sshconnect1.c revision 74500
11592Srgrimes/* 21592Srgrimes * Author: Tatu Ylonen <ylo@cs.hut.fi> 31592Srgrimes * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 41592Srgrimes * All rights reserved 51592Srgrimes * Code to connect to a remote host, and to perform the client side of the 61592Srgrimes * login (authentication) dialog. 71592Srgrimes * 81592Srgrimes * As far as I am concerned, the code I have written for this software 91592Srgrimes * can be used freely for any purpose. Any derived versions of this 101592Srgrimes * software must be clearly marked as such, and if the derived work is 111592Srgrimes * incompatible with the protocol description in the RFC file, it must be 121592Srgrimes * called by a name other than "ssh" or "Secure Shell". 131592Srgrimes */ 141592Srgrimes 151592Srgrimes#include "includes.h" 161592SrgrimesRCSID("$OpenBSD: sshconnect1.c,v 1.8 2000/10/12 09:59:19 markus Exp $"); 171592SrgrimesRCSID("$FreeBSD: head/crypto/openssh/sshconnect1.c 74500 2001-03-20 02:06:40Z green $"); 181592Srgrimes 191592Srgrimes#include <openssl/bn.h> 201592Srgrimes#include <openssl/dsa.h> 211592Srgrimes#include <openssl/rsa.h> 221592Srgrimes#include <openssl/evp.h> 231592Srgrimes 241592Srgrimes#include "xmalloc.h" 251592Srgrimes#include "rsa.h" 261592Srgrimes#include "ssh.h" 271592Srgrimes#include "buffer.h" 281592Srgrimes#include "packet.h" 291592Srgrimes#include "mpaux.h" 301592Srgrimes#include "uidswap.h" 311592Srgrimes#include "readconf.h" 321592Srgrimes#include "key.h" 331592Srgrimes#include "authfd.h" 341592Srgrimes#include "sshconnect.h" 3531491Scharnier#include "authfile.h" 3621838Spst 3731491Scharnier/* Session id for the current session. */ 3831491Scharnierunsigned char session_id[16]; 3950476Speterunsigned int supported_authentications = 0; 401592Srgrimes 411592Srgrimesextern Options options; 421592Srgrimesextern char *__progname; 431592Srgrimes 441592Srgrimes/* 451592Srgrimes * Checks if the user has an authentication agent, and if so, tries to 461592Srgrimes * authenticate using the agent. 471592Srgrimes */ 4821838Spstint 491592Srgrimestry_agent_authentication() 5021838Spst{ 511592Srgrimes int type; 5221838Spst char *comment; 5321838Spst AuthenticationConnection *auth; 5421838Spst unsigned char response[16]; 5521838Spst unsigned int i; 561592Srgrimes int plen, clen; 571592Srgrimes Key *key; 5821838Spst BIGNUM *challenge; 591592Srgrimes 6083244Sdd /* Get connection to the agent. */ 6190261Simp auth = ssh_get_authentication_connection(); 6283244Sdd if (!auth) 631592Srgrimes return 0; 641592Srgrimes 651592Srgrimes challenge = BN_new(); 661592Srgrimes key = key_new(KEY_RSA); 671592Srgrimes 688870Srgrimes /* Loop through identities served by the agent. */ 691592Srgrimes for (key = ssh_get_first_identity(auth, &comment, 1); 708870Srgrimes key != NULL; 711592Srgrimes key = ssh_get_next_identity(auth, &comment, 1)) { 721592Srgrimes 7331491Scharnier /* Try this identity. */ 7490261Simp debug("Trying RSA authentication via agent with '%.100s'", comment); 751592Srgrimes xfree(comment); 761592Srgrimes 771592Srgrimes /* Tell the server that we are willing to authenticate using this key. */ 781592Srgrimes packet_start(SSH_CMSG_AUTH_RSA); 791592Srgrimes packet_put_bignum(key->rsa->n); 801592Srgrimes packet_send(); 811592Srgrimes packet_write_wait(); 821592Srgrimes 831592Srgrimes /* Wait for server's response. */ 841592Srgrimes type = packet_read(&plen); 851592Srgrimes 861592Srgrimes /* The server sends failure if it doesn\'t like our key or 871592Srgrimes does not support RSA authentication. */ 881592Srgrimes if (type == SSH_SMSG_FAILURE) { 8921838Spst debug("Server refused our key."); 901592Srgrimes key_free(key); 911592Srgrimes continue; 928870Srgrimes } 931592Srgrimes /* Otherwise it should have sent a challenge. */ 941592Srgrimes if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 951592Srgrimes packet_disconnect("Protocol error during RSA authentication: %d", 961592Srgrimes type); 9731491Scharnier 9890261Simp packet_get_bignum(challenge, &clen); 9990261Simp 1001592Srgrimes packet_integrity_check(plen, clen, type); 1011592Srgrimes 10237262Sbde debug("Received RSA challenge from server."); 1031592Srgrimes 1041592Srgrimes /* Ask the agent to decrypt the challenge. */ 1051592Srgrimes if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) { 1061592Srgrimes /* 1071592Srgrimes * The agent failed to authenticate this identifier 1081592Srgrimes * although it advertised it supports this. Just 1091592Srgrimes * return a wrong value. 11021838Spst */ 1111592Srgrimes log("Authentication agent failed to decrypt challenge."); 1121592Srgrimes memset(response, 0, sizeof(response)); 1131592Srgrimes } 1141592Srgrimes key_free(key); 1151592Srgrimes debug("Sending response to RSA challenge."); 11637262Sbde 11737262Sbde /* Send the decrypted challenge back to the server. */ 11821838Spst packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 1191592Srgrimes for (i = 0; i < 16; i++) 1201592Srgrimes packet_put_char(response[i]); 1211592Srgrimes packet_send(); 12221838Spst packet_write_wait(); 12377862Sdd 12477862Sdd /* Wait for response from the server. */ 12579674Sbrian type = packet_read(&plen); 12677862Sdd 1271592Srgrimes /* The server returns success if it accepted the authentication. */ 1281592Srgrimes if (type == SSH_SMSG_SUCCESS) { 1291592Srgrimes BN_clear_free(challenge); 13021838Spst debug("RSA authentication accepted by server."); 13121838Spst return 1; 13221838Spst } 13321838Spst /* Otherwise it should return failure. */ 13421838Spst if (type != SSH_SMSG_FAILURE) 1351592Srgrimes packet_disconnect("Protocol error waiting RSA auth response: %d", 1361592Srgrimes type); 1371592Srgrimes } 13821838Spst BN_clear_free(challenge); 13921838Spst debug("RSA authentication using agent refused."); 1401592Srgrimes return 0; 1411592Srgrimes} 1421592Srgrimes 14321838Spst/* 1441592Srgrimes * Computes the proper response to a RSA challenge, and sends the response to 1451592Srgrimes * the server. 1461592Srgrimes */ 1471592Srgrimesvoid 1481801Sphkrespond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 1491592Srgrimes{ 1501592Srgrimes unsigned char buf[32], response[16]; 1511592Srgrimes MD5_CTX md; 1521592Srgrimes int i, len; 1531592Srgrimes 1541592Srgrimes /* Decrypt the challenge using the private key. */ 1551592Srgrimes /* XXX think about Bleichenbacher, too */ 1561592Srgrimes if (rsa_private_decrypt(challenge, challenge, prv) <= 0) 1571592Srgrimes packet_disconnect( 1581592Srgrimes "respond_to_rsa_challenge: rsa_private_decrypt failed"); 1591592Srgrimes 1601592Srgrimes /* Compute the response. */ 1611592Srgrimes /* The response is MD5 of decrypted challenge plus session id. */ 1621592Srgrimes len = BN_num_bytes(challenge); 1631592Srgrimes if (len <= 0 || len > sizeof(buf)) 1641592Srgrimes packet_disconnect( 1651592Srgrimes "respond_to_rsa_challenge: bad challenge length %d", len); 1661592Srgrimes 1671592Srgrimes memset(buf, 0, sizeof(buf)); 1681592Srgrimes BN_bn2bin(challenge, buf + sizeof(buf) - len); 1691592Srgrimes MD5_Init(&md); 1701592Srgrimes MD5_Update(&md, buf, 32); 1711592Srgrimes MD5_Update(&md, session_id, 16); 1721592Srgrimes MD5_Final(response, &md); 1731592Srgrimes 1741592Srgrimes debug("Sending response to host key RSA challenge."); 175 176 /* Send the response back to the server. */ 177 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 178 for (i = 0; i < 16; i++) 179 packet_put_char(response[i]); 180 packet_send(); 181 packet_write_wait(); 182 183 memset(buf, 0, sizeof(buf)); 184 memset(response, 0, sizeof(response)); 185 memset(&md, 0, sizeof(md)); 186} 187 188/* 189 * Checks if the user has authentication file, and if so, tries to authenticate 190 * the user using it. 191 */ 192int 193try_rsa_authentication(const char *authfile) 194{ 195 BIGNUM *challenge; 196 Key *public; 197 Key *private; 198 char *passphrase, *comment; 199 int type, i; 200 int plen, clen; 201 202 /* Try to load identification for the authentication key. */ 203 public = key_new(KEY_RSA); 204 if (!load_public_key(authfile, public, &comment)) { 205 key_free(public); 206 /* Could not load it. Fail. */ 207 return 0; 208 } 209 debug("Trying RSA authentication with key '%.100s'", comment); 210 211 /* Tell the server that we are willing to authenticate using this key. */ 212 packet_start(SSH_CMSG_AUTH_RSA); 213 packet_put_bignum(public->rsa->n); 214 packet_send(); 215 packet_write_wait(); 216 217 /* We no longer need the public key. */ 218 key_free(public); 219 220 /* Wait for server's response. */ 221 type = packet_read(&plen); 222 223 /* 224 * The server responds with failure if it doesn\'t like our key or 225 * doesn\'t support RSA authentication. 226 */ 227 if (type == SSH_SMSG_FAILURE) { 228 debug("Server refused our key."); 229 xfree(comment); 230 return 0; 231 } 232 /* Otherwise, the server should respond with a challenge. */ 233 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 234 packet_disconnect("Protocol error during RSA authentication: %d", type); 235 236 /* Get the challenge from the packet. */ 237 challenge = BN_new(); 238 packet_get_bignum(challenge, &clen); 239 240 packet_integrity_check(plen, clen, type); 241 242 debug("Received RSA challenge from server."); 243 244 private = key_new(KEY_RSA); 245 /* 246 * Load the private key. Try first with empty passphrase; if it 247 * fails, ask for a passphrase. 248 */ 249 if (!load_private_key(authfile, "", private, NULL)) { 250 char buf[300]; 251 snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", 252 comment); 253 if (!options.batch_mode) 254 passphrase = read_passphrase(buf, 0); 255 else { 256 debug("Will not query passphrase for %.100s in batch mode.", 257 comment); 258 passphrase = xstrdup(""); 259 } 260 261 /* Load the authentication file using the pasphrase. */ 262 if (!load_private_key(authfile, passphrase, private, NULL)) { 263 memset(passphrase, 0, strlen(passphrase)); 264 xfree(passphrase); 265 error("Bad passphrase."); 266 267 /* Send a dummy response packet to avoid protocol error. */ 268 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 269 for (i = 0; i < 16; i++) 270 packet_put_char(0); 271 packet_send(); 272 packet_write_wait(); 273 274 /* Expect the server to reject it... */ 275 packet_read_expect(&plen, SSH_SMSG_FAILURE); 276 xfree(comment); 277 return 0; 278 } 279 /* Destroy the passphrase. */ 280 memset(passphrase, 0, strlen(passphrase)); 281 xfree(passphrase); 282 } 283 /* We no longer need the comment. */ 284 xfree(comment); 285 286 /* Compute and send a response to the challenge. */ 287 respond_to_rsa_challenge(challenge, private->rsa); 288 289 /* Destroy the private key. */ 290 key_free(private); 291 292 /* We no longer need the challenge. */ 293 BN_clear_free(challenge); 294 295 /* Wait for response from the server. */ 296 type = packet_read(&plen); 297 if (type == SSH_SMSG_SUCCESS) { 298 debug("RSA authentication accepted by server."); 299 return 1; 300 } 301 if (type != SSH_SMSG_FAILURE) 302 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 303 debug("RSA authentication refused."); 304 return 0; 305} 306 307/* 308 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 309 * authentication and RSA host authentication. 310 */ 311int 312try_rhosts_rsa_authentication(const char *local_user, RSA * host_key) 313{ 314 int type; 315 BIGNUM *challenge; 316 int plen, clen; 317 318 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 319 320 /* Tell the server that we are willing to authenticate using this key. */ 321 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 322 packet_put_string(local_user, strlen(local_user)); 323 packet_put_int(BN_num_bits(host_key->n)); 324 packet_put_bignum(host_key->e); 325 packet_put_bignum(host_key->n); 326 packet_send(); 327 packet_write_wait(); 328 329 /* Wait for server's response. */ 330 type = packet_read(&plen); 331 332 /* The server responds with failure if it doesn't admit our 333 .rhosts authentication or doesn't know our host key. */ 334 if (type == SSH_SMSG_FAILURE) { 335 debug("Server refused our rhosts authentication or host key."); 336 return 0; 337 } 338 /* Otherwise, the server should respond with a challenge. */ 339 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 340 packet_disconnect("Protocol error during RSA authentication: %d", type); 341 342 /* Get the challenge from the packet. */ 343 challenge = BN_new(); 344 packet_get_bignum(challenge, &clen); 345 346 packet_integrity_check(plen, clen, type); 347 348 debug("Received RSA challenge for host key from server."); 349 350 /* Compute a response to the challenge. */ 351 respond_to_rsa_challenge(challenge, host_key); 352 353 /* We no longer need the challenge. */ 354 BN_clear_free(challenge); 355 356 /* Wait for response from the server. */ 357 type = packet_read(&plen); 358 if (type == SSH_SMSG_SUCCESS) { 359 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 360 return 1; 361 } 362 if (type != SSH_SMSG_FAILURE) 363 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 364 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 365 return 0; 366} 367 368#ifdef KRB4 369int 370try_krb4_authentication() 371{ 372 KTEXT_ST auth; /* Kerberos data */ 373 char *reply; 374 char inst[INST_SZ]; 375 char *realm; 376 CREDENTIALS cred; 377 int r, type, plen; 378 socklen_t slen; 379 Key_schedule schedule; 380 u_long checksum, cksum; 381 MSG_DAT msg_data; 382 struct sockaddr_in local, foreign; 383 struct stat st; 384 385 /* Don't do anything if we don't have any tickets. */ 386 if (stat(tkt_string(), &st) < 0) 387 return 0; 388 389 strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ); 390 391 realm = (char *) krb_realmofhost(get_canonical_hostname()); 392 if (!realm) { 393 debug("Kerberos V4: no realm for %s", get_canonical_hostname()); 394 return 0; 395 } 396 /* This can really be anything. */ 397 checksum = (u_long) getpid(); 398 399 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 400 if (r != KSUCCESS) { 401 debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]); 402 return 0; 403 } 404 /* Get session key to decrypt the server's reply with. */ 405 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); 406 if (r != KSUCCESS) { 407 debug("get_cred failed: %s", krb_err_txt[r]); 408 return 0; 409 } 410 des_key_sched((des_cblock *) cred.session, schedule); 411 412 /* Send authentication info to server. */ 413 packet_start(SSH_CMSG_AUTH_KERBEROS); 414 packet_put_string((char *) auth.dat, auth.length); 415 packet_send(); 416 packet_write_wait(); 417 418 /* Zero the buffer. */ 419 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 420 421 slen = sizeof(local); 422 memset(&local, 0, sizeof(local)); 423 if (getsockname(packet_get_connection_in(), 424 (struct sockaddr *) & local, &slen) < 0) 425 debug("getsockname failed: %s", strerror(errno)); 426 427 slen = sizeof(foreign); 428 memset(&foreign, 0, sizeof(foreign)); 429 if (getpeername(packet_get_connection_in(), 430 (struct sockaddr *) & foreign, &slen) < 0) { 431 debug("getpeername failed: %s", strerror(errno)); 432 fatal_cleanup(); 433 } 434 /* Get server reply. */ 435 type = packet_read(&plen); 436 switch (type) { 437 case SSH_SMSG_FAILURE: 438 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 439 debug("Kerberos V4 authentication failed."); 440 return 0; 441 break; 442 443 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 444 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 445 debug("Kerberos V4 authentication accepted."); 446 447 /* Get server's response. */ 448 reply = packet_get_string((unsigned int *) &auth.length); 449 memcpy(auth.dat, reply, auth.length); 450 xfree(reply); 451 452 packet_integrity_check(plen, 4 + auth.length, type); 453 454 /* 455 * If his response isn't properly encrypted with the session 456 * key, and the decrypted checksum fails to match, he's 457 * bogus. Bail out. 458 */ 459 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, 460 &foreign, &local, &msg_data); 461 if (r != KSUCCESS) { 462 debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]); 463 packet_disconnect("Kerberos V4 challenge failed!"); 464 } 465 /* Fetch the (incremented) checksum that we supplied in the request. */ 466 (void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum)); 467 cksum = ntohl(cksum); 468 469 /* If it matches, we're golden. */ 470 if (cksum == checksum + 1) { 471 debug("Kerberos V4 challenge successful."); 472 return 1; 473 } else 474 packet_disconnect("Kerberos V4 challenge failed!"); 475 break; 476 477 default: 478 packet_disconnect("Protocol error on Kerberos V4 response: %d", type); 479 } 480 return 0; 481} 482 483#endif /* KRB4 */ 484 485#ifdef AFS 486int 487send_krb4_tgt() 488{ 489 CREDENTIALS *creds; 490 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 491 int r, type, plen; 492 char buffer[8192]; 493 struct stat st; 494 495 /* Don't do anything if we don't have any tickets. */ 496 if (stat(tkt_string(), &st) < 0) 497 return 0; 498 499 creds = xmalloc(sizeof(*creds)); 500 501 if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) { 502 debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]); 503 return 0; 504 } 505 if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) { 506 debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]); 507 return 0; 508 } 509 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 510 debug("Kerberos V4 ticket expired: %s", TKT_FILE); 511 return 0; 512 } 513 creds_to_radix(creds, (unsigned char *)buffer, sizeof buffer); 514 xfree(creds); 515 516 packet_start(SSH_CMSG_HAVE_KRB4_TGT); 517 packet_put_string(buffer, strlen(buffer)); 518 packet_send(); 519 packet_write_wait(); 520 521 type = packet_read(&plen); 522 523 if (type == SSH_SMSG_FAILURE) 524 debug("Kerberos TGT for realm %s rejected.", prealm); 525 else if (type != SSH_SMSG_SUCCESS) 526 packet_disconnect("Protocol error on Kerberos TGT response: %d", type); 527 528 return 1; 529} 530 531void 532send_afs_tokens(void) 533{ 534 CREDENTIALS creds; 535 struct ViceIoctl parms; 536 struct ClearToken ct; 537 int i, type, len, plen; 538 char buf[2048], *p, *server_cell; 539 char buffer[8192]; 540 541 /* Move over ktc_GetToken, here's something leaner. */ 542 for (i = 0; i < 100; i++) { /* just in case */ 543 parms.in = (char *) &i; 544 parms.in_size = sizeof(i); 545 parms.out = buf; 546 parms.out_size = sizeof(buf); 547 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 548 break; 549 p = buf; 550 551 /* Get secret token. */ 552 memcpy(&creds.ticket_st.length, p, sizeof(unsigned int)); 553 if (creds.ticket_st.length > MAX_KTXT_LEN) 554 break; 555 p += sizeof(unsigned int); 556 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 557 p += creds.ticket_st.length; 558 559 /* Get clear token. */ 560 memcpy(&len, p, sizeof(len)); 561 if (len != sizeof(struct ClearToken)) 562 break; 563 p += sizeof(len); 564 memcpy(&ct, p, len); 565 p += len; 566 p += sizeof(len); /* primary flag */ 567 server_cell = p; 568 569 /* Flesh out our credentials. */ 570 strlcpy(creds.service, "afs", sizeof creds.service); 571 creds.instance[0] = '\0'; 572 strlcpy(creds.realm, server_cell, REALM_SZ); 573 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); 574 creds.issue_date = ct.BeginTimestamp; 575 creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp); 576 creds.kvno = ct.AuthHandle; 577 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 578 creds.pinst[0] = '\0'; 579 580 /* Encode token, ship it off. */ 581 if (creds_to_radix(&creds, (unsigned char*) buffer, sizeof buffer) <= 0) 582 break; 583 packet_start(SSH_CMSG_HAVE_AFS_TOKEN); 584 packet_put_string(buffer, strlen(buffer)); 585 packet_send(); 586 packet_write_wait(); 587 588 /* Roger, Roger. Clearance, Clarence. What's your vector, 589 Victor? */ 590 type = packet_read(&plen); 591 592 if (type == SSH_SMSG_FAILURE) 593 debug("AFS token for cell %s rejected.", server_cell); 594 else if (type != SSH_SMSG_SUCCESS) 595 packet_disconnect("Protocol error on AFS token response: %d", type); 596 } 597} 598 599#endif /* AFS */ 600 601/* 602 * Tries to authenticate with any string-based challenge/response system. 603 * Note that the client code is not tied to s/key or TIS. 604 */ 605int 606try_skey_authentication() 607{ 608 int type, i; 609 int payload_len; 610 unsigned int clen; 611 char *challenge, *response; 612 613 debug("Doing skey authentication."); 614 615 /* request a challenge */ 616 packet_start(SSH_CMSG_AUTH_TIS); 617 packet_send(); 618 packet_write_wait(); 619 620 type = packet_read(&payload_len); 621 if (type != SSH_SMSG_FAILURE && 622 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 623 packet_disconnect("Protocol error: got %d in response " 624 "to skey-auth", type); 625 } 626 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 627 debug("No challenge for skey authentication."); 628 return 0; 629 } 630 challenge = packet_get_string(&clen); 631 packet_integrity_check(payload_len, (4 + clen), type); 632 if (options.cipher == SSH_CIPHER_NONE) 633 log("WARNING: Encryption is disabled! " 634 "Reponse will be transmitted in clear text."); 635 fprintf(stderr, "%s\n", challenge); 636 xfree(challenge); 637 fflush(stderr); 638 for (i = 0; i < options.number_of_password_prompts; i++) { 639 if (i != 0) 640 error("Permission denied, please try again."); 641 response = read_passphrase("Response: ", 0); 642 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 643 ssh_put_password(response); 644 memset(response, 0, strlen(response)); 645 xfree(response); 646 packet_send(); 647 packet_write_wait(); 648 type = packet_read(&payload_len); 649 if (type == SSH_SMSG_SUCCESS) 650 return 1; 651 if (type != SSH_SMSG_FAILURE) 652 packet_disconnect("Protocol error: got %d in response " 653 "to skey-auth-reponse", type); 654 } 655 /* failure */ 656 return 0; 657} 658 659/* 660 * Tries to authenticate with plain passwd authentication. 661 */ 662int 663try_password_authentication(char *prompt) 664{ 665 int type, i, payload_len; 666 char *password; 667 668 debug("Doing password authentication."); 669 if (options.cipher == SSH_CIPHER_NONE) 670 log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 671 for (i = 0; i < options.number_of_password_prompts; i++) { 672 if (i != 0) 673 error("Permission denied, please try again."); 674 password = read_passphrase(prompt, 0); 675 packet_start(SSH_CMSG_AUTH_PASSWORD); 676 ssh_put_password(password); 677 memset(password, 0, strlen(password)); 678 xfree(password); 679 packet_send(); 680 packet_write_wait(); 681 682 type = packet_read(&payload_len); 683 if (type == SSH_SMSG_SUCCESS) 684 return 1; 685 if (type != SSH_SMSG_FAILURE) 686 packet_disconnect("Protocol error: got %d in response to passwd auth", type); 687 } 688 /* failure */ 689 return 0; 690} 691 692/* 693 * SSH1 key exchange 694 */ 695void 696ssh_kex(char *host, struct sockaddr *hostaddr) 697{ 698 int i; 699 BIGNUM *key; 700 RSA *host_key; 701 RSA *public_key; 702 Key k; 703 int bits, rbits; 704 int ssh_cipher_default = SSH_CIPHER_3DES; 705 unsigned char session_key[SSH_SESSION_KEY_LENGTH]; 706 unsigned char cookie[8]; 707 unsigned int supported_ciphers; 708 unsigned int server_flags, client_flags; 709 int payload_len, clen, sum_len = 0; 710 u_int32_t rand = 0; 711 712 debug("Waiting for server public key."); 713 714 /* Wait for a public key packet from the server. */ 715 packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY); 716 717 /* Get cookie from the packet. */ 718 for (i = 0; i < 8; i++) 719 cookie[i] = packet_get_char(); 720 721 /* Get the public key. */ 722 public_key = RSA_new(); 723 bits = packet_get_int();/* bits */ 724 public_key->e = BN_new(); 725 packet_get_bignum(public_key->e, &clen); 726 sum_len += clen; 727 public_key->n = BN_new(); 728 packet_get_bignum(public_key->n, &clen); 729 sum_len += clen; 730 731 rbits = BN_num_bits(public_key->n); 732 if (bits != rbits) { 733 log("Warning: Server lies about size of server public key: " 734 "actual size is %d bits vs. announced %d.", rbits, bits); 735 log("Warning: This may be due to an old implementation of ssh."); 736 } 737 /* Get the host key. */ 738 host_key = RSA_new(); 739 bits = packet_get_int();/* bits */ 740 host_key->e = BN_new(); 741 packet_get_bignum(host_key->e, &clen); 742 sum_len += clen; 743 host_key->n = BN_new(); 744 packet_get_bignum(host_key->n, &clen); 745 sum_len += clen; 746 747 rbits = BN_num_bits(host_key->n); 748 if (bits != rbits) { 749 log("Warning: Server lies about size of server host key: " 750 "actual size is %d bits vs. announced %d.", rbits, bits); 751 log("Warning: This may be due to an old implementation of ssh."); 752 } 753 754 /* Get protocol flags. */ 755 server_flags = packet_get_int(); 756 packet_set_protocol_flags(server_flags); 757 758 supported_ciphers = packet_get_int(); 759 supported_authentications = packet_get_int(); 760 761 debug("Received server public key (%d bits) and host key (%d bits).", 762 BN_num_bits(public_key->n), BN_num_bits(host_key->n)); 763 764 packet_integrity_check(payload_len, 765 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, 766 SSH_SMSG_PUBLIC_KEY); 767 k.type = KEY_RSA; 768 k.rsa = host_key; 769 check_host_key(host, hostaddr, &k, 770 options.user_hostfile, options.system_hostfile); 771 772 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 773 774 compute_session_id(session_id, cookie, host_key->n, public_key->n); 775 776 /* Generate a session key. */ 777 arc4random_stir(); 778 779 /* 780 * Generate an encryption key for the session. The key is a 256 bit 781 * random number, interpreted as a 32-byte key, with the least 782 * significant 8 bits being the first byte of the key. 783 */ 784 for (i = 0; i < 32; i++) { 785 if (i % 4 == 0) 786 rand = arc4random(); 787 session_key[i] = rand & 0xff; 788 rand >>= 8; 789 } 790 791 /* 792 * According to the protocol spec, the first byte of the session key 793 * is the highest byte of the integer. The session key is xored with 794 * the first 16 bytes of the session id. 795 */ 796 key = BN_new(); 797 BN_set_word(key, 0); 798 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 799 BN_lshift(key, key, 8); 800 if (i < 16) 801 BN_add_word(key, session_key[i] ^ session_id[i]); 802 else 803 BN_add_word(key, session_key[i]); 804 } 805 806 /* 807 * Encrypt the integer using the public key and host key of the 808 * server (key with smaller modulus first). 809 */ 810 if (BN_cmp(public_key->n, host_key->n) < 0) { 811 /* Public key has smaller modulus. */ 812 if (BN_num_bits(host_key->n) < 813 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) { 814 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + " 815 "SSH_KEY_BITS_RESERVED %d", 816 BN_num_bits(host_key->n), 817 BN_num_bits(public_key->n), 818 SSH_KEY_BITS_RESERVED); 819 } 820 rsa_public_encrypt(key, key, public_key); 821 rsa_public_encrypt(key, key, host_key); 822 } else { 823 /* Host key has smaller modulus (or they are equal). */ 824 if (BN_num_bits(public_key->n) < 825 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) { 826 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + " 827 "SSH_KEY_BITS_RESERVED %d", 828 BN_num_bits(public_key->n), 829 BN_num_bits(host_key->n), 830 SSH_KEY_BITS_RESERVED); 831 } 832 rsa_public_encrypt(key, key, host_key); 833 rsa_public_encrypt(key, key, public_key); 834 } 835 836 /* Destroy the public keys since we no longer need them. */ 837 RSA_free(public_key); 838 RSA_free(host_key); 839 840 if (options.cipher == SSH_CIPHER_ILLEGAL) { 841 log("No valid SSH1 cipher, using %.100s instead.", 842 cipher_name(ssh_cipher_default)); 843 options.cipher = ssh_cipher_default; 844 } else if (options.cipher == SSH_CIPHER_NOT_SET) { 845 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) 846 options.cipher = ssh_cipher_default; 847 } 848 /* Check that the selected cipher is supported. */ 849 if (!(supported_ciphers & (1 << options.cipher))) 850 fatal("Selected cipher type %.100s not supported by server.", 851 cipher_name(options.cipher)); 852 853 debug("Encryption type: %.100s", cipher_name(options.cipher)); 854 855 /* Send the encrypted session key to the server. */ 856 packet_start(SSH_CMSG_SESSION_KEY); 857 packet_put_char(options.cipher); 858 859 /* Send the cookie back to the server. */ 860 for (i = 0; i < 8; i++) 861 packet_put_char(cookie[i]); 862 863 /* Send and destroy the encrypted encryption key integer. */ 864 packet_put_bignum(key); 865 BN_clear_free(key); 866 867 /* Send protocol flags. */ 868 packet_put_int(client_flags); 869 870 /* Send the packet now. */ 871 packet_send(); 872 packet_write_wait(); 873 874 debug("Sent encrypted session key."); 875 876 /* Set the encryption key. */ 877 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 878 879 /* We will no longer need the session key here. Destroy any extra copies. */ 880 memset(session_key, 0, sizeof(session_key)); 881 882 /* 883 * Expect a success message from the server. Note that this message 884 * will be received in encrypted form. 885 */ 886 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); 887 888 debug("Received encrypted confirmation."); 889} 890 891/* 892 * Authenticate user 893 */ 894void 895ssh_userauth( 896 const char* local_user, 897 const char* server_user, 898 char *host, 899 int host_key_valid, RSA *own_host_key) 900{ 901 int i, type; 902 int payload_len; 903 904 if (supported_authentications == 0) 905 fatal("ssh_userauth: server supports no auth methods"); 906 907 /* Send the name of the user to log in as on the server. */ 908 packet_start(SSH_CMSG_USER); 909 packet_put_string(server_user, strlen(server_user)); 910 packet_send(); 911 packet_write_wait(); 912 913 /* 914 * The server should respond with success if no authentication is 915 * needed (the user has no password). Otherwise the server responds 916 * with failure. 917 */ 918 type = packet_read(&payload_len); 919 920 /* check whether the connection was accepted without authentication. */ 921 if (type == SSH_SMSG_SUCCESS) 922 return; 923 if (type != SSH_SMSG_FAILURE) 924 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", 925 type); 926 927#ifdef KRB5 928 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 929 options.kerberos_authentication){ 930 krb5_context ssh_context = NULL; 931 krb5_auth_context auth_context = NULL; 932 933 debug("Trying Kerberos V5 authentication."); 934 935 if (try_krb5_authentication(&ssh_context, &auth_context)) { 936 type = packet_read(&payload_len); 937 if (type == SSH_SMSG_SUCCESS) { 938 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 939 options.krb5_tgt_passing) { 940 if (options.cipher == SSH_CIPHER_NONE) 941 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 942 send_krb5_tgt(ssh_context, auth_context); 943 944 } 945 krb5_auth_con_free(ssh_context, auth_context); 946 krb5_free_context(ssh_context); 947 return; 948 } 949 if (type != SSH_SMSG_FAILURE) 950 packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type); 951 952 } 953 } 954#endif /* KRB5 */ 955 956#ifdef AFS 957 /* Try Kerberos tgt passing if the server supports it. */ 958 if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) && 959 options.krb4_tgt_passing) { 960 if (options.cipher == SSH_CIPHER_NONE) 961 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 962 (void) send_krb4_tgt(); 963 } 964 /* Try AFS token passing if the server supports it. */ 965 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && 966 options.afs_token_passing && k_hasafs()) { 967 if (options.cipher == SSH_CIPHER_NONE) 968 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); 969 send_afs_tokens(); 970 } 971#endif /* AFS */ 972 973#ifdef KRB4 974 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 975 options.kerberos_authentication) { 976 debug("Trying Kerberos authentication."); 977 if (try_krb4_authentication()) { 978 /* The server should respond with success or failure. */ 979 type = packet_read(&payload_len); 980 if (type == SSH_SMSG_SUCCESS) 981 return; 982 if (type != SSH_SMSG_FAILURE) 983 packet_disconnect("Protocol error: got %d in response to Kerberos auth", type); 984 } 985 } 986#endif /* KRB4 */ 987 988 989 /* 990 * Use rhosts authentication if running in privileged socket and we 991 * do not wish to remain anonymous. 992 */ 993 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 994 options.rhosts_authentication) { 995 debug("Trying rhosts authentication."); 996 packet_start(SSH_CMSG_AUTH_RHOSTS); 997 packet_put_string(local_user, strlen(local_user)); 998 packet_send(); 999 packet_write_wait(); 1000 1001 /* The server should respond with success or failure. */ 1002 type = packet_read(&payload_len); 1003 if (type == SSH_SMSG_SUCCESS) 1004 return; 1005 if (type != SSH_SMSG_FAILURE) 1006 packet_disconnect("Protocol error: got %d in response to rhosts auth", 1007 type); 1008 } 1009 /* 1010 * Try .rhosts or /etc/hosts.equiv authentication with RSA host 1011 * authentication. 1012 */ 1013 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 1014 options.rhosts_rsa_authentication && host_key_valid) { 1015 if (try_rhosts_rsa_authentication(local_user, own_host_key)) 1016 return; 1017 } 1018 /* Try RSA authentication if the server supports it. */ 1019 if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 1020 options.rsa_authentication) { 1021 /* 1022 * Try RSA authentication using the authentication agent. The 1023 * agent is tried first because no passphrase is needed for 1024 * it, whereas identity files may require passphrases. 1025 */ 1026 if (try_agent_authentication()) 1027 return; 1028 1029 /* Try RSA authentication for each identity. */ 1030 for (i = 0; i < options.num_identity_files; i++) 1031 if (try_rsa_authentication(options.identity_files[i])) 1032 return; 1033 } 1034 /* Try skey authentication if the server supports it. */ 1035 if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 1036 options.skey_authentication && !options.batch_mode) { 1037 if (try_skey_authentication()) 1038 return; 1039 } 1040 /* Try password authentication if the server supports it. */ 1041 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 1042 options.password_authentication && !options.batch_mode) { 1043 char prompt[80]; 1044 1045 snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", 1046 server_user, host); 1047 if (try_password_authentication(prompt)) 1048 return; 1049 } 1050 /* All authentication methods have failed. Exit with an error message. */ 1051 fatal("Permission denied."); 1052 /* NOTREACHED */ 1053} 1054