sshconnect1.c revision 76265
1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Code to connect to a remote host, and to perform the client side of the 6 * login (authentication) dialog. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 15#include "includes.h" 16RCSID("$OpenBSD: sshconnect1.c,v 1.31 2001/04/17 08:14:01 markus Exp $"); 17RCSID("$FreeBSD: head/crypto/openssh/sshconnect1.c 76265 2001-05-04 04:37:49Z green $"); 18 19#include <openssl/bn.h> 20#include <openssl/evp.h> 21 22#ifdef KRB4 23#include <krb.h> 24#endif 25#ifdef AFS 26#include <kafs.h> 27#include "radix.h" 28#endif 29 30#include "ssh.h" 31#include "ssh1.h" 32#include "xmalloc.h" 33#include "rsa.h" 34#include "buffer.h" 35#include "packet.h" 36#include "mpaux.h" 37#include "uidswap.h" 38#include "log.h" 39#include "readconf.h" 40#include "key.h" 41#include "authfd.h" 42#include "sshconnect.h" 43#include "authfile.h" 44#include "readpass.h" 45#include "cipher.h" 46#include "canohost.h" 47#include "auth.h" 48 49/* Session id for the current session. */ 50u_char session_id[16]; 51u_int supported_authentications = 0; 52 53extern Options options; 54extern char *__progname; 55 56/* 57 * Checks if the user has an authentication agent, and if so, tries to 58 * authenticate using the agent. 59 */ 60int 61try_agent_authentication(void) 62{ 63 int type; 64 char *comment; 65 AuthenticationConnection *auth; 66 u_char response[16]; 67 u_int i; 68 int plen, clen; 69 Key *key; 70 BIGNUM *challenge; 71 72 /* Get connection to the agent. */ 73 auth = ssh_get_authentication_connection(); 74 if (!auth) 75 return 0; 76 77 challenge = BN_new(); 78 79 /* Loop through identities served by the agent. */ 80 for (key = ssh_get_first_identity(auth, &comment, 1); 81 key != NULL; 82 key = ssh_get_next_identity(auth, &comment, 1)) { 83 84 /* Try this identity. */ 85 debug("Trying RSA authentication via agent with '%.100s'", comment); 86 xfree(comment); 87 88 /* Tell the server that we are willing to authenticate using this key. */ 89 packet_start(SSH_CMSG_AUTH_RSA); 90 packet_put_bignum(key->rsa->n); 91 packet_send(); 92 packet_write_wait(); 93 94 /* Wait for server's response. */ 95 type = packet_read(&plen); 96 97 /* The server sends failure if it doesn\'t like our key or 98 does not support RSA authentication. */ 99 if (type == SSH_SMSG_FAILURE) { 100 debug("Server refused our key."); 101 key_free(key); 102 continue; 103 } 104 /* Otherwise it should have sent a challenge. */ 105 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 106 packet_disconnect("Protocol error during RSA authentication: %d", 107 type); 108 109 packet_get_bignum(challenge, &clen); 110 111 packet_integrity_check(plen, clen, type); 112 113 debug("Received RSA challenge from server."); 114 115 /* Ask the agent to decrypt the challenge. */ 116 if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) { 117 /* 118 * The agent failed to authenticate this identifier 119 * although it advertised it supports this. Just 120 * return a wrong value. 121 */ 122 log("Authentication agent failed to decrypt challenge."); 123 memset(response, 0, sizeof(response)); 124 } 125 key_free(key); 126 debug("Sending response to RSA challenge."); 127 128 /* Send the decrypted challenge back to the server. */ 129 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 130 for (i = 0; i < 16; i++) 131 packet_put_char(response[i]); 132 packet_send(); 133 packet_write_wait(); 134 135 /* Wait for response from the server. */ 136 type = packet_read(&plen); 137 138 /* The server returns success if it accepted the authentication. */ 139 if (type == SSH_SMSG_SUCCESS) { 140 ssh_close_authentication_connection(auth); 141 BN_clear_free(challenge); 142 debug("RSA authentication accepted by server."); 143 return 1; 144 } 145 /* Otherwise it should return failure. */ 146 if (type != SSH_SMSG_FAILURE) 147 packet_disconnect("Protocol error waiting RSA auth response: %d", 148 type); 149 } 150 ssh_close_authentication_connection(auth); 151 BN_clear_free(challenge); 152 debug("RSA authentication using agent refused."); 153 return 0; 154} 155 156/* 157 * Computes the proper response to a RSA challenge, and sends the response to 158 * the server. 159 */ 160void 161respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 162{ 163 u_char buf[32], response[16]; 164 MD5_CTX md; 165 int i, len; 166 167 /* Decrypt the challenge using the private key. */ 168 /* XXX think about Bleichenbacher, too */ 169 if (rsa_private_decrypt(challenge, challenge, prv) <= 0) 170 packet_disconnect( 171 "respond_to_rsa_challenge: rsa_private_decrypt failed"); 172 173 /* Compute the response. */ 174 /* The response is MD5 of decrypted challenge plus session id. */ 175 len = BN_num_bytes(challenge); 176 if (len <= 0 || len > sizeof(buf)) 177 packet_disconnect( 178 "respond_to_rsa_challenge: bad challenge length %d", len); 179 180 memset(buf, 0, sizeof(buf)); 181 BN_bn2bin(challenge, buf + sizeof(buf) - len); 182 MD5_Init(&md); 183 MD5_Update(&md, buf, 32); 184 MD5_Update(&md, session_id, 16); 185 MD5_Final(response, &md); 186 187 debug("Sending response to host key RSA challenge."); 188 189 /* Send the response back to the server. */ 190 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 191 for (i = 0; i < 16; i++) 192 packet_put_char(response[i]); 193 packet_send(); 194 packet_write_wait(); 195 196 memset(buf, 0, sizeof(buf)); 197 memset(response, 0, sizeof(response)); 198 memset(&md, 0, sizeof(md)); 199} 200 201/* 202 * Checks if the user has authentication file, and if so, tries to authenticate 203 * the user using it. 204 */ 205int 206try_rsa_authentication(const char *authfile) 207{ 208 BIGNUM *challenge; 209 Key *public; 210 Key *private; 211 char *passphrase, *comment; 212 int type, i; 213 int plen, clen; 214 215 /* Try to load identification for the authentication key. */ 216 /* XXKEYLOAD */ 217 public = key_load_public_type(KEY_RSA1, authfile, &comment); 218 if (public == NULL) { 219 /* Could not load it. Fail. */ 220 return 0; 221 } 222 debug("Trying RSA authentication with key '%.100s'", comment); 223 224 /* Tell the server that we are willing to authenticate using this key. */ 225 packet_start(SSH_CMSG_AUTH_RSA); 226 packet_put_bignum(public->rsa->n); 227 packet_send(); 228 packet_write_wait(); 229 230 /* We no longer need the public key. */ 231 key_free(public); 232 233 /* Wait for server's response. */ 234 type = packet_read(&plen); 235 236 /* 237 * The server responds with failure if it doesn\'t like our key or 238 * doesn\'t support RSA authentication. 239 */ 240 if (type == SSH_SMSG_FAILURE) { 241 debug("Server refused our key."); 242 xfree(comment); 243 return 0; 244 } 245 /* Otherwise, the server should respond with a challenge. */ 246 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 247 packet_disconnect("Protocol error during RSA authentication: %d", type); 248 249 /* Get the challenge from the packet. */ 250 challenge = BN_new(); 251 packet_get_bignum(challenge, &clen); 252 253 packet_integrity_check(plen, clen, type); 254 255 debug("Received RSA challenge from server."); 256 257 /* 258 * Load the private key. Try first with empty passphrase; if it 259 * fails, ask for a passphrase. 260 */ 261 private = key_load_private_type(KEY_RSA1, authfile, "", NULL); 262 if (private == NULL) { 263 char buf[300]; 264 snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", 265 comment); 266 if (!options.batch_mode) 267 passphrase = read_passphrase(buf, 0); 268 else { 269 debug("Will not query passphrase for %.100s in batch mode.", 270 comment); 271 passphrase = xstrdup(""); 272 } 273 274 /* Load the authentication file using the pasphrase. */ 275 private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL); 276 if (private == NULL) { 277 memset(passphrase, 0, strlen(passphrase)); 278 xfree(passphrase); 279 error("Bad passphrase."); 280 281 /* Send a dummy response packet to avoid protocol error. */ 282 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 283 for (i = 0; i < 16; i++) 284 packet_put_char(0); 285 packet_send(); 286 packet_write_wait(); 287 288 /* Expect the server to reject it... */ 289 packet_read_expect(&plen, SSH_SMSG_FAILURE); 290 xfree(comment); 291 BN_clear_free(challenge); 292 return 0; 293 } 294 /* Destroy the passphrase. */ 295 memset(passphrase, 0, strlen(passphrase)); 296 xfree(passphrase); 297 } 298 /* We no longer need the comment. */ 299 xfree(comment); 300 301 /* Compute and send a response to the challenge. */ 302 respond_to_rsa_challenge(challenge, private->rsa); 303 304 /* Destroy the private key. */ 305 key_free(private); 306 307 /* We no longer need the challenge. */ 308 BN_clear_free(challenge); 309 310 /* Wait for response from the server. */ 311 type = packet_read(&plen); 312 if (type == SSH_SMSG_SUCCESS) { 313 debug("RSA authentication accepted by server."); 314 return 1; 315 } 316 if (type != SSH_SMSG_FAILURE) 317 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 318 debug("RSA authentication refused."); 319 return 0; 320} 321 322/* 323 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 324 * authentication and RSA host authentication. 325 */ 326int 327try_rhosts_rsa_authentication(const char *local_user, Key * host_key) 328{ 329 int type; 330 BIGNUM *challenge; 331 int plen, clen; 332 333 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 334 335 /* Tell the server that we are willing to authenticate using this key. */ 336 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 337 packet_put_string(local_user, strlen(local_user)); 338 packet_put_int(BN_num_bits(host_key->rsa->n)); 339 packet_put_bignum(host_key->rsa->e); 340 packet_put_bignum(host_key->rsa->n); 341 packet_send(); 342 packet_write_wait(); 343 344 /* Wait for server's response. */ 345 type = packet_read(&plen); 346 347 /* The server responds with failure if it doesn't admit our 348 .rhosts authentication or doesn't know our host key. */ 349 if (type == SSH_SMSG_FAILURE) { 350 debug("Server refused our rhosts authentication or host key."); 351 return 0; 352 } 353 /* Otherwise, the server should respond with a challenge. */ 354 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 355 packet_disconnect("Protocol error during RSA authentication: %d", type); 356 357 /* Get the challenge from the packet. */ 358 challenge = BN_new(); 359 packet_get_bignum(challenge, &clen); 360 361 packet_integrity_check(plen, clen, type); 362 363 debug("Received RSA challenge for host key from server."); 364 365 /* Compute a response to the challenge. */ 366 respond_to_rsa_challenge(challenge, host_key->rsa); 367 368 /* We no longer need the challenge. */ 369 BN_clear_free(challenge); 370 371 /* Wait for response from the server. */ 372 type = packet_read(&plen); 373 if (type == SSH_SMSG_SUCCESS) { 374 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 375 return 1; 376 } 377 if (type != SSH_SMSG_FAILURE) 378 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 379 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 380 return 0; 381} 382 383#ifdef KRB4 384int 385try_krb4_authentication(void) 386{ 387 KTEXT_ST auth; /* Kerberos data */ 388 char *reply; 389 char inst[INST_SZ]; 390 char *realm; 391 CREDENTIALS cred; 392 int r, type, plen; 393 socklen_t slen; 394 Key_schedule schedule; 395 u_long checksum, cksum; 396 MSG_DAT msg_data; 397 struct sockaddr_in local, foreign; 398 struct stat st; 399 400 /* Don't do anything if we don't have any tickets. */ 401 if (stat(tkt_string(), &st) < 0) 402 return 0; 403 404 strncpy(inst, (char *) krb_get_phost(get_canonical_hostname(1)), INST_SZ); 405 406 realm = (char *) krb_realmofhost(get_canonical_hostname(1)); 407 if (!realm) { 408 debug("Kerberos V4: no realm for %s", get_canonical_hostname(1)); 409 return 0; 410 } 411 /* This can really be anything. */ 412 checksum = (u_long) getpid(); 413 414 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 415 if (r != KSUCCESS) { 416 debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]); 417 return 0; 418 } 419 /* Get session key to decrypt the server's reply with. */ 420 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); 421 if (r != KSUCCESS) { 422 debug("get_cred failed: %s", krb_err_txt[r]); 423 return 0; 424 } 425 des_key_sched((des_cblock *) cred.session, schedule); 426 427 /* Send authentication info to server. */ 428 packet_start(SSH_CMSG_AUTH_KERBEROS); 429 packet_put_string((char *) auth.dat, auth.length); 430 packet_send(); 431 packet_write_wait(); 432 433 /* Zero the buffer. */ 434 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 435 436 slen = sizeof(local); 437 memset(&local, 0, sizeof(local)); 438 if (getsockname(packet_get_connection_in(), 439 (struct sockaddr *) & local, &slen) < 0) 440 debug("getsockname failed: %s", strerror(errno)); 441 442 slen = sizeof(foreign); 443 memset(&foreign, 0, sizeof(foreign)); 444 if (getpeername(packet_get_connection_in(), 445 (struct sockaddr *) & foreign, &slen) < 0) { 446 debug("getpeername failed: %s", strerror(errno)); 447 fatal_cleanup(); 448 } 449 /* Get server reply. */ 450 type = packet_read(&plen); 451 switch (type) { 452 case SSH_SMSG_FAILURE: 453 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 454 debug("Kerberos V4 authentication failed."); 455 return 0; 456 break; 457 458 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 459 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 460 debug("Kerberos V4 authentication accepted."); 461 462 /* Get server's response. */ 463 reply = packet_get_string((u_int *) &auth.length); 464 memcpy(auth.dat, reply, auth.length); 465 xfree(reply); 466 467 packet_integrity_check(plen, 4 + auth.length, type); 468 469 /* 470 * If his response isn't properly encrypted with the session 471 * key, and the decrypted checksum fails to match, he's 472 * bogus. Bail out. 473 */ 474 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, 475 &foreign, &local, &msg_data); 476 if (r != KSUCCESS) { 477 debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]); 478 packet_disconnect("Kerberos V4 challenge failed!"); 479 } 480 /* Fetch the (incremented) checksum that we supplied in the request. */ 481 (void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum)); 482 cksum = ntohl(cksum); 483 484 /* If it matches, we're golden. */ 485 if (cksum == checksum + 1) { 486 debug("Kerberos V4 challenge successful."); 487 return 1; 488 } else 489 packet_disconnect("Kerberos V4 challenge failed!"); 490 break; 491 492 default: 493 packet_disconnect("Protocol error on Kerberos V4 response: %d", type); 494 } 495 return 0; 496} 497 498#endif /* KRB4 */ 499 500#ifdef AFS 501int 502send_krb4_tgt(void) 503{ 504 CREDENTIALS *creds; 505 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 506 int r, type, plen; 507 char buffer[8192]; 508 struct stat st; 509 510 /* Don't do anything if we don't have any tickets. */ 511 if (stat(tkt_string(), &st) < 0) 512 return 0; 513 514 creds = xmalloc(sizeof(*creds)); 515 516 if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) { 517 debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]); 518 return 0; 519 } 520 if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) { 521 debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]); 522 return 0; 523 } 524 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 525 debug("Kerberos V4 ticket expired: %s", TKT_FILE); 526 return 0; 527 } 528 creds_to_radix(creds, (u_char *)buffer, sizeof buffer); 529 xfree(creds); 530 531 packet_start(SSH_CMSG_HAVE_KRB4_TGT); 532 packet_put_string(buffer, strlen(buffer)); 533 packet_send(); 534 packet_write_wait(); 535 536 type = packet_read(&plen); 537 538 if (type == SSH_SMSG_FAILURE) 539 debug("Kerberos TGT for realm %s rejected.", prealm); 540 else if (type != SSH_SMSG_SUCCESS) 541 packet_disconnect("Protocol error on Kerberos TGT response: %d", type); 542 543 return 1; 544} 545 546void 547send_afs_tokens(void) 548{ 549 CREDENTIALS creds; 550 struct ViceIoctl parms; 551 struct ClearToken ct; 552 int i, type, len, plen; 553 char buf[2048], *p, *server_cell; 554 char buffer[8192]; 555 556 /* Move over ktc_GetToken, here's something leaner. */ 557 for (i = 0; i < 100; i++) { /* just in case */ 558 parms.in = (char *) &i; 559 parms.in_size = sizeof(i); 560 parms.out = buf; 561 parms.out_size = sizeof(buf); 562 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 563 break; 564 p = buf; 565 566 /* Get secret token. */ 567 memcpy(&creds.ticket_st.length, p, sizeof(u_int)); 568 if (creds.ticket_st.length > MAX_KTXT_LEN) 569 break; 570 p += sizeof(u_int); 571 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 572 p += creds.ticket_st.length; 573 574 /* Get clear token. */ 575 memcpy(&len, p, sizeof(len)); 576 if (len != sizeof(struct ClearToken)) 577 break; 578 p += sizeof(len); 579 memcpy(&ct, p, len); 580 p += len; 581 p += sizeof(len); /* primary flag */ 582 server_cell = p; 583 584 /* Flesh out our credentials. */ 585 strlcpy(creds.service, "afs", sizeof creds.service); 586 creds.instance[0] = '\0'; 587 strlcpy(creds.realm, server_cell, REALM_SZ); 588 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); 589 creds.issue_date = ct.BeginTimestamp; 590 creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp); 591 creds.kvno = ct.AuthHandle; 592 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 593 creds.pinst[0] = '\0'; 594 595 /* Encode token, ship it off. */ 596 if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0) 597 break; 598 packet_start(SSH_CMSG_HAVE_AFS_TOKEN); 599 packet_put_string(buffer, strlen(buffer)); 600 packet_send(); 601 packet_write_wait(); 602 603 /* Roger, Roger. Clearance, Clarence. What's your vector, 604 Victor? */ 605 type = packet_read(&plen); 606 607 if (type == SSH_SMSG_FAILURE) 608 debug("AFS token for cell %s rejected.", server_cell); 609 else if (type != SSH_SMSG_SUCCESS) 610 packet_disconnect("Protocol error on AFS token response: %d", type); 611 } 612} 613 614#endif /* AFS */ 615 616/* 617 * Tries to authenticate with any string-based challenge/response system. 618 * Note that the client code is not tied to s/key or TIS. 619 */ 620int 621try_challenge_reponse_authentication(void) 622{ 623 int type, i; 624 int payload_len; 625 u_int clen; 626 char prompt[1024]; 627 char *challenge, *response; 628 629 debug("Doing challenge reponse authentication."); 630 631 /* request a challenge */ 632 packet_start(SSH_CMSG_AUTH_TIS); 633 packet_send(); 634 packet_write_wait(); 635 636 type = packet_read(&payload_len); 637 if (type != SSH_SMSG_FAILURE && 638 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 639 packet_disconnect("Protocol error: got %d in response " 640 "to skey-auth", type); 641 } 642 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 643 debug("No challenge for skey authentication."); 644 return 0; 645 } 646 challenge = packet_get_string(&clen); 647 packet_integrity_check(payload_len, (4 + clen), type); 648 if (options.cipher == SSH_CIPHER_NONE) 649 log("WARNING: Encryption is disabled! " 650 "Reponse will be transmitted in clear text."); 651 fprintf(stderr, "%s\n", challenge); 652 xfree(challenge); 653 fflush(stderr); 654 for (i = 0; i < options.number_of_password_prompts; i++) { 655 /* request a challenge */ 656 packet_start(SSH_CMSG_AUTH_TIS); 657 packet_send(); 658 packet_write_wait(); 659 660 type = packet_read(&payload_len); 661 if (type != SSH_SMSG_FAILURE && 662 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 663 packet_disconnect("Protocol error: got %d in response " 664 "to SSH_CMSG_AUTH_TIS", type); 665 } 666 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 667 debug("No challenge."); 668 return 0; 669 } 670 challenge = packet_get_string(&clen); 671 packet_integrity_check(payload_len, (4 + clen), type); 672 snprintf(prompt, sizeof prompt, "%s%s", challenge, 673 strchr(challenge, '\n') ? "" : "\nResponse: "); 674 xfree(challenge); 675 if (i != 0) 676 error("Permission denied, please try again."); 677 if (options.cipher == SSH_CIPHER_NONE) 678 log("WARNING: Encryption is disabled! " 679 "Reponse will be transmitted in clear text."); 680 response = read_passphrase(prompt, 0); 681 if (strcmp(response, "") == 0) { 682 xfree(response); 683 break; 684 } 685 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 686 ssh_put_password(response); 687 memset(response, 0, strlen(response)); 688 xfree(response); 689 packet_send(); 690 packet_write_wait(); 691 type = packet_read(&payload_len); 692 if (type == SSH_SMSG_SUCCESS) 693 return 1; 694 if (type != SSH_SMSG_FAILURE) 695 packet_disconnect("Protocol error: got %d in response " 696 "to SSH_CMSG_AUTH_TIS_RESPONSE", type); 697 } 698 /* failure */ 699 return 0; 700} 701 702/* 703 * Tries to authenticate with plain passwd authentication. 704 */ 705int 706try_password_authentication(char *prompt) 707{ 708 int type, i, payload_len; 709 char *password; 710 711 debug("Doing password authentication."); 712 if (options.cipher == SSH_CIPHER_NONE) 713 log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 714 for (i = 0; i < options.number_of_password_prompts; i++) { 715 if (i != 0) 716 error("Permission denied, please try again."); 717 password = read_passphrase(prompt, 0); 718 packet_start(SSH_CMSG_AUTH_PASSWORD); 719 ssh_put_password(password); 720 memset(password, 0, strlen(password)); 721 xfree(password); 722 packet_send(); 723 packet_write_wait(); 724 725 type = packet_read(&payload_len); 726 if (type == SSH_SMSG_SUCCESS) 727 return 1; 728 if (type != SSH_SMSG_FAILURE) 729 packet_disconnect("Protocol error: got %d in response to passwd auth", type); 730 } 731 /* failure */ 732 return 0; 733} 734 735/* 736 * SSH1 key exchange 737 */ 738void 739ssh_kex(char *host, struct sockaddr *hostaddr) 740{ 741 int i; 742 BIGNUM *key; 743 RSA *host_key; 744 RSA *public_key; 745 Key k; 746 int bits, rbits; 747 int ssh_cipher_default = SSH_CIPHER_3DES; 748 u_char session_key[SSH_SESSION_KEY_LENGTH]; 749 u_char cookie[8]; 750 u_int supported_ciphers; 751 u_int server_flags, client_flags; 752 int payload_len, clen, sum_len = 0; 753 u_int32_t rand = 0; 754 755 debug("Waiting for server public key."); 756 757 /* Wait for a public key packet from the server. */ 758 packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY); 759 760 /* Get cookie from the packet. */ 761 for (i = 0; i < 8; i++) 762 cookie[i] = packet_get_char(); 763 764 /* Get the public key. */ 765 public_key = RSA_new(); 766 bits = packet_get_int();/* bits */ 767 public_key->e = BN_new(); 768 packet_get_bignum(public_key->e, &clen); 769 sum_len += clen; 770 public_key->n = BN_new(); 771 packet_get_bignum(public_key->n, &clen); 772 sum_len += clen; 773 774 rbits = BN_num_bits(public_key->n); 775 if (bits != rbits) { 776 log("Warning: Server lies about size of server public key: " 777 "actual size is %d bits vs. announced %d.", rbits, bits); 778 log("Warning: This may be due to an old implementation of ssh."); 779 } 780 /* Get the host key. */ 781 host_key = RSA_new(); 782 bits = packet_get_int();/* bits */ 783 host_key->e = BN_new(); 784 packet_get_bignum(host_key->e, &clen); 785 sum_len += clen; 786 host_key->n = BN_new(); 787 packet_get_bignum(host_key->n, &clen); 788 sum_len += clen; 789 790 rbits = BN_num_bits(host_key->n); 791 if (bits != rbits) { 792 log("Warning: Server lies about size of server host key: " 793 "actual size is %d bits vs. announced %d.", rbits, bits); 794 log("Warning: This may be due to an old implementation of ssh."); 795 } 796 797 /* Get protocol flags. */ 798 server_flags = packet_get_int(); 799 packet_set_protocol_flags(server_flags); 800 801 supported_ciphers = packet_get_int(); 802 supported_authentications = packet_get_int(); 803 804 debug("Received server public key (%d bits) and host key (%d bits).", 805 BN_num_bits(public_key->n), BN_num_bits(host_key->n)); 806 807 packet_integrity_check(payload_len, 808 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, 809 SSH_SMSG_PUBLIC_KEY); 810 k.type = KEY_RSA1; 811 k.rsa = host_key; 812 check_host_key(host, hostaddr, &k, 813 options.user_hostfile, options.system_hostfile); 814 815 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 816 817 compute_session_id(session_id, cookie, host_key->n, public_key->n); 818 819 /* Generate a session key. */ 820 arc4random_stir(); 821 822 /* 823 * Generate an encryption key for the session. The key is a 256 bit 824 * random number, interpreted as a 32-byte key, with the least 825 * significant 8 bits being the first byte of the key. 826 */ 827 for (i = 0; i < 32; i++) { 828 if (i % 4 == 0) 829 rand = arc4random(); 830 session_key[i] = rand & 0xff; 831 rand >>= 8; 832 } 833 834 /* 835 * According to the protocol spec, the first byte of the session key 836 * is the highest byte of the integer. The session key is xored with 837 * the first 16 bytes of the session id. 838 */ 839 key = BN_new(); 840 BN_set_word(key, 0); 841 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 842 BN_lshift(key, key, 8); 843 if (i < 16) 844 BN_add_word(key, session_key[i] ^ session_id[i]); 845 else 846 BN_add_word(key, session_key[i]); 847 } 848 849 /* 850 * Encrypt the integer using the public key and host key of the 851 * server (key with smaller modulus first). 852 */ 853 if (BN_cmp(public_key->n, host_key->n) < 0) { 854 /* Public key has smaller modulus. */ 855 if (BN_num_bits(host_key->n) < 856 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) { 857 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + " 858 "SSH_KEY_BITS_RESERVED %d", 859 BN_num_bits(host_key->n), 860 BN_num_bits(public_key->n), 861 SSH_KEY_BITS_RESERVED); 862 } 863 rsa_public_encrypt(key, key, public_key); 864 rsa_public_encrypt(key, key, host_key); 865 } else { 866 /* Host key has smaller modulus (or they are equal). */ 867 if (BN_num_bits(public_key->n) < 868 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) { 869 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + " 870 "SSH_KEY_BITS_RESERVED %d", 871 BN_num_bits(public_key->n), 872 BN_num_bits(host_key->n), 873 SSH_KEY_BITS_RESERVED); 874 } 875 rsa_public_encrypt(key, key, host_key); 876 rsa_public_encrypt(key, key, public_key); 877 } 878 879 /* Destroy the public keys since we no longer need them. */ 880 RSA_free(public_key); 881 RSA_free(host_key); 882 883 if (options.cipher == SSH_CIPHER_NOT_SET) { 884 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) 885 options.cipher = ssh_cipher_default; 886 } else if (options.cipher == SSH_CIPHER_ILLEGAL || 887 !(cipher_mask_ssh1(1) & (1 << options.cipher))) { 888 log("No valid SSH1 cipher, using %.100s instead.", 889 cipher_name(ssh_cipher_default)); 890 options.cipher = ssh_cipher_default; 891 } 892 /* Check that the selected cipher is supported. */ 893 if (!(supported_ciphers & (1 << options.cipher))) 894 fatal("Selected cipher type %.100s not supported by server.", 895 cipher_name(options.cipher)); 896 897 debug("Encryption type: %.100s", cipher_name(options.cipher)); 898 899 /* Send the encrypted session key to the server. */ 900 packet_start(SSH_CMSG_SESSION_KEY); 901 packet_put_char(options.cipher); 902 903 /* Send the cookie back to the server. */ 904 for (i = 0; i < 8; i++) 905 packet_put_char(cookie[i]); 906 907 /* Send and destroy the encrypted encryption key integer. */ 908 packet_put_bignum(key); 909 BN_clear_free(key); 910 911 /* Send protocol flags. */ 912 packet_put_int(client_flags); 913 914 /* Send the packet now. */ 915 packet_send(); 916 packet_write_wait(); 917 918 debug("Sent encrypted session key."); 919 920 /* Set the encryption key. */ 921 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 922 923 /* We will no longer need the session key here. Destroy any extra copies. */ 924 memset(session_key, 0, sizeof(session_key)); 925 926 /* 927 * Expect a success message from the server. Note that this message 928 * will be received in encrypted form. 929 */ 930 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); 931 932 debug("Received encrypted confirmation."); 933} 934 935/* 936 * Authenticate user 937 */ 938void 939ssh_userauth1(const char *local_user, const char *server_user, char *host, 940 Key **keys, int nkeys) 941{ 942 int i, type; 943 int payload_len; 944 945 if (supported_authentications == 0) 946 fatal("ssh_userauth1: server supports no auth methods"); 947 948 /* Send the name of the user to log in as on the server. */ 949 packet_start(SSH_CMSG_USER); 950 packet_put_string(server_user, strlen(server_user)); 951 packet_send(); 952 packet_write_wait(); 953 954 /* 955 * The server should respond with success if no authentication is 956 * needed (the user has no password). Otherwise the server responds 957 * with failure. 958 */ 959 type = packet_read(&payload_len); 960 961 /* check whether the connection was accepted without authentication. */ 962 if (type == SSH_SMSG_SUCCESS) 963 return; 964 if (type != SSH_SMSG_FAILURE) 965 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", 966 type); 967 968#ifdef KRB5 969 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 970 options.kerberos_authentication){ 971 krb5_context ssh_context = NULL; 972 krb5_auth_context auth_context = NULL; 973 974 debug("Trying Kerberos V5 authentication."); 975 976 if (try_krb5_authentication(&ssh_context, &auth_context)) { 977 type = packet_read(&payload_len); 978 if (type == SSH_SMSG_SUCCESS) { 979 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 980 options.krb5_tgt_passing) { 981 if (options.cipher == SSH_CIPHER_NONE) 982 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 983 send_krb5_tgt(ssh_context, auth_context); 984 985 } 986 krb5_auth_con_free(ssh_context, auth_context); 987 krb5_free_context(ssh_context); 988 return; 989 } 990 if (type != SSH_SMSG_FAILURE) 991 packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type); 992 993 } 994 } 995#endif /* KRB5 */ 996 997#ifdef AFS 998 /* Try Kerberos tgt passing if the server supports it. */ 999 if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) && 1000 options.krb4_tgt_passing) { 1001 if (options.cipher == SSH_CIPHER_NONE) 1002 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1003 (void) send_krb4_tgt(); 1004 } 1005 /* Try AFS token passing if the server supports it. */ 1006 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && 1007 options.afs_token_passing && k_hasafs()) { 1008 if (options.cipher == SSH_CIPHER_NONE) 1009 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); 1010 send_afs_tokens(); 1011 } 1012#endif /* AFS */ 1013 1014#ifdef KRB4 1015 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1016 options.kerberos_authentication) { 1017 debug("Trying Kerberos authentication."); 1018 if (try_krb4_authentication()) { 1019 /* The server should respond with success or failure. */ 1020 type = packet_read(&payload_len); 1021 if (type == SSH_SMSG_SUCCESS) 1022 return; 1023 if (type != SSH_SMSG_FAILURE) 1024 packet_disconnect("Protocol error: got %d in response to Kerberos auth", type); 1025 } 1026 } 1027#endif /* KRB4 */ 1028 1029 1030 /* 1031 * Use rhosts authentication if running in privileged socket and we 1032 * do not wish to remain anonymous. 1033 */ 1034 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 1035 options.rhosts_authentication) { 1036 debug("Trying rhosts authentication."); 1037 packet_start(SSH_CMSG_AUTH_RHOSTS); 1038 packet_put_string(local_user, strlen(local_user)); 1039 packet_send(); 1040 packet_write_wait(); 1041 1042 /* The server should respond with success or failure. */ 1043 type = packet_read(&payload_len); 1044 if (type == SSH_SMSG_SUCCESS) 1045 return; 1046 if (type != SSH_SMSG_FAILURE) 1047 packet_disconnect("Protocol error: got %d in response to rhosts auth", 1048 type); 1049 } 1050 /* 1051 * Try .rhosts or /etc/hosts.equiv authentication with RSA host 1052 * authentication. 1053 */ 1054 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 1055 options.rhosts_rsa_authentication) { 1056 for (i = 0; i < nkeys; i++) { 1057 if (keys[i] != NULL && keys[i]->type == KEY_RSA1 && 1058 try_rhosts_rsa_authentication(local_user, keys[i])) 1059 return; 1060 } 1061 } 1062 /* Try RSA authentication if the server supports it. */ 1063 if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 1064 options.rsa_authentication) { 1065 /* 1066 * Try RSA authentication using the authentication agent. The 1067 * agent is tried first because no passphrase is needed for 1068 * it, whereas identity files may require passphrases. 1069 */ 1070 if (try_agent_authentication()) 1071 return; 1072 1073 /* Try RSA authentication for each identity. */ 1074 for (i = 0; i < options.num_identity_files; i++) 1075 if (options.identity_keys[i] != NULL && 1076 options.identity_keys[i]->type == KEY_RSA1 && 1077 try_rsa_authentication(options.identity_files[i])) 1078 return; 1079 } 1080 /* Try challenge response authentication if the server supports it. */ 1081 if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 1082 options.challenge_reponse_authentication && !options.batch_mode) { 1083 if (try_challenge_reponse_authentication()) 1084 return; 1085 } 1086 /* Try password authentication if the server supports it. */ 1087 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 1088 options.password_authentication && !options.batch_mode) { 1089 char prompt[80]; 1090 1091 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", 1092 server_user, host); 1093 if (try_password_authentication(prompt)) 1094 return; 1095 } 1096 /* All authentication methods have failed. Exit with an error message. */ 1097 fatal("Permission denied."); 1098 /* NOTREACHED */ 1099} 1100