markus 250: {"password",
251: userauth_passwd,
252: &options.password_authentication,
1.23 markus 253: &options.batch_mode},
254: {"none",
255: userauth_none,
256: NULL,
257: NULL},
1.20 markus 258: {NULL, NULL, NULL, NULL}
259: };
260:
261: void
1.68 markus 262: ssh_userauth2(const char *local_user, const char *server_user, char *host,
1.100 markus 263: Sensitive *sensitive)
1.20 markus 264: {
265: Authctxt authctxt;
266: int type;
1.39 markus 267:
1.73 markus 268: if (options.challenge_response_authentication)
1.39 markus 269: options.kbd_interactive_authentication = 1;
1.20 markus 270:
271: packet_start(SSH2_MSG_SERVICE_REQUEST);
272: packet_put_cstring("ssh-userauth");
273: packet_send();
1.108 markus 274: debug("SSH2_MSG_SERVICE_REQUEST sent");
1.20 markus 275: packet_write_wait();
1.91 markus 276: type = packet_read();
1.108 markus 277: if (type != SSH2_MSG_SERVICE_ACCEPT)
278: fatal("Server denied authentication request: %d", type);
1.20 markus 279: if (packet_remaining() > 0) {
1.91 markus 280: char *reply = packet_get_string(NULL);
1.108 markus 281: debug2("service_accept: %s", reply);
1.20 markus 282: xfree(reply);
283: } else {
1.109 markus 284: debug2("buggy server: service_accept w/o service");
1.20 markus 285: }
1.90 markus 286: packet_check_eom();
1.108 markus 287: debug("SSH2_MSG_SERVICE_ACCEPT received");
1.20 markus 288:
1.53 markus 289: if (options.preferred_authentications == NULL)
290: options.preferred_authentications = authmethods_get();
291:
1.20 markus 292: /* setup authentication context */
1.82 markus 293: memset(&authctxt, 0, sizeof(authctxt));
1.117 markus 294: pubkey_prepare(&authctxt);
1.20 markus 295: authctxt.server_user = server_user;
1.68 markus 296: authctxt.local_user = local_user;
1.20 markus 297: authctxt.host = host;
298: authctxt.service = "ssh-connection"; /* service name */
299: authctxt.success = 0;
1.23 markus 300: authctxt.method = authmethod_lookup("none");
1.51 markus 301: authctxt.authlist = NULL;
1.121 ! markus 302: authctxt.methoddata = NULL;
1.100 markus 303: authctxt.sensitive = sensitive;
1.82 markus 304: authctxt.info_req_seen = 0;
1.23 markus 305: if (authctxt.method == NULL)
306: fatal("ssh_userauth2: internal error: cannot send userauth none request");
1.20 markus 307:
308: /* initial userauth request */
1.23 markus 309: userauth_none(&authctxt);
1.20 markus 310:
1.65 markus 311: dispatch_init(&input_userauth_error);
1.20 markus 312: dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
313: dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
1.35 markus 314: dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
1.20 markus 315: dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */
316:
1.117 markus 317: pubkey_cleanup(&authctxt);
1.119 markus 318: dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
319:
1.109 markus 320: debug("Authentication succeeded (%s).", authctxt.method->name);
1.20 markus 321: }
1.119 markus 322:
1.20 markus 323: void
1.51 markus 324: userauth(Authctxt *authctxt, char *authlist)
325: {
1.121 ! markus 326: if (authctxt->methoddata) {
! 327: xfree(authctxt->methoddata);
! 328: authctxt->methoddata = NULL;
! 329: }
1.51 markus 330: if (authlist == NULL) {
331: authlist = authctxt->authlist;
332: } else {
333: if (authctxt->authlist)
334: xfree(authctxt->authlist);
335: authctxt->authlist = authlist;
336: }
337: for (;;) {
338: Authmethod *method = authmethod_get(authlist);
339: if (method == NULL)
340: fatal("Permission denied (%s).", authlist);
341: authctxt->method = method;
1.119 markus 342:
343: /* reset the per method handler */
344: dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
345: SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
346:
347: /* and try new method */
1.51 markus 348: if (method->userauth(authctxt) != 0) {
349: debug2("we sent a %s packet, wait for reply", method->name);
350: break;
351: } else {
352: debug2("we did not send a packet, disable method");
353: method->enabled = NULL;
354: }
355: }
356: }
1.105 deraadt 357:
1.51 markus 358: void
1.92 markus 359: input_userauth_error(int type, u_int32_t seq, void *ctxt)
1.20 markus 360: {
1.35 markus 361: fatal("input_userauth_error: bad message during authentication: "
362: "type %d", type);
363: }
1.105 deraadt 364:
1.35 markus 365: void
1.92 markus 366: input_userauth_banner(int type, u_int32_t seq, void *ctxt)
1.35 markus 367: {
368: char *msg, *lang;
369: debug3("input_userauth_banner");
370: msg = packet_get_string(NULL);
371: lang = packet_get_string(NULL);
372: fprintf(stderr, "%s", msg);
373: xfree(msg);
374: xfree(lang);
1.20 markus 375: }
1.105 deraadt 376:
1.20 markus 377: void
1.92 markus 378: input_userauth_success(int type, u_int32_t seq, void *ctxt)
1.20 markus 379: {
380: Authctxt *authctxt = ctxt;
381: if (authctxt == NULL)
382: fatal("input_userauth_success: no authentication context");
1.51 markus 383: if (authctxt->authlist)
384: xfree(authctxt->authlist);
1.121 ! markus 385: if (authctxt->methoddata)
! 386: xfree(authctxt->methoddata);
1.20 markus 387: authctxt->success = 1; /* break out */
388: }
1.105 deraadt 389:
1.20 markus 390: void
1.92 markus 391: input_userauth_failure(int type, u_int32_t seq, void *ctxt)
1.20 markus 392: {
393: Authctxt *authctxt = ctxt;
394: char *authlist = NULL;
395: int partial;
396:
397: if (authctxt == NULL)
398: fatal("input_userauth_failure: no authentication context");
399:
1.23 markus 400: authlist = packet_get_string(NULL);
1.20 markus 401: partial = packet_get_char();
1.90 markus 402: packet_check_eom();
1.20 markus 403:
404: if (partial != 0)
1.116 itojun 405: logit("Authenticated with partial success.");
1.109 markus 406: debug("Authentications that can continue: %s", authlist);
1.20 markus 407:
1.51 markus 408: userauth(authctxt, authlist);
409: }
410: void
1.92 markus 411: input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
1.51 markus 412: {
413: Authctxt *authctxt = ctxt;
414: Key *key = NULL;
1.117 markus 415: Identity *id = NULL;
1.51 markus 416: Buffer b;
1.96 markus 417: int pktype, sent = 0;
418: u_int alen, blen;
419: char *pkalg, *fp;
420: u_char *pkblob;
1.51 markus 421:
422: if (authctxt == NULL)
423: fatal("input_userauth_pk_ok: no authentication context");
424: if (datafellows & SSH_BUG_PKOK) {
425: /* this is similar to SSH_BUG_PKAUTH */
426: debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
427: pkblob = packet_get_string(&blen);
428: buffer_init(&b);
429: buffer_append(&b, pkblob, blen);
430: pkalg = buffer_get_string(&b, &alen);
431: buffer_free(&b);
432: } else {
433: pkalg = packet_get_string(&alen);
434: pkblob = packet_get_string(&blen);
435: }
1.90 markus 436: packet_check_eom();
1.51 markus 437:
1.117 markus 438: debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
1.51 markus 439:
1.117 markus 440: if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
441: debug("unknown pkalg %s", pkalg);
442: goto done;
443: }
444: if ((key = key_from_blob(pkblob, blen)) == NULL) {
445: debug("no key from blob. pkalg %s", pkalg);
446: goto done;
447: }
448: if (key->type != pktype) {
449: error("input_userauth_pk_ok: type mismatch "
450: "for decoded key (received %d, expected %d)",
451: key->type, pktype);
452: goto done;
453: }
454: fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
455: debug2("input_userauth_pk_ok: fp %s", fp);
456: xfree(fp);
457:
458: TAILQ_FOREACH(id, &authctxt->keys, next) {
459: if (key_equal(key, id->key)) {
460: sent = sign_and_send_pubkey(authctxt, id);
1.51 markus 461: break;
462: }
1.117 markus 463: }
464: done:
1.51 markus 465: if (key != NULL)
466: key_free(key);
467: xfree(pkalg);
468: xfree(pkblob);
469:
1.106 deraadt 470: /* try another method if we did not send a packet */
1.51 markus 471: if (sent == 0)
472: userauth(authctxt, NULL);
1.20 markus 473: }
1.121 ! markus 474:
! 475: #ifdef GSSAPI
! 476: int
! 477: userauth_gssapi(Authctxt *authctxt)
! 478: {
! 479: Gssctxt *gssctxt = NULL;
! 480: static gss_OID_set supported = NULL;
! 481: static int mech = 0;
! 482: OM_uint32 min;
! 483: int ok = 0;
! 484:
! 485: /* Try one GSSAPI method at a time, rather than sending them all at
! 486: * once. */
! 487:
! 488: if (supported == NULL)
! 489: gss_indicate_mechs(&min, &supported);
! 490:
! 491: /* Check to see if the mechanism is usable before we offer it */
! 492: while (mech<supported->count && !ok) {
! 493: if (gssctxt)
! 494: ssh_gssapi_delete_ctx(&gssctxt);
! 495: ssh_gssapi_build_ctx(&gssctxt);
! 496: ssh_gssapi_set_oid(gssctxt, &supported->elements[mech]);
! 497:
! 498: /* My DER encoding requires length<128 */
! 499: if (supported->elements[mech].length < 128 &&
! 500: !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
! 501: authctxt->host))) {
! 502: ok = 1; /* Mechanism works */
! 503: } else {
! 504: mech++;
! 505: }
! 506: }
! 507:
! 508: if (!ok) return 0;
! 509:
! 510: authctxt->methoddata=(void *)gssctxt;
! 511:
! 512: packet_start(SSH2_MSG_USERAUTH_REQUEST);
! 513: packet_put_cstring(authctxt->server_user);
! 514: packet_put_cstring(authctxt->service);
! 515: packet_put_cstring(authctxt->method->name);
! 516:
! 517: packet_put_int(1);
! 518:
! 519: /* Some servers encode the OID incorrectly (as we used to) */
! 520: if (datafellows & SSH_BUG_GSSAPI_BER) {
! 521: packet_put_string(supported->elements[mech].elements,
! 522: supported->elements[mech].length);
! 523: } else {
! 524: packet_put_int((supported->elements[mech].length)+2);
! 525: packet_put_char(SSH_GSS_OIDTYPE);
! 526: packet_put_char(supported->elements[mech].length);
! 527: packet_put_raw(supported->elements[mech].elements,
! 528: supported->elements[mech].length);
! 529: }
! 530:
! 531: packet_send();
! 532:
! 533: dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
! 534: dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
! 535: dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
! 536: dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
! 537:
! 538: mech++; /* Move along to next candidate */
! 539:
! 540: return 1;
! 541: }
! 542:
! 543: void
! 544: input_gssapi_response(int type, u_int32_t plen, void *ctxt)
! 545: {
! 546: Authctxt *authctxt = ctxt;
! 547: Gssctxt *gssctxt;
! 548: OM_uint32 status, ms;
! 549: int oidlen;
! 550: char *oidv;
! 551: gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
! 552:
! 553: if (authctxt == NULL)
! 554: fatal("input_gssapi_response: no authentication context");
! 555: gssctxt = authctxt->methoddata;
! 556:
! 557: /* Setup our OID */
! 558: oidv = packet_get_string(&oidlen);
! 559:
! 560: if (datafellows & SSH_BUG_GSSAPI_BER) {
! 561: if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
! 562: fatal("Server returned different OID than expected");
! 563: } else {
! 564: if(oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen-2) {
! 565: debug("Badly encoded mechanism OID received");
! 566: userauth(authctxt, NULL);
! 567: xfree(oidv);
! 568: return;
! 569: }
! 570: if (!ssh_gssapi_check_oid(gssctxt, oidv+2, oidlen-2))
! 571: fatal("Server returned different OID than expected");
! 572: }
! 573:
! 574: packet_check_eom();
! 575:
! 576: xfree(oidv);
! 577:
! 578: status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
! 579: GSS_C_NO_BUFFER, &send_tok, NULL);
! 580: if (GSS_ERROR(status)) {
! 581: if (send_tok.length > 0) {
! 582: packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
! 583: packet_put_string(send_tok.value, send_tok.length);
! 584: packet_send();
! 585: gss_release_buffer(&ms, &send_tok);
! 586: }
! 587: /* Start again with next method on list */
! 588: debug("Trying to start again");
! 589: userauth(authctxt, NULL);
! 590: return;
! 591: }
! 592:
! 593: /* We must have data to send */
! 594: packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
! 595: packet_put_string(send_tok.value, send_tok.length);
! 596: packet_send();
! 597: gss_release_buffer(&ms, &send_tok);
! 598: }
! 599:
! 600: void
! 601: input_gssapi_token(int type, u_int32_t plen, void *ctxt)
! 602: {
! 603: Authctxt *authctxt = ctxt;
! 604: Gssctxt *gssctxt;
! 605: gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
! 606: gss_buffer_desc recv_tok;
! 607: OM_uint32 status, ms;
! 608: u_int slen;
! 609:
! 610: if (authctxt == NULL)
! 611: fatal("input_gssapi_response: no authentication context");
! 612: gssctxt = authctxt->methoddata;
! 613:
! 614: recv_tok.value = packet_get_string(&slen);
! 615: recv_tok.length = slen; /* safe typecast */
! 616:
! 617: packet_check_eom();
! 618:
! 619: status=ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
! 620: &recv_tok, &send_tok, NULL);
! 621:
! 622: xfree(recv_tok.value);
! 623:
! 624: if (GSS_ERROR(status)) {
! 625: if (send_tok.length > 0) {
! 626: packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
! 627: packet_put_string(send_tok.value, send_tok.length);
! 628: packet_send();
! 629: gss_release_buffer(&ms, &send_tok);
! 630: }
! 631: /* Start again with the next method in the list */
! 632: userauth(authctxt, NULL);
! 633: return;
! 634: }
! 635:
! 636: if (send_tok.length > 0) {
! 637: packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
! 638: packet_put_string(send_tok.value, send_tok.length);
! 639: packet_send();
! 640: gss_release_buffer(&ms, &send_tok);
! 641: }
! 642:
! 643: if (status == GSS_S_COMPLETE) {
! 644: /* If that succeeded, send a exchange complete message */
! 645: packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
! 646: packet_send();
! 647: }
! 648: }
! 649:
! 650: void
! 651: input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
! 652: {
! 653: Authctxt *authctxt = ctxt;
! 654: Gssctxt *gssctxt;
! 655: gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
! 656: gss_buffer_desc recv_tok;
! 657: OM_uint32 status, ms;
! 658:
! 659: if (authctxt == NULL)
! 660: fatal("input_gssapi_response: no authentication context");
! 661: gssctxt = authctxt->methoddata;
! 662:
! 663: recv_tok.value = packet_get_string(&recv_tok.length);
! 664:
! 665: packet_check_eom();
! 666:
! 667: /* Stick it into GSSAPI and see what it says */
! 668: status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
! 669: &recv_tok, &send_tok, NULL);
! 670:
! 671: xfree(recv_tok.value);
! 672: gss_release_buffer(&ms, &send_tok);
! 673:
! 674: /* Server will be returning a failed packet after this one */
! 675: }
! 676:
! 677: void
! 678: input_gssapi_error(int type, u_int32_t plen, void *ctxt)
! 679: {
! 680: OM_uint32 maj, min;
! 681: char *msg;
! 682: char *lang;
! 683:
! 684: maj=packet_get_int();
! 685: min=packet_get_int();
! 686: msg=packet_get_string(NULL);
! 687: lang=packet_get_string(NULL);
! 688:
! 689: packet_check_eom();
! 690:
! 691: debug("Server GSSAPI Error:\n%s\n", msg);
! 692: xfree(msg);
! 693: xfree(lang);
! 694: }
! 695: #endif /* GSSAPI */
1.20 markus 696:
1.1 markus 697: int
1.23 markus 698: userauth_none(Authctxt *authctxt)
699: {
700: /* initial userauth request */
701: packet_start(SSH2_MSG_USERAUTH_REQUEST);
702: packet_put_cstring(authctxt->server_user);
703: packet_put_cstring(authctxt->service);
704: packet_put_cstring(authctxt->method->name);
705: packet_send();
706: return 1;
707: }
708:
709: int
1.20 markus 710: userauth_passwd(Authctxt *authctxt)
1.1 markus 711: {
1.6 markus 712: static int attempt = 0;
1.99 markus 713: char prompt[150];
1.1 markus 714: char *password;
1.6 markus 715:
1.13 todd 716: if (attempt++ >= options.number_of_password_prompts)
1.6 markus 717: return 0;
1.13 todd 718:
1.87 deraadt 719: if (attempt != 1)
1.13 todd 720: error("Permission denied, please try again.");
1.1 markus 721:
1.43 itojun 722: snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
1.20 markus 723: authctxt->server_user, authctxt->host);
1.1 markus 724: password = read_passphrase(prompt, 0);
725: packet_start(SSH2_MSG_USERAUTH_REQUEST);
1.20 markus 726: packet_put_cstring(authctxt->server_user);
727: packet_put_cstring(authctxt->service);
1.23 markus 728: packet_put_cstring(authctxt->method->name);
1.1 markus 729: packet_put_char(0);
1.49 markus 730: packet_put_cstring(password);
1.1 markus 731: memset(password, 0, strlen(password));
732: xfree(password);
1.85 markus 733: packet_add_padding(64);
1.1 markus 734: packet_send();
1.99 markus 735:
1.104 deraadt 736: dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
1.99 markus 737: &input_userauth_passwd_changereq);
738:
1.1 markus 739: return 1;
740: }
1.99 markus 741: /*
742: * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
743: */
744: void
745: input_userauth_passwd_changereq(int type, uint32_t seqnr, void *ctxt)
746: {
747: Authctxt *authctxt = ctxt;
748: char *info, *lang, *password = NULL, *retype = NULL;
749: char prompt[150];
750:
751: debug2("input_userauth_passwd_changereq");
752:
753: if (authctxt == NULL)
754: fatal("input_userauth_passwd_changereq: "
755: "no authentication context");
756:
757: info = packet_get_string(NULL);
758: lang = packet_get_string(NULL);
759: if (strlen(info) > 0)
1.116 itojun 760: logit("%s", info);
1.99 markus 761: xfree(info);
762: xfree(lang);
763: packet_start(SSH2_MSG_USERAUTH_REQUEST);
764: packet_put_cstring(authctxt->server_user);
765: packet_put_cstring(authctxt->service);
766: packet_put_cstring(authctxt->method->name);
767: packet_put_char(1); /* additional info */
1.104 deraadt 768: snprintf(prompt, sizeof(prompt),
1.99 markus 769: "Enter %.30s@%.128s's old password: ",
770: authctxt->server_user, authctxt->host);
771: password = read_passphrase(prompt, 0);
772: packet_put_cstring(password);
773: memset(password, 0, strlen(password));
774: xfree(password);
775: password = NULL;
776: while (password == NULL) {
1.104 deraadt 777: snprintf(prompt, sizeof(prompt),
1.99 markus 778: "Enter %.30s@%.128s's new password: ",
779: authctxt->server_user, authctxt->host);
780: password = read_passphrase(prompt, RP_ALLOW_EOF);
781: if (password == NULL) {
782: /* bail out */
783: return;
784: }
1.104 deraadt 785: snprintf(prompt, sizeof(prompt),
1.99 markus 786: "Retype %.30s@%.128s's new password: ",
787: authctxt->server_user, authctxt->host);
788: retype = read_passphrase(prompt, 0);
789: if (strcmp(password, retype) != 0) {
790: memset(password, 0, strlen(password));
791: xfree(password);
1.116 itojun 792: logit("Mismatch; try again, EOF to quit.");
1.99 markus 793: password = NULL;
794: }
795: memset(retype, 0, strlen(retype));
796: xfree(retype);
797: }
798: packet_put_cstring(password);
799: memset(password, 0, strlen(password));
800: xfree(password);
801: packet_add_padding(64);
802: packet_send();
1.104 deraadt 803:
804: dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
1.99 markus 805: &input_userauth_passwd_changereq);
1.117 markus 806: }
807:
808: static int
809: identity_sign(Identity *id, u_char **sigp, u_int *lenp,
810: u_char *data, u_int datalen)
811: {
812: Key *prv;
813: int ret;
1.99 markus 814:
1.117 markus 815: /* the agent supports this key */
816: if (id->ac)
817: return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
818: data, datalen));
819: /*
820: * we have already loaded the private key or
821: * the private key is stored in external hardware
822: */
823: if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
824: return (key_sign(id->key, sigp, lenp, data, datalen));
825: /* load the private key from the file */
826: if ((prv = load_identity_file(id->filename)) == NULL)
827: return (-1);
828: ret = key_sign(prv, sigp, lenp, data, datalen);
829: key_free(prv);
830: return (ret);
1.51 markus 831: }
832:
1.76 itojun 833: static int
1.117 markus 834: sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1.1 markus 835: {
836: Buffer b;
1.32 markus 837: u_char *blob, *signature;
1.96 markus 838: u_int bloblen, slen;
1.120 markus 839: u_int skip = 0;
1.17 markus 840: int ret = -1;
1.23 markus 841: int have_sig = 1;
1.1 markus 842:
1.30 markus 843: debug3("sign_and_send_pubkey");
1.51 markus 844:
1.117 markus 845: if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1.28 markus 846: /* we cannot handle this key */
1.30 markus 847: debug3("sign_and_send_pubkey: cannot handle key");
1.28 markus 848: return 0;
849: }
1.1 markus 850: /* data to be signed */
851: buffer_init(&b);
1.26 markus 852: if (datafellows & SSH_OLD_SESSIONID) {
853: buffer_append(&b, session_id2, session_id2_len);
1.41 stevesk 854: skip = session_id2_len;
1.26 markus 855: } else {
1.14 markus 856: buffer_put_string(&b, session_id2, session_id2_len);
857: skip = buffer_len(&b);
858: }
1.1 markus 859: buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1.20 markus 860: buffer_put_cstring(&b, authctxt->server_user);
1.10 markus 861: buffer_put_cstring(&b,
1.30 markus 862: datafellows & SSH_BUG_PKSERVICE ?
1.10 markus 863: "ssh-userauth" :
1.20 markus 864: authctxt->service);
1.30 markus 865: if (datafellows & SSH_BUG_PKAUTH) {
866: buffer_put_char(&b, have_sig);
867: } else {
868: buffer_put_cstring(&b, authctxt->method->name);
869: buffer_put_char(&b, have_sig);
1.117 markus 870: buffer_put_cstring(&b, key_ssh_name(id->key));
1.30 markus 871: }
1.1 markus 872: buffer_put_string(&b, blob, bloblen);
873:
874: /* generate signature */
1.117 markus 875: ret = identity_sign(id, &signature, &slen,
1.51 markus 876: buffer_ptr(&b), buffer_len(&b));
1.17 markus 877: if (ret == -1) {
878: xfree(blob);
879: buffer_free(&b);
880: return 0;
881: }
1.28 markus 882: #ifdef DEBUG_PK
1.1 markus 883: buffer_dump(&b);
884: #endif
1.30 markus 885: if (datafellows & SSH_BUG_PKSERVICE) {
1.10 markus 886: buffer_clear(&b);
887: buffer_append(&b, session_id2, session_id2_len);
1.51 markus 888: skip = session_id2_len;
1.10 markus 889: buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1.20 markus 890: buffer_put_cstring(&b, authctxt->server_user);
891: buffer_put_cstring(&b, authctxt->service);
1.23 markus 892: buffer_put_cstring(&b, authctxt->method->name);
893: buffer_put_char(&b, have_sig);
1.30 markus 894: if (!(datafellows & SSH_BUG_PKAUTH))
1.117 markus 895: buffer_put_cstring(&b, key_ssh_name(id->key));
1.10 markus 896: buffer_put_string(&b, blob, bloblen);
897: }
898: xfree(blob);
1.51 markus 899:
1.1 markus 900: /* append signature */
901: buffer_put_string(&b, signature, slen);
902: xfree(signature);
903:
904: /* skip session id and packet type */
1.14 markus 905: if (buffer_len(&b) < skip + 1)
1.20 markus 906: fatal("userauth_pubkey: internal error");
1.14 markus 907: buffer_consume(&b, skip + 1);
1.1 markus 908:
909: /* put remaining data from buffer into packet */
910: packet_start(SSH2_MSG_USERAUTH_REQUEST);
911: packet_put_raw(buffer_ptr(&b), buffer_len(&b));
912: buffer_free(&b);
913: packet_send();
1.17 markus 914:
915: return 1;
1.16 markus 916: }
917:
1.76 itojun 918: static int
1.117 markus 919: send_pubkey_test(Authctxt *authctxt, Identity *id)
1.20 markus 920: {
1.51 markus 921: u_char *blob;
1.97 markus 922: u_int bloblen, have_sig = 0;
1.20 markus 923:
1.51 markus 924: debug3("send_pubkey_test");
1.16 markus 925:
1.117 markus 926: if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1.51 markus 927: /* we cannot handle this key */
928: debug3("send_pubkey_test: cannot handle key");
1.16 markus 929: return 0;
930: }
1.51 markus 931: /* register callback for USERAUTH_PK_OK message */
932: dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
933:
934: packet_start(SSH2_MSG_USERAUTH_REQUEST);
935: packet_put_cstring(authctxt->server_user);
936: packet_put_cstring(authctxt->service);
937: packet_put_cstring(authctxt->method->name);
938: packet_put_char(have_sig);
939: if (!(datafellows & SSH_BUG_PKAUTH))
1.117 markus 940: packet_put_cstring(key_ssh_name(id->key));
1.51 markus 941: packet_put_string(blob, bloblen);
942: xfree(blob);
943: packet_send();
944: return 1;
945: }
946:
1.76 itojun 947: static Key *
1.51 markus 948: load_identity_file(char *filename)
949: {
950: Key *private;
951: char prompt[300], *passphrase;
1.56 markus 952: int quit, i;
1.52 markus 953: struct stat st;
1.16 markus 954:
1.52 markus 955: if (stat(filename, &st) < 0) {
956: debug3("no such identity: %s", filename);
957: return NULL;
958: }
1.56 markus 959: private = key_load_private_type(KEY_UNSPEC, filename, "", NULL);
960: if (private == NULL) {
961: if (options.batch_mode)
1.51 markus 962: return NULL;
1.16 markus 963: snprintf(prompt, sizeof prompt,
1.88 deraadt 964: "Enter passphrase for key '%.100s': ", filename);
1.20 markus 965: for (i = 0; i < options.number_of_password_prompts; i++) {
966: passphrase = read_passphrase(prompt, 0);
967: if (strcmp(passphrase, "") != 0) {
1.56 markus 968: private = key_load_private_type(KEY_UNSPEC, filename,
969: passphrase, NULL);
1.51 markus 970: quit = 0;
1.20 markus 971: } else {
972: debug2("no passphrase given, try next key");
1.51 markus 973: quit = 1;
1.20 markus 974: }
975: memset(passphrase, 0, strlen(passphrase));
976: xfree(passphrase);
1.56 markus 977: if (private != NULL || quit)
1.20 markus 978: break;
979: debug2("bad passphrase given, try again...");
1.16 markus 980: }
981: }
1.51 markus 982: return private;
983: }
984:
1.117 markus 985: /*
986: * try keys in the following order:
987: * 1. agent keys that are found in the config file
988: * 2. other agent keys
989: * 3. keys that are only listed in the config file
990: */
991: static void
992: pubkey_prepare(Authctxt *authctxt)
1.51 markus 993: {
1.117 markus 994: Identity *id;
995: Idlist agent, files, *preferred;
996: Key *key;
997: AuthenticationConnection *ac;
998: char *comment;
999: int i, found;
1.51 markus 1000:
1.117 markus 1001: TAILQ_INIT(&agent); /* keys from the agent */
1002: TAILQ_INIT(&files); /* keys from the config file */
1003: preferred = &authctxt->keys;
1004: TAILQ_INIT(preferred); /* preferred order of keys */
1005:
1006: /* list of keys stored in the filesystem */
1007: for (i = 0; i < options.num_identity_files; i++) {
1008: key = options.identity_keys[i];
1009: if (key && key->type == KEY_RSA1)
1010: continue;
1011: options.identity_keys[i] = NULL;
1012: id = xmalloc(sizeof(*id));
1013: memset(id, 0, sizeof(*id));
1014: id->key = key;
1015: id->filename = xstrdup(options.identity_files[i]);
1016: TAILQ_INSERT_TAIL(&files, id, next);
1017: }
1018: /* list of keys supported by the agent */
1019: if ((ac = ssh_get_authentication_connection())) {
1020: for (key = ssh_get_first_identity(ac, &comment, 2);
1021: key != NULL;
1022: key = ssh_get_next_identity(ac, &comment, 2)) {
1023: found = 0;
1024: TAILQ_FOREACH(id, &files, next) {
1025: /* agent keys from the config file are preferred */
1026: if (key_equal(key, id->key)) {
1027: key_free(key);
1028: xfree(comment);
1029: TAILQ_REMOVE(&files, id, next);
1030: TAILQ_INSERT_TAIL(preferred, id, next);
1031: id->ac = ac;
1032: found = 1;
1033: break;
1034: }
1035: }
1036: if (!found) {
1037: id = xmalloc(sizeof(*id));
1038: memset(id, 0, sizeof(*id));
1039: id->key = key;
1040: id->filename = comment;
1041: id->ac = ac;
1042: TAILQ_INSERT_TAIL(&agent, id, next);
1043: }
1044: }
1045: /* append remaining agent keys */
1046: for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
1047: TAILQ_REMOVE(&agent, id, next);
1048: TAILQ_INSERT_TAIL(preferred, id, next);
1049: }
1050: authctxt->agent = ac;
1051: }
1052: /* append remaining keys from the config file */
1053: for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
1054: TAILQ_REMOVE(&files, id, next);
1055: TAILQ_INSERT_TAIL(preferred, id, next);
1056: }
1057: TAILQ_FOREACH(id, preferred, next) {
1058: debug2("key: %s (%p)", id->filename, id->key);
1059: }
1.17 markus 1060: }
1061:
1.117 markus 1062: static void
1063: pubkey_cleanup(Authctxt *authctxt)
1.51 markus 1064: {
1.117 markus 1065: Identity *id;
1.51 markus 1066:
1.117 markus 1067: if (authctxt->agent != NULL)
1068: ssh_close_authentication_connection(authctxt->agent);
1069: for (id = TAILQ_FIRST(&authctxt->keys); id;
1070: id = TAILQ_FIRST(&authctxt->keys)) {
1071: TAILQ_REMOVE(&authctxt->keys, id, next);
1072: if (id->key)
1073: key_free(id->key);
1074: if (id->filename)
1075: xfree(id->filename);
1076: xfree(id);
1077: }
1.1 markus 1078: }
1079:
1.20 markus 1080: int
1081: userauth_pubkey(Authctxt *authctxt)
1082: {
1.117 markus 1083: Identity *id;
1.20 markus 1084: int sent = 0;
1085:
1.117 markus 1086: while ((id = TAILQ_FIRST(&authctxt->keys))) {
1087: if (id->tried++)
1088: return (0);
1089: TAILQ_REMOVE(&authctxt->keys, id, next);
1090: TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
1091: /*
1092: * send a test message if we have the public key. for
1093: * encrypted keys we cannot do this and have to load the
1094: * private key instead
1095: */
1096: if (id->key && id->key->type != KEY_RSA1) {
1097: debug("Offering public key: %s", id->filename);
1098: sent = send_pubkey_test(authctxt, id);
1099: } else if (id->key == NULL) {
1100: debug("Trying private key: %s", id->filename);
1101: id->key = load_identity_file(id->filename);
1102: if (id->key != NULL) {
1103: id->isprivate = 1;
1104: sent = sign_and_send_pubkey(authctxt, id);
1105: key_free(id->key);
1106: id->key = NULL;
1.51 markus 1107: }
1108: }
1.117 markus 1109: if (sent)
1110: return (sent);
1.28 markus 1111: }
1.117 markus 1112: return (0);
1.20 markus 1113: }
1114:
1.23 markus 1115: /*
1116: * Send userauth request message specifying keyboard-interactive method.
1117: */
1118: int
1119: userauth_kbdint(Authctxt *authctxt)
1120: {
1121: static int attempt = 0;
1122:
1123: if (attempt++ >= options.number_of_password_prompts)
1124: return 0;
1.82 markus 1125: /* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1126: if (attempt > 1 && !authctxt->info_req_seen) {
1127: debug3("userauth_kbdint: disable: no info_req_seen");
1128: dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
1129: return 0;
1130: }
1.23 markus 1131:
1132: debug2("userauth_kbdint");
1133: packet_start(SSH2_MSG_USERAUTH_REQUEST);
1134: packet_put_cstring(authctxt->server_user);
1135: packet_put_cstring(authctxt->service);
1136: packet_put_cstring(authctxt->method->name);
1137: packet_put_cstring(""); /* lang */
1138: packet_put_cstring(options.kbd_interactive_devices ?
1139: options.kbd_interactive_devices : "");
1140: packet_send();
1141:
1142: dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
1143: return 1;
1144: }
1145:
1146: /*
1.46 markus 1147: * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1.23 markus 1148: */
1149: void
1.92 markus 1150: input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1.23 markus 1151: {
1152: Authctxt *authctxt = ctxt;
1.46 markus 1153: char *name, *inst, *lang, *prompt, *response;
1.32 markus 1154: u_int num_prompts, i;
1.23 markus 1155: int echo = 0;
1156:
1157: debug2("input_userauth_info_req");
1158:
1159: if (authctxt == NULL)
1160: fatal("input_userauth_info_req: no authentication context");
1.82 markus 1161:
1162: authctxt->info_req_seen = 1;
1.23 markus 1163:
1164: name = packet_get_string(NULL);
1165: inst = packet_get_string(NULL);
1166: lang = packet_get_string(NULL);
1167: if (strlen(name) > 0)
1.116 itojun 1168: logit("%s", name);
1.23 markus 1169: if (strlen(inst) > 0)
1.116 itojun 1170: logit("%s", inst);
1.46 markus 1171: xfree(name);
1.23 markus 1172: xfree(inst);
1.46 markus 1173: xfree(lang);
1.23 markus 1174:
1175: num_prompts = packet_get_int();
1176: /*
1177: * Begin to build info response packet based on prompts requested.
1178: * We commit to providing the correct number of responses, so if
1179: * further on we run into a problem that prevents this, we have to
1180: * be sure and clean this up and send a correct error response.
1181: */
1182: packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
1183: packet_put_int(num_prompts);
1184:
1.73 markus 1185: debug2("input_userauth_info_req: num_prompts %d", num_prompts);
1.23 markus 1186: for (i = 0; i < num_prompts; i++) {
1187: prompt = packet_get_string(NULL);
1188: echo = packet_get_char();
1189:
1.77 markus 1190: response = read_passphrase(prompt, echo ? RP_ECHO : 0);
1.23 markus 1191:
1.49 markus 1192: packet_put_cstring(response);
1.23 markus 1193: memset(response, 0, strlen(response));
1194: xfree(response);
1195: xfree(prompt);
1196: }
1.90 markus 1197: packet_check_eom(); /* done with parsing incoming message. */
1.23 markus 1198:
1.85 markus 1199: packet_add_padding(64);
1.23 markus 1200: packet_send();
1.68 markus 1201: }
1202:
1.100 markus 1203: static int
1.105 deraadt 1204: ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
1.100 markus 1205: u_char *data, u_int datalen)
1206: {
1207: Buffer b;
1.101 markus 1208: struct stat st;
1.100 markus 1209: pid_t pid;
1.103 markus 1210: int to[2], from[2], status, version = 2;
1.100 markus 1211:
1.109 markus 1212: debug2("ssh_keysign called");
1.100 markus 1213:
1.101 markus 1214: if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
1215: error("ssh_keysign: no installed: %s", strerror(errno));
1216: return -1;
1217: }
1.100 markus 1218: if (fflush(stdout) != 0)
1219: error("ssh_keysign: fflush: %s", strerror(errno));
1220: if (pipe(to) < 0) {
1221: error("ssh_keysign: pipe: %s", strerror(errno));
1222: return -1;
1223: }
1224: if (pipe(from) < 0) {
1225: error("ssh_keysign: pipe: %s", strerror(errno));
1226: return -1;
1227: }
1228: if ((pid = fork()) < 0) {
1229: error("ssh_keysign: fork: %s", strerror(errno));
1230: return -1;
1231: }
1232: if (pid == 0) {
1233: seteuid(getuid());
1234: setuid(getuid());
1235: close(from[0]);
1236: if (dup2(from[1], STDOUT_FILENO) < 0)
1237: fatal("ssh_keysign: dup2: %s", strerror(errno));
1238: close(to[1]);
1239: if (dup2(to[0], STDIN_FILENO) < 0)
1240: fatal("ssh_keysign: dup2: %s", strerror(errno));
1.103 markus 1241: close(from[1]);
1242: close(to[0]);
1.102 markus 1243: execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
1.100 markus 1244: fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
1245: strerror(errno));
1246: }
1247: close(from[1]);
1248: close(to[0]);
1249:
1250: buffer_init(&b);
1.103 markus 1251: buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
1.100 markus 1252: buffer_put_string(&b, data, datalen);
1.110 djm 1253: ssh_msg_send(to[1], version, &b);
1.100 markus 1254:
1.110 djm 1255: if (ssh_msg_recv(from[0], &b) < 0) {
1.101 markus 1256: error("ssh_keysign: no reply");
1.100 markus 1257: buffer_clear(&b);
1258: return -1;
1259: }
1.101 markus 1260: close(from[0]);
1261: close(to[1]);
1262:
1.103 markus 1263: while (waitpid(pid, &status, 0) < 0)
1264: if (errno != EINTR)
1265: break;
1.101 markus 1266:
1.100 markus 1267: if (buffer_get_char(&b) != version) {
1.101 markus 1268: error("ssh_keysign: bad version");
1.100 markus 1269: buffer_clear(&b);
1270: return -1;
1271: }
1272: *sigp = buffer_get_string(&b, lenp);
1273: buffer_clear(&b);
1274:
1275: return 0;
1276: }
1277:
1.68 markus 1278: int
1279: userauth_hostbased(Authctxt *authctxt)
1280: {
1281: Key *private = NULL;
1.100 markus 1282: Sensitive *sensitive = authctxt->sensitive;
1.68 markus 1283: Buffer b;
1284: u_char *signature, *blob;
1285: char *chost, *pkalg, *p;
1.72 markus 1286: const char *service;
1.68 markus 1287: u_int blen, slen;
1.71 markus 1288: int ok, i, len, found = 0;
1.68 markus 1289:
1290: /* check for a useful key */
1.100 markus 1291: for (i = 0; i < sensitive->nkeys; i++) {
1292: private = sensitive->keys[i];
1.68 markus 1293: if (private && private->type != KEY_RSA1) {
1294: found = 1;
1295: /* we take and free the key */
1.100 markus 1296: sensitive->keys[i] = NULL;
1.68 markus 1297: break;
1298: }
1299: }
1300: if (!found) {
1.109 markus 1301: debug("No more client hostkeys for hostbased authentication.");
1.68 markus 1302: return 0;
1303: }
1304: if (key_to_blob(private, &blob, &blen) == 0) {
1305: key_free(private);
1306: return 0;
1307: }
1.84 markus 1308: /* figure out a name for the client host */
1309: p = get_local_name(packet_get_connection_in());
1310: if (p == NULL) {
1311: error("userauth_hostbased: cannot get local ipaddr/name");
1312: key_free(private);
1313: return 0;
1314: }
1315: len = strlen(p) + 2;
1316: chost = xmalloc(len);
1317: strlcpy(chost, p, len);
1318: strlcat(chost, ".", len);
1319: debug2("userauth_hostbased: chost %s", chost);
1.112 markus 1320: xfree(p);
1.84 markus 1321:
1.72 markus 1322: service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
1323: authctxt->service;
1.68 markus 1324: pkalg = xstrdup(key_ssh_name(private));
1325: buffer_init(&b);
1326: /* construct data */
1.72 markus 1327: buffer_put_string(&b, session_id2, session_id2_len);
1.68 markus 1328: buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1329: buffer_put_cstring(&b, authctxt->server_user);
1.72 markus 1330: buffer_put_cstring(&b, service);
1.68 markus 1331: buffer_put_cstring(&b, authctxt->method->name);
1332: buffer_put_cstring(&b, pkalg);
1333: buffer_put_string(&b, blob, blen);
1334: buffer_put_cstring(&b, chost);
1335: buffer_put_cstring(&b, authctxt->local_user);
1336: #ifdef DEBUG_PK
1337: buffer_dump(&b);
1338: #endif
1.100 markus 1339: if (sensitive->external_keysign)
1340: ok = ssh_keysign(private, &signature, &slen,
1341: buffer_ptr(&b), buffer_len(&b));
1342: else
1343: ok = key_sign(private, &signature, &slen,
1344: buffer_ptr(&b), buffer_len(&b));
1.68 markus 1345: key_free(private);
1346: buffer_free(&b);
1347: if (ok != 0) {
1348: error("key_sign failed");
1349: xfree(chost);
1350: xfree(pkalg);
1351: return 0;
1352: }
1353: packet_start(SSH2_MSG_USERAUTH_REQUEST);
1354: packet_put_cstring(authctxt->server_user);
1355: packet_put_cstring(authctxt->service);
1356: packet_put_cstring(authctxt->method->name);
1357: packet_put_cstring(pkalg);
1358: packet_put_string(blob, blen);
1359: packet_put_cstring(chost);
1360: packet_put_cstring(authctxt->local_user);
1361: packet_put_string(signature, slen);
1362: memset(signature, 's', slen);
1363: xfree(signature);
1364: xfree(chost);
1365: xfree(pkalg);
1366:
1367: packet_send();
1368: return 1;
1.23 markus 1369: }
1.118 markus 1370:
1371: #if KRB5
1372: static int
1373: ssh_krb5_helper(krb5_data *ap)
1374: {
1375: krb5_context xcontext = NULL; /* XXX share with ssh1 */
1376: krb5_auth_context xauth_context = NULL;
1377:
1378: krb5_context *context;
1379: krb5_auth_context *auth_context;
1380: krb5_error_code problem;
1381: const char *tkfile;
1382: struct stat buf;
1383: krb5_ccache ccache = NULL;
1384: const char *remotehost;
1385: int ret;
1386:
1387: memset(ap, 0, sizeof(*ap));
1388:
1389: context = &xcontext;
1390: auth_context = &xauth_context;
1391:
1392: problem = krb5_init_context(context);
1393: if (problem) {
1394: debug("Kerberos v5: krb5_init_context failed");
1395: ret = 0;
1396: goto out;
1397: }
1398:
1399: tkfile = krb5_cc_default_name(*context);
1400: if (strncmp(tkfile, "FILE:", 5) == 0)
1401: tkfile += 5;
1402:
1403: if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
1404: debug("Kerberos v5: could not get default ccache (permission denied).");
1405: ret = 0;
1406: goto out;
1407: }
1408:
1409: problem = krb5_cc_default(*context, &ccache);
1410: if (problem) {
1411: debug("Kerberos v5: krb5_cc_default failed: %s",
1412: krb5_get_err_text(*context, problem));
1413: ret = 0;
1414: goto out;
1415: }
1416:
1417: remotehost = get_canonical_hostname(1);
1418:
1419: problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
1420: "host", remotehost, NULL, ccache, ap);
1421: if (problem) {
1422: debug("Kerberos v5: krb5_mk_req failed: %s",
1423: krb5_get_err_text(*context, problem));
1424: ret = 0;
1425: goto out;
1426: }
1427: ret = 1;
1428:
1429: out:
1430: if (ccache != NULL)
1431: krb5_cc_close(*context, ccache);
1432: if (*auth_context)
1433: krb5_auth_con_free(*context, *auth_context);
1434: if (*context)
1435: krb5_free_context(*context);
1436: return (ret);
1437: }
1438:
1439: int
1440: userauth_kerberos(Authctxt *authctxt)
1441: {
1442: krb5_data ap;
1443:
1444: if (ssh_krb5_helper(&ap) == 0)
1445: return (0);
1446:
1447: packet_start(SSH2_MSG_USERAUTH_REQUEST);
1448: packet_put_cstring(authctxt->server_user);
1449: packet_put_cstring(authctxt->service);
1450: packet_put_cstring(authctxt->method->name);
1451: packet_put_string(ap.data, ap.length);
1452: packet_send();
1453:
1454: krb5_data_free(&ap);
1455: return (1);
1456: }
1457: #endif
1.20 markus 1458:
1459: /* find auth method */
1460:
1461: /*
1462: * given auth method name, if configurable options permit this method fill
1463: * in auth_ident field and return true, otherwise return false.
1464: */
1.76 itojun 1465: static int
1.20 markus 1466: authmethod_is_enabled(Authmethod *method)
1467: {
1468: if (method == NULL)
1469: return 0;
1470: /* return false if options indicate this method is disabled */
1471: if (method->enabled == NULL || *method->enabled == 0)
1472: return 0;
1473: /* return false if batch mode is enabled but method needs interactive mode */
1474: if (method->batch_flag != NULL && *method->batch_flag != 0)
1475: return 0;
1476: return 1;
1477: }
1478:
1.76 itojun 1479: static Authmethod *
1.20 markus 1480: authmethod_lookup(const char *name)
1.1 markus 1481: {
1.20 markus 1482: Authmethod *method = NULL;
1483: if (name != NULL)
1484: for (method = authmethods; method->name != NULL; method++)
1485: if (strcmp(name, method->name) == 0)
1486: return method;
1487: debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
1488: return NULL;
1489: }
1.1 markus 1490:
1.53 markus 1491: /* XXX internal state */
1492: static Authmethod *current = NULL;
1493: static char *supported = NULL;
1494: static char *preferred = NULL;
1.105 deraadt 1495:
1.20 markus 1496: /*
1497: * Given the authentication method list sent by the server, return the
1498: * next method we should try. If the server initially sends a nil list,
1.67 markus 1499: * use a built-in default list.
1.41 stevesk 1500: */
1.76 itojun 1501: static Authmethod *
1.20 markus 1502: authmethod_get(char *authlist)
1503: {
1.53 markus 1504: char *name = NULL;
1.97 markus 1505: u_int next;
1.41 stevesk 1506:
1.20 markus 1507: /* Use a suitable default if we're passed a nil list. */
1508: if (authlist == NULL || strlen(authlist) == 0)
1.53 markus 1509: authlist = options.preferred_authentications;
1.20 markus 1510:
1.53 markus 1511: if (supported == NULL || strcmp(authlist, supported) != 0) {
1512: debug3("start over, passed a different list %s", authlist);
1513: if (supported != NULL)
1514: xfree(supported);
1515: supported = xstrdup(authlist);
1516: preferred = options.preferred_authentications;
1517: debug3("preferred %s", preferred);
1518: current = NULL;
1519: } else if (current != NULL && authmethod_is_enabled(current))
1520: return current;
1.20 markus 1521:
1.53 markus 1522: for (;;) {
1523: if ((name = match_list(preferred, supported, &next)) == NULL) {
1.109 markus 1524: debug("No more authentication methods to try.");
1.53 markus 1525: current = NULL;
1526: return NULL;
1527: }
1528: preferred += next;
1.23 markus 1529: debug3("authmethod_lookup %s", name);
1.53 markus 1530: debug3("remaining preferred: %s", preferred);
1531: if ((current = authmethod_lookup(name)) != NULL &&
1532: authmethod_is_enabled(current)) {
1.23 markus 1533: debug3("authmethod_is_enabled %s", name);
1.109 markus 1534: debug("Next authentication method: %s", name);
1.53 markus 1535: return current;
1.23 markus 1536: }
1.1 markus 1537: }
1.53 markus 1538: }
1.1 markus 1539:
1.79 stevesk 1540: static char *
1.53 markus 1541: authmethods_get(void)
1542: {
1543: Authmethod *method = NULL;
1.93 markus 1544: Buffer b;
1545: char *list;
1.27 provos 1546:
1.93 markus 1547: buffer_init(&b);
1.53 markus 1548: for (method = authmethods; method->name != NULL; method++) {
1549: if (authmethod_is_enabled(method)) {
1.93 markus 1550: if (buffer_len(&b) > 0)
1551: buffer_append(&b, ",", 1);
1552: buffer_append(&b, method->name, strlen(method->name));
1.53 markus 1553: }
1554: }
1.93 markus 1555: buffer_append(&b, "\0", 1);
1556: list = xstrdup(buffer_ptr(&b));
1557: buffer_free(&b);
1558: return list;
1.1 markus 1559: }