sshconnect1.c revision 60573
1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Created: Sat Mar 18 22:15:47 1995 ylo 6 * Code to connect to a remote host, and to perform the client side of the 7 * login (authentication) dialog. 8 * 9 */ 10 11#include "includes.h" 12RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $"); 13 14#include <openssl/bn.h> 15#include <openssl/dsa.h> 16#include <openssl/rsa.h> 17#include <openssl/evp.h> 18 19#include "xmalloc.h" 20#include "rsa.h" 21#include "ssh.h" 22#include "buffer.h" 23#include "packet.h" 24#include "authfd.h" 25#include "cipher.h" 26#include "mpaux.h" 27#include "uidswap.h" 28#include "readconf.h" 29#include "key.h" 30#include "sshconnect.h" 31#include "authfile.h" 32 33/* Session id for the current session. */ 34unsigned char session_id[16]; 35unsigned int supported_authentications = 0; 36 37extern Options options; 38extern char *__progname; 39 40/* 41 * Checks if the user has an authentication agent, and if so, tries to 42 * authenticate using the agent. 43 */ 44int 45try_agent_authentication() 46{ 47 int status, type; 48 char *comment; 49 AuthenticationConnection *auth; 50 unsigned char response[16]; 51 unsigned int i; 52 BIGNUM *e, *n, *challenge; 53 54 /* Get connection to the agent. */ 55 auth = ssh_get_authentication_connection(); 56 if (!auth) 57 return 0; 58 59 e = BN_new(); 60 n = BN_new(); 61 challenge = BN_new(); 62 63 /* Loop through identities served by the agent. */ 64 for (status = ssh_get_first_identity(auth, e, n, &comment); 65 status; 66 status = ssh_get_next_identity(auth, e, n, &comment)) { 67 int plen, clen; 68 69 /* Try this identity. */ 70 debug("Trying RSA authentication via agent with '%.100s'", comment); 71 xfree(comment); 72 73 /* Tell the server that we are willing to authenticate using this key. */ 74 packet_start(SSH_CMSG_AUTH_RSA); 75 packet_put_bignum(n); 76 packet_send(); 77 packet_write_wait(); 78 79 /* Wait for server's response. */ 80 type = packet_read(&plen); 81 82 /* The server sends failure if it doesn\'t like our key or 83 does not support RSA authentication. */ 84 if (type == SSH_SMSG_FAILURE) { 85 debug("Server refused our key."); 86 continue; 87 } 88 /* Otherwise it should have sent a challenge. */ 89 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 90 packet_disconnect("Protocol error during RSA authentication: %d", 91 type); 92 93 packet_get_bignum(challenge, &clen); 94 95 packet_integrity_check(plen, clen, type); 96 97 debug("Received RSA challenge from server."); 98 99 /* Ask the agent to decrypt the challenge. */ 100 if (!ssh_decrypt_challenge(auth, e, n, challenge, 101 session_id, 1, response)) { 102 /* The agent failed to authenticate this identifier although it 103 advertised it supports this. Just return a wrong value. */ 104 log("Authentication agent failed to decrypt challenge."); 105 memset(response, 0, sizeof(response)); 106 } 107 debug("Sending response to RSA challenge."); 108 109 /* Send the decrypted challenge back to the server. */ 110 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 111 for (i = 0; i < 16; i++) 112 packet_put_char(response[i]); 113 packet_send(); 114 packet_write_wait(); 115 116 /* Wait for response from the server. */ 117 type = packet_read(&plen); 118 119 /* The server returns success if it accepted the authentication. */ 120 if (type == SSH_SMSG_SUCCESS) { 121 debug("RSA authentication accepted by server."); 122 BN_clear_free(e); 123 BN_clear_free(n); 124 BN_clear_free(challenge); 125 return 1; 126 } 127 /* Otherwise it should return failure. */ 128 if (type != SSH_SMSG_FAILURE) 129 packet_disconnect("Protocol error waiting RSA auth response: %d", 130 type); 131 } 132 133 BN_clear_free(e); 134 BN_clear_free(n); 135 BN_clear_free(challenge); 136 137 debug("RSA authentication using agent refused."); 138 return 0; 139} 140 141/* 142 * Computes the proper response to a RSA challenge, and sends the response to 143 * the server. 144 */ 145void 146respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 147{ 148 unsigned char buf[32], response[16]; 149 MD5_CTX md; 150 int i, len; 151 152 /* Decrypt the challenge using the private key. */ 153 rsa_private_decrypt(challenge, challenge, prv); 154 155 /* Compute the response. */ 156 /* The response is MD5 of decrypted challenge plus session id. */ 157 len = BN_num_bytes(challenge); 158 if (len <= 0 || len > sizeof(buf)) 159 packet_disconnect("respond_to_rsa_challenge: bad challenge length %d", 160 len); 161 162 memset(buf, 0, sizeof(buf)); 163 BN_bn2bin(challenge, buf + sizeof(buf) - len); 164 MD5_Init(&md); 165 MD5_Update(&md, buf, 32); 166 MD5_Update(&md, session_id, 16); 167 MD5_Final(response, &md); 168 169 debug("Sending response to host key RSA challenge."); 170 171 /* Send the response back to the server. */ 172 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 173 for (i = 0; i < 16; i++) 174 packet_put_char(response[i]); 175 packet_send(); 176 packet_write_wait(); 177 178 memset(buf, 0, sizeof(buf)); 179 memset(response, 0, sizeof(response)); 180 memset(&md, 0, sizeof(md)); 181} 182 183/* 184 * Checks if the user has authentication file, and if so, tries to authenticate 185 * the user using it. 186 */ 187int 188try_rsa_authentication(const char *authfile) 189{ 190 BIGNUM *challenge; 191 Key *public; 192 Key *private; 193 char *passphrase, *comment; 194 int type, i; 195 int plen, clen; 196 197 /* Try to load identification for the authentication key. */ 198 public = key_new(KEY_RSA); 199 if (!load_public_key(authfile, public, &comment)) { 200 key_free(public); 201 /* Could not load it. Fail. */ 202 return 0; 203 } 204 debug("Trying RSA authentication with key '%.100s'", comment); 205 206 /* Tell the server that we are willing to authenticate using this key. */ 207 packet_start(SSH_CMSG_AUTH_RSA); 208 packet_put_bignum(public->rsa->n); 209 packet_send(); 210 packet_write_wait(); 211 212 /* We no longer need the public key. */ 213 key_free(public); 214 215 /* Wait for server's response. */ 216 type = packet_read(&plen); 217 218 /* 219 * The server responds with failure if it doesn\'t like our key or 220 * doesn\'t support RSA authentication. 221 */ 222 if (type == SSH_SMSG_FAILURE) { 223 debug("Server refused our key."); 224 xfree(comment); 225 return 0; 226 } 227 /* Otherwise, the server should respond with a challenge. */ 228 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 229 packet_disconnect("Protocol error during RSA authentication: %d", type); 230 231 /* Get the challenge from the packet. */ 232 challenge = BN_new(); 233 packet_get_bignum(challenge, &clen); 234 235 packet_integrity_check(plen, clen, type); 236 237 debug("Received RSA challenge from server."); 238 239 private = key_new(KEY_RSA); 240 /* 241 * Load the private key. Try first with empty passphrase; if it 242 * fails, ask for a passphrase. 243 */ 244 if (!load_private_key(authfile, "", private, NULL)) { 245 char buf[300]; 246 snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", 247 comment); 248 if (!options.batch_mode) 249 passphrase = read_passphrase(buf, 0); 250 else { 251 debug("Will not query passphrase for %.100s in batch mode.", 252 comment); 253 passphrase = xstrdup(""); 254 } 255 256 /* Load the authentication file using the pasphrase. */ 257 if (!load_private_key(authfile, passphrase, private, NULL)) { 258 memset(passphrase, 0, strlen(passphrase)); 259 xfree(passphrase); 260 error("Bad passphrase."); 261 262 /* Send a dummy response packet to avoid protocol error. */ 263 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 264 for (i = 0; i < 16; i++) 265 packet_put_char(0); 266 packet_send(); 267 packet_write_wait(); 268 269 /* Expect the server to reject it... */ 270 packet_read_expect(&plen, SSH_SMSG_FAILURE); 271 xfree(comment); 272 return 0; 273 } 274 /* Destroy the passphrase. */ 275 memset(passphrase, 0, strlen(passphrase)); 276 xfree(passphrase); 277 } 278 /* We no longer need the comment. */ 279 xfree(comment); 280 281 /* Compute and send a response to the challenge. */ 282 respond_to_rsa_challenge(challenge, private->rsa); 283 284 /* Destroy the private key. */ 285 key_free(private); 286 287 /* We no longer need the challenge. */ 288 BN_clear_free(challenge); 289 290 /* Wait for response from the server. */ 291 type = packet_read(&plen); 292 if (type == SSH_SMSG_SUCCESS) { 293 debug("RSA authentication accepted by server."); 294 return 1; 295 } 296 if (type != SSH_SMSG_FAILURE) 297 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 298 debug("RSA authentication refused."); 299 return 0; 300} 301 302/* 303 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 304 * authentication and RSA host authentication. 305 */ 306int 307try_rhosts_rsa_authentication(const char *local_user, RSA * host_key) 308{ 309 int type; 310 BIGNUM *challenge; 311 int plen, clen; 312 313 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 314 315 /* Tell the server that we are willing to authenticate using this key. */ 316 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 317 packet_put_string(local_user, strlen(local_user)); 318 packet_put_int(BN_num_bits(host_key->n)); 319 packet_put_bignum(host_key->e); 320 packet_put_bignum(host_key->n); 321 packet_send(); 322 packet_write_wait(); 323 324 /* Wait for server's response. */ 325 type = packet_read(&plen); 326 327 /* The server responds with failure if it doesn't admit our 328 .rhosts authentication or doesn't know our host key. */ 329 if (type == SSH_SMSG_FAILURE) { 330 debug("Server refused our rhosts authentication or host key."); 331 return 0; 332 } 333 /* Otherwise, the server should respond with a challenge. */ 334 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 335 packet_disconnect("Protocol error during RSA authentication: %d", type); 336 337 /* Get the challenge from the packet. */ 338 challenge = BN_new(); 339 packet_get_bignum(challenge, &clen); 340 341 packet_integrity_check(plen, clen, type); 342 343 debug("Received RSA challenge for host key from server."); 344 345 /* Compute a response to the challenge. */ 346 respond_to_rsa_challenge(challenge, host_key); 347 348 /* We no longer need the challenge. */ 349 BN_clear_free(challenge); 350 351 /* Wait for response from the server. */ 352 type = packet_read(&plen); 353 if (type == SSH_SMSG_SUCCESS) { 354 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 355 return 1; 356 } 357 if (type != SSH_SMSG_FAILURE) 358 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 359 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 360 return 0; 361} 362 363#ifdef KRB4 364int 365try_kerberos_authentication() 366{ 367 KTEXT_ST auth; /* Kerberos data */ 368 char *reply; 369 char inst[INST_SZ]; 370 char *realm; 371 CREDENTIALS cred; 372 int r, type, plen; 373 socklen_t slen; 374 Key_schedule schedule; 375 u_long checksum, cksum; 376 MSG_DAT msg_data; 377 struct sockaddr_in local, foreign; 378 struct stat st; 379 380 /* Don't do anything if we don't have any tickets. */ 381 if (stat(tkt_string(), &st) < 0) 382 return 0; 383 384 strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ); 385 386 realm = (char *) krb_realmofhost(get_canonical_hostname()); 387 if (!realm) { 388 debug("Kerberos V4: no realm for %s", get_canonical_hostname()); 389 return 0; 390 } 391 /* This can really be anything. */ 392 checksum = (u_long) getpid(); 393 394 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 395 if (r != KSUCCESS) { 396 debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]); 397 return 0; 398 } 399 /* Get session key to decrypt the server's reply with. */ 400 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); 401 if (r != KSUCCESS) { 402 debug("get_cred failed: %s", krb_err_txt[r]); 403 return 0; 404 } 405 des_key_sched((des_cblock *) cred.session, schedule); 406 407 /* Send authentication info to server. */ 408 packet_start(SSH_CMSG_AUTH_KERBEROS); 409 packet_put_string((char *) auth.dat, auth.length); 410 packet_send(); 411 packet_write_wait(); 412 413 /* Zero the buffer. */ 414 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 415 416 slen = sizeof(local); 417 memset(&local, 0, sizeof(local)); 418 if (getsockname(packet_get_connection_in(), 419 (struct sockaddr *) & local, &slen) < 0) 420 debug("getsockname failed: %s", strerror(errno)); 421 422 slen = sizeof(foreign); 423 memset(&foreign, 0, sizeof(foreign)); 424 if (getpeername(packet_get_connection_in(), 425 (struct sockaddr *) & foreign, &slen) < 0) { 426 debug("getpeername failed: %s", strerror(errno)); 427 fatal_cleanup(); 428 } 429 /* Get server reply. */ 430 type = packet_read(&plen); 431 switch (type) { 432 case SSH_SMSG_FAILURE: 433 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 434 debug("Kerberos V4 authentication failed."); 435 return 0; 436 break; 437 438 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 439 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 440 debug("Kerberos V4 authentication accepted."); 441 442 /* Get server's response. */ 443 reply = packet_get_string((unsigned int *) &auth.length); 444 memcpy(auth.dat, reply, auth.length); 445 xfree(reply); 446 447 packet_integrity_check(plen, 4 + auth.length, type); 448 449 /* 450 * If his response isn't properly encrypted with the session 451 * key, and the decrypted checksum fails to match, he's 452 * bogus. Bail out. 453 */ 454 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, 455 &foreign, &local, &msg_data); 456 if (r != KSUCCESS) { 457 debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]); 458 packet_disconnect("Kerberos V4 challenge failed!"); 459 } 460 /* Fetch the (incremented) checksum that we supplied in the request. */ 461 (void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum)); 462 cksum = ntohl(cksum); 463 464 /* If it matches, we're golden. */ 465 if (cksum == checksum + 1) { 466 debug("Kerberos V4 challenge successful."); 467 return 1; 468 } else 469 packet_disconnect("Kerberos V4 challenge failed!"); 470 break; 471 472 default: 473 packet_disconnect("Protocol error on Kerberos V4 response: %d", type); 474 } 475 return 0; 476} 477 478#endif /* KRB4 */ 479 480#ifdef AFS 481int 482send_kerberos_tgt() 483{ 484 CREDENTIALS *creds; 485 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 486 int r, type, plen; 487 char buffer[8192]; 488 struct stat st; 489 490 /* Don't do anything if we don't have any tickets. */ 491 if (stat(tkt_string(), &st) < 0) 492 return 0; 493 494 creds = xmalloc(sizeof(*creds)); 495 496 if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) { 497 debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]); 498 return 0; 499 } 500 if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) { 501 debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]); 502 return 0; 503 } 504 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 505 debug("Kerberos V4 ticket expired: %s", TKT_FILE); 506 return 0; 507 } 508 creds_to_radix(creds, (unsigned char *)buffer, sizeof buffer); 509 xfree(creds); 510 511 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 512 packet_put_string(buffer, strlen(buffer)); 513 packet_send(); 514 packet_write_wait(); 515 516 type = packet_read(&plen); 517 518 if (type == SSH_SMSG_FAILURE) 519 debug("Kerberos TGT for realm %s rejected.", prealm); 520 else if (type != SSH_SMSG_SUCCESS) 521 packet_disconnect("Protocol error on Kerberos TGT response: %d", type); 522 523 return 1; 524} 525 526void 527send_afs_tokens(void) 528{ 529 CREDENTIALS creds; 530 struct ViceIoctl parms; 531 struct ClearToken ct; 532 int i, type, len, plen; 533 char buf[2048], *p, *server_cell; 534 char buffer[8192]; 535 536 /* Move over ktc_GetToken, here's something leaner. */ 537 for (i = 0; i < 100; i++) { /* just in case */ 538 parms.in = (char *) &i; 539 parms.in_size = sizeof(i); 540 parms.out = buf; 541 parms.out_size = sizeof(buf); 542 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 543 break; 544 p = buf; 545 546 /* Get secret token. */ 547 memcpy(&creds.ticket_st.length, p, sizeof(unsigned int)); 548 if (creds.ticket_st.length > MAX_KTXT_LEN) 549 break; 550 p += sizeof(unsigned int); 551 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 552 p += creds.ticket_st.length; 553 554 /* Get clear token. */ 555 memcpy(&len, p, sizeof(len)); 556 if (len != sizeof(struct ClearToken)) 557 break; 558 p += sizeof(len); 559 memcpy(&ct, p, len); 560 p += len; 561 p += sizeof(len); /* primary flag */ 562 server_cell = p; 563 564 /* Flesh out our credentials. */ 565 strlcpy(creds.service, "afs", sizeof creds.service); 566 creds.instance[0] = '\0'; 567 strlcpy(creds.realm, server_cell, REALM_SZ); 568 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); 569 creds.issue_date = ct.BeginTimestamp; 570 creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp); 571 creds.kvno = ct.AuthHandle; 572 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 573 creds.pinst[0] = '\0'; 574 575 /* Encode token, ship it off. */ 576 if (creds_to_radix(&creds, (unsigned char*) buffer, sizeof buffer) <= 0) 577 break; 578 packet_start(SSH_CMSG_HAVE_AFS_TOKEN); 579 packet_put_string(buffer, strlen(buffer)); 580 packet_send(); 581 packet_write_wait(); 582 583 /* Roger, Roger. Clearance, Clarence. What's your vector, 584 Victor? */ 585 type = packet_read(&plen); 586 587 if (type == SSH_SMSG_FAILURE) 588 debug("AFS token for cell %s rejected.", server_cell); 589 else if (type != SSH_SMSG_SUCCESS) 590 packet_disconnect("Protocol error on AFS token response: %d", type); 591 } 592} 593 594#endif /* AFS */ 595 596/* 597 * Tries to authenticate with any string-based challenge/response system. 598 * Note that the client code is not tied to s/key or TIS. 599 */ 600int 601try_skey_authentication() 602{ 603 int type, i; 604 int payload_len; 605 unsigned int clen; 606 char *challenge, *response; 607 608 debug("Doing skey authentication."); 609 610 /* request a challenge */ 611 packet_start(SSH_CMSG_AUTH_TIS); 612 packet_send(); 613 packet_write_wait(); 614 615 type = packet_read(&payload_len); 616 if (type != SSH_SMSG_FAILURE && 617 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 618 packet_disconnect("Protocol error: got %d in response " 619 "to skey-auth", type); 620 } 621 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 622 debug("No challenge for skey authentication."); 623 return 0; 624 } 625 challenge = packet_get_string(&clen); 626 packet_integrity_check(payload_len, (4 + clen), type); 627 if (options.cipher == SSH_CIPHER_NONE) 628 log("WARNING: Encryption is disabled! " 629 "Reponse will be transmitted in clear text."); 630 fprintf(stderr, "%s\n", challenge); 631 xfree(challenge); 632 fflush(stderr); 633 for (i = 0; i < options.number_of_password_prompts; i++) { 634 if (i != 0) 635 error("Permission denied, please try again."); 636 response = read_passphrase("Response: ", 0); 637 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 638 packet_put_string(response, strlen(response)); 639 memset(response, 0, strlen(response)); 640 xfree(response); 641 packet_send(); 642 packet_write_wait(); 643 type = packet_read(&payload_len); 644 if (type == SSH_SMSG_SUCCESS) 645 return 1; 646 if (type != SSH_SMSG_FAILURE) 647 packet_disconnect("Protocol error: got %d in response " 648 "to skey-auth-reponse", type); 649 } 650 /* failure */ 651 return 0; 652} 653 654/* 655 * Tries to authenticate with plain passwd authentication. 656 */ 657int 658try_password_authentication(char *prompt) 659{ 660 int type, i, payload_len; 661 char *password; 662 663 debug("Doing password authentication."); 664 if (options.cipher == SSH_CIPHER_NONE) 665 log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 666 for (i = 0; i < options.number_of_password_prompts; i++) { 667 if (i != 0) 668 error("Permission denied, please try again."); 669 password = read_passphrase(prompt, 0); 670 packet_start(SSH_CMSG_AUTH_PASSWORD); 671 packet_put_string(password, strlen(password)); 672 memset(password, 0, strlen(password)); 673 xfree(password); 674 packet_send(); 675 packet_write_wait(); 676 677 type = packet_read(&payload_len); 678 if (type == SSH_SMSG_SUCCESS) 679 return 1; 680 if (type != SSH_SMSG_FAILURE) 681 packet_disconnect("Protocol error: got %d in response to passwd auth", type); 682 } 683 /* failure */ 684 return 0; 685} 686 687/* 688 * SSH1 key exchange 689 */ 690void 691ssh_kex(char *host, struct sockaddr *hostaddr) 692{ 693 int i; 694 BIGNUM *key; 695 RSA *host_key; 696 RSA *public_key; 697 Key k; 698 int bits, rbits; 699 int ssh_cipher_default = SSH_CIPHER_3DES; 700 unsigned char session_key[SSH_SESSION_KEY_LENGTH]; 701 unsigned char cookie[8]; 702 unsigned int supported_ciphers; 703 unsigned int server_flags, client_flags; 704 int payload_len, clen, sum_len = 0; 705 u_int32_t rand = 0; 706 707 debug("Waiting for server public key."); 708 709 /* Wait for a public key packet from the server. */ 710 packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY); 711 712 /* Get cookie from the packet. */ 713 for (i = 0; i < 8; i++) 714 cookie[i] = packet_get_char(); 715 716 /* Get the public key. */ 717 public_key = RSA_new(); 718 bits = packet_get_int();/* bits */ 719 public_key->e = BN_new(); 720 packet_get_bignum(public_key->e, &clen); 721 sum_len += clen; 722 public_key->n = BN_new(); 723 packet_get_bignum(public_key->n, &clen); 724 sum_len += clen; 725 726 rbits = BN_num_bits(public_key->n); 727 if (bits != rbits) { 728 log("Warning: Server lies about size of server public key: " 729 "actual size is %d bits vs. announced %d.", rbits, bits); 730 log("Warning: This may be due to an old implementation of ssh."); 731 } 732 /* Get the host key. */ 733 host_key = RSA_new(); 734 bits = packet_get_int();/* bits */ 735 host_key->e = BN_new(); 736 packet_get_bignum(host_key->e, &clen); 737 sum_len += clen; 738 host_key->n = BN_new(); 739 packet_get_bignum(host_key->n, &clen); 740 sum_len += clen; 741 742 rbits = BN_num_bits(host_key->n); 743 if (bits != rbits) { 744 log("Warning: Server lies about size of server host key: " 745 "actual size is %d bits vs. announced %d.", rbits, bits); 746 log("Warning: This may be due to an old implementation of ssh."); 747 } 748 749 /* Get protocol flags. */ 750 server_flags = packet_get_int(); 751 packet_set_protocol_flags(server_flags); 752 753 supported_ciphers = packet_get_int(); 754 supported_authentications = packet_get_int(); 755 756 debug("Received server public key (%d bits) and host key (%d bits).", 757 BN_num_bits(public_key->n), BN_num_bits(host_key->n)); 758 759 packet_integrity_check(payload_len, 760 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, 761 SSH_SMSG_PUBLIC_KEY); 762 k.type = KEY_RSA; 763 k.rsa = host_key; 764 check_host_key(host, hostaddr, &k, 765 options.user_hostfile, options.system_hostfile); 766 767 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 768 769 compute_session_id(session_id, cookie, host_key->n, public_key->n); 770 771 /* Generate a session key. */ 772 arc4random_stir(); 773 774 /* 775 * Generate an encryption key for the session. The key is a 256 bit 776 * random number, interpreted as a 32-byte key, with the least 777 * significant 8 bits being the first byte of the key. 778 */ 779 for (i = 0; i < 32; i++) { 780 if (i % 4 == 0) 781 rand = arc4random(); 782 session_key[i] = rand & 0xff; 783 rand >>= 8; 784 } 785 786 /* 787 * According to the protocol spec, the first byte of the session key 788 * is the highest byte of the integer. The session key is xored with 789 * the first 16 bytes of the session id. 790 */ 791 key = BN_new(); 792 BN_set_word(key, 0); 793 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 794 BN_lshift(key, key, 8); 795 if (i < 16) 796 BN_add_word(key, session_key[i] ^ session_id[i]); 797 else 798 BN_add_word(key, session_key[i]); 799 } 800 801 /* 802 * Encrypt the integer using the public key and host key of the 803 * server (key with smaller modulus first). 804 */ 805 if (BN_cmp(public_key->n, host_key->n) < 0) { 806 /* Public key has smaller modulus. */ 807 if (BN_num_bits(host_key->n) < 808 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) { 809 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + " 810 "SSH_KEY_BITS_RESERVED %d", 811 BN_num_bits(host_key->n), 812 BN_num_bits(public_key->n), 813 SSH_KEY_BITS_RESERVED); 814 } 815 rsa_public_encrypt(key, key, public_key); 816 rsa_public_encrypt(key, key, host_key); 817 } else { 818 /* Host key has smaller modulus (or they are equal). */ 819 if (BN_num_bits(public_key->n) < 820 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) { 821 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + " 822 "SSH_KEY_BITS_RESERVED %d", 823 BN_num_bits(public_key->n), 824 BN_num_bits(host_key->n), 825 SSH_KEY_BITS_RESERVED); 826 } 827 rsa_public_encrypt(key, key, host_key); 828 rsa_public_encrypt(key, key, public_key); 829 } 830 831 /* Destroy the public keys since we no longer need them. */ 832 RSA_free(public_key); 833 RSA_free(host_key); 834 835 if (options.cipher == SSH_CIPHER_ILLEGAL) { 836 log("No valid SSH1 cipher, using %.100s instead.", 837 cipher_name(SSH_FALLBACK_CIPHER)); 838 options.cipher = SSH_FALLBACK_CIPHER; 839 } else if (options.cipher == SSH_CIPHER_NOT_SET) { 840 if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default)) 841 options.cipher = ssh_cipher_default; 842 else { 843 debug("Cipher %s not supported, using %.100s instead.", 844 cipher_name(ssh_cipher_default), 845 cipher_name(SSH_FALLBACK_CIPHER)); 846 options.cipher = SSH_FALLBACK_CIPHER; 847 } 848 } 849 /* Check that the selected cipher is supported. */ 850 if (!(supported_ciphers & (1 << options.cipher))) 851 fatal("Selected cipher type %.100s not supported by server.", 852 cipher_name(options.cipher)); 853 854 debug("Encryption type: %.100s", cipher_name(options.cipher)); 855 856 /* Send the encrypted session key to the server. */ 857 packet_start(SSH_CMSG_SESSION_KEY); 858 packet_put_char(options.cipher); 859 860 /* Send the cookie back to the server. */ 861 for (i = 0; i < 8; i++) 862 packet_put_char(cookie[i]); 863 864 /* Send and destroy the encrypted encryption key integer. */ 865 packet_put_bignum(key); 866 BN_clear_free(key); 867 868 /* Send protocol flags. */ 869 packet_put_int(client_flags); 870 871 /* Send the packet now. */ 872 packet_send(); 873 packet_write_wait(); 874 875 debug("Sent encrypted session key."); 876 877 /* Set the encryption key. */ 878 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 879 880 /* We will no longer need the session key here. Destroy any extra copies. */ 881 memset(session_key, 0, sizeof(session_key)); 882 883 /* 884 * Expect a success message from the server. Note that this message 885 * will be received in encrypted form. 886 */ 887 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); 888 889 debug("Received encrypted confirmation."); 890} 891 892/* 893 * Authenticate user 894 */ 895void 896ssh_userauth( 897 const char* local_user, 898 const char* server_user, 899 char *host, 900 int host_key_valid, RSA *own_host_key) 901{ 902 int i, type; 903 int payload_len; 904 905 if (supported_authentications == 0) 906 fatal("ssh_userauth: server supports no auth methods"); 907 908 /* Send the name of the user to log in as on the server. */ 909 packet_start(SSH_CMSG_USER); 910 packet_put_string(server_user, strlen(server_user)); 911 packet_send(); 912 packet_write_wait(); 913 914 /* 915 * The server should respond with success if no authentication is 916 * needed (the user has no password). Otherwise the server responds 917 * with failure. 918 */ 919 type = packet_read(&payload_len); 920 921 /* check whether the connection was accepted without authentication. */ 922 if (type == SSH_SMSG_SUCCESS) 923 return; 924 if (type != SSH_SMSG_FAILURE) 925 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", 926 type); 927 928#ifdef AFS 929 /* Try Kerberos tgt passing if the server supports it. */ 930 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 931 options.kerberos_tgt_passing) { 932 if (options.cipher == SSH_CIPHER_NONE) 933 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 934 (void) send_kerberos_tgt(); 935 } 936 /* Try AFS token passing if the server supports it. */ 937 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && 938 options.afs_token_passing && k_hasafs()) { 939 if (options.cipher == SSH_CIPHER_NONE) 940 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); 941 send_afs_tokens(); 942 } 943#endif /* AFS */ 944 945#ifdef KRB4 946 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 947 options.kerberos_authentication) { 948 debug("Trying Kerberos authentication."); 949 if (try_kerberos_authentication()) { 950 /* The server should respond with success or failure. */ 951 type = packet_read(&payload_len); 952 if (type == SSH_SMSG_SUCCESS) 953 return; 954 if (type != SSH_SMSG_FAILURE) 955 packet_disconnect("Protocol error: got %d in response to Kerberos auth", type); 956 } 957 } 958#endif /* KRB4 */ 959 960 /* 961 * Use rhosts authentication if running in privileged socket and we 962 * do not wish to remain anonymous. 963 */ 964 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 965 options.rhosts_authentication) { 966 debug("Trying rhosts authentication."); 967 packet_start(SSH_CMSG_AUTH_RHOSTS); 968 packet_put_string(local_user, strlen(local_user)); 969 packet_send(); 970 packet_write_wait(); 971 972 /* The server should respond with success or failure. */ 973 type = packet_read(&payload_len); 974 if (type == SSH_SMSG_SUCCESS) 975 return; 976 if (type != SSH_SMSG_FAILURE) 977 packet_disconnect("Protocol error: got %d in response to rhosts auth", 978 type); 979 } 980 /* 981 * Try .rhosts or /etc/hosts.equiv authentication with RSA host 982 * authentication. 983 */ 984 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 985 options.rhosts_rsa_authentication && host_key_valid) { 986 if (try_rhosts_rsa_authentication(local_user, own_host_key)) 987 return; 988 } 989 /* Try RSA authentication if the server supports it. */ 990 if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 991 options.rsa_authentication) { 992 /* 993 * Try RSA authentication using the authentication agent. The 994 * agent is tried first because no passphrase is needed for 995 * it, whereas identity files may require passphrases. 996 */ 997 if (try_agent_authentication()) 998 return; 999 1000 /* Try RSA authentication for each identity. */ 1001 for (i = 0; i < options.num_identity_files; i++) 1002 if (try_rsa_authentication(options.identity_files[i])) 1003 return; 1004 } 1005 /* Try skey authentication if the server supports it. */ 1006 if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 1007 options.skey_authentication && !options.batch_mode) { 1008 if (try_skey_authentication()) 1009 return; 1010 } 1011 /* Try password authentication if the server supports it. */ 1012 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 1013 options.password_authentication && !options.batch_mode) { 1014 char prompt[80]; 1015 1016 snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", 1017 server_user, host); 1018 if (try_password_authentication(prompt)) 1019 return; 1020 } 1021 /* All authentication methods have failed. Exit with an error message. */ 1022 fatal("Permission denied."); 1023 /* NOTREACHED */ 1024} 1025