1/* $OpenBSD: sshconnect2.c,v 1.186 2010/11/29 23:45:51 djm Exp $ */
2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <sys/wait.h>
30#include <sys/queue.h>
31#include <sys/stat.h>
32
33#include <errno.h>
34#include <fcntl.h>
35#include <netdb.h>
36#include <stdio.h>
37#include <string.h>
38#include <signal.h>
39#include <pwd.h>
40#include <unistd.h>
41#include <vis.h>
42
43#include "xmalloc.h"
44#include "ssh.h"
45#include "ssh2.h"
46#include "buffer.h"
47#include "packet.h"
48#include "compat.h"
49#include "cipher.h"
50#include "key.h"
51#include "kex.h"
52#include "myproposal.h"
53#include "sshconnect.h"
54#include "authfile.h"
55#include "dh.h"
56#include "authfd.h"
57#include "log.h"
58#include "readconf.h"
59#include "misc.h"
60#include "match.h"
61#include "dispatch.h"
62#include "canohost.h"
63#include "msg.h"
64#include "pathnames.h"
65#include "uidswap.h"
66#include "hostfile.h"
67#include "schnorr.h"
68#include "jpake.h"
69
70#ifdef GSSAPI
71#include "ssh-gss.h"
72#endif
73
74/* import */
75extern char *client_version_string;
76extern char *server_version_string;
77extern Options options;
78
79/*
80 * SSH2 key exchange
81 */
82
83u_char *session_id2 = NULL;
84u_int session_id2_len = 0;
85
86char *xxx_host;
87struct sockaddr *xxx_hostaddr;
88
89Kex *xxx_kex = NULL;
90
91static int
92verify_host_key_callback(Key *hostkey)
93{
94 if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
95 fatal("Host key verification failed.");
96 return 0;
97}
98
99static char *
100order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
101{
102 char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
103 size_t maxlen;
104 struct hostkeys *hostkeys;
105 int ktype;
106
107 /* Find all hostkeys for this hostname */
108 get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL);
109 hostkeys = init_hostkeys();
110 load_hostkeys(hostkeys, hostname, options.user_hostfile2);
111 load_hostkeys(hostkeys, hostname, options.system_hostfile2);
112 load_hostkeys(hostkeys, hostname, options.user_hostfile);
113 load_hostkeys(hostkeys, hostname, options.system_hostfile);
114
115 oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
116 maxlen = strlen(avail) + 1;
117 first = xmalloc(maxlen);
118 last = xmalloc(maxlen);
119 *first = *last = '\0';
120
121#define ALG_APPEND(to, from) \
122 do { \
123 if (*to != '\0') \
124 strlcat(to, ",", maxlen); \
125 strlcat(to, from, maxlen); \
126 } while (0)
127
128 while ((alg = strsep(&avail, ",")) && *alg != '\0') {
129 if ((ktype = key_type_from_name(alg)) == KEY_UNSPEC)
130 fatal("%s: unknown alg %s", __func__, alg);
131 if (lookup_key_in_hostkeys_by_type(hostkeys,
132 key_type_plain(ktype), NULL))
133 ALG_APPEND(first, alg);
134 else
135 ALG_APPEND(last, alg);
136 }
137#undef ALG_APPEND
138 xasprintf(&ret, "%s%s%s", first, *first == '\0' ? "" : ",", last);
139 if (*first != '\0')
140 debug3("%s: prefer hostkeyalgs: %s", __func__, first);
141
142 xfree(first);
143 xfree(last);
144 xfree(hostname);
145 xfree(oavail);
146 free_hostkeys(hostkeys);
147
148 return ret;
149}
150
151void
152ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
153{
154 Kex *kex;
155
156 xxx_host = host;
157 xxx_hostaddr = hostaddr;
158
159 if (options.ciphers == (char *)-1) {
160 logit("No valid ciphers for protocol version 2 given, using defaults.");
161 options.ciphers = NULL;
162 }
163 if (options.ciphers != NULL) {
164 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
165 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
166 }
167 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
168 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
169 myproposal[PROPOSAL_ENC_ALGS_STOC] =
170 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
171 if (options.compression) {
172 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
173 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
174 } else {
175 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
176 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
177 }
178 if (options.macs != NULL) {
179 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
180 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
181 }
182 if (options.hostkeyalgorithms != NULL)
183 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
184 options.hostkeyalgorithms;
185 else {
186 /* Prefer algorithms that we already have keys for */
187 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
188 order_hostkeyalgs(host, hostaddr, port);
189 }
190 if (options.kex_algorithms != NULL)
191 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
192
193 if (options.rekey_limit)
194 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
195
196 /* start key exchange */
197 kex = kex_setup(myproposal);
198 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
199 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
200 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
201 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
202 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
203 kex->client_version_string=client_version_string;
204 kex->server_version_string=server_version_string;
205 kex->verify_host_key=&verify_host_key_callback;
206
207 xxx_kex = kex;
208
209 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
210
211 if (options.use_roaming && !kex->roaming) {
212 debug("Roaming not allowed by server");
213 options.use_roaming = 0;
214 }
215
216 session_id2 = kex->session_id;
217 session_id2_len = kex->session_id_len;
218
219#ifdef DEBUG_KEXDH
220 /* send 1st encrypted/maced/compressed message */
221 packet_start(SSH2_MSG_IGNORE);
222 packet_put_cstring("markus");
223 packet_send();
224 packet_write_wait();
225#endif
226}
227
228/*
229 * Authenticate user
230 */
231
232typedef struct Authctxt Authctxt;
233typedef struct Authmethod Authmethod;
234typedef struct identity Identity;
235typedef struct idlist Idlist;
236
237struct identity {
238 TAILQ_ENTRY(identity) next;
239 AuthenticationConnection *ac; /* set if agent supports key */
240 Key *key; /* public/private key */
241 char *filename; /* comment for agent-only keys */
242 int tried;
243 int isprivate; /* key points to the private key */
244};
245TAILQ_HEAD(idlist, identity);
246
247struct Authctxt {
248 const char *server_user;
249 const char *local_user;
250 const char *host;
251 const char *service;
252 Authmethod *method;
253 sig_atomic_t success;
254 char *authlist;
255 /* pubkey */
256 Idlist keys;
257 AuthenticationConnection *agent;
258 /* hostbased */
259 Sensitive *sensitive;
260 /* kbd-interactive */
261 int info_req_seen;
262 /* generic */
263 void *methoddata;
264};
265struct Authmethod {
266 char *name; /* string to compare against server's list */
267 int (*userauth)(Authctxt *authctxt);
268 void (*cleanup)(Authctxt *authctxt);
269 int *enabled; /* flag in option struct that enables method */
270 int *batch_flag; /* flag in option struct that disables method */
271};
272
273void input_userauth_success(int, u_int32_t, void *);
274void input_userauth_success_unexpected(int, u_int32_t, void *);
275void input_userauth_failure(int, u_int32_t, void *);
276void input_userauth_banner(int, u_int32_t, void *);
277void input_userauth_error(int, u_int32_t, void *);
278void input_userauth_info_req(int, u_int32_t, void *);
279void input_userauth_pk_ok(int, u_int32_t, void *);
280void input_userauth_passwd_changereq(int, u_int32_t, void *);
281void input_userauth_jpake_server_step1(int, u_int32_t, void *);
282void input_userauth_jpake_server_step2(int, u_int32_t, void *);
283void input_userauth_jpake_server_confirm(int, u_int32_t, void *);
284
285int userauth_none(Authctxt *);
286int userauth_pubkey(Authctxt *);
287int userauth_passwd(Authctxt *);
288int userauth_kbdint(Authctxt *);
289int userauth_hostbased(Authctxt *);
290int userauth_jpake(Authctxt *);
291
292void userauth_jpake_cleanup(Authctxt *);
293
294#ifdef GSSAPI
295int userauth_gssapi(Authctxt *authctxt);
296void input_gssapi_response(int type, u_int32_t, void *);
297void input_gssapi_token(int type, u_int32_t, void *);
298void input_gssapi_hash(int type, u_int32_t, void *);
299void input_gssapi_error(int, u_int32_t, void *);
300void input_gssapi_errtok(int, u_int32_t, void *);
301#endif
302
303void userauth(Authctxt *, char *);
304
305static int sign_and_send_pubkey(Authctxt *, Identity *);
306static void pubkey_prepare(Authctxt *);
307static void pubkey_cleanup(Authctxt *);
308static Key *load_identity_file(char *);
309
310static Authmethod *authmethod_get(char *authlist);
311static Authmethod *authmethod_lookup(const char *name);
312static char *authmethods_get(void);
313
314Authmethod authmethods[] = {
315#ifdef GSSAPI
316 {"gssapi-with-mic",
317 userauth_gssapi,
318 NULL,
319 &options.gss_authentication,
320 NULL},
321#endif
322 {"hostbased",
323 userauth_hostbased,
324 NULL,
325 &options.hostbased_authentication,
326 NULL},
327 {"publickey",
328 userauth_pubkey,
329 NULL,
330 &options.pubkey_authentication,
331 NULL},
332#ifdef JPAKE
333 {"jpake-01@openssh.com",
334 userauth_jpake,
335 userauth_jpake_cleanup,
336 &options.zero_knowledge_password_authentication,
337 &options.batch_mode},
338#endif
339 {"keyboard-interactive",
340 userauth_kbdint,
341 NULL,
342 &options.kbd_interactive_authentication,
343 &options.batch_mode},
344 {"password",
345 userauth_passwd,
346 NULL,
347 &options.password_authentication,
348 &options.batch_mode},
349 {"none",
350 userauth_none,
351 NULL,
352 NULL,
353 NULL},
354 {NULL, NULL, NULL, NULL, NULL}
355};
356
357void
358ssh_userauth2(const char *local_user, const char *server_user, char *host,
359 Sensitive *sensitive)
360{
361 Authctxt authctxt;
362 int type;
363
364 if (options.challenge_response_authentication)
365 options.kbd_interactive_authentication = 1;
366
367 packet_start(SSH2_MSG_SERVICE_REQUEST);
368 packet_put_cstring("ssh-userauth");
369 packet_send();
370 debug("SSH2_MSG_SERVICE_REQUEST sent");
371 packet_write_wait();
372 type = packet_read();
373 if (type != SSH2_MSG_SERVICE_ACCEPT)
374 fatal("Server denied authentication request: %d", type);
375 if (packet_remaining() > 0) {
376 char *reply = packet_get_string(NULL);
377 debug2("service_accept: %s", reply);
378 xfree(reply);
379 } else {
380 debug2("buggy server: service_accept w/o service");
381 }
382 packet_check_eom();
383 debug("SSH2_MSG_SERVICE_ACCEPT received");
384
385 if (options.preferred_authentications == NULL)
386 options.preferred_authentications = authmethods_get();
387
388 /* setup authentication context */
389 memset(&authctxt, 0, sizeof(authctxt));
390 pubkey_prepare(&authctxt);
391 authctxt.server_user = server_user;
392 authctxt.local_user = local_user;
393 authctxt.host = host;
394 authctxt.service = "ssh-connection"; /* service name */
395 authctxt.success = 0;
396 authctxt.method = authmethod_lookup("none");
397 authctxt.authlist = NULL;
398 authctxt.methoddata = NULL;
399 authctxt.sensitive = sensitive;
400 authctxt.info_req_seen = 0;
401 if (authctxt.method == NULL)
402 fatal("ssh_userauth2: internal error: cannot send userauth none request");
403
404 /* initial userauth request */
405 userauth_none(&authctxt);
406
407 dispatch_init(&input_userauth_error);
408 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
409 dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
410 dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
411 dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */
412
413 pubkey_cleanup(&authctxt);
414 dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
415
416 debug("Authentication succeeded (%s).", authctxt.method->name);
417}
418
419void
420userauth(Authctxt *authctxt, char *authlist)
421{
422 if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
423 authctxt->method->cleanup(authctxt);
424
425 if (authctxt->methoddata) {
426 xfree(authctxt->methoddata);
427 authctxt->methoddata = NULL;
428 }
429 if (authlist == NULL) {
430 authlist = authctxt->authlist;
431 } else {
432 if (authctxt->authlist)
433 xfree(authctxt->authlist);
434 authctxt->authlist = authlist;
435 }
436 for (;;) {
437 Authmethod *method = authmethod_get(authlist);
438 if (method == NULL)
439 fatal("Permission denied (%s).", authlist);
440 authctxt->method = method;
441
442 /* reset the per method handler */
443 dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
444 SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
445
446 /* and try new method */
447 if (method->userauth(authctxt) != 0) {
448 debug2("we sent a %s packet, wait for reply", method->name);
449 break;
450 } else {
451 debug2("we did not send a packet, disable method");
452 method->enabled = NULL;
453 }
454 }
455}
456
457/* ARGSUSED */
458void
459input_userauth_error(int type, u_int32_t seq, void *ctxt)
460{
461 fatal("input_userauth_error: bad message during authentication: "
462 "type %d", type);
463}
464
465/* ARGSUSED */
466void
467input_userauth_banner(int type, u_int32_t seq, void *ctxt)
468{
469 char *msg, *raw, *lang;
470 u_int len;
471
472 debug3("input_userauth_banner");
473 raw = packet_get_string(&len);
474 lang = packet_get_string(NULL);
475 if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
476 if (len > 65536)
477 len = 65536;
478 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
479 strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
480 fprintf(stderr, "%s", msg);
481 xfree(msg);
482 }
483 xfree(raw);
484 xfree(lang);
485}
486
487/* ARGSUSED */
488void
489input_userauth_success(int type, u_int32_t seq, void *ctxt)
490{
491 Authctxt *authctxt = ctxt;
492
493 if (authctxt == NULL)
494 fatal("input_userauth_success: no authentication context");
495 if (authctxt->authlist) {
496 xfree(authctxt->authlist);
497 authctxt->authlist = NULL;
498 }
499 if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
500 authctxt->method->cleanup(authctxt);
501 if (authctxt->methoddata) {
502 xfree(authctxt->methoddata);
503 authctxt->methoddata = NULL;
504 }
505 authctxt->success = 1; /* break out */
506}
507
508void
509input_userauth_success_unexpected(int type, u_int32_t seq, void *ctxt)
510{
511 Authctxt *authctxt = ctxt;
512
513 if (authctxt == NULL)
514 fatal("%s: no authentication context", __func__);
515
516 fatal("Unexpected authentication success during %s.",
517 authctxt->method->name);
518}
519
520/* ARGSUSED */
521void
522input_userauth_failure(int type, u_int32_t seq, void *ctxt)
523{
524 Authctxt *authctxt = ctxt;
525 char *authlist = NULL;
526 int partial;
527
528 if (authctxt == NULL)
529 fatal("input_userauth_failure: no authentication context");
530
531 authlist = packet_get_string(NULL);
532 partial = packet_get_char();
533 packet_check_eom();
534
535 if (partial != 0)
536 logit("Authenticated with partial success.");
537 debug("Authentications that can continue: %s", authlist);
538
539 userauth(authctxt, authlist);
540}
541
542/* ARGSUSED */
543void
544input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
545{
546 Authctxt *authctxt = ctxt;
547 Key *key = NULL;
548 Identity *id = NULL;
549 Buffer b;
550 int pktype, sent = 0;
551 u_int alen, blen;
552 char *pkalg, *fp;
553 u_char *pkblob;
554
555 if (authctxt == NULL)
556 fatal("input_userauth_pk_ok: no authentication context");
557 if (datafellows & SSH_BUG_PKOK) {
558 /* this is similar to SSH_BUG_PKAUTH */
559 debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
560 pkblob = packet_get_string(&blen);
561 buffer_init(&b);
562 buffer_append(&b, pkblob, blen);
563 pkalg = buffer_get_string(&b, &alen);
564 buffer_free(&b);
565 } else {
566 pkalg = packet_get_string(&alen);
567 pkblob = packet_get_string(&blen);
568 }
569 packet_check_eom();
570
571 debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
572
573 if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
574 debug("unknown pkalg %s", pkalg);
575 goto done;
576 }
577 if ((key = key_from_blob(pkblob, blen)) == NULL) {
578 debug("no key from blob. pkalg %s", pkalg);
579 goto done;
580 }
581 if (key->type != pktype) {
582 error("input_userauth_pk_ok: type mismatch "
583 "for decoded key (received %d, expected %d)",
584 key->type, pktype);
585 goto done;
586 }
587 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
588 debug2("input_userauth_pk_ok: fp %s", fp);
589 xfree(fp);
590
591 /*
592 * search keys in the reverse order, because last candidate has been
593 * moved to the end of the queue. this also avoids confusion by
594 * duplicate keys
595 */
596 TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
597 if (key_equal(key, id->key)) {
598 sent = sign_and_send_pubkey(authctxt, id);
599 break;
600 }
601 }
602done:
603 if (key != NULL)
604 key_free(key);
605 xfree(pkalg);
606 xfree(pkblob);
607
608 /* try another method if we did not send a packet */
609 if (sent == 0)
610 userauth(authctxt, NULL);
611}
612
613#ifdef GSSAPI
614int
615userauth_gssapi(Authctxt *authctxt)
616{
617 Gssctxt *gssctxt = NULL;
618 static gss_OID_set gss_supported = NULL;
619 static u_int mech = 0;
620 OM_uint32 min;
621 int ok = 0;
622
623 /* Try one GSSAPI method at a time, rather than sending them all at
624 * once. */
625
626 if (gss_supported == NULL)
627 gss_indicate_mechs(&min, &gss_supported);
628
629 /* Check to see if the mechanism is usable before we offer it */
630 while (mech < gss_supported->count && !ok) {
631 /* My DER encoding requires length<128 */
632 if (gss_supported->elements[mech].length < 128 &&
633 ssh_gssapi_check_mechanism(&gssctxt,
634 &gss_supported->elements[mech], authctxt->host)) {
635 ok = 1; /* Mechanism works */
636 } else {
637 mech++;
638 }
639 }
640
641 if (!ok)
642 return 0;
643
644 authctxt->methoddata=(void *)gssctxt;
645
646 packet_start(SSH2_MSG_USERAUTH_REQUEST);
647 packet_put_cstring(authctxt->server_user);
648 packet_put_cstring(authctxt->service);
649 packet_put_cstring(authctxt->method->name);
650
651 packet_put_int(1);
652
653 packet_put_int((gss_supported->elements[mech].length) + 2);
654 packet_put_char(SSH_GSS_OIDTYPE);
655 packet_put_char(gss_supported->elements[mech].length);
656 packet_put_raw(gss_supported->elements[mech].elements,
657 gss_supported->elements[mech].length);
658
659 packet_send();
660
661 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
662 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
663 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
664 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
665
666 mech++; /* Move along to next candidate */
667
668 return 1;
669}
670
671static OM_uint32
672process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
673{
674 Authctxt *authctxt = ctxt;
675 Gssctxt *gssctxt = authctxt->methoddata;
676 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
677 gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
678 gss_buffer_desc gssbuf;
679 OM_uint32 status, ms, flags;
680 Buffer b;
681
682 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
683 recv_tok, &send_tok, &flags);
684
685 if (send_tok.length > 0) {
686 if (GSS_ERROR(status))
687 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
688 else
689 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
690
691 packet_put_string(send_tok.value, send_tok.length);
692 packet_send();
693 gss_release_buffer(&ms, &send_tok);
694 }
695
696 if (status == GSS_S_COMPLETE) {
697 /* send either complete or MIC, depending on mechanism */
698 if (!(flags & GSS_C_INTEG_FLAG)) {
699 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
700 packet_send();
701 } else {
702 ssh_gssapi_buildmic(&b, authctxt->server_user,
703 authctxt->service, "gssapi-with-mic");
704
705 gssbuf.value = buffer_ptr(&b);
706 gssbuf.length = buffer_len(&b);
707
708 status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
709
710 if (!GSS_ERROR(status)) {
711 packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
712 packet_put_string(mic.value, mic.length);
713
714 packet_send();
715 }
716
717 buffer_free(&b);
718 gss_release_buffer(&ms, &mic);
719 }
720 }
721
722 return status;
723}
724
725/* ARGSUSED */
726void
727input_gssapi_response(int type, u_int32_t plen, void *ctxt)
728{
729 Authctxt *authctxt = ctxt;
730 Gssctxt *gssctxt;
731 int oidlen;
732 char *oidv;
733
734 if (authctxt == NULL)
735 fatal("input_gssapi_response: no authentication context");
736 gssctxt = authctxt->methoddata;
737
738 /* Setup our OID */
739 oidv = packet_get_string(&oidlen);
740
741 if (oidlen <= 2 ||
742 oidv[0] != SSH_GSS_OIDTYPE ||
743 oidv[1] != oidlen - 2) {
744 xfree(oidv);
745 debug("Badly encoded mechanism OID received");
746 userauth(authctxt, NULL);
747 return;
748 }
749
750 if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
751 fatal("Server returned different OID than expected");
752
753 packet_check_eom();
754
755 xfree(oidv);
756
757 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
758 /* Start again with next method on list */
759 debug("Trying to start again");
760 userauth(authctxt, NULL);
761 return;
762 }
763}
764
765/* ARGSUSED */
766void
767input_gssapi_token(int type, u_int32_t plen, void *ctxt)
768{
769 Authctxt *authctxt = ctxt;
770 gss_buffer_desc recv_tok;
771 OM_uint32 status;
772 u_int slen;
773
774 if (authctxt == NULL)
775 fatal("input_gssapi_response: no authentication context");
776
777 recv_tok.value = packet_get_string(&slen);
778 recv_tok.length = slen; /* safe typecast */
779
780 packet_check_eom();
781
782 status = process_gssapi_token(ctxt, &recv_tok);
783
784 xfree(recv_tok.value);
785
786 if (GSS_ERROR(status)) {
787 /* Start again with the next method in the list */
788 userauth(authctxt, NULL);
789 return;
790 }
791}
792
793/* ARGSUSED */
794void
795input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
796{
797 Authctxt *authctxt = ctxt;
798 Gssctxt *gssctxt;
799 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
800 gss_buffer_desc recv_tok;
801 OM_uint32 status, ms;
802 u_int len;
803
804 if (authctxt == NULL)
805 fatal("input_gssapi_response: no authentication context");
806 gssctxt = authctxt->methoddata;
807
808 recv_tok.value = packet_get_string(&len);
809 recv_tok.length = len;
810
811 packet_check_eom();
812
813 /* Stick it into GSSAPI and see what it says */
814 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
815 &recv_tok, &send_tok, NULL);
816
817 xfree(recv_tok.value);
818 gss_release_buffer(&ms, &send_tok);
819
820 /* Server will be returning a failed packet after this one */
821}
822
823/* ARGSUSED */
824void
825input_gssapi_error(int type, u_int32_t plen, void *ctxt)
826{
827 OM_uint32 maj, min;
828 char *msg;
829 char *lang;
830
831 maj=packet_get_int();
832 min=packet_get_int();
833 msg=packet_get_string(NULL);
834 lang=packet_get_string(NULL);
835
836 packet_check_eom();
837
838 debug("Server GSSAPI Error:\n%s", msg);
839 xfree(msg);
840 xfree(lang);
841}
842#endif /* GSSAPI */
843
844int
845userauth_none(Authctxt *authctxt)
846{
847 /* initial userauth request */
848 packet_start(SSH2_MSG_USERAUTH_REQUEST);
849 packet_put_cstring(authctxt->server_user);
850 packet_put_cstring(authctxt->service);
851 packet_put_cstring(authctxt->method->name);
852 packet_send();
853 return 1;
854}
855
856int
857userauth_passwd(Authctxt *authctxt)
858{
859 static int attempt = 0;
860 char prompt[150];
861 char *password;
862 const char *host = options.host_key_alias ? options.host_key_alias :
863 authctxt->host;
864
865 if (attempt++ >= options.number_of_password_prompts)
866 return 0;
867
868 if (attempt != 1)
869 error("Permission denied, please try again.");
870
871 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
872 authctxt->server_user, host);
873 password = read_passphrase(prompt, 0);
874 packet_start(SSH2_MSG_USERAUTH_REQUEST);
875 packet_put_cstring(authctxt->server_user);
876 packet_put_cstring(authctxt->service);
877 packet_put_cstring(authctxt->method->name);
878 packet_put_char(0);
879 packet_put_cstring(password);
880 memset(password, 0, strlen(password));
881 xfree(password);
882 packet_add_padding(64);
883 packet_send();
884
885 dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
886 &input_userauth_passwd_changereq);
887
888 return 1;
889}
890
891/*
892 * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
893 */
894/* ARGSUSED */
895void
896input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
897{
898 Authctxt *authctxt = ctxt;
899 char *info, *lang, *password = NULL, *retype = NULL;
900 char prompt[150];
901 const char *host = options.host_key_alias ? options.host_key_alias :
902 authctxt->host;
903
904 debug2("input_userauth_passwd_changereq");
905
906 if (authctxt == NULL)
907 fatal("input_userauth_passwd_changereq: "
908 "no authentication context");
909
910 info = packet_get_string(NULL);
911 lang = packet_get_string(NULL);
912 if (strlen(info) > 0)
913 logit("%s", info);
914 xfree(info);
915 xfree(lang);
916 packet_start(SSH2_MSG_USERAUTH_REQUEST);
917 packet_put_cstring(authctxt->server_user);
918 packet_put_cstring(authctxt->service);
919 packet_put_cstring(authctxt->method->name);
920 packet_put_char(1); /* additional info */
921 snprintf(prompt, sizeof(prompt),
922 "Enter %.30s@%.128s's old password: ",
923 authctxt->server_user, host);
924 password = read_passphrase(prompt, 0);
925 packet_put_cstring(password);
926 memset(password, 0, strlen(password));
927 xfree(password);
928 password = NULL;
929 while (password == NULL) {
930 snprintf(prompt, sizeof(prompt),
931 "Enter %.30s@%.128s's new password: ",
932 authctxt->server_user, host);
933 password = read_passphrase(prompt, RP_ALLOW_EOF);
934 if (password == NULL) {
935 /* bail out */
936 return;
937 }
938 snprintf(prompt, sizeof(prompt),
939 "Retype %.30s@%.128s's new password: ",
940 authctxt->server_user, host);
941 retype = read_passphrase(prompt, 0);
942 if (strcmp(password, retype) != 0) {
943 memset(password, 0, strlen(password));
944 xfree(password);
945 logit("Mismatch; try again, EOF to quit.");
946 password = NULL;
947 }
948 memset(retype, 0, strlen(retype));
949 xfree(retype);
950 }
951 packet_put_cstring(password);
952 memset(password, 0, strlen(password));
953 xfree(password);
954 packet_add_padding(64);
955 packet_send();
956
957 dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
958 &input_userauth_passwd_changereq);
959}
960
961#ifdef JPAKE
962static char *
963pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
964{
965 /* OpenBSD crypt(3) handles all of these */
966 if (strcmp(crypt_scheme, "crypt") == 0 ||
967 strcmp(crypt_scheme, "bcrypt") == 0 ||
968 strcmp(crypt_scheme, "md5crypt") == 0 ||
969 strcmp(crypt_scheme, "crypt-extended") == 0)
970 return xstrdup(crypt(password, salt));
971 error("%s: unsupported password encryption scheme \"%.100s\"",
972 __func__, crypt_scheme);
973 return NULL;
974}
975
976static BIGNUM *
977jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
978 const char *salt)
979{
980 char prompt[256], *password, *crypted;
981 u_char *secret;
982 u_int secret_len;
983 BIGNUM *ret;
984
985 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
986 authctxt->server_user, authctxt->host);
987 password = read_passphrase(prompt, 0);
988
989 if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
990 logit("Disabling %s authentication", authctxt->method->name);
991 authctxt->method->enabled = NULL;
992 /* Continue with an empty password to fail gracefully */
993 crypted = xstrdup("");
994 }
995
996#ifdef JPAKE_DEBUG
997 debug3("%s: salt = %s", __func__, salt);
998 debug3("%s: scheme = %s", __func__, crypt_scheme);
999 debug3("%s: crypted = %s", __func__, crypted);
1000#endif
1001
1002 if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
1003 &secret, &secret_len) != 0)
1004 fatal("%s: hash_buffer", __func__);
1005
1006 bzero(password, strlen(password));
1007 bzero(crypted, strlen(crypted));
1008 xfree(password);
1009 xfree(crypted);
1010
1011 if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
1012 fatal("%s: BN_bin2bn (secret)", __func__);
1013 bzero(secret, secret_len);
1014 xfree(secret);
1015
1016 return ret;
1017}
1018
1019/* ARGSUSED */
1020void
1021input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1022{
1023 Authctxt *authctxt = ctxt;
1024 struct jpake_ctx *pctx = authctxt->methoddata;
1025 u_char *x3_proof, *x4_proof, *x2_s_proof;
1026 u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
1027 char *crypt_scheme, *salt;
1028
1029 /* Disable this message */
1030 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
1031
1032 if ((pctx->g_x3 = BN_new()) == NULL ||
1033 (pctx->g_x4 = BN_new()) == NULL)
1034 fatal("%s: BN_new", __func__);
1035
1036 /* Fetch step 1 values */
1037 crypt_scheme = packet_get_string(NULL);
1038 salt = packet_get_string(NULL);
1039 pctx->server_id = packet_get_string(&pctx->server_id_len);
1040 packet_get_bignum2(pctx->g_x3);
1041 packet_get_bignum2(pctx->g_x4);
1042 x3_proof = packet_get_string(&x3_proof_len);
1043 x4_proof = packet_get_string(&x4_proof_len);
1044 packet_check_eom();
1045
1046 JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
1047
1048 /* Obtain password and derive secret */
1049 pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
1050 bzero(crypt_scheme, strlen(crypt_scheme));
1051 bzero(salt, strlen(salt));
1052 xfree(crypt_scheme);
1053 xfree(salt);
1054 JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
1055
1056 /* Calculate step 2 values */
1057 jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
1058 pctx->g_x3, pctx->g_x4, pctx->x2,
1059 pctx->server_id, pctx->server_id_len,
1060 pctx->client_id, pctx->client_id_len,
1061 x3_proof, x3_proof_len,
1062 x4_proof, x4_proof_len,
1063 &pctx->a,
1064 &x2_s_proof, &x2_s_proof_len);
1065
1066 bzero(x3_proof, x3_proof_len);
1067 bzero(x4_proof, x4_proof_len);
1068 xfree(x3_proof);
1069 xfree(x4_proof);
1070
1071 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
1072
1073 /* Send values for step 2 */
1074 packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
1075 packet_put_bignum2(pctx->a);
1076 packet_put_string(x2_s_proof, x2_s_proof_len);
1077 packet_send();
1078
1079 bzero(x2_s_proof, x2_s_proof_len);
1080 xfree(x2_s_proof);
1081
1082 /* Expect step 2 packet from peer */
1083 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
1084 input_userauth_jpake_server_step2);
1085}
1086
1087/* ARGSUSED */
1088void
1089input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
1090{
1091 Authctxt *authctxt = ctxt;
1092 struct jpake_ctx *pctx = authctxt->methoddata;
1093 u_char *x4_s_proof;
1094 u_int x4_s_proof_len;
1095
1096 /* Disable this message */
1097 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
1098
1099 if ((pctx->b = BN_new()) == NULL)
1100 fatal("%s: BN_new", __func__);
1101
1102 /* Fetch step 2 values */
1103 packet_get_bignum2(pctx->b);
1104 x4_s_proof = packet_get_string(&x4_s_proof_len);
1105 packet_check_eom();
1106
1107 JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
1108
1109 /* Derive shared key and calculate confirmation hash */
1110 jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
1111 pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
1112 pctx->client_id, pctx->client_id_len,
1113 pctx->server_id, pctx->server_id_len,
1114 session_id2, session_id2_len,
1115 x4_s_proof, x4_s_proof_len,
1116 &pctx->k,
1117 &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
1118
1119 bzero(x4_s_proof, x4_s_proof_len);
1120 xfree(x4_s_proof);
1121
1122 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
1123
1124 /* Send key confirmation proof */
1125 packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
1126 packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
1127 packet_send();
1128
1129 /* Expect confirmation from peer */
1130 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
1131 input_userauth_jpake_server_confirm);
1132}
1133
1134/* ARGSUSED */
1135void
1136input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
1137{
1138 Authctxt *authctxt = ctxt;
1139 struct jpake_ctx *pctx = authctxt->methoddata;
1140
1141 /* Disable this message */
1142 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
1143
1144 pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
1145 packet_check_eom();
1146
1147 JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
1148
1149 /* Verify expected confirmation hash */
1150 if (jpake_check_confirm(pctx->k,
1151 pctx->server_id, pctx->server_id_len,
1152 session_id2, session_id2_len,
1153 pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
1154 debug("%s: %s success", __func__, authctxt->method->name);
1155 else {
1156 debug("%s: confirmation mismatch", __func__);
1157 /* XXX stash this so if auth succeeds then we can warn/kill */
1158 }
1159
1160 userauth_jpake_cleanup(authctxt);
1161}
1162#endif /* JPAKE */
1163
1164static int
1165identity_sign(Identity *id, u_char **sigp, u_int *lenp,
1166 u_char *data, u_int datalen)
1167{
1168 Key *prv;
1169 int ret;
1170
1171 /* the agent supports this key */
1172 if (id->ac)
1173 return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
1174 data, datalen));
1175 /*
1176 * we have already loaded the private key or
1177 * the private key is stored in external hardware
1178 */
1179 if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
1180 return (key_sign(id->key, sigp, lenp, data, datalen));
1181 /* load the private key from the file */
1182 if ((prv = load_identity_file(id->filename)) == NULL)
1183 return (-1);
1184 ret = key_sign(prv, sigp, lenp, data, datalen);
1185 key_free(prv);
1186 return (ret);
1187}
1188
1189static int
1190sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1191{
1192 Buffer b;
1193 u_char *blob, *signature;
1194 u_int bloblen, slen;
1195 u_int skip = 0;
1196 int ret = -1;
1197 int have_sig = 1;
1198 char *fp;
1199
1200 fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
1201 debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
1202 xfree(fp);
1203
1204 if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1205 /* we cannot handle this key */
1206 debug3("sign_and_send_pubkey: cannot handle key");
1207 return 0;
1208 }
1209 /* data to be signed */
1210 buffer_init(&b);
1211 if (datafellows & SSH_OLD_SESSIONID) {
1212 buffer_append(&b, session_id2, session_id2_len);
1213 skip = session_id2_len;
1214 } else {
1215 buffer_put_string(&b, session_id2, session_id2_len);
1216 skip = buffer_len(&b);
1217 }
1218 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1219 buffer_put_cstring(&b, authctxt->server_user);
1220 buffer_put_cstring(&b,
1221 datafellows & SSH_BUG_PKSERVICE ?
1222 "ssh-userauth" :
1223 authctxt->service);
1224 if (datafellows & SSH_BUG_PKAUTH) {
1225 buffer_put_char(&b, have_sig);
1226 } else {
1227 buffer_put_cstring(&b, authctxt->method->name);
1228 buffer_put_char(&b, have_sig);
1229 buffer_put_cstring(&b, key_ssh_name(id->key));
1230 }
1231 buffer_put_string(&b, blob, bloblen);
1232
1233 /* generate signature */
1234 ret = identity_sign(id, &signature, &slen,
1235 buffer_ptr(&b), buffer_len(&b));
1236 if (ret == -1) {
1237 xfree(blob);
1238 buffer_free(&b);
1239 return 0;
1240 }
1241#ifdef DEBUG_PK
1242 buffer_dump(&b);
1243#endif
1244 if (datafellows & SSH_BUG_PKSERVICE) {
1245 buffer_clear(&b);
1246 buffer_append(&b, session_id2, session_id2_len);
1247 skip = session_id2_len;
1248 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1249 buffer_put_cstring(&b, authctxt->server_user);
1250 buffer_put_cstring(&b, authctxt->service);
1251 buffer_put_cstring(&b, authctxt->method->name);
1252 buffer_put_char(&b, have_sig);
1253 if (!(datafellows & SSH_BUG_PKAUTH))
1254 buffer_put_cstring(&b, key_ssh_name(id->key));
1255 buffer_put_string(&b, blob, bloblen);
1256 }
1257 xfree(blob);
1258
1259 /* append signature */
1260 buffer_put_string(&b, signature, slen);
1261 xfree(signature);
1262
1263 /* skip session id and packet type */
1264 if (buffer_len(&b) < skip + 1)
1265 fatal("userauth_pubkey: internal error");
1266 buffer_consume(&b, skip + 1);
1267
1268 /* put remaining data from buffer into packet */
1269 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1270 packet_put_raw(buffer_ptr(&b), buffer_len(&b));
1271 buffer_free(&b);
1272 packet_send();
1273
1274 return 1;
1275}
1276
1277static int
1278send_pubkey_test(Authctxt *authctxt, Identity *id)
1279{
1280 u_char *blob;
1281 u_int bloblen, have_sig = 0;
1282
1283 debug3("send_pubkey_test");
1284
1285 if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1286 /* we cannot handle this key */
1287 debug3("send_pubkey_test: cannot handle key");
1288 return 0;
1289 }
1290 /* register callback for USERAUTH_PK_OK message */
1291 dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
1292
1293 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1294 packet_put_cstring(authctxt->server_user);
1295 packet_put_cstring(authctxt->service);
1296 packet_put_cstring(authctxt->method->name);
1297 packet_put_char(have_sig);
1298 if (!(datafellows & SSH_BUG_PKAUTH))
1299 packet_put_cstring(key_ssh_name(id->key));
1300 packet_put_string(blob, bloblen);
1301 xfree(blob);
1302 packet_send();
1303 return 1;
1304}
1305
1306static Key *
1307load_identity_file(char *filename)
1308{
1309 Key *private;
1310 char prompt[300], *passphrase;
1311 int perm_ok = 0, quit, i;
1312 struct stat st;
1313
1314 if (stat(filename, &st) < 0) {
1315 debug3("no such identity: %s", filename);
1316 return NULL;
1317 }
1318 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
1319 if (!perm_ok)
1320 return NULL;
1321 if (private == NULL) {
1322 if (options.batch_mode)
1323 return NULL;
1324 snprintf(prompt, sizeof prompt,
1325 "Enter passphrase for key '%.100s': ", filename);
1326 for (i = 0; i < options.number_of_password_prompts; i++) {
1327 passphrase = read_passphrase(prompt, 0);
1328 if (strcmp(passphrase, "") != 0) {
1329 private = key_load_private_type(KEY_UNSPEC,
1330 filename, passphrase, NULL, NULL);
1331 quit = 0;
1332 } else {
1333 debug2("no passphrase given, try next key");
1334 quit = 1;
1335 }
1336 memset(passphrase, 0, strlen(passphrase));
1337 xfree(passphrase);
1338 if (private != NULL || quit)
1339 break;
1340 debug2("bad passphrase given, try again...");
1341 }
1342 }
1343 return private;
1344}
1345
1346/*
1347 * try keys in the following order:
1348 * 1. agent keys that are found in the config file
1349 * 2. other agent keys
1350 * 3. keys that are only listed in the config file
1351 */
1352static void
1353pubkey_prepare(Authctxt *authctxt)
1354{
1355 Identity *id;
1356 Idlist agent, files, *preferred;
1357 Key *key;
1358 AuthenticationConnection *ac;
1359 char *comment;
1360 int i, found;
1361
1362 TAILQ_INIT(&agent); /* keys from the agent */
1363 TAILQ_INIT(&files); /* keys from the config file */
1364 preferred = &authctxt->keys;
1365 TAILQ_INIT(preferred); /* preferred order of keys */
1366
1367 /* list of keys stored in the filesystem */
1368 for (i = 0; i < options.num_identity_files; i++) {
1369 key = options.identity_keys[i];
1370 if (key && key->type == KEY_RSA1)
1371 continue;
1372 if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
1373 continue;
1374 options.identity_keys[i] = NULL;
1375 id = xcalloc(1, sizeof(*id));
1376 id->key = key;
1377 id->filename = xstrdup(options.identity_files[i]);
1378 TAILQ_INSERT_TAIL(&files, id, next);
1379 }
1380 /* list of keys supported by the agent */
1381 if ((ac = ssh_get_authentication_connection())) {
1382 for (key = ssh_get_first_identity(ac, &comment, 2);
1383 key != NULL;
1384 key = ssh_get_next_identity(ac, &comment, 2)) {
1385 found = 0;
1386 TAILQ_FOREACH(id, &files, next) {
1387 /* agent keys from the config file are preferred */
1388 if (key_equal(key, id->key)) {
1389 key_free(key);
1390 xfree(comment);
1391 TAILQ_REMOVE(&files, id, next);
1392 TAILQ_INSERT_TAIL(preferred, id, next);
1393 id->ac = ac;
1394 found = 1;
1395 break;
1396 }
1397 }
1398 if (!found && !options.identities_only) {
1399 id = xcalloc(1, sizeof(*id));
1400 id->key = key;
1401 id->filename = comment;
1402 id->ac = ac;
1403 TAILQ_INSERT_TAIL(&agent, id, next);
1404 }
1405 }
1406 /* append remaining agent keys */
1407 for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
1408 TAILQ_REMOVE(&agent, id, next);
1409 TAILQ_INSERT_TAIL(preferred, id, next);
1410 }
1411 authctxt->agent = ac;
1412 }
1413 /* append remaining keys from the config file */
1414 for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
1415 TAILQ_REMOVE(&files, id, next);
1416 TAILQ_INSERT_TAIL(preferred, id, next);
1417 }
1418 TAILQ_FOREACH(id, preferred, next) {
1419 debug2("key: %s (%p)", id->filename, id->key);
1420 }
1421}
1422
1423static void
1424pubkey_cleanup(Authctxt *authctxt)
1425{
1426 Identity *id;
1427
1428 if (authctxt->agent != NULL)
1429 ssh_close_authentication_connection(authctxt->agent);
1430 for (id = TAILQ_FIRST(&authctxt->keys); id;
1431 id = TAILQ_FIRST(&authctxt->keys)) {
1432 TAILQ_REMOVE(&authctxt->keys, id, next);
1433 if (id->key)
1434 key_free(id->key);
1435 if (id->filename)
1436 xfree(id->filename);
1437 xfree(id);
1438 }
1439}
1440
1441int
1442userauth_pubkey(Authctxt *authctxt)
1443{
1444 Identity *id;
1445 int sent = 0;
1446
1447 while ((id = TAILQ_FIRST(&authctxt->keys))) {
1448 if (id->tried++)
1449 return (0);
1450 /* move key to the end of the queue */
1451 TAILQ_REMOVE(&authctxt->keys, id, next);
1452 TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
1453 /*
1454 * send a test message if we have the public key. for
1455 * encrypted keys we cannot do this and have to load the
1456 * private key instead
1457 */
1458 if (id->key && id->key->type != KEY_RSA1) {
1459 debug("Offering %s public key: %s", key_type(id->key),
1460 id->filename);
1461 sent = send_pubkey_test(authctxt, id);
1462 } else if (id->key == NULL) {
1463 debug("Trying private key: %s", id->filename);
1464 id->key = load_identity_file(id->filename);
1465 if (id->key != NULL) {
1466 id->isprivate = 1;
1467 sent = sign_and_send_pubkey(authctxt, id);
1468 key_free(id->key);
1469 id->key = NULL;
1470 }
1471 }
1472 if (sent)
1473 return (sent);
1474 }
1475 return (0);
1476}
1477
1478/*
1479 * Send userauth request message specifying keyboard-interactive method.
1480 */
1481int
1482userauth_kbdint(Authctxt *authctxt)
1483{
1484 static int attempt = 0;
1485
1486 if (attempt++ >= options.number_of_password_prompts)
1487 return 0;
1488 /* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1489 if (attempt > 1 && !authctxt->info_req_seen) {
1490 debug3("userauth_kbdint: disable: no info_req_seen");
1491 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
1492 return 0;
1493 }
1494
1495 debug2("userauth_kbdint");
1496 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1497 packet_put_cstring(authctxt->server_user);
1498 packet_put_cstring(authctxt->service);
1499 packet_put_cstring(authctxt->method->name);
1500 packet_put_cstring(""); /* lang */
1501 packet_put_cstring(options.kbd_interactive_devices ?
1502 options.kbd_interactive_devices : "");
1503 packet_send();
1504
1505 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
1506 return 1;
1507}
1508
1509/*
1510 * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1511 */
1512void
1513input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1514{
1515 Authctxt *authctxt = ctxt;
1516 char *name, *inst, *lang, *prompt, *response;
1517 u_int num_prompts, i;
1518 int echo = 0;
1519
1520 debug2("input_userauth_info_req");
1521
1522 if (authctxt == NULL)
1523 fatal("input_userauth_info_req: no authentication context");
1524
1525 authctxt->info_req_seen = 1;
1526
1527 name = packet_get_string(NULL);
1528 inst = packet_get_string(NULL);
1529 lang = packet_get_string(NULL);
1530 if (strlen(name) > 0)
1531 logit("%s", name);
1532 if (strlen(inst) > 0)
1533 logit("%s", inst);
1534 xfree(name);
1535 xfree(inst);
1536 xfree(lang);
1537
1538 num_prompts = packet_get_int();
1539 /*
1540 * Begin to build info response packet based on prompts requested.
1541 * We commit to providing the correct number of responses, so if
1542 * further on we run into a problem that prevents this, we have to
1543 * be sure and clean this up and send a correct error response.
1544 */
1545 packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
1546 packet_put_int(num_prompts);
1547
1548 debug2("input_userauth_info_req: num_prompts %d", num_prompts);
1549 for (i = 0; i < num_prompts; i++) {
1550 prompt = packet_get_string(NULL);
1551 echo = packet_get_char();
1552
1553 response = read_passphrase(prompt, echo ? RP_ECHO : 0);
1554
1555 packet_put_cstring(response);
1556 memset(response, 0, strlen(response));
1557 xfree(response);
1558 xfree(prompt);
1559 }
1560 packet_check_eom(); /* done with parsing incoming message. */
1561
1562 packet_add_padding(64);
1563 packet_send();
1564}
1565
1566static int
1567ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
1568 u_char *data, u_int datalen)
1569{
1570 Buffer b;
1571 struct stat st;
1572 pid_t pid;
1573 int to[2], from[2], status, version = 2;
1574
1575 debug2("ssh_keysign called");
1576
1577 if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
1578 error("ssh_keysign: not installed: %s", strerror(errno));
1579 return -1;
1580 }
1581 if (fflush(stdout) != 0)
1582 error("ssh_keysign: fflush: %s", strerror(errno));
1583 if (pipe(to) < 0) {
1584 error("ssh_keysign: pipe: %s", strerror(errno));
1585 return -1;
1586 }
1587 if (pipe(from) < 0) {
1588 error("ssh_keysign: pipe: %s", strerror(errno));
1589 return -1;
1590 }
1591 if ((pid = fork()) < 0) {
1592 error("ssh_keysign: fork: %s", strerror(errno));
1593 return -1;
1594 }
1595 if (pid == 0) {
1596 /* keep the socket on exec */
1597 fcntl(packet_get_connection_in(), F_SETFD, 0);
1598 permanently_drop_suid(getuid());
1599 close(from[0]);
1600 if (dup2(from[1], STDOUT_FILENO) < 0)
1601 fatal("ssh_keysign: dup2: %s", strerror(errno));
1602 close(to[1]);
1603 if (dup2(to[0], STDIN_FILENO) < 0)
1604 fatal("ssh_keysign: dup2: %s", strerror(errno));
1605 close(from[1]);
1606 close(to[0]);
1607 execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
1608 fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
1609 strerror(errno));
1610 }
1611 close(from[1]);
1612 close(to[0]);
1613
1614 buffer_init(&b);
1615 buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
1616 buffer_put_string(&b, data, datalen);
1617 if (ssh_msg_send(to[1], version, &b) == -1)
1618 fatal("ssh_keysign: couldn't send request");
1619
1620 if (ssh_msg_recv(from[0], &b) < 0) {
1621 error("ssh_keysign: no reply");
1622 buffer_free(&b);
1623 return -1;
1624 }
1625 close(from[0]);
1626 close(to[1]);
1627
1628 while (waitpid(pid, &status, 0) < 0)
1629 if (errno != EINTR)
1630 break;
1631
1632 if (buffer_get_char(&b) != version) {
1633 error("ssh_keysign: bad version");
1634 buffer_free(&b);
1635 return -1;
1636 }
1637 *sigp = buffer_get_string(&b, lenp);
1638 buffer_free(&b);
1639
1640 return 0;
1641}
1642
1643int
1644userauth_hostbased(Authctxt *authctxt)
1645{
1646 Key *private = NULL;
1647 Sensitive *sensitive = authctxt->sensitive;
1648 Buffer b;
1649 u_char *signature, *blob;
1650 char *chost, *pkalg, *p;
1651 const char *service;
1652 u_int blen, slen;
1653 int ok, i, found = 0;
1654
1655 /* check for a useful key */
1656 for (i = 0; i < sensitive->nkeys; i++) {
1657 private = sensitive->keys[i];
1658 if (private && private->type != KEY_RSA1) {
1659 found = 1;
1660 /* we take and free the key */
1661 sensitive->keys[i] = NULL;
1662 break;
1663 }
1664 }
1665 if (!found) {
1666 debug("No more client hostkeys for hostbased authentication.");
1667 return 0;
1668 }
1669 if (key_to_blob(private, &blob, &blen) == 0) {
1670 key_free(private);
1671 return 0;
1672 }
1673 /* figure out a name for the client host */
1674 p = get_local_name(packet_get_connection_in());
1675 if (p == NULL) {
1676 error("userauth_hostbased: cannot get local ipaddr/name");
1677 key_free(private);
1678 xfree(blob);
1679 return 0;
1680 }
1681 xasprintf(&chost, "%s.", p);
1682 debug2("userauth_hostbased: chost %s", chost);
1683 xfree(p);
1684
1685 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
1686 authctxt->service;
1687 pkalg = xstrdup(key_ssh_name(private));
1688 buffer_init(&b);
1689 /* construct data */
1690 buffer_put_string(&b, session_id2, session_id2_len);
1691 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1692 buffer_put_cstring(&b, authctxt->server_user);
1693 buffer_put_cstring(&b, service);
1694 buffer_put_cstring(&b, authctxt->method->name);
1695 buffer_put_cstring(&b, pkalg);
1696 buffer_put_string(&b, blob, blen);
1697 buffer_put_cstring(&b, chost);
1698 buffer_put_cstring(&b, authctxt->local_user);
1699#ifdef DEBUG_PK
1700 buffer_dump(&b);
1701#endif
1702 if (sensitive->external_keysign)
1703 ok = ssh_keysign(private, &signature, &slen,
1704 buffer_ptr(&b), buffer_len(&b));
1705 else
1706 ok = key_sign(private, &signature, &slen,
1707 buffer_ptr(&b), buffer_len(&b));
1708 key_free(private);
1709 buffer_free(&b);
1710 if (ok != 0) {
1711 error("key_sign failed");
1712 xfree(chost);
1713 xfree(pkalg);
1714 xfree(blob);
1715 return 0;
1716 }
1717 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1718 packet_put_cstring(authctxt->server_user);
1719 packet_put_cstring(authctxt->service);
1720 packet_put_cstring(authctxt->method->name);
1721 packet_put_cstring(pkalg);
1722 packet_put_string(blob, blen);
1723 packet_put_cstring(chost);
1724 packet_put_cstring(authctxt->local_user);
1725 packet_put_string(signature, slen);
1726 memset(signature, 's', slen);
1727 xfree(signature);
1728 xfree(chost);
1729 xfree(pkalg);
1730 xfree(blob);
1731
1732 packet_send();
1733 return 1;
1734}
1735
1736#ifdef JPAKE
1737int
1738userauth_jpake(Authctxt *authctxt)
1739{
1740 struct jpake_ctx *pctx;
1741 u_char *x1_proof, *x2_proof;
1742 u_int x1_proof_len, x2_proof_len;
1743 static int attempt = 0; /* XXX share with userauth_password's? */
1744
1745 if (attempt++ >= options.number_of_password_prompts)
1746 return 0;
1747 if (attempt != 1)
1748 error("Permission denied, please try again.");
1749
1750 if (authctxt->methoddata != NULL)
1751 fatal("%s: authctxt->methoddata already set (%p)",
1752 __func__, authctxt->methoddata);
1753
1754 authctxt->methoddata = pctx = jpake_new();
1755
1756 /*
1757 * Send request immediately, to get the protocol going while
1758 * we do the initial computations.
1759 */
1760 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1761 packet_put_cstring(authctxt->server_user);
1762 packet_put_cstring(authctxt->service);
1763 packet_put_cstring(authctxt->method->name);
1764 packet_send();
1765 packet_write_wait();
1766
1767 jpake_step1(pctx->grp,
1768 &pctx->client_id, &pctx->client_id_len,
1769 &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
1770 &x1_proof, &x1_proof_len,
1771 &x2_proof, &x2_proof_len);
1772
1773 JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
1774
1775 packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
1776 packet_put_string(pctx->client_id, pctx->client_id_len);
1777 packet_put_bignum2(pctx->g_x1);
1778 packet_put_bignum2(pctx->g_x2);
1779 packet_put_string(x1_proof, x1_proof_len);
1780 packet_put_string(x2_proof, x2_proof_len);
1781 packet_send();
1782
1783 bzero(x1_proof, x1_proof_len);
1784 bzero(x2_proof, x2_proof_len);
1785 xfree(x1_proof);
1786 xfree(x2_proof);
1787
1788 /* Expect step 1 packet from peer */
1789 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
1790 input_userauth_jpake_server_step1);
1791 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS,
1792 &input_userauth_success_unexpected);
1793
1794 return 1;
1795}
1796
1797void
1798userauth_jpake_cleanup(Authctxt *authctxt)
1799{
1800 debug3("%s: clean up", __func__);
1801 if (authctxt->methoddata != NULL) {
1802 jpake_free(authctxt->methoddata);
1803 authctxt->methoddata = NULL;
1804 }
1805 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
1806}
1807#endif /* JPAKE */
1808
1809/* find auth method */
1810
1811/*
1812 * given auth method name, if configurable options permit this method fill
1813 * in auth_ident field and return true, otherwise return false.
1814 */
1815static int
1816authmethod_is_enabled(Authmethod *method)
1817{
1818 if (method == NULL)
1819 return 0;
1820 /* return false if options indicate this method is disabled */
1821 if (method->enabled == NULL || *method->enabled == 0)
1822 return 0;
1823 /* return false if batch mode is enabled but method needs interactive mode */
1824 if (method->batch_flag != NULL && *method->batch_flag != 0)
1825 return 0;
1826 return 1;
1827}
1828
1829static Authmethod *
1830authmethod_lookup(const char *name)
1831{
1832 Authmethod *method = NULL;
1833 if (name != NULL)
1834 for (method = authmethods; method->name != NULL; method++)
1835 if (strcmp(name, method->name) == 0)
1836 return method;
1837 debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
1838 return NULL;
1839}
1840
1841/* XXX internal state */
1842static Authmethod *current = NULL;
1843static char *supported = NULL;
1844static char *preferred = NULL;
1845
1846/*
1847 * Given the authentication method list sent by the server, return the
1848 * next method we should try. If the server initially sends a nil list,
1849 * use a built-in default list.
1850 */
1851static Authmethod *
1852authmethod_get(char *authlist)
1853{
1854 char *name = NULL;
1855 u_int next;
1856
1857 /* Use a suitable default if we're passed a nil list. */
1858 if (authlist == NULL || strlen(authlist) == 0)
1859 authlist = options.preferred_authentications;
1860
1861 if (supported == NULL || strcmp(authlist, supported) != 0) {
1862 debug3("start over, passed a different list %s", authlist);
1863 if (supported != NULL)
1864 xfree(supported);
1865 supported = xstrdup(authlist);
1866 preferred = options.preferred_authentications;
1867 debug3("preferred %s", preferred);
1868 current = NULL;
1869 } else if (current != NULL && authmethod_is_enabled(current))
1870 return current;
1871
1872 for (;;) {
1873 if ((name = match_list(preferred, supported, &next)) == NULL) {
1874 debug("No more authentication methods to try.");
1875 current = NULL;
1876 return NULL;
1877 }
1878 preferred += next;
1879 debug3("authmethod_lookup %s", name);
1880 debug3("remaining preferred: %s", preferred);
1881 if ((current = authmethod_lookup(name)) != NULL &&
1882 authmethod_is_enabled(current)) {
1883 debug3("authmethod_is_enabled %s", name);
1884 debug("Next authentication method: %s", name);
1885 return current;
1886 }
1887 }
1888}
1889
1890static char *
1891authmethods_get(void)
1892{
1893 Authmethod *method = NULL;
1894 Buffer b;
1895 char *list;
1896
1897 buffer_init(&b);
1898 for (method = authmethods; method->name != NULL; method++) {
1899 if (authmethod_is_enabled(method)) {
1900 if (buffer_len(&b) > 0)
1901 buffer_append(&b, ",", 1);
1902 buffer_append(&b, method->name, strlen(method->name));
1903 }
1904 }
1905 buffer_append(&b, "\0", 1);
1906 list = xstrdup(buffer_ptr(&b));
1907 buffer_free(&b);
1908 return list;
1909}
1910
2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <sys/wait.h>
30#include <sys/queue.h>
31#include <sys/stat.h>
32
33#include <errno.h>
34#include <fcntl.h>
35#include <netdb.h>
36#include <stdio.h>
37#include <string.h>
38#include <signal.h>
39#include <pwd.h>
40#include <unistd.h>
41#include <vis.h>
42
43#include "xmalloc.h"
44#include "ssh.h"
45#include "ssh2.h"
46#include "buffer.h"
47#include "packet.h"
48#include "compat.h"
49#include "cipher.h"
50#include "key.h"
51#include "kex.h"
52#include "myproposal.h"
53#include "sshconnect.h"
54#include "authfile.h"
55#include "dh.h"
56#include "authfd.h"
57#include "log.h"
58#include "readconf.h"
59#include "misc.h"
60#include "match.h"
61#include "dispatch.h"
62#include "canohost.h"
63#include "msg.h"
64#include "pathnames.h"
65#include "uidswap.h"
66#include "hostfile.h"
67#include "schnorr.h"
68#include "jpake.h"
69
70#ifdef GSSAPI
71#include "ssh-gss.h"
72#endif
73
74/* import */
75extern char *client_version_string;
76extern char *server_version_string;
77extern Options options;
78
79/*
80 * SSH2 key exchange
81 */
82
83u_char *session_id2 = NULL;
84u_int session_id2_len = 0;
85
86char *xxx_host;
87struct sockaddr *xxx_hostaddr;
88
89Kex *xxx_kex = NULL;
90
91static int
92verify_host_key_callback(Key *hostkey)
93{
94 if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
95 fatal("Host key verification failed.");
96 return 0;
97}
98
99static char *
100order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
101{
102 char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
103 size_t maxlen;
104 struct hostkeys *hostkeys;
105 int ktype;
106
107 /* Find all hostkeys for this hostname */
108 get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL);
109 hostkeys = init_hostkeys();
110 load_hostkeys(hostkeys, hostname, options.user_hostfile2);
111 load_hostkeys(hostkeys, hostname, options.system_hostfile2);
112 load_hostkeys(hostkeys, hostname, options.user_hostfile);
113 load_hostkeys(hostkeys, hostname, options.system_hostfile);
114
115 oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
116 maxlen = strlen(avail) + 1;
117 first = xmalloc(maxlen);
118 last = xmalloc(maxlen);
119 *first = *last = '\0';
120
121#define ALG_APPEND(to, from) \
122 do { \
123 if (*to != '\0') \
124 strlcat(to, ",", maxlen); \
125 strlcat(to, from, maxlen); \
126 } while (0)
127
128 while ((alg = strsep(&avail, ",")) && *alg != '\0') {
129 if ((ktype = key_type_from_name(alg)) == KEY_UNSPEC)
130 fatal("%s: unknown alg %s", __func__, alg);
131 if (lookup_key_in_hostkeys_by_type(hostkeys,
132 key_type_plain(ktype), NULL))
133 ALG_APPEND(first, alg);
134 else
135 ALG_APPEND(last, alg);
136 }
137#undef ALG_APPEND
138 xasprintf(&ret, "%s%s%s", first, *first == '\0' ? "" : ",", last);
139 if (*first != '\0')
140 debug3("%s: prefer hostkeyalgs: %s", __func__, first);
141
142 xfree(first);
143 xfree(last);
144 xfree(hostname);
145 xfree(oavail);
146 free_hostkeys(hostkeys);
147
148 return ret;
149}
150
151void
152ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
153{
154 Kex *kex;
155
156 xxx_host = host;
157 xxx_hostaddr = hostaddr;
158
159 if (options.ciphers == (char *)-1) {
160 logit("No valid ciphers for protocol version 2 given, using defaults.");
161 options.ciphers = NULL;
162 }
163 if (options.ciphers != NULL) {
164 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
165 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
166 }
167 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
168 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
169 myproposal[PROPOSAL_ENC_ALGS_STOC] =
170 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
171 if (options.compression) {
172 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
173 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
174 } else {
175 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
176 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
177 }
178 if (options.macs != NULL) {
179 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
180 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
181 }
182 if (options.hostkeyalgorithms != NULL)
183 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
184 options.hostkeyalgorithms;
185 else {
186 /* Prefer algorithms that we already have keys for */
187 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
188 order_hostkeyalgs(host, hostaddr, port);
189 }
190 if (options.kex_algorithms != NULL)
191 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
192
193 if (options.rekey_limit)
194 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
195
196 /* start key exchange */
197 kex = kex_setup(myproposal);
198 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
199 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
200 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
201 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
202 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
203 kex->client_version_string=client_version_string;
204 kex->server_version_string=server_version_string;
205 kex->verify_host_key=&verify_host_key_callback;
206
207 xxx_kex = kex;
208
209 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
210
211 if (options.use_roaming && !kex->roaming) {
212 debug("Roaming not allowed by server");
213 options.use_roaming = 0;
214 }
215
216 session_id2 = kex->session_id;
217 session_id2_len = kex->session_id_len;
218
219#ifdef DEBUG_KEXDH
220 /* send 1st encrypted/maced/compressed message */
221 packet_start(SSH2_MSG_IGNORE);
222 packet_put_cstring("markus");
223 packet_send();
224 packet_write_wait();
225#endif
226}
227
228/*
229 * Authenticate user
230 */
231
232typedef struct Authctxt Authctxt;
233typedef struct Authmethod Authmethod;
234typedef struct identity Identity;
235typedef struct idlist Idlist;
236
237struct identity {
238 TAILQ_ENTRY(identity) next;
239 AuthenticationConnection *ac; /* set if agent supports key */
240 Key *key; /* public/private key */
241 char *filename; /* comment for agent-only keys */
242 int tried;
243 int isprivate; /* key points to the private key */
244};
245TAILQ_HEAD(idlist, identity);
246
247struct Authctxt {
248 const char *server_user;
249 const char *local_user;
250 const char *host;
251 const char *service;
252 Authmethod *method;
253 sig_atomic_t success;
254 char *authlist;
255 /* pubkey */
256 Idlist keys;
257 AuthenticationConnection *agent;
258 /* hostbased */
259 Sensitive *sensitive;
260 /* kbd-interactive */
261 int info_req_seen;
262 /* generic */
263 void *methoddata;
264};
265struct Authmethod {
266 char *name; /* string to compare against server's list */
267 int (*userauth)(Authctxt *authctxt);
268 void (*cleanup)(Authctxt *authctxt);
269 int *enabled; /* flag in option struct that enables method */
270 int *batch_flag; /* flag in option struct that disables method */
271};
272
273void input_userauth_success(int, u_int32_t, void *);
274void input_userauth_success_unexpected(int, u_int32_t, void *);
275void input_userauth_failure(int, u_int32_t, void *);
276void input_userauth_banner(int, u_int32_t, void *);
277void input_userauth_error(int, u_int32_t, void *);
278void input_userauth_info_req(int, u_int32_t, void *);
279void input_userauth_pk_ok(int, u_int32_t, void *);
280void input_userauth_passwd_changereq(int, u_int32_t, void *);
281void input_userauth_jpake_server_step1(int, u_int32_t, void *);
282void input_userauth_jpake_server_step2(int, u_int32_t, void *);
283void input_userauth_jpake_server_confirm(int, u_int32_t, void *);
284
285int userauth_none(Authctxt *);
286int userauth_pubkey(Authctxt *);
287int userauth_passwd(Authctxt *);
288int userauth_kbdint(Authctxt *);
289int userauth_hostbased(Authctxt *);
290int userauth_jpake(Authctxt *);
291
292void userauth_jpake_cleanup(Authctxt *);
293
294#ifdef GSSAPI
295int userauth_gssapi(Authctxt *authctxt);
296void input_gssapi_response(int type, u_int32_t, void *);
297void input_gssapi_token(int type, u_int32_t, void *);
298void input_gssapi_hash(int type, u_int32_t, void *);
299void input_gssapi_error(int, u_int32_t, void *);
300void input_gssapi_errtok(int, u_int32_t, void *);
301#endif
302
303void userauth(Authctxt *, char *);
304
305static int sign_and_send_pubkey(Authctxt *, Identity *);
306static void pubkey_prepare(Authctxt *);
307static void pubkey_cleanup(Authctxt *);
308static Key *load_identity_file(char *);
309
310static Authmethod *authmethod_get(char *authlist);
311static Authmethod *authmethod_lookup(const char *name);
312static char *authmethods_get(void);
313
314Authmethod authmethods[] = {
315#ifdef GSSAPI
316 {"gssapi-with-mic",
317 userauth_gssapi,
318 NULL,
319 &options.gss_authentication,
320 NULL},
321#endif
322 {"hostbased",
323 userauth_hostbased,
324 NULL,
325 &options.hostbased_authentication,
326 NULL},
327 {"publickey",
328 userauth_pubkey,
329 NULL,
330 &options.pubkey_authentication,
331 NULL},
332#ifdef JPAKE
333 {"jpake-01@openssh.com",
334 userauth_jpake,
335 userauth_jpake_cleanup,
336 &options.zero_knowledge_password_authentication,
337 &options.batch_mode},
338#endif
339 {"keyboard-interactive",
340 userauth_kbdint,
341 NULL,
342 &options.kbd_interactive_authentication,
343 &options.batch_mode},
344 {"password",
345 userauth_passwd,
346 NULL,
347 &options.password_authentication,
348 &options.batch_mode},
349 {"none",
350 userauth_none,
351 NULL,
352 NULL,
353 NULL},
354 {NULL, NULL, NULL, NULL, NULL}
355};
356
357void
358ssh_userauth2(const char *local_user, const char *server_user, char *host,
359 Sensitive *sensitive)
360{
361 Authctxt authctxt;
362 int type;
363
364 if (options.challenge_response_authentication)
365 options.kbd_interactive_authentication = 1;
366
367 packet_start(SSH2_MSG_SERVICE_REQUEST);
368 packet_put_cstring("ssh-userauth");
369 packet_send();
370 debug("SSH2_MSG_SERVICE_REQUEST sent");
371 packet_write_wait();
372 type = packet_read();
373 if (type != SSH2_MSG_SERVICE_ACCEPT)
374 fatal("Server denied authentication request: %d", type);
375 if (packet_remaining() > 0) {
376 char *reply = packet_get_string(NULL);
377 debug2("service_accept: %s", reply);
378 xfree(reply);
379 } else {
380 debug2("buggy server: service_accept w/o service");
381 }
382 packet_check_eom();
383 debug("SSH2_MSG_SERVICE_ACCEPT received");
384
385 if (options.preferred_authentications == NULL)
386 options.preferred_authentications = authmethods_get();
387
388 /* setup authentication context */
389 memset(&authctxt, 0, sizeof(authctxt));
390 pubkey_prepare(&authctxt);
391 authctxt.server_user = server_user;
392 authctxt.local_user = local_user;
393 authctxt.host = host;
394 authctxt.service = "ssh-connection"; /* service name */
395 authctxt.success = 0;
396 authctxt.method = authmethod_lookup("none");
397 authctxt.authlist = NULL;
398 authctxt.methoddata = NULL;
399 authctxt.sensitive = sensitive;
400 authctxt.info_req_seen = 0;
401 if (authctxt.method == NULL)
402 fatal("ssh_userauth2: internal error: cannot send userauth none request");
403
404 /* initial userauth request */
405 userauth_none(&authctxt);
406
407 dispatch_init(&input_userauth_error);
408 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
409 dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
410 dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
411 dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */
412
413 pubkey_cleanup(&authctxt);
414 dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
415
416 debug("Authentication succeeded (%s).", authctxt.method->name);
417}
418
419void
420userauth(Authctxt *authctxt, char *authlist)
421{
422 if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
423 authctxt->method->cleanup(authctxt);
424
425 if (authctxt->methoddata) {
426 xfree(authctxt->methoddata);
427 authctxt->methoddata = NULL;
428 }
429 if (authlist == NULL) {
430 authlist = authctxt->authlist;
431 } else {
432 if (authctxt->authlist)
433 xfree(authctxt->authlist);
434 authctxt->authlist = authlist;
435 }
436 for (;;) {
437 Authmethod *method = authmethod_get(authlist);
438 if (method == NULL)
439 fatal("Permission denied (%s).", authlist);
440 authctxt->method = method;
441
442 /* reset the per method handler */
443 dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
444 SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
445
446 /* and try new method */
447 if (method->userauth(authctxt) != 0) {
448 debug2("we sent a %s packet, wait for reply", method->name);
449 break;
450 } else {
451 debug2("we did not send a packet, disable method");
452 method->enabled = NULL;
453 }
454 }
455}
456
457/* ARGSUSED */
458void
459input_userauth_error(int type, u_int32_t seq, void *ctxt)
460{
461 fatal("input_userauth_error: bad message during authentication: "
462 "type %d", type);
463}
464
465/* ARGSUSED */
466void
467input_userauth_banner(int type, u_int32_t seq, void *ctxt)
468{
469 char *msg, *raw, *lang;
470 u_int len;
471
472 debug3("input_userauth_banner");
473 raw = packet_get_string(&len);
474 lang = packet_get_string(NULL);
475 if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
476 if (len > 65536)
477 len = 65536;
478 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
479 strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
480 fprintf(stderr, "%s", msg);
481 xfree(msg);
482 }
483 xfree(raw);
484 xfree(lang);
485}
486
487/* ARGSUSED */
488void
489input_userauth_success(int type, u_int32_t seq, void *ctxt)
490{
491 Authctxt *authctxt = ctxt;
492
493 if (authctxt == NULL)
494 fatal("input_userauth_success: no authentication context");
495 if (authctxt->authlist) {
496 xfree(authctxt->authlist);
497 authctxt->authlist = NULL;
498 }
499 if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
500 authctxt->method->cleanup(authctxt);
501 if (authctxt->methoddata) {
502 xfree(authctxt->methoddata);
503 authctxt->methoddata = NULL;
504 }
505 authctxt->success = 1; /* break out */
506}
507
508void
509input_userauth_success_unexpected(int type, u_int32_t seq, void *ctxt)
510{
511 Authctxt *authctxt = ctxt;
512
513 if (authctxt == NULL)
514 fatal("%s: no authentication context", __func__);
515
516 fatal("Unexpected authentication success during %s.",
517 authctxt->method->name);
518}
519
520/* ARGSUSED */
521void
522input_userauth_failure(int type, u_int32_t seq, void *ctxt)
523{
524 Authctxt *authctxt = ctxt;
525 char *authlist = NULL;
526 int partial;
527
528 if (authctxt == NULL)
529 fatal("input_userauth_failure: no authentication context");
530
531 authlist = packet_get_string(NULL);
532 partial = packet_get_char();
533 packet_check_eom();
534
535 if (partial != 0)
536 logit("Authenticated with partial success.");
537 debug("Authentications that can continue: %s", authlist);
538
539 userauth(authctxt, authlist);
540}
541
542/* ARGSUSED */
543void
544input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
545{
546 Authctxt *authctxt = ctxt;
547 Key *key = NULL;
548 Identity *id = NULL;
549 Buffer b;
550 int pktype, sent = 0;
551 u_int alen, blen;
552 char *pkalg, *fp;
553 u_char *pkblob;
554
555 if (authctxt == NULL)
556 fatal("input_userauth_pk_ok: no authentication context");
557 if (datafellows & SSH_BUG_PKOK) {
558 /* this is similar to SSH_BUG_PKAUTH */
559 debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
560 pkblob = packet_get_string(&blen);
561 buffer_init(&b);
562 buffer_append(&b, pkblob, blen);
563 pkalg = buffer_get_string(&b, &alen);
564 buffer_free(&b);
565 } else {
566 pkalg = packet_get_string(&alen);
567 pkblob = packet_get_string(&blen);
568 }
569 packet_check_eom();
570
571 debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
572
573 if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
574 debug("unknown pkalg %s", pkalg);
575 goto done;
576 }
577 if ((key = key_from_blob(pkblob, blen)) == NULL) {
578 debug("no key from blob. pkalg %s", pkalg);
579 goto done;
580 }
581 if (key->type != pktype) {
582 error("input_userauth_pk_ok: type mismatch "
583 "for decoded key (received %d, expected %d)",
584 key->type, pktype);
585 goto done;
586 }
587 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
588 debug2("input_userauth_pk_ok: fp %s", fp);
589 xfree(fp);
590
591 /*
592 * search keys in the reverse order, because last candidate has been
593 * moved to the end of the queue. this also avoids confusion by
594 * duplicate keys
595 */
596 TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
597 if (key_equal(key, id->key)) {
598 sent = sign_and_send_pubkey(authctxt, id);
599 break;
600 }
601 }
602done:
603 if (key != NULL)
604 key_free(key);
605 xfree(pkalg);
606 xfree(pkblob);
607
608 /* try another method if we did not send a packet */
609 if (sent == 0)
610 userauth(authctxt, NULL);
611}
612
613#ifdef GSSAPI
614int
615userauth_gssapi(Authctxt *authctxt)
616{
617 Gssctxt *gssctxt = NULL;
618 static gss_OID_set gss_supported = NULL;
619 static u_int mech = 0;
620 OM_uint32 min;
621 int ok = 0;
622
623 /* Try one GSSAPI method at a time, rather than sending them all at
624 * once. */
625
626 if (gss_supported == NULL)
627 gss_indicate_mechs(&min, &gss_supported);
628
629 /* Check to see if the mechanism is usable before we offer it */
630 while (mech < gss_supported->count && !ok) {
631 /* My DER encoding requires length<128 */
632 if (gss_supported->elements[mech].length < 128 &&
633 ssh_gssapi_check_mechanism(&gssctxt,
634 &gss_supported->elements[mech], authctxt->host)) {
635 ok = 1; /* Mechanism works */
636 } else {
637 mech++;
638 }
639 }
640
641 if (!ok)
642 return 0;
643
644 authctxt->methoddata=(void *)gssctxt;
645
646 packet_start(SSH2_MSG_USERAUTH_REQUEST);
647 packet_put_cstring(authctxt->server_user);
648 packet_put_cstring(authctxt->service);
649 packet_put_cstring(authctxt->method->name);
650
651 packet_put_int(1);
652
653 packet_put_int((gss_supported->elements[mech].length) + 2);
654 packet_put_char(SSH_GSS_OIDTYPE);
655 packet_put_char(gss_supported->elements[mech].length);
656 packet_put_raw(gss_supported->elements[mech].elements,
657 gss_supported->elements[mech].length);
658
659 packet_send();
660
661 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
662 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
663 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
664 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
665
666 mech++; /* Move along to next candidate */
667
668 return 1;
669}
670
671static OM_uint32
672process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
673{
674 Authctxt *authctxt = ctxt;
675 Gssctxt *gssctxt = authctxt->methoddata;
676 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
677 gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
678 gss_buffer_desc gssbuf;
679 OM_uint32 status, ms, flags;
680 Buffer b;
681
682 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
683 recv_tok, &send_tok, &flags);
684
685 if (send_tok.length > 0) {
686 if (GSS_ERROR(status))
687 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
688 else
689 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
690
691 packet_put_string(send_tok.value, send_tok.length);
692 packet_send();
693 gss_release_buffer(&ms, &send_tok);
694 }
695
696 if (status == GSS_S_COMPLETE) {
697 /* send either complete or MIC, depending on mechanism */
698 if (!(flags & GSS_C_INTEG_FLAG)) {
699 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
700 packet_send();
701 } else {
702 ssh_gssapi_buildmic(&b, authctxt->server_user,
703 authctxt->service, "gssapi-with-mic");
704
705 gssbuf.value = buffer_ptr(&b);
706 gssbuf.length = buffer_len(&b);
707
708 status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
709
710 if (!GSS_ERROR(status)) {
711 packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
712 packet_put_string(mic.value, mic.length);
713
714 packet_send();
715 }
716
717 buffer_free(&b);
718 gss_release_buffer(&ms, &mic);
719 }
720 }
721
722 return status;
723}
724
725/* ARGSUSED */
726void
727input_gssapi_response(int type, u_int32_t plen, void *ctxt)
728{
729 Authctxt *authctxt = ctxt;
730 Gssctxt *gssctxt;
731 int oidlen;
732 char *oidv;
733
734 if (authctxt == NULL)
735 fatal("input_gssapi_response: no authentication context");
736 gssctxt = authctxt->methoddata;
737
738 /* Setup our OID */
739 oidv = packet_get_string(&oidlen);
740
741 if (oidlen <= 2 ||
742 oidv[0] != SSH_GSS_OIDTYPE ||
743 oidv[1] != oidlen - 2) {
744 xfree(oidv);
745 debug("Badly encoded mechanism OID received");
746 userauth(authctxt, NULL);
747 return;
748 }
749
750 if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
751 fatal("Server returned different OID than expected");
752
753 packet_check_eom();
754
755 xfree(oidv);
756
757 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
758 /* Start again with next method on list */
759 debug("Trying to start again");
760 userauth(authctxt, NULL);
761 return;
762 }
763}
764
765/* ARGSUSED */
766void
767input_gssapi_token(int type, u_int32_t plen, void *ctxt)
768{
769 Authctxt *authctxt = ctxt;
770 gss_buffer_desc recv_tok;
771 OM_uint32 status;
772 u_int slen;
773
774 if (authctxt == NULL)
775 fatal("input_gssapi_response: no authentication context");
776
777 recv_tok.value = packet_get_string(&slen);
778 recv_tok.length = slen; /* safe typecast */
779
780 packet_check_eom();
781
782 status = process_gssapi_token(ctxt, &recv_tok);
783
784 xfree(recv_tok.value);
785
786 if (GSS_ERROR(status)) {
787 /* Start again with the next method in the list */
788 userauth(authctxt, NULL);
789 return;
790 }
791}
792
793/* ARGSUSED */
794void
795input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
796{
797 Authctxt *authctxt = ctxt;
798 Gssctxt *gssctxt;
799 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
800 gss_buffer_desc recv_tok;
801 OM_uint32 status, ms;
802 u_int len;
803
804 if (authctxt == NULL)
805 fatal("input_gssapi_response: no authentication context");
806 gssctxt = authctxt->methoddata;
807
808 recv_tok.value = packet_get_string(&len);
809 recv_tok.length = len;
810
811 packet_check_eom();
812
813 /* Stick it into GSSAPI and see what it says */
814 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
815 &recv_tok, &send_tok, NULL);
816
817 xfree(recv_tok.value);
818 gss_release_buffer(&ms, &send_tok);
819
820 /* Server will be returning a failed packet after this one */
821}
822
823/* ARGSUSED */
824void
825input_gssapi_error(int type, u_int32_t plen, void *ctxt)
826{
827 OM_uint32 maj, min;
828 char *msg;
829 char *lang;
830
831 maj=packet_get_int();
832 min=packet_get_int();
833 msg=packet_get_string(NULL);
834 lang=packet_get_string(NULL);
835
836 packet_check_eom();
837
838 debug("Server GSSAPI Error:\n%s", msg);
839 xfree(msg);
840 xfree(lang);
841}
842#endif /* GSSAPI */
843
844int
845userauth_none(Authctxt *authctxt)
846{
847 /* initial userauth request */
848 packet_start(SSH2_MSG_USERAUTH_REQUEST);
849 packet_put_cstring(authctxt->server_user);
850 packet_put_cstring(authctxt->service);
851 packet_put_cstring(authctxt->method->name);
852 packet_send();
853 return 1;
854}
855
856int
857userauth_passwd(Authctxt *authctxt)
858{
859 static int attempt = 0;
860 char prompt[150];
861 char *password;
862 const char *host = options.host_key_alias ? options.host_key_alias :
863 authctxt->host;
864
865 if (attempt++ >= options.number_of_password_prompts)
866 return 0;
867
868 if (attempt != 1)
869 error("Permission denied, please try again.");
870
871 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
872 authctxt->server_user, host);
873 password = read_passphrase(prompt, 0);
874 packet_start(SSH2_MSG_USERAUTH_REQUEST);
875 packet_put_cstring(authctxt->server_user);
876 packet_put_cstring(authctxt->service);
877 packet_put_cstring(authctxt->method->name);
878 packet_put_char(0);
879 packet_put_cstring(password);
880 memset(password, 0, strlen(password));
881 xfree(password);
882 packet_add_padding(64);
883 packet_send();
884
885 dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
886 &input_userauth_passwd_changereq);
887
888 return 1;
889}
890
891/*
892 * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
893 */
894/* ARGSUSED */
895void
896input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
897{
898 Authctxt *authctxt = ctxt;
899 char *info, *lang, *password = NULL, *retype = NULL;
900 char prompt[150];
901 const char *host = options.host_key_alias ? options.host_key_alias :
902 authctxt->host;
903
904 debug2("input_userauth_passwd_changereq");
905
906 if (authctxt == NULL)
907 fatal("input_userauth_passwd_changereq: "
908 "no authentication context");
909
910 info = packet_get_string(NULL);
911 lang = packet_get_string(NULL);
912 if (strlen(info) > 0)
913 logit("%s", info);
914 xfree(info);
915 xfree(lang);
916 packet_start(SSH2_MSG_USERAUTH_REQUEST);
917 packet_put_cstring(authctxt->server_user);
918 packet_put_cstring(authctxt->service);
919 packet_put_cstring(authctxt->method->name);
920 packet_put_char(1); /* additional info */
921 snprintf(prompt, sizeof(prompt),
922 "Enter %.30s@%.128s's old password: ",
923 authctxt->server_user, host);
924 password = read_passphrase(prompt, 0);
925 packet_put_cstring(password);
926 memset(password, 0, strlen(password));
927 xfree(password);
928 password = NULL;
929 while (password == NULL) {
930 snprintf(prompt, sizeof(prompt),
931 "Enter %.30s@%.128s's new password: ",
932 authctxt->server_user, host);
933 password = read_passphrase(prompt, RP_ALLOW_EOF);
934 if (password == NULL) {
935 /* bail out */
936 return;
937 }
938 snprintf(prompt, sizeof(prompt),
939 "Retype %.30s@%.128s's new password: ",
940 authctxt->server_user, host);
941 retype = read_passphrase(prompt, 0);
942 if (strcmp(password, retype) != 0) {
943 memset(password, 0, strlen(password));
944 xfree(password);
945 logit("Mismatch; try again, EOF to quit.");
946 password = NULL;
947 }
948 memset(retype, 0, strlen(retype));
949 xfree(retype);
950 }
951 packet_put_cstring(password);
952 memset(password, 0, strlen(password));
953 xfree(password);
954 packet_add_padding(64);
955 packet_send();
956
957 dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
958 &input_userauth_passwd_changereq);
959}
960
961#ifdef JPAKE
962static char *
963pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
964{
965 /* OpenBSD crypt(3) handles all of these */
966 if (strcmp(crypt_scheme, "crypt") == 0 ||
967 strcmp(crypt_scheme, "bcrypt") == 0 ||
968 strcmp(crypt_scheme, "md5crypt") == 0 ||
969 strcmp(crypt_scheme, "crypt-extended") == 0)
970 return xstrdup(crypt(password, salt));
971 error("%s: unsupported password encryption scheme \"%.100s\"",
972 __func__, crypt_scheme);
973 return NULL;
974}
975
976static BIGNUM *
977jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
978 const char *salt)
979{
980 char prompt[256], *password, *crypted;
981 u_char *secret;
982 u_int secret_len;
983 BIGNUM *ret;
984
985 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
986 authctxt->server_user, authctxt->host);
987 password = read_passphrase(prompt, 0);
988
989 if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
990 logit("Disabling %s authentication", authctxt->method->name);
991 authctxt->method->enabled = NULL;
992 /* Continue with an empty password to fail gracefully */
993 crypted = xstrdup("");
994 }
995
996#ifdef JPAKE_DEBUG
997 debug3("%s: salt = %s", __func__, salt);
998 debug3("%s: scheme = %s", __func__, crypt_scheme);
999 debug3("%s: crypted = %s", __func__, crypted);
1000#endif
1001
1002 if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
1003 &secret, &secret_len) != 0)
1004 fatal("%s: hash_buffer", __func__);
1005
1006 bzero(password, strlen(password));
1007 bzero(crypted, strlen(crypted));
1008 xfree(password);
1009 xfree(crypted);
1010
1011 if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
1012 fatal("%s: BN_bin2bn (secret)", __func__);
1013 bzero(secret, secret_len);
1014 xfree(secret);
1015
1016 return ret;
1017}
1018
1019/* ARGSUSED */
1020void
1021input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1022{
1023 Authctxt *authctxt = ctxt;
1024 struct jpake_ctx *pctx = authctxt->methoddata;
1025 u_char *x3_proof, *x4_proof, *x2_s_proof;
1026 u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
1027 char *crypt_scheme, *salt;
1028
1029 /* Disable this message */
1030 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
1031
1032 if ((pctx->g_x3 = BN_new()) == NULL ||
1033 (pctx->g_x4 = BN_new()) == NULL)
1034 fatal("%s: BN_new", __func__);
1035
1036 /* Fetch step 1 values */
1037 crypt_scheme = packet_get_string(NULL);
1038 salt = packet_get_string(NULL);
1039 pctx->server_id = packet_get_string(&pctx->server_id_len);
1040 packet_get_bignum2(pctx->g_x3);
1041 packet_get_bignum2(pctx->g_x4);
1042 x3_proof = packet_get_string(&x3_proof_len);
1043 x4_proof = packet_get_string(&x4_proof_len);
1044 packet_check_eom();
1045
1046 JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
1047
1048 /* Obtain password and derive secret */
1049 pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
1050 bzero(crypt_scheme, strlen(crypt_scheme));
1051 bzero(salt, strlen(salt));
1052 xfree(crypt_scheme);
1053 xfree(salt);
1054 JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
1055
1056 /* Calculate step 2 values */
1057 jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
1058 pctx->g_x3, pctx->g_x4, pctx->x2,
1059 pctx->server_id, pctx->server_id_len,
1060 pctx->client_id, pctx->client_id_len,
1061 x3_proof, x3_proof_len,
1062 x4_proof, x4_proof_len,
1063 &pctx->a,
1064 &x2_s_proof, &x2_s_proof_len);
1065
1066 bzero(x3_proof, x3_proof_len);
1067 bzero(x4_proof, x4_proof_len);
1068 xfree(x3_proof);
1069 xfree(x4_proof);
1070
1071 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
1072
1073 /* Send values for step 2 */
1074 packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
1075 packet_put_bignum2(pctx->a);
1076 packet_put_string(x2_s_proof, x2_s_proof_len);
1077 packet_send();
1078
1079 bzero(x2_s_proof, x2_s_proof_len);
1080 xfree(x2_s_proof);
1081
1082 /* Expect step 2 packet from peer */
1083 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
1084 input_userauth_jpake_server_step2);
1085}
1086
1087/* ARGSUSED */
1088void
1089input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
1090{
1091 Authctxt *authctxt = ctxt;
1092 struct jpake_ctx *pctx = authctxt->methoddata;
1093 u_char *x4_s_proof;
1094 u_int x4_s_proof_len;
1095
1096 /* Disable this message */
1097 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
1098
1099 if ((pctx->b = BN_new()) == NULL)
1100 fatal("%s: BN_new", __func__);
1101
1102 /* Fetch step 2 values */
1103 packet_get_bignum2(pctx->b);
1104 x4_s_proof = packet_get_string(&x4_s_proof_len);
1105 packet_check_eom();
1106
1107 JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
1108
1109 /* Derive shared key and calculate confirmation hash */
1110 jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
1111 pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
1112 pctx->client_id, pctx->client_id_len,
1113 pctx->server_id, pctx->server_id_len,
1114 session_id2, session_id2_len,
1115 x4_s_proof, x4_s_proof_len,
1116 &pctx->k,
1117 &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
1118
1119 bzero(x4_s_proof, x4_s_proof_len);
1120 xfree(x4_s_proof);
1121
1122 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
1123
1124 /* Send key confirmation proof */
1125 packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
1126 packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
1127 packet_send();
1128
1129 /* Expect confirmation from peer */
1130 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
1131 input_userauth_jpake_server_confirm);
1132}
1133
1134/* ARGSUSED */
1135void
1136input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
1137{
1138 Authctxt *authctxt = ctxt;
1139 struct jpake_ctx *pctx = authctxt->methoddata;
1140
1141 /* Disable this message */
1142 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
1143
1144 pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
1145 packet_check_eom();
1146
1147 JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
1148
1149 /* Verify expected confirmation hash */
1150 if (jpake_check_confirm(pctx->k,
1151 pctx->server_id, pctx->server_id_len,
1152 session_id2, session_id2_len,
1153 pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
1154 debug("%s: %s success", __func__, authctxt->method->name);
1155 else {
1156 debug("%s: confirmation mismatch", __func__);
1157 /* XXX stash this so if auth succeeds then we can warn/kill */
1158 }
1159
1160 userauth_jpake_cleanup(authctxt);
1161}
1162#endif /* JPAKE */
1163
1164static int
1165identity_sign(Identity *id, u_char **sigp, u_int *lenp,
1166 u_char *data, u_int datalen)
1167{
1168 Key *prv;
1169 int ret;
1170
1171 /* the agent supports this key */
1172 if (id->ac)
1173 return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
1174 data, datalen));
1175 /*
1176 * we have already loaded the private key or
1177 * the private key is stored in external hardware
1178 */
1179 if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
1180 return (key_sign(id->key, sigp, lenp, data, datalen));
1181 /* load the private key from the file */
1182 if ((prv = load_identity_file(id->filename)) == NULL)
1183 return (-1);
1184 ret = key_sign(prv, sigp, lenp, data, datalen);
1185 key_free(prv);
1186 return (ret);
1187}
1188
1189static int
1190sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1191{
1192 Buffer b;
1193 u_char *blob, *signature;
1194 u_int bloblen, slen;
1195 u_int skip = 0;
1196 int ret = -1;
1197 int have_sig = 1;
1198 char *fp;
1199
1200 fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
1201 debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
1202 xfree(fp);
1203
1204 if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1205 /* we cannot handle this key */
1206 debug3("sign_and_send_pubkey: cannot handle key");
1207 return 0;
1208 }
1209 /* data to be signed */
1210 buffer_init(&b);
1211 if (datafellows & SSH_OLD_SESSIONID) {
1212 buffer_append(&b, session_id2, session_id2_len);
1213 skip = session_id2_len;
1214 } else {
1215 buffer_put_string(&b, session_id2, session_id2_len);
1216 skip = buffer_len(&b);
1217 }
1218 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1219 buffer_put_cstring(&b, authctxt->server_user);
1220 buffer_put_cstring(&b,
1221 datafellows & SSH_BUG_PKSERVICE ?
1222 "ssh-userauth" :
1223 authctxt->service);
1224 if (datafellows & SSH_BUG_PKAUTH) {
1225 buffer_put_char(&b, have_sig);
1226 } else {
1227 buffer_put_cstring(&b, authctxt->method->name);
1228 buffer_put_char(&b, have_sig);
1229 buffer_put_cstring(&b, key_ssh_name(id->key));
1230 }
1231 buffer_put_string(&b, blob, bloblen);
1232
1233 /* generate signature */
1234 ret = identity_sign(id, &signature, &slen,
1235 buffer_ptr(&b), buffer_len(&b));
1236 if (ret == -1) {
1237 xfree(blob);
1238 buffer_free(&b);
1239 return 0;
1240 }
1241#ifdef DEBUG_PK
1242 buffer_dump(&b);
1243#endif
1244 if (datafellows & SSH_BUG_PKSERVICE) {
1245 buffer_clear(&b);
1246 buffer_append(&b, session_id2, session_id2_len);
1247 skip = session_id2_len;
1248 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1249 buffer_put_cstring(&b, authctxt->server_user);
1250 buffer_put_cstring(&b, authctxt->service);
1251 buffer_put_cstring(&b, authctxt->method->name);
1252 buffer_put_char(&b, have_sig);
1253 if (!(datafellows & SSH_BUG_PKAUTH))
1254 buffer_put_cstring(&b, key_ssh_name(id->key));
1255 buffer_put_string(&b, blob, bloblen);
1256 }
1257 xfree(blob);
1258
1259 /* append signature */
1260 buffer_put_string(&b, signature, slen);
1261 xfree(signature);
1262
1263 /* skip session id and packet type */
1264 if (buffer_len(&b) < skip + 1)
1265 fatal("userauth_pubkey: internal error");
1266 buffer_consume(&b, skip + 1);
1267
1268 /* put remaining data from buffer into packet */
1269 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1270 packet_put_raw(buffer_ptr(&b), buffer_len(&b));
1271 buffer_free(&b);
1272 packet_send();
1273
1274 return 1;
1275}
1276
1277static int
1278send_pubkey_test(Authctxt *authctxt, Identity *id)
1279{
1280 u_char *blob;
1281 u_int bloblen, have_sig = 0;
1282
1283 debug3("send_pubkey_test");
1284
1285 if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1286 /* we cannot handle this key */
1287 debug3("send_pubkey_test: cannot handle key");
1288 return 0;
1289 }
1290 /* register callback for USERAUTH_PK_OK message */
1291 dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
1292
1293 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1294 packet_put_cstring(authctxt->server_user);
1295 packet_put_cstring(authctxt->service);
1296 packet_put_cstring(authctxt->method->name);
1297 packet_put_char(have_sig);
1298 if (!(datafellows & SSH_BUG_PKAUTH))
1299 packet_put_cstring(key_ssh_name(id->key));
1300 packet_put_string(blob, bloblen);
1301 xfree(blob);
1302 packet_send();
1303 return 1;
1304}
1305
1306static Key *
1307load_identity_file(char *filename)
1308{
1309 Key *private;
1310 char prompt[300], *passphrase;
1311 int perm_ok = 0, quit, i;
1312 struct stat st;
1313
1314 if (stat(filename, &st) < 0) {
1315 debug3("no such identity: %s", filename);
1316 return NULL;
1317 }
1318 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
1319 if (!perm_ok)
1320 return NULL;
1321 if (private == NULL) {
1322 if (options.batch_mode)
1323 return NULL;
1324 snprintf(prompt, sizeof prompt,
1325 "Enter passphrase for key '%.100s': ", filename);
1326 for (i = 0; i < options.number_of_password_prompts; i++) {
1327 passphrase = read_passphrase(prompt, 0);
1328 if (strcmp(passphrase, "") != 0) {
1329 private = key_load_private_type(KEY_UNSPEC,
1330 filename, passphrase, NULL, NULL);
1331 quit = 0;
1332 } else {
1333 debug2("no passphrase given, try next key");
1334 quit = 1;
1335 }
1336 memset(passphrase, 0, strlen(passphrase));
1337 xfree(passphrase);
1338 if (private != NULL || quit)
1339 break;
1340 debug2("bad passphrase given, try again...");
1341 }
1342 }
1343 return private;
1344}
1345
1346/*
1347 * try keys in the following order:
1348 * 1. agent keys that are found in the config file
1349 * 2. other agent keys
1350 * 3. keys that are only listed in the config file
1351 */
1352static void
1353pubkey_prepare(Authctxt *authctxt)
1354{
1355 Identity *id;
1356 Idlist agent, files, *preferred;
1357 Key *key;
1358 AuthenticationConnection *ac;
1359 char *comment;
1360 int i, found;
1361
1362 TAILQ_INIT(&agent); /* keys from the agent */
1363 TAILQ_INIT(&files); /* keys from the config file */
1364 preferred = &authctxt->keys;
1365 TAILQ_INIT(preferred); /* preferred order of keys */
1366
1367 /* list of keys stored in the filesystem */
1368 for (i = 0; i < options.num_identity_files; i++) {
1369 key = options.identity_keys[i];
1370 if (key && key->type == KEY_RSA1)
1371 continue;
1372 if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
1373 continue;
1374 options.identity_keys[i] = NULL;
1375 id = xcalloc(1, sizeof(*id));
1376 id->key = key;
1377 id->filename = xstrdup(options.identity_files[i]);
1378 TAILQ_INSERT_TAIL(&files, id, next);
1379 }
1380 /* list of keys supported by the agent */
1381 if ((ac = ssh_get_authentication_connection())) {
1382 for (key = ssh_get_first_identity(ac, &comment, 2);
1383 key != NULL;
1384 key = ssh_get_next_identity(ac, &comment, 2)) {
1385 found = 0;
1386 TAILQ_FOREACH(id, &files, next) {
1387 /* agent keys from the config file are preferred */
1388 if (key_equal(key, id->key)) {
1389 key_free(key);
1390 xfree(comment);
1391 TAILQ_REMOVE(&files, id, next);
1392 TAILQ_INSERT_TAIL(preferred, id, next);
1393 id->ac = ac;
1394 found = 1;
1395 break;
1396 }
1397 }
1398 if (!found && !options.identities_only) {
1399 id = xcalloc(1, sizeof(*id));
1400 id->key = key;
1401 id->filename = comment;
1402 id->ac = ac;
1403 TAILQ_INSERT_TAIL(&agent, id, next);
1404 }
1405 }
1406 /* append remaining agent keys */
1407 for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
1408 TAILQ_REMOVE(&agent, id, next);
1409 TAILQ_INSERT_TAIL(preferred, id, next);
1410 }
1411 authctxt->agent = ac;
1412 }
1413 /* append remaining keys from the config file */
1414 for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
1415 TAILQ_REMOVE(&files, id, next);
1416 TAILQ_INSERT_TAIL(preferred, id, next);
1417 }
1418 TAILQ_FOREACH(id, preferred, next) {
1419 debug2("key: %s (%p)", id->filename, id->key);
1420 }
1421}
1422
1423static void
1424pubkey_cleanup(Authctxt *authctxt)
1425{
1426 Identity *id;
1427
1428 if (authctxt->agent != NULL)
1429 ssh_close_authentication_connection(authctxt->agent);
1430 for (id = TAILQ_FIRST(&authctxt->keys); id;
1431 id = TAILQ_FIRST(&authctxt->keys)) {
1432 TAILQ_REMOVE(&authctxt->keys, id, next);
1433 if (id->key)
1434 key_free(id->key);
1435 if (id->filename)
1436 xfree(id->filename);
1437 xfree(id);
1438 }
1439}
1440
1441int
1442userauth_pubkey(Authctxt *authctxt)
1443{
1444 Identity *id;
1445 int sent = 0;
1446
1447 while ((id = TAILQ_FIRST(&authctxt->keys))) {
1448 if (id->tried++)
1449 return (0);
1450 /* move key to the end of the queue */
1451 TAILQ_REMOVE(&authctxt->keys, id, next);
1452 TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
1453 /*
1454 * send a test message if we have the public key. for
1455 * encrypted keys we cannot do this and have to load the
1456 * private key instead
1457 */
1458 if (id->key && id->key->type != KEY_RSA1) {
1459 debug("Offering %s public key: %s", key_type(id->key),
1460 id->filename);
1461 sent = send_pubkey_test(authctxt, id);
1462 } else if (id->key == NULL) {
1463 debug("Trying private key: %s", id->filename);
1464 id->key = load_identity_file(id->filename);
1465 if (id->key != NULL) {
1466 id->isprivate = 1;
1467 sent = sign_and_send_pubkey(authctxt, id);
1468 key_free(id->key);
1469 id->key = NULL;
1470 }
1471 }
1472 if (sent)
1473 return (sent);
1474 }
1475 return (0);
1476}
1477
1478/*
1479 * Send userauth request message specifying keyboard-interactive method.
1480 */
1481int
1482userauth_kbdint(Authctxt *authctxt)
1483{
1484 static int attempt = 0;
1485
1486 if (attempt++ >= options.number_of_password_prompts)
1487 return 0;
1488 /* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1489 if (attempt > 1 && !authctxt->info_req_seen) {
1490 debug3("userauth_kbdint: disable: no info_req_seen");
1491 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
1492 return 0;
1493 }
1494
1495 debug2("userauth_kbdint");
1496 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1497 packet_put_cstring(authctxt->server_user);
1498 packet_put_cstring(authctxt->service);
1499 packet_put_cstring(authctxt->method->name);
1500 packet_put_cstring(""); /* lang */
1501 packet_put_cstring(options.kbd_interactive_devices ?
1502 options.kbd_interactive_devices : "");
1503 packet_send();
1504
1505 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
1506 return 1;
1507}
1508
1509/*
1510 * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1511 */
1512void
1513input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1514{
1515 Authctxt *authctxt = ctxt;
1516 char *name, *inst, *lang, *prompt, *response;
1517 u_int num_prompts, i;
1518 int echo = 0;
1519
1520 debug2("input_userauth_info_req");
1521
1522 if (authctxt == NULL)
1523 fatal("input_userauth_info_req: no authentication context");
1524
1525 authctxt->info_req_seen = 1;
1526
1527 name = packet_get_string(NULL);
1528 inst = packet_get_string(NULL);
1529 lang = packet_get_string(NULL);
1530 if (strlen(name) > 0)
1531 logit("%s", name);
1532 if (strlen(inst) > 0)
1533 logit("%s", inst);
1534 xfree(name);
1535 xfree(inst);
1536 xfree(lang);
1537
1538 num_prompts = packet_get_int();
1539 /*
1540 * Begin to build info response packet based on prompts requested.
1541 * We commit to providing the correct number of responses, so if
1542 * further on we run into a problem that prevents this, we have to
1543 * be sure and clean this up and send a correct error response.
1544 */
1545 packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
1546 packet_put_int(num_prompts);
1547
1548 debug2("input_userauth_info_req: num_prompts %d", num_prompts);
1549 for (i = 0; i < num_prompts; i++) {
1550 prompt = packet_get_string(NULL);
1551 echo = packet_get_char();
1552
1553 response = read_passphrase(prompt, echo ? RP_ECHO : 0);
1554
1555 packet_put_cstring(response);
1556 memset(response, 0, strlen(response));
1557 xfree(response);
1558 xfree(prompt);
1559 }
1560 packet_check_eom(); /* done with parsing incoming message. */
1561
1562 packet_add_padding(64);
1563 packet_send();
1564}
1565
1566static int
1567ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
1568 u_char *data, u_int datalen)
1569{
1570 Buffer b;
1571 struct stat st;
1572 pid_t pid;
1573 int to[2], from[2], status, version = 2;
1574
1575 debug2("ssh_keysign called");
1576
1577 if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
1578 error("ssh_keysign: not installed: %s", strerror(errno));
1579 return -1;
1580 }
1581 if (fflush(stdout) != 0)
1582 error("ssh_keysign: fflush: %s", strerror(errno));
1583 if (pipe(to) < 0) {
1584 error("ssh_keysign: pipe: %s", strerror(errno));
1585 return -1;
1586 }
1587 if (pipe(from) < 0) {
1588 error("ssh_keysign: pipe: %s", strerror(errno));
1589 return -1;
1590 }
1591 if ((pid = fork()) < 0) {
1592 error("ssh_keysign: fork: %s", strerror(errno));
1593 return -1;
1594 }
1595 if (pid == 0) {
1596 /* keep the socket on exec */
1597 fcntl(packet_get_connection_in(), F_SETFD, 0);
1598 permanently_drop_suid(getuid());
1599 close(from[0]);
1600 if (dup2(from[1], STDOUT_FILENO) < 0)
1601 fatal("ssh_keysign: dup2: %s", strerror(errno));
1602 close(to[1]);
1603 if (dup2(to[0], STDIN_FILENO) < 0)
1604 fatal("ssh_keysign: dup2: %s", strerror(errno));
1605 close(from[1]);
1606 close(to[0]);
1607 execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
1608 fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
1609 strerror(errno));
1610 }
1611 close(from[1]);
1612 close(to[0]);
1613
1614 buffer_init(&b);
1615 buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
1616 buffer_put_string(&b, data, datalen);
1617 if (ssh_msg_send(to[1], version, &b) == -1)
1618 fatal("ssh_keysign: couldn't send request");
1619
1620 if (ssh_msg_recv(from[0], &b) < 0) {
1621 error("ssh_keysign: no reply");
1622 buffer_free(&b);
1623 return -1;
1624 }
1625 close(from[0]);
1626 close(to[1]);
1627
1628 while (waitpid(pid, &status, 0) < 0)
1629 if (errno != EINTR)
1630 break;
1631
1632 if (buffer_get_char(&b) != version) {
1633 error("ssh_keysign: bad version");
1634 buffer_free(&b);
1635 return -1;
1636 }
1637 *sigp = buffer_get_string(&b, lenp);
1638 buffer_free(&b);
1639
1640 return 0;
1641}
1642
1643int
1644userauth_hostbased(Authctxt *authctxt)
1645{
1646 Key *private = NULL;
1647 Sensitive *sensitive = authctxt->sensitive;
1648 Buffer b;
1649 u_char *signature, *blob;
1650 char *chost, *pkalg, *p;
1651 const char *service;
1652 u_int blen, slen;
1653 int ok, i, found = 0;
1654
1655 /* check for a useful key */
1656 for (i = 0; i < sensitive->nkeys; i++) {
1657 private = sensitive->keys[i];
1658 if (private && private->type != KEY_RSA1) {
1659 found = 1;
1660 /* we take and free the key */
1661 sensitive->keys[i] = NULL;
1662 break;
1663 }
1664 }
1665 if (!found) {
1666 debug("No more client hostkeys for hostbased authentication.");
1667 return 0;
1668 }
1669 if (key_to_blob(private, &blob, &blen) == 0) {
1670 key_free(private);
1671 return 0;
1672 }
1673 /* figure out a name for the client host */
1674 p = get_local_name(packet_get_connection_in());
1675 if (p == NULL) {
1676 error("userauth_hostbased: cannot get local ipaddr/name");
1677 key_free(private);
1678 xfree(blob);
1679 return 0;
1680 }
1681 xasprintf(&chost, "%s.", p);
1682 debug2("userauth_hostbased: chost %s", chost);
1683 xfree(p);
1684
1685 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
1686 authctxt->service;
1687 pkalg = xstrdup(key_ssh_name(private));
1688 buffer_init(&b);
1689 /* construct data */
1690 buffer_put_string(&b, session_id2, session_id2_len);
1691 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1692 buffer_put_cstring(&b, authctxt->server_user);
1693 buffer_put_cstring(&b, service);
1694 buffer_put_cstring(&b, authctxt->method->name);
1695 buffer_put_cstring(&b, pkalg);
1696 buffer_put_string(&b, blob, blen);
1697 buffer_put_cstring(&b, chost);
1698 buffer_put_cstring(&b, authctxt->local_user);
1699#ifdef DEBUG_PK
1700 buffer_dump(&b);
1701#endif
1702 if (sensitive->external_keysign)
1703 ok = ssh_keysign(private, &signature, &slen,
1704 buffer_ptr(&b), buffer_len(&b));
1705 else
1706 ok = key_sign(private, &signature, &slen,
1707 buffer_ptr(&b), buffer_len(&b));
1708 key_free(private);
1709 buffer_free(&b);
1710 if (ok != 0) {
1711 error("key_sign failed");
1712 xfree(chost);
1713 xfree(pkalg);
1714 xfree(blob);
1715 return 0;
1716 }
1717 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1718 packet_put_cstring(authctxt->server_user);
1719 packet_put_cstring(authctxt->service);
1720 packet_put_cstring(authctxt->method->name);
1721 packet_put_cstring(pkalg);
1722 packet_put_string(blob, blen);
1723 packet_put_cstring(chost);
1724 packet_put_cstring(authctxt->local_user);
1725 packet_put_string(signature, slen);
1726 memset(signature, 's', slen);
1727 xfree(signature);
1728 xfree(chost);
1729 xfree(pkalg);
1730 xfree(blob);
1731
1732 packet_send();
1733 return 1;
1734}
1735
1736#ifdef JPAKE
1737int
1738userauth_jpake(Authctxt *authctxt)
1739{
1740 struct jpake_ctx *pctx;
1741 u_char *x1_proof, *x2_proof;
1742 u_int x1_proof_len, x2_proof_len;
1743 static int attempt = 0; /* XXX share with userauth_password's? */
1744
1745 if (attempt++ >= options.number_of_password_prompts)
1746 return 0;
1747 if (attempt != 1)
1748 error("Permission denied, please try again.");
1749
1750 if (authctxt->methoddata != NULL)
1751 fatal("%s: authctxt->methoddata already set (%p)",
1752 __func__, authctxt->methoddata);
1753
1754 authctxt->methoddata = pctx = jpake_new();
1755
1756 /*
1757 * Send request immediately, to get the protocol going while
1758 * we do the initial computations.
1759 */
1760 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1761 packet_put_cstring(authctxt->server_user);
1762 packet_put_cstring(authctxt->service);
1763 packet_put_cstring(authctxt->method->name);
1764 packet_send();
1765 packet_write_wait();
1766
1767 jpake_step1(pctx->grp,
1768 &pctx->client_id, &pctx->client_id_len,
1769 &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
1770 &x1_proof, &x1_proof_len,
1771 &x2_proof, &x2_proof_len);
1772
1773 JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
1774
1775 packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
1776 packet_put_string(pctx->client_id, pctx->client_id_len);
1777 packet_put_bignum2(pctx->g_x1);
1778 packet_put_bignum2(pctx->g_x2);
1779 packet_put_string(x1_proof, x1_proof_len);
1780 packet_put_string(x2_proof, x2_proof_len);
1781 packet_send();
1782
1783 bzero(x1_proof, x1_proof_len);
1784 bzero(x2_proof, x2_proof_len);
1785 xfree(x1_proof);
1786 xfree(x2_proof);
1787
1788 /* Expect step 1 packet from peer */
1789 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
1790 input_userauth_jpake_server_step1);
1791 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS,
1792 &input_userauth_success_unexpected);
1793
1794 return 1;
1795}
1796
1797void
1798userauth_jpake_cleanup(Authctxt *authctxt)
1799{
1800 debug3("%s: clean up", __func__);
1801 if (authctxt->methoddata != NULL) {
1802 jpake_free(authctxt->methoddata);
1803 authctxt->methoddata = NULL;
1804 }
1805 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
1806}
1807#endif /* JPAKE */
1808
1809/* find auth method */
1810
1811/*
1812 * given auth method name, if configurable options permit this method fill
1813 * in auth_ident field and return true, otherwise return false.
1814 */
1815static int
1816authmethod_is_enabled(Authmethod *method)
1817{
1818 if (method == NULL)
1819 return 0;
1820 /* return false if options indicate this method is disabled */
1821 if (method->enabled == NULL || *method->enabled == 0)
1822 return 0;
1823 /* return false if batch mode is enabled but method needs interactive mode */
1824 if (method->batch_flag != NULL && *method->batch_flag != 0)
1825 return 0;
1826 return 1;
1827}
1828
1829static Authmethod *
1830authmethod_lookup(const char *name)
1831{
1832 Authmethod *method = NULL;
1833 if (name != NULL)
1834 for (method = authmethods; method->name != NULL; method++)
1835 if (strcmp(name, method->name) == 0)
1836 return method;
1837 debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
1838 return NULL;
1839}
1840
1841/* XXX internal state */
1842static Authmethod *current = NULL;
1843static char *supported = NULL;
1844static char *preferred = NULL;
1845
1846/*
1847 * Given the authentication method list sent by the server, return the
1848 * next method we should try. If the server initially sends a nil list,
1849 * use a built-in default list.
1850 */
1851static Authmethod *
1852authmethod_get(char *authlist)
1853{
1854 char *name = NULL;
1855 u_int next;
1856
1857 /* Use a suitable default if we're passed a nil list. */
1858 if (authlist == NULL || strlen(authlist) == 0)
1859 authlist = options.preferred_authentications;
1860
1861 if (supported == NULL || strcmp(authlist, supported) != 0) {
1862 debug3("start over, passed a different list %s", authlist);
1863 if (supported != NULL)
1864 xfree(supported);
1865 supported = xstrdup(authlist);
1866 preferred = options.preferred_authentications;
1867 debug3("preferred %s", preferred);
1868 current = NULL;
1869 } else if (current != NULL && authmethod_is_enabled(current))
1870 return current;
1871
1872 for (;;) {
1873 if ((name = match_list(preferred, supported, &next)) == NULL) {
1874 debug("No more authentication methods to try.");
1875 current = NULL;
1876 return NULL;
1877 }
1878 preferred += next;
1879 debug3("authmethod_lookup %s", name);
1880 debug3("remaining preferred: %s", preferred);
1881 if ((current = authmethod_lookup(name)) != NULL &&
1882 authmethod_is_enabled(current)) {
1883 debug3("authmethod_is_enabled %s", name);
1884 debug("Next authentication method: %s", name);
1885 return current;
1886 }
1887 }
1888}
1889
1890static char *
1891authmethods_get(void)
1892{
1893 Authmethod *method = NULL;
1894 Buffer b;
1895 char *list;
1896
1897 buffer_init(&b);
1898 for (method = authmethods; method->name != NULL; method++) {
1899 if (authmethod_is_enabled(method)) {
1900 if (buffer_len(&b) > 0)
1901 buffer_append(&b, ",", 1);
1902 buffer_append(&b, method->name, strlen(method->name));
1903 }
1904 }
1905 buffer_append(&b, "\0", 1);
1906 list = xstrdup(buffer_ptr(&b));
1907 buffer_free(&b);
1908 return list;
1909}
1910