sshconnect1.c revision 92559
1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Code to connect to a remote host, and to perform the client side of the 6 * login (authentication) dialog. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 15#include "includes.h" 16RCSID("$OpenBSD: sshconnect1.c,v 1.48 2002/02/11 16:15:46 markus Exp $"); 17RCSID("$FreeBSD: head/crypto/openssh/sshconnect1.c 92559 2002-03-18 10:09:43Z des $"); 18 19#include <openssl/bn.h> 20#include <openssl/md5.h> 21 22#ifdef KRB4 23#include <krb.h> 24#endif 25#ifdef KRB5 26#include <krb5.h> 27#endif 28#ifdef AFS 29#include <kafs.h> 30#include "radix.h" 31#endif 32 33#include "ssh.h" 34#include "ssh1.h" 35#include "xmalloc.h" 36#include "rsa.h" 37#include "buffer.h" 38#include "packet.h" 39#include "mpaux.h" 40#include "uidswap.h" 41#include "log.h" 42#include "readconf.h" 43#include "key.h" 44#include "authfd.h" 45#include "sshconnect.h" 46#include "authfile.h" 47#include "readpass.h" 48#include "cipher.h" 49#include "canohost.h" 50#include "auth.h" 51 52/* Session id for the current session. */ 53u_char session_id[16]; 54u_int supported_authentications = 0; 55 56extern Options options; 57extern char *__progname; 58 59/* 60 * Checks if the user has an authentication agent, and if so, tries to 61 * authenticate using the agent. 62 */ 63static int 64try_agent_authentication(void) 65{ 66 int type; 67 char *comment; 68 AuthenticationConnection *auth; 69 u_char response[16]; 70 u_int i; 71 Key *key; 72 BIGNUM *challenge; 73 74 /* Get connection to the agent. */ 75 auth = ssh_get_authentication_connection(); 76 if (!auth) 77 return 0; 78 79 if ((challenge = BN_new()) == NULL) 80 fatal("try_agent_authentication: BN_new failed"); 81 /* Loop through identities served by the agent. */ 82 for (key = ssh_get_first_identity(auth, &comment, 1); 83 key != NULL; 84 key = ssh_get_next_identity(auth, &comment, 1)) { 85 86 /* Try this identity. */ 87 debug("Trying RSA authentication via agent with '%.100s'", comment); 88 xfree(comment); 89 90 /* Tell the server that we are willing to authenticate using this key. */ 91 packet_start(SSH_CMSG_AUTH_RSA); 92 packet_put_bignum(key->rsa->n); 93 packet_send(); 94 packet_write_wait(); 95 96 /* Wait for server's response. */ 97 type = packet_read(); 98 99 /* The server sends failure if it doesn\'t like our key or 100 does not support RSA authentication. */ 101 if (type == SSH_SMSG_FAILURE) { 102 debug("Server refused our key."); 103 key_free(key); 104 continue; 105 } 106 /* Otherwise it should have sent a challenge. */ 107 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 108 packet_disconnect("Protocol error during RSA authentication: %d", 109 type); 110 111 packet_get_bignum(challenge); 112 packet_check_eom(); 113 114 debug("Received RSA challenge from server."); 115 116 /* Ask the agent to decrypt the challenge. */ 117 if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) { 118 /* 119 * The agent failed to authenticate this identifier 120 * although it advertised it supports this. Just 121 * return a wrong value. 122 */ 123 log("Authentication agent failed to decrypt challenge."); 124 memset(response, 0, sizeof(response)); 125 } 126 key_free(key); 127 debug("Sending response to RSA challenge."); 128 129 /* Send the decrypted challenge back to the server. */ 130 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 131 for (i = 0; i < 16; i++) 132 packet_put_char(response[i]); 133 packet_send(); 134 packet_write_wait(); 135 136 /* Wait for response from the server. */ 137 type = packet_read(); 138 139 /* The server returns success if it accepted the authentication. */ 140 if (type == SSH_SMSG_SUCCESS) { 141 ssh_close_authentication_connection(auth); 142 BN_clear_free(challenge); 143 debug("RSA authentication accepted by server."); 144 return 1; 145 } 146 /* Otherwise it should return failure. */ 147 if (type != SSH_SMSG_FAILURE) 148 packet_disconnect("Protocol error waiting RSA auth response: %d", 149 type); 150 } 151 ssh_close_authentication_connection(auth); 152 BN_clear_free(challenge); 153 debug("RSA authentication using agent refused."); 154 return 0; 155} 156 157/* 158 * Computes the proper response to a RSA challenge, and sends the response to 159 * the server. 160 */ 161static void 162respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 163{ 164 u_char buf[32], response[16]; 165 MD5_CTX md; 166 int i, len; 167 168 /* Decrypt the challenge using the private key. */ 169 /* XXX think about Bleichenbacher, too */ 170 if (rsa_private_decrypt(challenge, challenge, prv) <= 0) 171 packet_disconnect( 172 "respond_to_rsa_challenge: rsa_private_decrypt failed"); 173 174 /* Compute the response. */ 175 /* The response is MD5 of decrypted challenge plus session id. */ 176 len = BN_num_bytes(challenge); 177 if (len <= 0 || len > sizeof(buf)) 178 packet_disconnect( 179 "respond_to_rsa_challenge: bad challenge length %d", len); 180 181 memset(buf, 0, sizeof(buf)); 182 BN_bn2bin(challenge, buf + sizeof(buf) - len); 183 MD5_Init(&md); 184 MD5_Update(&md, buf, 32); 185 MD5_Update(&md, session_id, 16); 186 MD5_Final(response, &md); 187 188 debug("Sending response to host key RSA challenge."); 189 190 /* Send the response back to the server. */ 191 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 192 for (i = 0; i < 16; i++) 193 packet_put_char(response[i]); 194 packet_send(); 195 packet_write_wait(); 196 197 memset(buf, 0, sizeof(buf)); 198 memset(response, 0, sizeof(response)); 199 memset(&md, 0, sizeof(md)); 200} 201 202/* 203 * Checks if the user has authentication file, and if so, tries to authenticate 204 * the user using it. 205 */ 206static int 207try_rsa_authentication(int idx) 208{ 209 BIGNUM *challenge; 210 Key *public, *private; 211 char buf[300], *passphrase, *comment, *authfile; 212 int i, type, quit; 213 214 public = options.identity_keys[idx]; 215 authfile = options.identity_files[idx]; 216 comment = xstrdup(authfile); 217 218 debug("Trying RSA authentication with key '%.100s'", comment); 219 220 /* Tell the server that we are willing to authenticate using this key. */ 221 packet_start(SSH_CMSG_AUTH_RSA); 222 packet_put_bignum(public->rsa->n); 223 packet_send(); 224 packet_write_wait(); 225 226 /* Wait for server's response. */ 227 type = packet_read(); 228 229 /* 230 * The server responds with failure if it doesn\'t like our key or 231 * doesn\'t support RSA authentication. 232 */ 233 if (type == SSH_SMSG_FAILURE) { 234 debug("Server refused our key."); 235 xfree(comment); 236 return 0; 237 } 238 /* Otherwise, the server should respond with a challenge. */ 239 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 240 packet_disconnect("Protocol error during RSA authentication: %d", type); 241 242 /* Get the challenge from the packet. */ 243 if ((challenge = BN_new()) == NULL) 244 fatal("try_rsa_authentication: BN_new failed"); 245 packet_get_bignum(challenge); 246 packet_check_eom(); 247 248 debug("Received RSA challenge from server."); 249 250 /* 251 * If the key is not stored in external hardware, we have to 252 * load the private key. Try first with empty passphrase; if it 253 * fails, ask for a passphrase. 254 */ 255 if (public->flags && KEY_FLAG_EXT) 256 private = public; 257 else 258 private = key_load_private_type(KEY_RSA1, authfile, "", NULL); 259 if (private == NULL && !options.batch_mode) { 260 snprintf(buf, sizeof(buf), 261 "Enter passphrase for RSA key '%.100s': ", comment); 262 for (i = 0; i < options.number_of_password_prompts; i++) { 263 passphrase = read_passphrase(buf, 0); 264 if (strcmp(passphrase, "") != 0) { 265 private = key_load_private_type(KEY_RSA1, 266 authfile, passphrase, NULL); 267 quit = 0; 268 } else { 269 debug2("no passphrase given, try next key"); 270 quit = 1; 271 } 272 memset(passphrase, 0, strlen(passphrase)); 273 xfree(passphrase); 274 if (private != NULL || quit) 275 break; 276 debug2("bad passphrase given, try again..."); 277 } 278 } 279 /* We no longer need the comment. */ 280 xfree(comment); 281 282 if (private == NULL) { 283 if (!options.batch_mode) 284 error("Bad passphrase."); 285 286 /* Send a dummy response packet to avoid protocol error. */ 287 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 288 for (i = 0; i < 16; i++) 289 packet_put_char(0); 290 packet_send(); 291 packet_write_wait(); 292 293 /* Expect the server to reject it... */ 294 packet_read_expect(SSH_SMSG_FAILURE); 295 BN_clear_free(challenge); 296 return 0; 297 } 298 299 /* Compute and send a response to the challenge. */ 300 respond_to_rsa_challenge(challenge, private->rsa); 301 302 /* Destroy the private key unless it in external hardware. */ 303 if (!(private->flags & KEY_FLAG_EXT)) 304 key_free(private); 305 306 /* We no longer need the challenge. */ 307 BN_clear_free(challenge); 308 309 /* Wait for response from the server. */ 310 type = packet_read(); 311 if (type == SSH_SMSG_SUCCESS) { 312 debug("RSA authentication accepted by server."); 313 return 1; 314 } 315 if (type != SSH_SMSG_FAILURE) 316 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 317 debug("RSA authentication refused."); 318 return 0; 319} 320 321/* 322 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 323 * authentication and RSA host authentication. 324 */ 325static int 326try_rhosts_rsa_authentication(const char *local_user, Key * host_key) 327{ 328 int type; 329 BIGNUM *challenge; 330 331 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 332 333 /* Tell the server that we are willing to authenticate using this key. */ 334 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 335 packet_put_cstring(local_user); 336 packet_put_int(BN_num_bits(host_key->rsa->n)); 337 packet_put_bignum(host_key->rsa->e); 338 packet_put_bignum(host_key->rsa->n); 339 packet_send(); 340 packet_write_wait(); 341 342 /* Wait for server's response. */ 343 type = packet_read(); 344 345 /* The server responds with failure if it doesn't admit our 346 .rhosts authentication or doesn't know our host key. */ 347 if (type == SSH_SMSG_FAILURE) { 348 debug("Server refused our rhosts authentication or host key."); 349 return 0; 350 } 351 /* Otherwise, the server should respond with a challenge. */ 352 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 353 packet_disconnect("Protocol error during RSA authentication: %d", type); 354 355 /* Get the challenge from the packet. */ 356 if ((challenge = BN_new()) == NULL) 357 fatal("try_rhosts_rsa_authentication: BN_new failed"); 358 packet_get_bignum(challenge); 359 packet_check_eom(); 360 361 debug("Received RSA challenge for host key from server."); 362 363 /* Compute a response to the challenge. */ 364 respond_to_rsa_challenge(challenge, host_key->rsa); 365 366 /* We no longer need the challenge. */ 367 BN_clear_free(challenge); 368 369 /* Wait for response from the server. */ 370 type = packet_read(); 371 if (type == SSH_SMSG_SUCCESS) { 372 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 373 return 1; 374 } 375 if (type != SSH_SMSG_FAILURE) 376 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 377 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 378 return 0; 379} 380 381#ifdef KRB4 382static int 383try_krb4_authentication(void) 384{ 385 KTEXT_ST auth; /* Kerberos data */ 386 char *reply; 387 char inst[INST_SZ]; 388 char *realm; 389 CREDENTIALS cred; 390 int r, type; 391 socklen_t slen; 392 Key_schedule schedule; 393 u_long checksum, cksum; 394 MSG_DAT msg_data; 395 struct sockaddr_in local, foreign; 396 struct stat st; 397 398 /* Don't do anything if we don't have any tickets. */ 399 if (stat(tkt_string(), &st) < 0) 400 return 0; 401 402 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)), 403 INST_SZ); 404 405 realm = (char *)krb_realmofhost(get_canonical_hostname(1)); 406 if (!realm) { 407 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1)); 408 return 0; 409 } 410 /* This can really be anything. */ 411 checksum = (u_long)getpid(); 412 413 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 414 if (r != KSUCCESS) { 415 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]); 416 return 0; 417 } 418 /* Get session key to decrypt the server's reply with. */ 419 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); 420 if (r != KSUCCESS) { 421 debug("get_cred failed: %s", krb_err_txt[r]); 422 return 0; 423 } 424 des_key_sched((des_cblock *) cred.session, schedule); 425 426 /* Send authentication info to server. */ 427 packet_start(SSH_CMSG_AUTH_KERBEROS); 428 packet_put_string((char *) auth.dat, auth.length); 429 packet_send(); 430 packet_write_wait(); 431 432 /* Zero the buffer. */ 433 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 434 435 slen = sizeof(local); 436 memset(&local, 0, sizeof(local)); 437 if (getsockname(packet_get_connection_in(), 438 (struct sockaddr *)&local, &slen) < 0) 439 debug("getsockname failed: %s", strerror(errno)); 440 441 slen = sizeof(foreign); 442 memset(&foreign, 0, sizeof(foreign)); 443 if (getpeername(packet_get_connection_in(), 444 (struct sockaddr *)&foreign, &slen) < 0) { 445 debug("getpeername failed: %s", strerror(errno)); 446 fatal_cleanup(); 447 } 448 /* Get server reply. */ 449 type = packet_read(); 450 switch (type) { 451 case SSH_SMSG_FAILURE: 452 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 453 debug("Kerberos v4 authentication failed."); 454 return 0; 455 break; 456 457 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 458 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 459 debug("Kerberos v4 authentication accepted."); 460 461 /* Get server's response. */ 462 reply = packet_get_string((u_int *) &auth.length); 463 memcpy(auth.dat, reply, auth.length); 464 xfree(reply); 465 466 packet_check_eom(); 467 468 /* 469 * If his response isn't properly encrypted with the session 470 * key, and the decrypted checksum fails to match, he's 471 * bogus. Bail out. 472 */ 473 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, 474 &foreign, &local, &msg_data); 475 if (r != KSUCCESS) { 476 debug("Kerberos v4 krb_rd_priv failed: %s", 477 krb_err_txt[r]); 478 packet_disconnect("Kerberos v4 challenge failed!"); 479 } 480 /* Fetch the (incremented) checksum that we supplied in the request. */ 481 memcpy((char *)&cksum, (char *)msg_data.app_data, 482 sizeof(cksum)); 483 cksum = ntohl(cksum); 484 485 /* If it matches, we're golden. */ 486 if (cksum == checksum + 1) { 487 debug("Kerberos v4 challenge successful."); 488 return 1; 489 } else 490 packet_disconnect("Kerberos v4 challenge failed!"); 491 break; 492 493 default: 494 packet_disconnect("Protocol error on Kerberos v4 response: %d", type); 495 } 496 return 0; 497} 498 499#endif /* KRB4 */ 500 501#ifdef KRB5 502static int 503try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) 504{ 505 krb5_error_code problem; 506 const char *tkfile; 507 struct stat buf; 508 krb5_ccache ccache = NULL; 509 const char *remotehost; 510 krb5_data ap; 511 int type; 512 krb5_ap_rep_enc_part *reply = NULL; 513 int ret; 514 515 memset(&ap, 0, sizeof(ap)); 516 517 problem = krb5_init_context(context); 518 if (problem) { 519 debug("Kerberos v5: krb5_init_context failed"); 520 ret = 0; 521 goto out; 522 } 523 524 tkfile = krb5_cc_default_name(*context); 525 if (strncmp(tkfile, "FILE:", 5) == 0) 526 tkfile += 5; 527 528 if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { 529 debug("Kerberos v5: could not get default ccache (permission denied)."); 530 ret = 0; 531 goto out; 532 } 533 534 problem = krb5_cc_default(*context, &ccache); 535 if (problem) { 536 debug("Kerberos v5: krb5_cc_default failed: %s", 537 krb5_get_err_text(*context, problem)); 538 ret = 0; 539 goto out; 540 } 541 542 remotehost = get_canonical_hostname(1); 543 544 problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, 545 "host", remotehost, NULL, ccache, &ap); 546 if (problem) { 547 debug("Kerberos v5: krb5_mk_req failed: %s", 548 krb5_get_err_text(*context, problem)); 549 ret = 0; 550 goto out; 551 } 552 553 packet_start(SSH_CMSG_AUTH_KERBEROS); 554 packet_put_string((char *) ap.data, ap.length); 555 packet_send(); 556 packet_write_wait(); 557 558 xfree(ap.data); 559 ap.length = 0; 560 561 type = packet_read(); 562 switch (type) { 563 case SSH_SMSG_FAILURE: 564 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 565 debug("Kerberos v5 authentication failed."); 566 ret = 0; 567 break; 568 569 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 570 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 571 debug("Kerberos v5 authentication accepted."); 572 573 /* Get server's response. */ 574 ap.data = packet_get_string((unsigned int *) &ap.length); 575 packet_check_eom(); 576 /* XXX je to dobre? */ 577 578 problem = krb5_rd_rep(*context, *auth_context, &ap, &reply); 579 if (problem) { 580 ret = 0; 581 } 582 ret = 1; 583 break; 584 585 default: 586 packet_disconnect("Protocol error on Kerberos v5 response: %d", 587 type); 588 ret = 0; 589 break; 590 591 } 592 593 out: 594 if (ccache != NULL) 595 krb5_cc_close(*context, ccache); 596 if (reply != NULL) 597 krb5_free_ap_rep_enc_part(*context, reply); 598 if (ap.length > 0) 599 krb5_data_free(&ap); 600 601 return (ret); 602} 603 604static void 605send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) 606{ 607 int fd, type; 608 krb5_error_code problem; 609 krb5_data outbuf; 610 krb5_ccache ccache = NULL; 611 krb5_creds creds; 612 krb5_kdc_flags flags; 613 const char *remotehost; 614 615 memset(&creds, 0, sizeof(creds)); 616 memset(&outbuf, 0, sizeof(outbuf)); 617 618 fd = packet_get_connection_in(); 619 620 problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd); 621 if (problem) 622 goto out; 623 624 problem = krb5_cc_default(context, &ccache); 625 if (problem) 626 goto out; 627 628 problem = krb5_cc_get_principal(context, ccache, &creds.client); 629 if (problem) 630 goto out; 631 632 problem = krb5_build_principal(context, &creds.server, 633 strlen(creds.client->realm), creds.client->realm, 634 "krbtgt", creds.client->realm, NULL); 635 if (problem) 636 goto out; 637 638 creds.times.endtime = 0; 639 640 flags.i = 0; 641 flags.b.forwarded = 1; 642 flags.b.forwardable = krb5_config_get_bool(context, NULL, 643 "libdefaults", "forwardable", NULL); 644 645 remotehost = get_canonical_hostname(1); 646 647 problem = krb5_get_forwarded_creds(context, auth_context, 648 ccache, flags.i, remotehost, &creds, &outbuf); 649 if (problem) 650 goto out; 651 652 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 653 packet_put_string((char *)outbuf.data, outbuf.length); 654 packet_send(); 655 packet_write_wait(); 656 657 type = packet_read(); 658 659 if (type == SSH_SMSG_SUCCESS) { 660 char *pname; 661 662 krb5_unparse_name(context, creds.client, &pname); 663 debug("Kerberos v5 TGT forwarded (%s).", pname); 664 xfree(pname); 665 } else 666 debug("Kerberos v5 TGT forwarding failed."); 667 668 return; 669 670 out: 671 if (problem) 672 debug("Kerberos v5 TGT forwarding failed: %s", 673 krb5_get_err_text(context, problem)); 674 if (creds.client) 675 krb5_free_principal(context, creds.client); 676 if (creds.server) 677 krb5_free_principal(context, creds.server); 678 if (ccache) 679 krb5_cc_close(context, ccache); 680 if (outbuf.data) 681 xfree(outbuf.data); 682} 683#endif /* KRB5 */ 684 685#ifdef AFS 686static void 687send_krb4_tgt(void) 688{ 689 CREDENTIALS *creds; 690 struct stat st; 691 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 692 int problem, type; 693 694 /* Don't do anything if we don't have any tickets. */ 695 if (stat(tkt_string(), &st) < 0) 696 return; 697 698 creds = xmalloc(sizeof(*creds)); 699 700 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm); 701 if (problem) 702 goto out; 703 704 problem = krb_get_cred("krbtgt", prealm, prealm, creds); 705 if (problem) 706 goto out; 707 708 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 709 problem = RD_AP_EXP; 710 goto out; 711 } 712 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer)); 713 714 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 715 packet_put_cstring(buffer); 716 packet_send(); 717 packet_write_wait(); 718 719 type = packet_read(); 720 721 if (type == SSH_SMSG_SUCCESS) 722 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", 723 creds->pname, creds->pinst[0] ? "." : "", 724 creds->pinst, creds->realm); 725 else 726 debug("Kerberos v4 TGT rejected."); 727 728 xfree(creds); 729 return; 730 731 out: 732 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]); 733 xfree(creds); 734} 735 736static void 737send_afs_tokens(void) 738{ 739 CREDENTIALS creds; 740 struct ViceIoctl parms; 741 struct ClearToken ct; 742 int i, type, len; 743 char buf[2048], *p, *server_cell; 744 char buffer[8192]; 745 746 /* Move over ktc_GetToken, here's something leaner. */ 747 for (i = 0; i < 100; i++) { /* just in case */ 748 parms.in = (char *) &i; 749 parms.in_size = sizeof(i); 750 parms.out = buf; 751 parms.out_size = sizeof(buf); 752 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 753 break; 754 p = buf; 755 756 /* Get secret token. */ 757 memcpy(&creds.ticket_st.length, p, sizeof(u_int)); 758 if (creds.ticket_st.length > MAX_KTXT_LEN) 759 break; 760 p += sizeof(u_int); 761 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 762 p += creds.ticket_st.length; 763 764 /* Get clear token. */ 765 memcpy(&len, p, sizeof(len)); 766 if (len != sizeof(struct ClearToken)) 767 break; 768 p += sizeof(len); 769 memcpy(&ct, p, len); 770 p += len; 771 p += sizeof(len); /* primary flag */ 772 server_cell = p; 773 774 /* Flesh out our credentials. */ 775 strlcpy(creds.service, "afs", sizeof(creds.service)); 776 creds.instance[0] = '\0'; 777 strlcpy(creds.realm, server_cell, REALM_SZ); 778 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); 779 creds.issue_date = ct.BeginTimestamp; 780 creds.lifetime = krb_time_to_life(creds.issue_date, 781 ct.EndTimestamp); 782 creds.kvno = ct.AuthHandle; 783 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 784 creds.pinst[0] = '\0'; 785 786 /* Encode token, ship it off. */ 787 if (creds_to_radix(&creds, (u_char *)buffer, 788 sizeof(buffer)) <= 0) 789 break; 790 packet_start(SSH_CMSG_HAVE_AFS_TOKEN); 791 packet_put_cstring(buffer); 792 packet_send(); 793 packet_write_wait(); 794 795 /* Roger, Roger. Clearance, Clarence. What's your vector, 796 Victor? */ 797 type = packet_read(); 798 799 if (type == SSH_SMSG_FAILURE) 800 debug("AFS token for cell %s rejected.", server_cell); 801 else if (type != SSH_SMSG_SUCCESS) 802 packet_disconnect("Protocol error on AFS token response: %d", type); 803 } 804} 805 806#endif /* AFS */ 807 808/* 809 * Tries to authenticate with any string-based challenge/response system. 810 * Note that the client code is not tied to s/key or TIS. 811 */ 812static int 813try_challenge_response_authentication(void) 814{ 815 int type, i; 816 u_int clen; 817 char prompt[1024]; 818 char *challenge, *response; 819 820 debug("Doing challenge response authentication."); 821 822 for (i = 0; i < options.number_of_password_prompts; i++) { 823 /* request a challenge */ 824 packet_start(SSH_CMSG_AUTH_TIS); 825 packet_send(); 826 packet_write_wait(); 827 828 type = packet_read(); 829 if (type != SSH_SMSG_FAILURE && 830 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 831 packet_disconnect("Protocol error: got %d in response " 832 "to SSH_CMSG_AUTH_TIS", type); 833 } 834 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 835 debug("No challenge."); 836 return 0; 837 } 838 challenge = packet_get_string(&clen); 839 packet_check_eom(); 840 snprintf(prompt, sizeof prompt, "%s%s", challenge, 841 strchr(challenge, '\n') ? "" : "\nResponse: "); 842 xfree(challenge); 843 if (i != 0) 844 error("Permission denied, please try again."); 845 if (options.cipher == SSH_CIPHER_NONE) 846 log("WARNING: Encryption is disabled! " 847 "Reponse will be transmitted in clear text."); 848 response = read_passphrase(prompt, 0); 849 if (strcmp(response, "") == 0) { 850 xfree(response); 851 break; 852 } 853 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 854 ssh_put_password(response); 855 memset(response, 0, strlen(response)); 856 xfree(response); 857 packet_send(); 858 packet_write_wait(); 859 type = packet_read(); 860 if (type == SSH_SMSG_SUCCESS) 861 return 1; 862 if (type != SSH_SMSG_FAILURE) 863 packet_disconnect("Protocol error: got %d in response " 864 "to SSH_CMSG_AUTH_TIS_RESPONSE", type); 865 } 866 /* failure */ 867 return 0; 868} 869 870/* 871 * Tries to authenticate with plain passwd authentication. 872 */ 873static int 874try_password_authentication(char *prompt) 875{ 876 int type, i; 877 char *password; 878 879 debug("Doing password authentication."); 880 if (options.cipher == SSH_CIPHER_NONE) 881 log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 882 for (i = 0; i < options.number_of_password_prompts; i++) { 883 if (i != 0) 884 error("Permission denied, please try again."); 885 password = read_passphrase(prompt, 0); 886 packet_start(SSH_CMSG_AUTH_PASSWORD); 887 ssh_put_password(password); 888 memset(password, 0, strlen(password)); 889 xfree(password); 890 packet_send(); 891 packet_write_wait(); 892 893 type = packet_read(); 894 if (type == SSH_SMSG_SUCCESS) 895 return 1; 896 if (type != SSH_SMSG_FAILURE) 897 packet_disconnect("Protocol error: got %d in response to passwd auth", type); 898 } 899 /* failure */ 900 return 0; 901} 902 903/* 904 * SSH1 key exchange 905 */ 906void 907ssh_kex(char *host, struct sockaddr *hostaddr) 908{ 909 int i; 910 BIGNUM *key; 911 Key *host_key, *server_key; 912 int bits, rbits; 913 int ssh_cipher_default = SSH_CIPHER_3DES; 914 u_char session_key[SSH_SESSION_KEY_LENGTH]; 915 u_char cookie[8]; 916 u_int supported_ciphers; 917 u_int server_flags, client_flags; 918 u_int32_t rand = 0; 919 920 debug("Waiting for server public key."); 921 922 /* Wait for a public key packet from the server. */ 923 packet_read_expect(SSH_SMSG_PUBLIC_KEY); 924 925 /* Get cookie from the packet. */ 926 for (i = 0; i < 8; i++) 927 cookie[i] = packet_get_char(); 928 929 /* Get the public key. */ 930 server_key = key_new(KEY_RSA1); 931 bits = packet_get_int(); 932 packet_get_bignum(server_key->rsa->e); 933 packet_get_bignum(server_key->rsa->n); 934 935 rbits = BN_num_bits(server_key->rsa->n); 936 if (bits != rbits) { 937 log("Warning: Server lies about size of server public key: " 938 "actual size is %d bits vs. announced %d.", rbits, bits); 939 log("Warning: This may be due to an old implementation of ssh."); 940 } 941 /* Get the host key. */ 942 host_key = key_new(KEY_RSA1); 943 bits = packet_get_int(); 944 packet_get_bignum(host_key->rsa->e); 945 packet_get_bignum(host_key->rsa->n); 946 947 rbits = BN_num_bits(host_key->rsa->n); 948 if (bits != rbits) { 949 log("Warning: Server lies about size of server host key: " 950 "actual size is %d bits vs. announced %d.", rbits, bits); 951 log("Warning: This may be due to an old implementation of ssh."); 952 } 953 954 /* Get protocol flags. */ 955 server_flags = packet_get_int(); 956 packet_set_protocol_flags(server_flags); 957 958 supported_ciphers = packet_get_int(); 959 supported_authentications = packet_get_int(); 960 packet_check_eom(); 961 962 debug("Received server public key (%d bits) and host key (%d bits).", 963 BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n)); 964 965 if (verify_host_key(host, hostaddr, host_key) == -1) 966 fatal("Host key verification failed."); 967 968 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 969 970 compute_session_id(session_id, cookie, host_key->rsa->n, server_key->rsa->n); 971 972 /* Generate a session key. */ 973 arc4random_stir(); 974 975 /* 976 * Generate an encryption key for the session. The key is a 256 bit 977 * random number, interpreted as a 32-byte key, with the least 978 * significant 8 bits being the first byte of the key. 979 */ 980 for (i = 0; i < 32; i++) { 981 if (i % 4 == 0) 982 rand = arc4random(); 983 session_key[i] = rand & 0xff; 984 rand >>= 8; 985 } 986 987 /* 988 * According to the protocol spec, the first byte of the session key 989 * is the highest byte of the integer. The session key is xored with 990 * the first 16 bytes of the session id. 991 */ 992 if ((key = BN_new()) == NULL) 993 fatal("respond_to_rsa_challenge: BN_new failed"); 994 BN_set_word(key, 0); 995 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 996 BN_lshift(key, key, 8); 997 if (i < 16) 998 BN_add_word(key, session_key[i] ^ session_id[i]); 999 else 1000 BN_add_word(key, session_key[i]); 1001 } 1002 1003 /* 1004 * Encrypt the integer using the public key and host key of the 1005 * server (key with smaller modulus first). 1006 */ 1007 if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) { 1008 /* Public key has smaller modulus. */ 1009 if (BN_num_bits(host_key->rsa->n) < 1010 BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1011 fatal("respond_to_rsa_challenge: host_key %d < server_key %d + " 1012 "SSH_KEY_BITS_RESERVED %d", 1013 BN_num_bits(host_key->rsa->n), 1014 BN_num_bits(server_key->rsa->n), 1015 SSH_KEY_BITS_RESERVED); 1016 } 1017 rsa_public_encrypt(key, key, server_key->rsa); 1018 rsa_public_encrypt(key, key, host_key->rsa); 1019 } else { 1020 /* Host key has smaller modulus (or they are equal). */ 1021 if (BN_num_bits(server_key->rsa->n) < 1022 BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1023 fatal("respond_to_rsa_challenge: server_key %d < host_key %d + " 1024 "SSH_KEY_BITS_RESERVED %d", 1025 BN_num_bits(server_key->rsa->n), 1026 BN_num_bits(host_key->rsa->n), 1027 SSH_KEY_BITS_RESERVED); 1028 } 1029 rsa_public_encrypt(key, key, host_key->rsa); 1030 rsa_public_encrypt(key, key, server_key->rsa); 1031 } 1032 1033 /* Destroy the public keys since we no longer need them. */ 1034 key_free(server_key); 1035 key_free(host_key); 1036 1037 if (options.cipher == SSH_CIPHER_NOT_SET) { 1038 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) 1039 options.cipher = ssh_cipher_default; 1040 } else if (options.cipher == SSH_CIPHER_ILLEGAL || 1041 !(cipher_mask_ssh1(1) & (1 << options.cipher))) { 1042 log("No valid SSH1 cipher, using %.100s instead.", 1043 cipher_name(ssh_cipher_default)); 1044 options.cipher = ssh_cipher_default; 1045 } 1046 /* Check that the selected cipher is supported. */ 1047 if (!(supported_ciphers & (1 << options.cipher))) 1048 fatal("Selected cipher type %.100s not supported by server.", 1049 cipher_name(options.cipher)); 1050 1051 debug("Encryption type: %.100s", cipher_name(options.cipher)); 1052 1053 /* Send the encrypted session key to the server. */ 1054 packet_start(SSH_CMSG_SESSION_KEY); 1055 packet_put_char(options.cipher); 1056 1057 /* Send the cookie back to the server. */ 1058 for (i = 0; i < 8; i++) 1059 packet_put_char(cookie[i]); 1060 1061 /* Send and destroy the encrypted encryption key integer. */ 1062 packet_put_bignum(key); 1063 BN_clear_free(key); 1064 1065 /* Send protocol flags. */ 1066 packet_put_int(client_flags); 1067 1068 /* Send the packet now. */ 1069 packet_send(); 1070 packet_write_wait(); 1071 1072 debug("Sent encrypted session key."); 1073 1074 /* Set the encryption key. */ 1075 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 1076 1077 /* We will no longer need the session key here. Destroy any extra copies. */ 1078 memset(session_key, 0, sizeof(session_key)); 1079 1080 /* 1081 * Expect a success message from the server. Note that this message 1082 * will be received in encrypted form. 1083 */ 1084 packet_read_expect(SSH_SMSG_SUCCESS); 1085 1086 debug("Received encrypted confirmation."); 1087} 1088 1089/* 1090 * Authenticate user 1091 */ 1092void 1093ssh_userauth1(const char *local_user, const char *server_user, char *host, 1094 Key **keys, int nkeys) 1095{ 1096#ifdef KRB5 1097 krb5_context context = NULL; 1098 krb5_auth_context auth_context = NULL; 1099#endif 1100 int i, type; 1101 1102 if (supported_authentications == 0) 1103 fatal("ssh_userauth1: server supports no auth methods"); 1104 1105 /* Send the name of the user to log in as on the server. */ 1106 packet_start(SSH_CMSG_USER); 1107 packet_put_cstring(server_user); 1108 packet_send(); 1109 packet_write_wait(); 1110 1111 /* 1112 * The server should respond with success if no authentication is 1113 * needed (the user has no password). Otherwise the server responds 1114 * with failure. 1115 */ 1116 type = packet_read(); 1117 1118 /* check whether the connection was accepted without authentication. */ 1119 if (type == SSH_SMSG_SUCCESS) 1120 goto success; 1121 if (type != SSH_SMSG_FAILURE) 1122 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); 1123 1124#ifdef KRB5 1125 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1126 options.kerberos_authentication) { 1127 debug("Trying Kerberos v5 authentication."); 1128 1129 if (try_krb5_authentication(&context, &auth_context)) { 1130 type = packet_read(); 1131 if (type == SSH_SMSG_SUCCESS) 1132 goto success; 1133 if (type != SSH_SMSG_FAILURE) 1134 packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type); 1135 } 1136 } 1137#endif /* KRB5 */ 1138 1139#ifdef KRB4 1140 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1141 options.kerberos_authentication) { 1142 debug("Trying Kerberos v4 authentication."); 1143 1144 if (try_krb4_authentication()) { 1145 type = packet_read(); 1146 if (type == SSH_SMSG_SUCCESS) 1147 goto success; 1148 if (type != SSH_SMSG_FAILURE) 1149 packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type); 1150 } 1151 } 1152#endif /* KRB4 */ 1153 1154 /* 1155 * Use rhosts authentication if running in privileged socket and we 1156 * do not wish to remain anonymous. 1157 */ 1158 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 1159 options.rhosts_authentication) { 1160 debug("Trying rhosts authentication."); 1161 packet_start(SSH_CMSG_AUTH_RHOSTS); 1162 packet_put_cstring(local_user); 1163 packet_send(); 1164 packet_write_wait(); 1165 1166 /* The server should respond with success or failure. */ 1167 type = packet_read(); 1168 if (type == SSH_SMSG_SUCCESS) 1169 goto success; 1170 if (type != SSH_SMSG_FAILURE) 1171 packet_disconnect("Protocol error: got %d in response to rhosts auth", 1172 type); 1173 } 1174 /* 1175 * Try .rhosts or /etc/hosts.equiv authentication with RSA host 1176 * authentication. 1177 */ 1178 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 1179 options.rhosts_rsa_authentication) { 1180 for (i = 0; i < nkeys; i++) { 1181 if (keys[i] != NULL && keys[i]->type == KEY_RSA1 && 1182 try_rhosts_rsa_authentication(local_user, keys[i])) 1183 goto success; 1184 } 1185 } 1186 /* Try RSA authentication if the server supports it. */ 1187 if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 1188 options.rsa_authentication) { 1189 /* 1190 * Try RSA authentication using the authentication agent. The 1191 * agent is tried first because no passphrase is needed for 1192 * it, whereas identity files may require passphrases. 1193 */ 1194 if (try_agent_authentication()) 1195 goto success; 1196 1197 /* Try RSA authentication for each identity. */ 1198 for (i = 0; i < options.num_identity_files; i++) 1199 if (options.identity_keys[i] != NULL && 1200 options.identity_keys[i]->type == KEY_RSA1 && 1201 try_rsa_authentication(i)) 1202 goto success; 1203 } 1204 /* Try challenge response authentication if the server supports it. */ 1205 if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 1206 options.challenge_response_authentication && !options.batch_mode) { 1207 if (try_challenge_response_authentication()) 1208 goto success; 1209 } 1210 /* Try password authentication if the server supports it. */ 1211 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 1212 options.password_authentication && !options.batch_mode) { 1213 char prompt[80]; 1214 1215 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", 1216 server_user, host); 1217 if (try_password_authentication(prompt)) 1218 goto success; 1219 } 1220 /* All authentication methods have failed. Exit with an error message. */ 1221 fatal("Permission denied."); 1222 /* NOTREACHED */ 1223 1224 success: 1225#ifdef KRB5 1226 /* Try Kerberos v5 TGT passing. */ 1227 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1228 options.kerberos_tgt_passing && context && auth_context) { 1229 if (options.cipher == SSH_CIPHER_NONE) 1230 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1231 send_krb5_tgt(context, auth_context); 1232 } 1233 if (auth_context) 1234 krb5_auth_con_free(context, auth_context); 1235 if (context) 1236 krb5_free_context(context); 1237#endif 1238 1239#ifdef AFS 1240 /* Try Kerberos v4 TGT passing if the server supports it. */ 1241 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1242 options.kerberos_tgt_passing) { 1243 if (options.cipher == SSH_CIPHER_NONE) 1244 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1245 send_krb4_tgt(); 1246 } 1247 /* Try AFS token passing if the server supports it. */ 1248 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && 1249 options.afs_token_passing && k_hasafs()) { 1250 if (options.cipher == SSH_CIPHER_NONE) 1251 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); 1252 send_afs_tokens(); 1253 } 1254#endif /* AFS */ 1255 1256 return; /* need statement after label */ 1257} 1258