sshconnect1.c revision 106130
1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Code to connect to a remote host, and to perform the client side of the 6 * login (authentication) dialog. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 15#include "includes.h" 16RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $"); 17RCSID("$FreeBSD: head/crypto/openssh/sshconnect1.c 106130 2002-10-29 10:16:02Z des $"); 18 19#include <openssl/bn.h> 20#include <openssl/md5.h> 21 22#ifdef KRB4 23#include <krb.h> 24#endif 25#ifdef KRB5 26#include <krb5.h> 27#ifndef HEIMDAL 28#define krb5_get_err_text(context,code) error_message(code) 29#endif /* !HEIMDAL */ 30#endif 31#ifdef AFS 32#include <kafs.h> 33#include "radix.h" 34#endif 35 36#include "ssh.h" 37#include "ssh1.h" 38#include "xmalloc.h" 39#include "rsa.h" 40#include "buffer.h" 41#include "packet.h" 42#include "mpaux.h" 43#include "uidswap.h" 44#include "log.h" 45#include "readconf.h" 46#include "key.h" 47#include "authfd.h" 48#include "sshconnect.h" 49#include "authfile.h" 50#include "readpass.h" 51#include "cipher.h" 52#include "canohost.h" 53#include "auth.h" 54 55/* Session id for the current session. */ 56u_char session_id[16]; 57u_int supported_authentications = 0; 58 59extern Options options; 60extern char *__progname; 61 62/* 63 * Checks if the user has an authentication agent, and if so, tries to 64 * authenticate using the agent. 65 */ 66static int 67try_agent_authentication(void) 68{ 69 int type; 70 char *comment; 71 AuthenticationConnection *auth; 72 u_char response[16]; 73 u_int i; 74 Key *key; 75 BIGNUM *challenge; 76 77 /* Get connection to the agent. */ 78 auth = ssh_get_authentication_connection(); 79 if (!auth) 80 return 0; 81 82 if ((challenge = BN_new()) == NULL) 83 fatal("try_agent_authentication: BN_new failed"); 84 /* Loop through identities served by the agent. */ 85 for (key = ssh_get_first_identity(auth, &comment, 1); 86 key != NULL; 87 key = ssh_get_next_identity(auth, &comment, 1)) { 88 89 /* Try this identity. */ 90 debug("Trying RSA authentication via agent with '%.100s'", comment); 91 xfree(comment); 92 93 /* Tell the server that we are willing to authenticate using this key. */ 94 packet_start(SSH_CMSG_AUTH_RSA); 95 packet_put_bignum(key->rsa->n); 96 packet_send(); 97 packet_write_wait(); 98 99 /* Wait for server's response. */ 100 type = packet_read(); 101 102 /* The server sends failure if it doesn\'t like our key or 103 does not support RSA authentication. */ 104 if (type == SSH_SMSG_FAILURE) { 105 debug("Server refused our key."); 106 key_free(key); 107 continue; 108 } 109 /* Otherwise it should have sent a challenge. */ 110 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 111 packet_disconnect("Protocol error during RSA authentication: %d", 112 type); 113 114 packet_get_bignum(challenge); 115 packet_check_eom(); 116 117 debug("Received RSA challenge from server."); 118 119 /* Ask the agent to decrypt the challenge. */ 120 if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) { 121 /* 122 * The agent failed to authenticate this identifier 123 * although it advertised it supports this. Just 124 * return a wrong value. 125 */ 126 log("Authentication agent failed to decrypt challenge."); 127 memset(response, 0, sizeof(response)); 128 } 129 key_free(key); 130 debug("Sending response to RSA challenge."); 131 132 /* Send the decrypted challenge back to the server. */ 133 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 134 for (i = 0; i < 16; i++) 135 packet_put_char(response[i]); 136 packet_send(); 137 packet_write_wait(); 138 139 /* Wait for response from the server. */ 140 type = packet_read(); 141 142 /* The server returns success if it accepted the authentication. */ 143 if (type == SSH_SMSG_SUCCESS) { 144 ssh_close_authentication_connection(auth); 145 BN_clear_free(challenge); 146 debug("RSA authentication accepted by server."); 147 return 1; 148 } 149 /* Otherwise it should return failure. */ 150 if (type != SSH_SMSG_FAILURE) 151 packet_disconnect("Protocol error waiting RSA auth response: %d", 152 type); 153 } 154 ssh_close_authentication_connection(auth); 155 BN_clear_free(challenge); 156 debug("RSA authentication using agent refused."); 157 return 0; 158} 159 160/* 161 * Computes the proper response to a RSA challenge, and sends the response to 162 * the server. 163 */ 164static void 165respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 166{ 167 u_char buf[32], response[16]; 168 MD5_CTX md; 169 int i, len; 170 171 /* Decrypt the challenge using the private key. */ 172 /* XXX think about Bleichenbacher, too */ 173 if (rsa_private_decrypt(challenge, challenge, prv) <= 0) 174 packet_disconnect( 175 "respond_to_rsa_challenge: rsa_private_decrypt failed"); 176 177 /* Compute the response. */ 178 /* The response is MD5 of decrypted challenge plus session id. */ 179 len = BN_num_bytes(challenge); 180 if (len <= 0 || len > sizeof(buf)) 181 packet_disconnect( 182 "respond_to_rsa_challenge: bad challenge length %d", len); 183 184 memset(buf, 0, sizeof(buf)); 185 BN_bn2bin(challenge, buf + sizeof(buf) - len); 186 MD5_Init(&md); 187 MD5_Update(&md, buf, 32); 188 MD5_Update(&md, session_id, 16); 189 MD5_Final(response, &md); 190 191 debug("Sending response to host key RSA challenge."); 192 193 /* Send the response back to the server. */ 194 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 195 for (i = 0; i < 16; i++) 196 packet_put_char(response[i]); 197 packet_send(); 198 packet_write_wait(); 199 200 memset(buf, 0, sizeof(buf)); 201 memset(response, 0, sizeof(response)); 202 memset(&md, 0, sizeof(md)); 203} 204 205/* 206 * Checks if the user has authentication file, and if so, tries to authenticate 207 * the user using it. 208 */ 209static int 210try_rsa_authentication(int idx) 211{ 212 BIGNUM *challenge; 213 Key *public, *private; 214 char buf[300], *passphrase, *comment, *authfile; 215 int i, type, quit; 216 217 public = options.identity_keys[idx]; 218 authfile = options.identity_files[idx]; 219 comment = xstrdup(authfile); 220 221 debug("Trying RSA authentication with key '%.100s'", comment); 222 223 /* Tell the server that we are willing to authenticate using this key. */ 224 packet_start(SSH_CMSG_AUTH_RSA); 225 packet_put_bignum(public->rsa->n); 226 packet_send(); 227 packet_write_wait(); 228 229 /* Wait for server's response. */ 230 type = packet_read(); 231 232 /* 233 * The server responds with failure if it doesn\'t like our key or 234 * doesn\'t support RSA authentication. 235 */ 236 if (type == SSH_SMSG_FAILURE) { 237 debug("Server refused our key."); 238 xfree(comment); 239 return 0; 240 } 241 /* Otherwise, the server should respond with a challenge. */ 242 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 243 packet_disconnect("Protocol error during RSA authentication: %d", type); 244 245 /* Get the challenge from the packet. */ 246 if ((challenge = BN_new()) == NULL) 247 fatal("try_rsa_authentication: BN_new failed"); 248 packet_get_bignum(challenge); 249 packet_check_eom(); 250 251 debug("Received RSA challenge from server."); 252 253 /* 254 * If the key is not stored in external hardware, we have to 255 * load the private key. Try first with empty passphrase; if it 256 * fails, ask for a passphrase. 257 */ 258 if (public->flags & KEY_FLAG_EXT) 259 private = public; 260 else 261 private = key_load_private_type(KEY_RSA1, authfile, "", NULL); 262 if (private == NULL && !options.batch_mode) { 263 snprintf(buf, sizeof(buf), 264 "Enter passphrase for RSA key '%.100s': ", comment); 265 for (i = 0; i < options.number_of_password_prompts; i++) { 266 passphrase = read_passphrase(buf, 0); 267 if (strcmp(passphrase, "") != 0) { 268 private = key_load_private_type(KEY_RSA1, 269 authfile, passphrase, NULL); 270 quit = 0; 271 } else { 272 debug2("no passphrase given, try next key"); 273 quit = 1; 274 } 275 memset(passphrase, 0, strlen(passphrase)); 276 xfree(passphrase); 277 if (private != NULL || quit) 278 break; 279 debug2("bad passphrase given, try again..."); 280 } 281 } 282 /* We no longer need the comment. */ 283 xfree(comment); 284 285 if (private == NULL) { 286 if (!options.batch_mode) 287 error("Bad passphrase."); 288 289 /* Send a dummy response packet to avoid protocol error. */ 290 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 291 for (i = 0; i < 16; i++) 292 packet_put_char(0); 293 packet_send(); 294 packet_write_wait(); 295 296 /* Expect the server to reject it... */ 297 packet_read_expect(SSH_SMSG_FAILURE); 298 BN_clear_free(challenge); 299 return 0; 300 } 301 302 /* Compute and send a response to the challenge. */ 303 respond_to_rsa_challenge(challenge, private->rsa); 304 305 /* Destroy the private key unless it in external hardware. */ 306 if (!(private->flags & KEY_FLAG_EXT)) 307 key_free(private); 308 309 /* We no longer need the challenge. */ 310 BN_clear_free(challenge); 311 312 /* Wait for response from the server. */ 313 type = packet_read(); 314 if (type == SSH_SMSG_SUCCESS) { 315 debug("RSA authentication accepted by server."); 316 return 1; 317 } 318 if (type != SSH_SMSG_FAILURE) 319 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 320 debug("RSA authentication refused."); 321 return 0; 322} 323 324/* 325 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 326 * authentication and RSA host authentication. 327 */ 328static int 329try_rhosts_rsa_authentication(const char *local_user, Key * host_key) 330{ 331 int type; 332 BIGNUM *challenge; 333 334 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 335 336 /* Tell the server that we are willing to authenticate using this key. */ 337 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 338 packet_put_cstring(local_user); 339 packet_put_int(BN_num_bits(host_key->rsa->n)); 340 packet_put_bignum(host_key->rsa->e); 341 packet_put_bignum(host_key->rsa->n); 342 packet_send(); 343 packet_write_wait(); 344 345 /* Wait for server's response. */ 346 type = packet_read(); 347 348 /* The server responds with failure if it doesn't admit our 349 .rhosts authentication or doesn't know our host key. */ 350 if (type == SSH_SMSG_FAILURE) { 351 debug("Server refused our rhosts authentication or host key."); 352 return 0; 353 } 354 /* Otherwise, the server should respond with a challenge. */ 355 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 356 packet_disconnect("Protocol error during RSA authentication: %d", type); 357 358 /* Get the challenge from the packet. */ 359 if ((challenge = BN_new()) == NULL) 360 fatal("try_rhosts_rsa_authentication: BN_new failed"); 361 packet_get_bignum(challenge); 362 packet_check_eom(); 363 364 debug("Received RSA challenge for host key from server."); 365 366 /* Compute a response to the challenge. */ 367 respond_to_rsa_challenge(challenge, host_key->rsa); 368 369 /* We no longer need the challenge. */ 370 BN_clear_free(challenge); 371 372 /* Wait for response from the server. */ 373 type = packet_read(); 374 if (type == SSH_SMSG_SUCCESS) { 375 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 376 return 1; 377 } 378 if (type != SSH_SMSG_FAILURE) 379 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 380 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 381 return 0; 382} 383 384#ifdef KRB4 385static int 386try_krb4_authentication(void) 387{ 388 KTEXT_ST auth; /* Kerberos data */ 389 char *reply; 390 char inst[INST_SZ]; 391 char *realm; 392 CREDENTIALS cred; 393 int r, type; 394 socklen_t slen; 395 Key_schedule schedule; 396 u_long checksum, cksum; 397 MSG_DAT msg_data; 398 struct sockaddr_in local, foreign; 399 struct stat st; 400 401 /* Don't do anything if we don't have any tickets. */ 402 if (stat(tkt_string(), &st) < 0) 403 return 0; 404 405 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)), 406 INST_SZ); 407 408 realm = (char *)krb_realmofhost(get_canonical_hostname(1)); 409 if (!realm) { 410 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1)); 411 return 0; 412 } 413 /* This can really be anything. */ 414 checksum = (u_long)getpid(); 415 416 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 417 if (r != KSUCCESS) { 418 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]); 419 return 0; 420 } 421 /* Get session key to decrypt the server's reply with. */ 422 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); 423 if (r != KSUCCESS) { 424 debug("get_cred failed: %s", krb_err_txt[r]); 425 return 0; 426 } 427 des_key_sched((des_cblock *) cred.session, schedule); 428 429 /* Send authentication info to server. */ 430 packet_start(SSH_CMSG_AUTH_KERBEROS); 431 packet_put_string((char *) auth.dat, auth.length); 432 packet_send(); 433 packet_write_wait(); 434 435 /* Zero the buffer. */ 436 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 437 438 slen = sizeof(local); 439 memset(&local, 0, sizeof(local)); 440 if (getsockname(packet_get_connection_in(), 441 (struct sockaddr *)&local, &slen) < 0) 442 debug("getsockname failed: %s", strerror(errno)); 443 444 slen = sizeof(foreign); 445 memset(&foreign, 0, sizeof(foreign)); 446 if (getpeername(packet_get_connection_in(), 447 (struct sockaddr *)&foreign, &slen) < 0) { 448 debug("getpeername failed: %s", strerror(errno)); 449 fatal_cleanup(); 450 } 451 /* Get server reply. */ 452 type = packet_read(); 453 switch (type) { 454 case SSH_SMSG_FAILURE: 455 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 456 debug("Kerberos v4 authentication failed."); 457 return 0; 458 break; 459 460 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 461 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 462 debug("Kerberos v4 authentication accepted."); 463 464 /* Get server's response. */ 465 reply = packet_get_string((u_int *) &auth.length); 466 if (auth.length >= MAX_KTXT_LEN) 467 fatal("Kerberos v4: Malformed response from server"); 468 memcpy(auth.dat, reply, auth.length); 469 xfree(reply); 470 471 packet_check_eom(); 472 473 /* 474 * If his response isn't properly encrypted with the session 475 * key, and the decrypted checksum fails to match, he's 476 * bogus. Bail out. 477 */ 478 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, 479 &foreign, &local, &msg_data); 480 if (r != KSUCCESS) { 481 debug("Kerberos v4 krb_rd_priv failed: %s", 482 krb_err_txt[r]); 483 packet_disconnect("Kerberos v4 challenge failed!"); 484 } 485 /* Fetch the (incremented) checksum that we supplied in the request. */ 486 memcpy((char *)&cksum, (char *)msg_data.app_data, 487 sizeof(cksum)); 488 cksum = ntohl(cksum); 489 490 /* If it matches, we're golden. */ 491 if (cksum == checksum + 1) { 492 debug("Kerberos v4 challenge successful."); 493 return 1; 494 } else 495 packet_disconnect("Kerberos v4 challenge failed!"); 496 break; 497 498 default: 499 packet_disconnect("Protocol error on Kerberos v4 response: %d", type); 500 } 501 return 0; 502} 503 504#endif /* KRB4 */ 505 506#ifdef KRB5 507static int 508try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) 509{ 510 krb5_error_code problem; 511 const char *tkfile; 512 struct stat buf; 513 krb5_ccache ccache = NULL; 514 const char *remotehost; 515 krb5_data ap; 516 int type; 517 krb5_ap_rep_enc_part *reply = NULL; 518 int ret; 519 520 memset(&ap, 0, sizeof(ap)); 521 522 problem = krb5_init_context(context); 523 if (problem) { 524 debug("Kerberos v5: krb5_init_context failed"); 525 ret = 0; 526 goto out; 527 } 528 529 problem = krb5_auth_con_init(*context, auth_context); 530 if (problem) { 531 debug("Kerberos v5: krb5_auth_con_init failed"); 532 ret = 0; 533 goto out; 534 } 535 536#ifndef HEIMDAL 537 problem = krb5_auth_con_setflags(*context, *auth_context, 538 KRB5_AUTH_CONTEXT_RET_TIME); 539 if (problem) { 540 debug("Keberos v5: krb5_auth_con_setflags failed"); 541 ret = 0; 542 goto out; 543 } 544#endif 545 546 tkfile = krb5_cc_default_name(*context); 547 if (strncmp(tkfile, "FILE:", 5) == 0) 548 tkfile += 5; 549 550 if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { 551 debug("Kerberos v5: could not get default ccache (permission denied)."); 552 ret = 0; 553 goto out; 554 } 555 556 problem = krb5_cc_default(*context, &ccache); 557 if (problem) { 558 debug("Kerberos v5: krb5_cc_default failed: %s", 559 krb5_get_err_text(*context, problem)); 560 ret = 0; 561 goto out; 562 } 563 564 remotehost = get_canonical_hostname(1); 565 566 problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, 567 "host", remotehost, NULL, ccache, &ap); 568 if (problem) { 569 debug("Kerberos v5: krb5_mk_req failed: %s", 570 krb5_get_err_text(*context, problem)); 571 ret = 0; 572 goto out; 573 } 574 575 packet_start(SSH_CMSG_AUTH_KERBEROS); 576 packet_put_string((char *) ap.data, ap.length); 577 packet_send(); 578 packet_write_wait(); 579 580 xfree(ap.data); 581 ap.length = 0; 582 583 type = packet_read(); 584 switch (type) { 585 case SSH_SMSG_FAILURE: 586 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 587 debug("Kerberos v5 authentication failed."); 588 ret = 0; 589 break; 590 591 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 592 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 593 debug("Kerberos v5 authentication accepted."); 594 595 /* Get server's response. */ 596 ap.data = packet_get_string((unsigned int *) &ap.length); 597 packet_check_eom(); 598 /* XXX je to dobre? */ 599 600 problem = krb5_rd_rep(*context, *auth_context, &ap, &reply); 601 if (problem) { 602 ret = 0; 603 } 604 ret = 1; 605 break; 606 607 default: 608 packet_disconnect("Protocol error on Kerberos v5 response: %d", 609 type); 610 ret = 0; 611 break; 612 613 } 614 615 out: 616 if (ccache != NULL) 617 krb5_cc_close(*context, ccache); 618 if (reply != NULL) 619 krb5_free_ap_rep_enc_part(*context, reply); 620 if (ap.length > 0) 621#ifdef HEIMDAL 622 krb5_data_free(&ap); 623#else 624 krb5_free_data_contents(*context, &ap); 625#endif 626 627 return (ret); 628} 629 630static void 631send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) 632{ 633 int fd, type; 634 krb5_error_code problem; 635 krb5_data outbuf; 636 krb5_ccache ccache = NULL; 637 krb5_creds creds; 638#ifdef HEIMDAL 639 krb5_kdc_flags flags; 640#else 641 int forwardable; 642#endif 643 const char *remotehost; 644 645 memset(&creds, 0, sizeof(creds)); 646 memset(&outbuf, 0, sizeof(outbuf)); 647 648 fd = packet_get_connection_in(); 649 650#ifdef HEIMDAL 651 problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd); 652#else 653 problem = krb5_auth_con_genaddrs(context, auth_context, fd, 654 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR | 655 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR); 656#endif 657 if (problem) 658 goto out; 659 660 problem = krb5_cc_default(context, &ccache); 661 if (problem) 662 goto out; 663 664 problem = krb5_cc_get_principal(context, ccache, &creds.client); 665 if (problem) 666 goto out; 667 668 remotehost = get_canonical_hostname(1); 669 670#ifdef HEIMDAL 671 problem = krb5_build_principal(context, &creds.server, 672 strlen(creds.client->realm), creds.client->realm, 673 "krbtgt", creds.client->realm, NULL); 674#else 675 problem = krb5_build_principal(context, &creds.server, 676 creds.client->realm.length, creds.client->realm.data, 677 "host", remotehost, NULL); 678#endif 679 if (problem) 680 goto out; 681 682 creds.times.endtime = 0; 683 684#ifdef HEIMDAL 685 flags.i = 0; 686 flags.b.forwarded = 1; 687 flags.b.forwardable = krb5_config_get_bool(context, NULL, 688 "libdefaults", "forwardable", NULL); 689 problem = krb5_get_forwarded_creds(context, auth_context, 690 ccache, flags.i, remotehost, &creds, &outbuf); 691#else 692 forwardable = 1; 693 problem = krb5_fwd_tgt_creds(context, auth_context, remotehost, 694 creds.client, creds.server, ccache, forwardable, &outbuf); 695#endif 696 697 if (problem) 698 goto out; 699 700 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 701 packet_put_string((char *)outbuf.data, outbuf.length); 702 packet_send(); 703 packet_write_wait(); 704 705 type = packet_read(); 706 707 if (type == SSH_SMSG_SUCCESS) { 708 char *pname; 709 710 krb5_unparse_name(context, creds.client, &pname); 711 debug("Kerberos v5 TGT forwarded (%s).", pname); 712 xfree(pname); 713 } else 714 debug("Kerberos v5 TGT forwarding failed."); 715 716 return; 717 718 out: 719 if (problem) 720 debug("Kerberos v5 TGT forwarding failed: %s", 721 krb5_get_err_text(context, problem)); 722 if (creds.client) 723 krb5_free_principal(context, creds.client); 724 if (creds.server) 725 krb5_free_principal(context, creds.server); 726 if (ccache) 727 krb5_cc_close(context, ccache); 728 if (outbuf.data) 729 xfree(outbuf.data); 730} 731#endif /* KRB5 */ 732 733#ifdef AFS 734static void 735send_krb4_tgt(void) 736{ 737 CREDENTIALS *creds; 738 struct stat st; 739 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 740 int problem, type; 741 742 /* Don't do anything if we don't have any tickets. */ 743 if (stat(tkt_string(), &st) < 0) 744 return; 745 746 creds = xmalloc(sizeof(*creds)); 747 748 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm); 749 if (problem) 750 goto out; 751 752 problem = krb_get_cred("krbtgt", prealm, prealm, creds); 753 if (problem) 754 goto out; 755 756 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 757 problem = RD_AP_EXP; 758 goto out; 759 } 760 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer)); 761 762 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 763 packet_put_cstring(buffer); 764 packet_send(); 765 packet_write_wait(); 766 767 type = packet_read(); 768 769 if (type == SSH_SMSG_SUCCESS) 770 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", 771 creds->pname, creds->pinst[0] ? "." : "", 772 creds->pinst, creds->realm); 773 else 774 debug("Kerberos v4 TGT rejected."); 775 776 xfree(creds); 777 return; 778 779 out: 780 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]); 781 xfree(creds); 782} 783 784static void 785send_afs_tokens(void) 786{ 787 CREDENTIALS creds; 788 struct ViceIoctl parms; 789 struct ClearToken ct; 790 int i, type, len; 791 char buf[2048], *p, *server_cell; 792 char buffer[8192]; 793 794 /* Move over ktc_GetToken, here's something leaner. */ 795 for (i = 0; i < 100; i++) { /* just in case */ 796 parms.in = (char *) &i; 797 parms.in_size = sizeof(i); 798 parms.out = buf; 799 parms.out_size = sizeof(buf); 800 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 801 break; 802 p = buf; 803 804 /* Get secret token. */ 805 memcpy(&creds.ticket_st.length, p, sizeof(u_int)); 806 if (creds.ticket_st.length > MAX_KTXT_LEN) 807 break; 808 p += sizeof(u_int); 809 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 810 p += creds.ticket_st.length; 811 812 /* Get clear token. */ 813 memcpy(&len, p, sizeof(len)); 814 if (len != sizeof(struct ClearToken)) 815 break; 816 p += sizeof(len); 817 memcpy(&ct, p, len); 818 p += len; 819 p += sizeof(len); /* primary flag */ 820 server_cell = p; 821 822 /* Flesh out our credentials. */ 823 strlcpy(creds.service, "afs", sizeof(creds.service)); 824 creds.instance[0] = '\0'; 825 strlcpy(creds.realm, server_cell, REALM_SZ); 826 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); 827 creds.issue_date = ct.BeginTimestamp; 828 creds.lifetime = krb_time_to_life(creds.issue_date, 829 ct.EndTimestamp); 830 creds.kvno = ct.AuthHandle; 831 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 832 creds.pinst[0] = '\0'; 833 834 /* Encode token, ship it off. */ 835 if (creds_to_radix(&creds, (u_char *)buffer, 836 sizeof(buffer)) <= 0) 837 break; 838 packet_start(SSH_CMSG_HAVE_AFS_TOKEN); 839 packet_put_cstring(buffer); 840 packet_send(); 841 packet_write_wait(); 842 843 /* Roger, Roger. Clearance, Clarence. What's your vector, 844 Victor? */ 845 type = packet_read(); 846 847 if (type == SSH_SMSG_FAILURE) 848 debug("AFS token for cell %s rejected.", server_cell); 849 else if (type != SSH_SMSG_SUCCESS) 850 packet_disconnect("Protocol error on AFS token response: %d", type); 851 } 852} 853 854#endif /* AFS */ 855 856/* 857 * Tries to authenticate with any string-based challenge/response system. 858 * Note that the client code is not tied to s/key or TIS. 859 */ 860static int 861try_challenge_response_authentication(void) 862{ 863 int type, i; 864 u_int clen; 865 char prompt[1024]; 866 char *challenge, *response; 867 868 debug("Doing challenge response authentication."); 869 870 for (i = 0; i < options.number_of_password_prompts; i++) { 871 /* request a challenge */ 872 packet_start(SSH_CMSG_AUTH_TIS); 873 packet_send(); 874 packet_write_wait(); 875 876 type = packet_read(); 877 if (type != SSH_SMSG_FAILURE && 878 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 879 packet_disconnect("Protocol error: got %d in response " 880 "to SSH_CMSG_AUTH_TIS", type); 881 } 882 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 883 debug("No challenge."); 884 return 0; 885 } 886 challenge = packet_get_string(&clen); 887 packet_check_eom(); 888 snprintf(prompt, sizeof prompt, "%s%s", challenge, 889 strchr(challenge, '\n') ? "" : "\nResponse: "); 890 xfree(challenge); 891 if (i != 0) 892 error("Permission denied, please try again."); 893 if (options.cipher == SSH_CIPHER_NONE) 894 log("WARNING: Encryption is disabled! " 895 "Response will be transmitted in clear text."); 896 response = read_passphrase(prompt, 0); 897 if (strcmp(response, "") == 0) { 898 xfree(response); 899 break; 900 } 901 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 902 ssh_put_password(response); 903 memset(response, 0, strlen(response)); 904 xfree(response); 905 packet_send(); 906 packet_write_wait(); 907 type = packet_read(); 908 if (type == SSH_SMSG_SUCCESS) 909 return 1; 910 if (type != SSH_SMSG_FAILURE) 911 packet_disconnect("Protocol error: got %d in response " 912 "to SSH_CMSG_AUTH_TIS_RESPONSE", type); 913 } 914 /* failure */ 915 return 0; 916} 917 918/* 919 * Tries to authenticate with plain passwd authentication. 920 */ 921static int 922try_password_authentication(char *prompt) 923{ 924 int type, i; 925 char *password; 926 927 debug("Doing password authentication."); 928 if (options.cipher == SSH_CIPHER_NONE) 929 log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 930 for (i = 0; i < options.number_of_password_prompts; i++) { 931 if (i != 0) 932 error("Permission denied, please try again."); 933 password = read_passphrase(prompt, 0); 934 packet_start(SSH_CMSG_AUTH_PASSWORD); 935 ssh_put_password(password); 936 memset(password, 0, strlen(password)); 937 xfree(password); 938 packet_send(); 939 packet_write_wait(); 940 941 type = packet_read(); 942 if (type == SSH_SMSG_SUCCESS) 943 return 1; 944 if (type != SSH_SMSG_FAILURE) 945 packet_disconnect("Protocol error: got %d in response to passwd auth", type); 946 } 947 /* failure */ 948 return 0; 949} 950 951/* 952 * SSH1 key exchange 953 */ 954void 955ssh_kex(char *host, struct sockaddr *hostaddr) 956{ 957 int i; 958 BIGNUM *key; 959 Key *host_key, *server_key; 960 int bits, rbits; 961 int ssh_cipher_default = SSH_CIPHER_3DES; 962 u_char session_key[SSH_SESSION_KEY_LENGTH]; 963 u_char cookie[8]; 964 u_int supported_ciphers; 965 u_int server_flags, client_flags; 966 u_int32_t rand = 0; 967 968 debug("Waiting for server public key."); 969 970 /* Wait for a public key packet from the server. */ 971 packet_read_expect(SSH_SMSG_PUBLIC_KEY); 972 973 /* Get cookie from the packet. */ 974 for (i = 0; i < 8; i++) 975 cookie[i] = packet_get_char(); 976 977 /* Get the public key. */ 978 server_key = key_new(KEY_RSA1); 979 bits = packet_get_int(); 980 packet_get_bignum(server_key->rsa->e); 981 packet_get_bignum(server_key->rsa->n); 982 983 rbits = BN_num_bits(server_key->rsa->n); 984 if (bits != rbits) { 985 log("Warning: Server lies about size of server public key: " 986 "actual size is %d bits vs. announced %d.", rbits, bits); 987 log("Warning: This may be due to an old implementation of ssh."); 988 } 989 /* Get the host key. */ 990 host_key = key_new(KEY_RSA1); 991 bits = packet_get_int(); 992 packet_get_bignum(host_key->rsa->e); 993 packet_get_bignum(host_key->rsa->n); 994 995 rbits = BN_num_bits(host_key->rsa->n); 996 if (bits != rbits) { 997 log("Warning: Server lies about size of server host key: " 998 "actual size is %d bits vs. announced %d.", rbits, bits); 999 log("Warning: This may be due to an old implementation of ssh."); 1000 } 1001 1002 /* Get protocol flags. */ 1003 server_flags = packet_get_int(); 1004 packet_set_protocol_flags(server_flags); 1005 1006 supported_ciphers = packet_get_int(); 1007 supported_authentications = packet_get_int(); 1008 packet_check_eom(); 1009 1010 debug("Received server public key (%d bits) and host key (%d bits).", 1011 BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n)); 1012 1013 if (verify_host_key(host, hostaddr, host_key) == -1) 1014 fatal("Host key verification failed."); 1015 1016 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 1017 1018 compute_session_id(session_id, cookie, host_key->rsa->n, server_key->rsa->n); 1019 1020 /* Generate a session key. */ 1021 arc4random_stir(); 1022 1023 /* 1024 * Generate an encryption key for the session. The key is a 256 bit 1025 * random number, interpreted as a 32-byte key, with the least 1026 * significant 8 bits being the first byte of the key. 1027 */ 1028 for (i = 0; i < 32; i++) { 1029 if (i % 4 == 0) 1030 rand = arc4random(); 1031 session_key[i] = rand & 0xff; 1032 rand >>= 8; 1033 } 1034 1035 /* 1036 * According to the protocol spec, the first byte of the session key 1037 * is the highest byte of the integer. The session key is xored with 1038 * the first 16 bytes of the session id. 1039 */ 1040 if ((key = BN_new()) == NULL) 1041 fatal("respond_to_rsa_challenge: BN_new failed"); 1042 BN_set_word(key, 0); 1043 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 1044 BN_lshift(key, key, 8); 1045 if (i < 16) 1046 BN_add_word(key, session_key[i] ^ session_id[i]); 1047 else 1048 BN_add_word(key, session_key[i]); 1049 } 1050 1051 /* 1052 * Encrypt the integer using the public key and host key of the 1053 * server (key with smaller modulus first). 1054 */ 1055 if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) { 1056 /* Public key has smaller modulus. */ 1057 if (BN_num_bits(host_key->rsa->n) < 1058 BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1059 fatal("respond_to_rsa_challenge: host_key %d < server_key %d + " 1060 "SSH_KEY_BITS_RESERVED %d", 1061 BN_num_bits(host_key->rsa->n), 1062 BN_num_bits(server_key->rsa->n), 1063 SSH_KEY_BITS_RESERVED); 1064 } 1065 rsa_public_encrypt(key, key, server_key->rsa); 1066 rsa_public_encrypt(key, key, host_key->rsa); 1067 } else { 1068 /* Host key has smaller modulus (or they are equal). */ 1069 if (BN_num_bits(server_key->rsa->n) < 1070 BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1071 fatal("respond_to_rsa_challenge: server_key %d < host_key %d + " 1072 "SSH_KEY_BITS_RESERVED %d", 1073 BN_num_bits(server_key->rsa->n), 1074 BN_num_bits(host_key->rsa->n), 1075 SSH_KEY_BITS_RESERVED); 1076 } 1077 rsa_public_encrypt(key, key, host_key->rsa); 1078 rsa_public_encrypt(key, key, server_key->rsa); 1079 } 1080 1081 /* Destroy the public keys since we no longer need them. */ 1082 key_free(server_key); 1083 key_free(host_key); 1084 1085 if (options.cipher == SSH_CIPHER_NOT_SET) { 1086 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) 1087 options.cipher = ssh_cipher_default; 1088 } else if (options.cipher == SSH_CIPHER_ILLEGAL || 1089 !(cipher_mask_ssh1(1) & (1 << options.cipher))) { 1090 log("No valid SSH1 cipher, using %.100s instead.", 1091 cipher_name(ssh_cipher_default)); 1092 options.cipher = ssh_cipher_default; 1093 } 1094 /* Check that the selected cipher is supported. */ 1095 if (!(supported_ciphers & (1 << options.cipher))) 1096 fatal("Selected cipher type %.100s not supported by server.", 1097 cipher_name(options.cipher)); 1098 1099 debug("Encryption type: %.100s", cipher_name(options.cipher)); 1100 1101 /* Send the encrypted session key to the server. */ 1102 packet_start(SSH_CMSG_SESSION_KEY); 1103 packet_put_char(options.cipher); 1104 1105 /* Send the cookie back to the server. */ 1106 for (i = 0; i < 8; i++) 1107 packet_put_char(cookie[i]); 1108 1109 /* Send and destroy the encrypted encryption key integer. */ 1110 packet_put_bignum(key); 1111 BN_clear_free(key); 1112 1113 /* Send protocol flags. */ 1114 packet_put_int(client_flags); 1115 1116 /* Send the packet now. */ 1117 packet_send(); 1118 packet_write_wait(); 1119 1120 debug("Sent encrypted session key."); 1121 1122 /* Set the encryption key. */ 1123 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 1124 1125 /* We will no longer need the session key here. Destroy any extra copies. */ 1126 memset(session_key, 0, sizeof(session_key)); 1127 1128 /* 1129 * Expect a success message from the server. Note that this message 1130 * will be received in encrypted form. 1131 */ 1132 packet_read_expect(SSH_SMSG_SUCCESS); 1133 1134 debug("Received encrypted confirmation."); 1135} 1136 1137/* 1138 * Authenticate user 1139 */ 1140void 1141ssh_userauth1(const char *local_user, const char *server_user, char *host, 1142 Sensitive *sensitive) 1143{ 1144#ifdef KRB5 1145 krb5_context context = NULL; 1146 krb5_auth_context auth_context = NULL; 1147#endif 1148 int i, type; 1149 1150 if (supported_authentications == 0) 1151 fatal("ssh_userauth1: server supports no auth methods"); 1152 1153 /* Send the name of the user to log in as on the server. */ 1154 packet_start(SSH_CMSG_USER); 1155 packet_put_cstring(server_user); 1156 packet_send(); 1157 packet_write_wait(); 1158 1159 /* 1160 * The server should respond with success if no authentication is 1161 * needed (the user has no password). Otherwise the server responds 1162 * with failure. 1163 */ 1164 type = packet_read(); 1165 1166 /* check whether the connection was accepted without authentication. */ 1167 if (type == SSH_SMSG_SUCCESS) 1168 goto success; 1169 if (type != SSH_SMSG_FAILURE) 1170 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); 1171 1172#ifdef KRB5 1173 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1174 options.kerberos_authentication) { 1175 debug("Trying Kerberos v5 authentication."); 1176 1177 if (try_krb5_authentication(&context, &auth_context)) { 1178 type = packet_read(); 1179 if (type == SSH_SMSG_SUCCESS) 1180 goto success; 1181 if (type != SSH_SMSG_FAILURE) 1182 packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type); 1183 } 1184 } 1185#endif /* KRB5 */ 1186 1187#ifdef KRB4 1188 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1189 options.kerberos_authentication) { 1190 debug("Trying Kerberos v4 authentication."); 1191 1192 if (try_krb4_authentication()) { 1193 type = packet_read(); 1194 if (type == SSH_SMSG_SUCCESS) 1195 goto success; 1196 if (type != SSH_SMSG_FAILURE) 1197 packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type); 1198 } 1199 } 1200#endif /* KRB4 */ 1201 1202 /* 1203 * Use rhosts authentication if running in privileged socket and we 1204 * do not wish to remain anonymous. 1205 */ 1206 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 1207 options.rhosts_authentication) { 1208 debug("Trying rhosts authentication."); 1209 packet_start(SSH_CMSG_AUTH_RHOSTS); 1210 packet_put_cstring(local_user); 1211 packet_send(); 1212 packet_write_wait(); 1213 1214 /* The server should respond with success or failure. */ 1215 type = packet_read(); 1216 if (type == SSH_SMSG_SUCCESS) 1217 goto success; 1218 if (type != SSH_SMSG_FAILURE) 1219 packet_disconnect("Protocol error: got %d in response to rhosts auth", 1220 type); 1221 } 1222 /* 1223 * Try .rhosts or /etc/hosts.equiv authentication with RSA host 1224 * authentication. 1225 */ 1226 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 1227 options.rhosts_rsa_authentication) { 1228 for (i = 0; i < sensitive->nkeys; i++) { 1229 if (sensitive->keys[i] != NULL && 1230 sensitive->keys[i]->type == KEY_RSA1 && 1231 try_rhosts_rsa_authentication(local_user, 1232 sensitive->keys[i])) 1233 goto success; 1234 } 1235 } 1236 /* Try RSA authentication if the server supports it. */ 1237 if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 1238 options.rsa_authentication) { 1239 /* 1240 * Try RSA authentication using the authentication agent. The 1241 * agent is tried first because no passphrase is needed for 1242 * it, whereas identity files may require passphrases. 1243 */ 1244 if (try_agent_authentication()) 1245 goto success; 1246 1247 /* Try RSA authentication for each identity. */ 1248 for (i = 0; i < options.num_identity_files; i++) 1249 if (options.identity_keys[i] != NULL && 1250 options.identity_keys[i]->type == KEY_RSA1 && 1251 try_rsa_authentication(i)) 1252 goto success; 1253 } 1254 /* Try challenge response authentication if the server supports it. */ 1255 if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 1256 options.challenge_response_authentication && !options.batch_mode) { 1257 if (try_challenge_response_authentication()) 1258 goto success; 1259 } 1260 /* Try password authentication if the server supports it. */ 1261 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 1262 options.password_authentication && !options.batch_mode) { 1263 char prompt[80]; 1264 1265 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", 1266 server_user, host); 1267 if (try_password_authentication(prompt)) 1268 goto success; 1269 } 1270 /* All authentication methods have failed. Exit with an error message. */ 1271 fatal("Permission denied."); 1272 /* NOTREACHED */ 1273 1274 success: 1275#ifdef KRB5 1276 /* Try Kerberos v5 TGT passing. */ 1277 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1278 options.kerberos_tgt_passing && context && auth_context) { 1279 if (options.cipher == SSH_CIPHER_NONE) 1280 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1281 send_krb5_tgt(context, auth_context); 1282 } 1283 if (auth_context) 1284 krb5_auth_con_free(context, auth_context); 1285 if (context) 1286 krb5_free_context(context); 1287#endif 1288 1289#ifdef AFS 1290 /* Try Kerberos v4 TGT passing if the server supports it. */ 1291 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1292 options.kerberos_tgt_passing) { 1293 if (options.cipher == SSH_CIPHER_NONE) 1294 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1295 send_krb4_tgt(); 1296 } 1297 /* Try AFS token passing if the server supports it. */ 1298 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && 1299 options.afs_token_passing && k_hasafs()) { 1300 if (options.cipher == SSH_CIPHER_NONE) 1301 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); 1302 send_afs_tokens(); 1303 } 1304#endif /* AFS */ 1305 1306 return; /* need statement after label */ 1307} 1308