2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Code to connect to a remote host, and to perform the client side of the
6 * login (authentication) dialog.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
16 RCSID("$OpenBSD: sshconnect1.c,v 1.36 2001/06/23 22:37:46 markus Exp $");
18 #include <openssl/bn.h>
19 #include <openssl/evp.h>
41 #include "sshconnect.h"
47 /* Session id for the current session. */
48 u_char session_id[16];
49 u_int supported_authentications = 0;
51 extern Options options;
52 extern char *__progname;
55 * Checks if the user has an authentication agent, and if so, tries to
56 * authenticate using the agent.
59 try_agent_authentication(void)
63 AuthenticationConnection *auth;
70 /* Get connection to the agent. */
71 auth = ssh_get_authentication_connection();
77 /* Loop through identities served by the agent. */
78 for (key = ssh_get_first_identity(auth, &comment, 1);
80 key = ssh_get_next_identity(auth, &comment, 1)) {
82 /* Try this identity. */
83 debug("Trying RSA authentication via agent with '%.100s'", comment);
86 /* Tell the server that we are willing to authenticate using this key. */
87 packet_start(SSH_CMSG_AUTH_RSA);
88 packet_put_bignum(key->rsa->n);
92 /* Wait for server's response. */
93 type = packet_read(&plen);
95 /* The server sends failure if it doesn\'t like our key or
96 does not support RSA authentication. */
97 if (type == SSH_SMSG_FAILURE) {
98 debug("Server refused our key.");
102 /* Otherwise it should have sent a challenge. */
103 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
104 packet_disconnect("Protocol error during RSA authentication: %d",
107 packet_get_bignum(challenge, &clen);
109 packet_integrity_check(plen, clen, type);
111 debug("Received RSA challenge from server.");
113 /* Ask the agent to decrypt the challenge. */
114 if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
116 * The agent failed to authenticate this identifier
117 * although it advertised it supports this. Just
118 * return a wrong value.
120 log("Authentication agent failed to decrypt challenge.");
121 memset(response, 0, sizeof(response));
124 debug("Sending response to RSA challenge.");
126 /* Send the decrypted challenge back to the server. */
127 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
128 for (i = 0; i < 16; i++)
129 packet_put_char(response[i]);
133 /* Wait for response from the server. */
134 type = packet_read(&plen);
136 /* The server returns success if it accepted the authentication. */
137 if (type == SSH_SMSG_SUCCESS) {
138 ssh_close_authentication_connection(auth);
139 BN_clear_free(challenge);
140 debug("RSA authentication accepted by server.");
143 /* Otherwise it should return failure. */
144 if (type != SSH_SMSG_FAILURE)
145 packet_disconnect("Protocol error waiting RSA auth response: %d",
148 ssh_close_authentication_connection(auth);
149 BN_clear_free(challenge);
150 debug("RSA authentication using agent refused.");
155 * Computes the proper response to a RSA challenge, and sends the response to
159 respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
161 u_char buf[32], response[16];
165 /* Decrypt the challenge using the private key. */
166 /* XXX think about Bleichenbacher, too */
167 if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
169 "respond_to_rsa_challenge: rsa_private_decrypt failed");
171 /* Compute the response. */
172 /* The response is MD5 of decrypted challenge plus session id. */
173 len = BN_num_bytes(challenge);
174 if (len <= 0 || len > sizeof(buf))
176 "respond_to_rsa_challenge: bad challenge length %d", len);
178 memset(buf, 0, sizeof(buf));
179 BN_bn2bin(challenge, buf + sizeof(buf) - len);
181 MD5_Update(&md, buf, 32);
182 MD5_Update(&md, session_id, 16);
183 MD5_Final(response, &md);
185 debug("Sending response to host key RSA challenge.");
187 /* Send the response back to the server. */
188 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
189 for (i = 0; i < 16; i++)
190 packet_put_char(response[i]);
194 memset(buf, 0, sizeof(buf));
195 memset(response, 0, sizeof(response));
196 memset(&md, 0, sizeof(md));
200 * Checks if the user has authentication file, and if so, tries to authenticate
204 try_rsa_authentication(const char *authfile)
207 Key *public, *private;
208 char buf[300], *passphrase, *comment;
209 int i, type, quit, plen, clen;
211 /* Try to load identification for the authentication key. */
213 public = key_load_public_type(KEY_RSA1, authfile, &comment);
214 if (public == NULL) {
215 /* Could not load it. Fail. */
218 debug("Trying RSA authentication with key '%.100s'", comment);
220 /* Tell the server that we are willing to authenticate using this key. */
221 packet_start(SSH_CMSG_AUTH_RSA);
222 packet_put_bignum(public->rsa->n);
226 /* We no longer need the public key. */
229 /* Wait for server's response. */
230 type = packet_read(&plen);
233 * The server responds with failure if it doesn\'t like our key or
234 * doesn\'t support RSA authentication.
236 if (type == SSH_SMSG_FAILURE) {
237 debug("Server refused our key.");
241 /* Otherwise, the server should respond with a challenge. */
242 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
243 packet_disconnect("Protocol error during RSA authentication: %d", type);
245 /* Get the challenge from the packet. */
246 challenge = BN_new();
247 packet_get_bignum(challenge, &clen);
249 packet_integrity_check(plen, clen, type);
251 debug("Received RSA challenge from server.");
254 * Load the private key. Try first with empty passphrase; if it
255 * fails, ask for a passphrase.
257 private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
258 if (private == NULL && !options.batch_mode) {
259 snprintf(buf, sizeof(buf),
260 "Enter passphrase for RSA key '%.100s': ", comment);
261 for (i = 0; i < options.number_of_password_prompts; i++) {
262 passphrase = read_passphrase(buf, 0);
263 if (strcmp(passphrase, "") != 0) {
264 private = key_load_private_type(KEY_RSA1,
265 authfile, passphrase, NULL);
268 debug2("no passphrase given, try next key");
271 memset(passphrase, 0, strlen(passphrase));
273 if (private != NULL || quit)
275 debug2("bad passphrase given, try again...");
278 /* We no longer need the comment. */
281 if (private == NULL) {
282 if (!options.batch_mode)
283 error("Bad passphrase.");
285 /* Send a dummy response packet to avoid protocol error. */
286 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
287 for (i = 0; i < 16; i++)
292 /* Expect the server to reject it... */
293 packet_read_expect(&plen, SSH_SMSG_FAILURE);
294 BN_clear_free(challenge);
298 /* Compute and send a response to the challenge. */
299 respond_to_rsa_challenge(challenge, private->rsa);
301 /* Destroy the private key. */
304 /* We no longer need the challenge. */
305 BN_clear_free(challenge);
307 /* Wait for response from the server. */
308 type = packet_read(&plen);
309 if (type == SSH_SMSG_SUCCESS) {
310 debug("RSA authentication accepted by server.");
313 if (type != SSH_SMSG_FAILURE)
314 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
315 debug("RSA authentication refused.");
320 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
321 * authentication and RSA host authentication.
324 try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
330 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
332 /* Tell the server that we are willing to authenticate using this key. */
333 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
334 packet_put_cstring(local_user);
335 packet_put_int(BN_num_bits(host_key->rsa->n));
336 packet_put_bignum(host_key->rsa->e);
337 packet_put_bignum(host_key->rsa->n);
341 /* Wait for server's response. */
342 type = packet_read(&plen);
344 /* The server responds with failure if it doesn't admit our
345 .rhosts authentication or doesn't know our host key. */
346 if (type == SSH_SMSG_FAILURE) {
347 debug("Server refused our rhosts authentication or host key.");
350 /* Otherwise, the server should respond with a challenge. */
351 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
352 packet_disconnect("Protocol error during RSA authentication: %d", type);
354 /* Get the challenge from the packet. */
355 challenge = BN_new();
356 packet_get_bignum(challenge, &clen);
358 packet_integrity_check(plen, clen, type);
360 debug("Received RSA challenge for host key from server.");
362 /* Compute a response to the challenge. */
363 respond_to_rsa_challenge(challenge, host_key->rsa);
365 /* We no longer need the challenge. */
366 BN_clear_free(challenge);
368 /* Wait for response from the server. */
369 type = packet_read(&plen);
370 if (type == SSH_SMSG_SUCCESS) {
371 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
374 if (type != SSH_SMSG_FAILURE)
375 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
376 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
382 try_kerberos_authentication(void)
384 KTEXT_ST auth; /* Kerberos data */
391 Key_schedule schedule;
392 u_long checksum, cksum;
394 struct sockaddr_in local, foreign;
397 /* Don't do anything if we don't have any tickets. */
398 if (stat(tkt_string(), &st) < 0)
401 strncpy(inst, (char *) krb_get_phost(get_canonical_hostname(1)), INST_SZ);
403 realm = (char *) krb_realmofhost(get_canonical_hostname(1));
405 debug("Kerberos V4: no realm for %s", get_canonical_hostname(1));
408 /* This can really be anything. */
409 checksum = (u_long) getpid();
411 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
413 debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]);
416 /* Get session key to decrypt the server's reply with. */
417 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
419 debug("get_cred failed: %s", krb_err_txt[r]);
422 des_key_sched((des_cblock *) cred.session, schedule);
424 /* Send authentication info to server. */
425 packet_start(SSH_CMSG_AUTH_KERBEROS);
426 packet_put_string((char *) auth.dat, auth.length);
430 /* Zero the buffer. */
431 (void) memset(auth.dat, 0, MAX_KTXT_LEN);
433 slen = sizeof(local);
434 memset(&local, 0, sizeof(local));
435 if (getsockname(packet_get_connection_in(),
436 (struct sockaddr *) & local, &slen) < 0)
437 debug("getsockname failed: %s", strerror(errno));
439 slen = sizeof(foreign);
440 memset(&foreign, 0, sizeof(foreign));
441 if (getpeername(packet_get_connection_in(),
442 (struct sockaddr *) & foreign, &slen) < 0) {
443 debug("getpeername failed: %s", strerror(errno));
446 /* Get server reply. */
447 type = packet_read(&plen);
449 case SSH_SMSG_FAILURE:
450 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
451 debug("Kerberos V4 authentication failed.");
455 case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
456 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
457 debug("Kerberos V4 authentication accepted.");
459 /* Get server's response. */
460 reply = packet_get_string((u_int *) &auth.length);
461 memcpy(auth.dat, reply, auth.length);
464 packet_integrity_check(plen, 4 + auth.length, type);
467 * If his response isn't properly encrypted with the session
468 * key, and the decrypted checksum fails to match, he's
471 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
472 &foreign, &local, &msg_data);
474 debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]);
475 packet_disconnect("Kerberos V4 challenge failed!");
477 /* Fetch the (incremented) checksum that we supplied in the request. */
478 (void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum));
479 cksum = ntohl(cksum);
481 /* If it matches, we're golden. */
482 if (cksum == checksum + 1) {
483 debug("Kerberos V4 challenge successful.");
486 packet_disconnect("Kerberos V4 challenge failed!");
490 packet_disconnect("Protocol error on Kerberos V4 response: %d", type);
499 send_kerberos_tgt(void)
502 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
507 /* Don't do anything if we don't have any tickets. */
508 if (stat(tkt_string(), &st) < 0)
511 creds = xmalloc(sizeof(*creds));
513 if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) {
514 debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]);
517 if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) {
518 debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]);
521 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
522 debug("Kerberos V4 ticket expired: %s", TKT_FILE);
525 creds_to_radix(creds, (u_char *)buffer, sizeof buffer);
528 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
529 packet_put_cstring(buffer);
533 type = packet_read(&plen);
535 if (type == SSH_SMSG_FAILURE)
536 debug("Kerberos TGT for realm %s rejected.", prealm);
537 else if (type != SSH_SMSG_SUCCESS)
538 packet_disconnect("Protocol error on Kerberos TGT response: %d", type);
544 send_afs_tokens(void)
547 struct ViceIoctl parms;
548 struct ClearToken ct;
549 int i, type, len, plen;
550 char buf[2048], *p, *server_cell;
553 /* Move over ktc_GetToken, here's something leaner. */
554 for (i = 0; i < 100; i++) { /* just in case */
555 parms.in = (char *) &i;
556 parms.in_size = sizeof(i);
558 parms.out_size = sizeof(buf);
559 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
563 /* Get secret token. */
564 memcpy(&creds.ticket_st.length, p, sizeof(u_int));
565 if (creds.ticket_st.length > MAX_KTXT_LEN)
568 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
569 p += creds.ticket_st.length;
571 /* Get clear token. */
572 memcpy(&len, p, sizeof(len));
573 if (len != sizeof(struct ClearToken))
578 p += sizeof(len); /* primary flag */
581 /* Flesh out our credentials. */
582 strlcpy(creds.service, "afs", sizeof creds.service);
583 creds.instance[0] = '\0';
584 strlcpy(creds.realm, server_cell, REALM_SZ);
585 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
586 creds.issue_date = ct.BeginTimestamp;
587 creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp);
588 creds.kvno = ct.AuthHandle;
589 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
590 creds.pinst[0] = '\0';
592 /* Encode token, ship it off. */
593 if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0)
595 packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
596 packet_put_cstring(buffer);
600 /* Roger, Roger. Clearance, Clarence. What's your vector,
602 type = packet_read(&plen);
604 if (type == SSH_SMSG_FAILURE)
605 debug("AFS token for cell %s rejected.", server_cell);
606 else if (type != SSH_SMSG_SUCCESS)
607 packet_disconnect("Protocol error on AFS token response: %d", type);
614 * Tries to authenticate with any string-based challenge/response system.
615 * Note that the client code is not tied to s/key or TIS.
618 try_challenge_response_authentication(void)
624 char *challenge, *response;
626 debug("Doing challenge reponse authentication.");
628 for (i = 0; i < options.number_of_password_prompts; i++) {
629 /* request a challenge */
630 packet_start(SSH_CMSG_AUTH_TIS);
634 type = packet_read(&payload_len);
635 if (type != SSH_SMSG_FAILURE &&
636 type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
637 packet_disconnect("Protocol error: got %d in response "
638 "to SSH_CMSG_AUTH_TIS", type);
640 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
641 debug("No challenge.");
644 challenge = packet_get_string(&clen);
645 packet_integrity_check(payload_len, (4 + clen), type);
646 snprintf(prompt, sizeof prompt, "%s%s", challenge,
647 strchr(challenge, '\n') ? "" : "\nResponse: ");
650 error("Permission denied, please try again.");
651 if (options.cipher == SSH_CIPHER_NONE)
652 log("WARNING: Encryption is disabled! "
653 "Reponse will be transmitted in clear text.");
654 response = read_passphrase(prompt, 0);
655 if (strcmp(response, "") == 0) {
659 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
660 ssh_put_password(response);
661 memset(response, 0, strlen(response));
665 type = packet_read(&payload_len);
666 if (type == SSH_SMSG_SUCCESS)
668 if (type != SSH_SMSG_FAILURE)
669 packet_disconnect("Protocol error: got %d in response "
670 "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
677 * Tries to authenticate with plain passwd authentication.
680 try_password_authentication(char *prompt)
682 int type, i, payload_len;
685 debug("Doing password authentication.");
686 if (options.cipher == SSH_CIPHER_NONE)
687 log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
688 for (i = 0; i < options.number_of_password_prompts; i++) {
690 error("Permission denied, please try again.");
691 password = read_passphrase(prompt, 0);
692 packet_start(SSH_CMSG_AUTH_PASSWORD);
693 ssh_put_password(password);
694 memset(password, 0, strlen(password));
699 type = packet_read(&payload_len);
700 if (type == SSH_SMSG_SUCCESS)
702 if (type != SSH_SMSG_FAILURE)
703 packet_disconnect("Protocol error: got %d in response to passwd auth", type);
713 ssh_kex(char *host, struct sockaddr *hostaddr)
721 int ssh_cipher_default = SSH_CIPHER_3DES;
722 u_char session_key[SSH_SESSION_KEY_LENGTH];
724 u_int supported_ciphers;
725 u_int server_flags, client_flags;
726 int payload_len, clen, sum_len = 0;
729 debug("Waiting for server public key.");
731 /* Wait for a public key packet from the server. */
732 packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
734 /* Get cookie from the packet. */
735 for (i = 0; i < 8; i++)
736 cookie[i] = packet_get_char();
738 /* Get the public key. */
739 public_key = RSA_new();
740 bits = packet_get_int();/* bits */
741 public_key->e = BN_new();
742 packet_get_bignum(public_key->e, &clen);
744 public_key->n = BN_new();
745 packet_get_bignum(public_key->n, &clen);
748 rbits = BN_num_bits(public_key->n);
750 log("Warning: Server lies about size of server public key: "
751 "actual size is %d bits vs. announced %d.", rbits, bits);
752 log("Warning: This may be due to an old implementation of ssh.");
754 /* Get the host key. */
755 host_key = RSA_new();
756 bits = packet_get_int();/* bits */
757 host_key->e = BN_new();
758 packet_get_bignum(host_key->e, &clen);
760 host_key->n = BN_new();
761 packet_get_bignum(host_key->n, &clen);
764 rbits = BN_num_bits(host_key->n);
766 log("Warning: Server lies about size of server host key: "
767 "actual size is %d bits vs. announced %d.", rbits, bits);
768 log("Warning: This may be due to an old implementation of ssh.");
771 /* Get protocol flags. */
772 server_flags = packet_get_int();
773 packet_set_protocol_flags(server_flags);
775 supported_ciphers = packet_get_int();
776 supported_authentications = packet_get_int();
778 debug("Received server public key (%d bits) and host key (%d bits).",
779 BN_num_bits(public_key->n), BN_num_bits(host_key->n));
781 packet_integrity_check(payload_len,
782 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
783 SSH_SMSG_PUBLIC_KEY);
786 if (verify_host_key(host, hostaddr, &k) == -1)
787 fatal("host_key verification failed");
789 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
791 compute_session_id(session_id, cookie, host_key->n, public_key->n);
793 /* Generate a session key. */
797 * Generate an encryption key for the session. The key is a 256 bit
798 * random number, interpreted as a 32-byte key, with the least
799 * significant 8 bits being the first byte of the key.
801 for (i = 0; i < 32; i++) {
804 session_key[i] = rand & 0xff;
809 * According to the protocol spec, the first byte of the session key
810 * is the highest byte of the integer. The session key is xored with
811 * the first 16 bytes of the session id.
815 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
816 BN_lshift(key, key, 8);
818 BN_add_word(key, session_key[i] ^ session_id[i]);
820 BN_add_word(key, session_key[i]);
824 * Encrypt the integer using the public key and host key of the
825 * server (key with smaller modulus first).
827 if (BN_cmp(public_key->n, host_key->n) < 0) {
828 /* Public key has smaller modulus. */
829 if (BN_num_bits(host_key->n) <
830 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
831 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
832 "SSH_KEY_BITS_RESERVED %d",
833 BN_num_bits(host_key->n),
834 BN_num_bits(public_key->n),
835 SSH_KEY_BITS_RESERVED);
837 rsa_public_encrypt(key, key, public_key);
838 rsa_public_encrypt(key, key, host_key);
840 /* Host key has smaller modulus (or they are equal). */
841 if (BN_num_bits(public_key->n) <
842 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
843 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
844 "SSH_KEY_BITS_RESERVED %d",
845 BN_num_bits(public_key->n),
846 BN_num_bits(host_key->n),
847 SSH_KEY_BITS_RESERVED);
849 rsa_public_encrypt(key, key, host_key);
850 rsa_public_encrypt(key, key, public_key);
853 /* Destroy the public keys since we no longer need them. */
854 RSA_free(public_key);
857 if (options.cipher == SSH_CIPHER_NOT_SET) {
858 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
859 options.cipher = ssh_cipher_default;
860 } else if (options.cipher == SSH_CIPHER_ILLEGAL ||
861 !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
862 log("No valid SSH1 cipher, using %.100s instead.",
863 cipher_name(ssh_cipher_default));
864 options.cipher = ssh_cipher_default;
866 /* Check that the selected cipher is supported. */
867 if (!(supported_ciphers & (1 << options.cipher)))
868 fatal("Selected cipher type %.100s not supported by server.",
869 cipher_name(options.cipher));
871 debug("Encryption type: %.100s", cipher_name(options.cipher));
873 /* Send the encrypted session key to the server. */
874 packet_start(SSH_CMSG_SESSION_KEY);
875 packet_put_char(options.cipher);
877 /* Send the cookie back to the server. */
878 for (i = 0; i < 8; i++)
879 packet_put_char(cookie[i]);
881 /* Send and destroy the encrypted encryption key integer. */
882 packet_put_bignum(key);
885 /* Send protocol flags. */
886 packet_put_int(client_flags);
888 /* Send the packet now. */
892 debug("Sent encrypted session key.");
894 /* Set the encryption key. */
895 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
897 /* We will no longer need the session key here. Destroy any extra copies. */
898 memset(session_key, 0, sizeof(session_key));
901 * Expect a success message from the server. Note that this message
902 * will be received in encrypted form.
904 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
906 debug("Received encrypted confirmation.");
913 ssh_userauth1(const char *local_user, const char *server_user, char *host,
914 Key **keys, int nkeys)
919 if (supported_authentications == 0)
920 fatal("ssh_userauth1: server supports no auth methods");
922 /* Send the name of the user to log in as on the server. */
923 packet_start(SSH_CMSG_USER);
924 packet_put_cstring(server_user);
929 * The server should respond with success if no authentication is
930 * needed (the user has no password). Otherwise the server responds
933 type = packet_read(&payload_len);
935 /* check whether the connection was accepted without authentication. */
936 if (type == SSH_SMSG_SUCCESS)
938 if (type != SSH_SMSG_FAILURE)
939 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
943 /* Try Kerberos tgt passing if the server supports it. */
944 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
945 options.kerberos_tgt_passing) {
946 if (options.cipher == SSH_CIPHER_NONE)
947 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
948 (void) send_kerberos_tgt();
950 /* Try AFS token passing if the server supports it. */
951 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
952 options.afs_token_passing && k_hasafs()) {
953 if (options.cipher == SSH_CIPHER_NONE)
954 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
960 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
961 options.kerberos_authentication) {
962 debug("Trying Kerberos authentication.");
963 if (try_kerberos_authentication()) {
964 /* The server should respond with success or failure. */
965 type = packet_read(&payload_len);
966 if (type == SSH_SMSG_SUCCESS)
968 if (type != SSH_SMSG_FAILURE)
969 packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
975 * Use rhosts authentication if running in privileged socket and we
976 * do not wish to remain anonymous.
978 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
979 options.rhosts_authentication) {
980 debug("Trying rhosts authentication.");
981 packet_start(SSH_CMSG_AUTH_RHOSTS);
982 packet_put_cstring(local_user);
986 /* The server should respond with success or failure. */
987 type = packet_read(&payload_len);
988 if (type == SSH_SMSG_SUCCESS)
990 if (type != SSH_SMSG_FAILURE)
991 packet_disconnect("Protocol error: got %d in response to rhosts auth",
995 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
998 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
999 options.rhosts_rsa_authentication) {
1000 for (i = 0; i < nkeys; i++) {
1001 if (keys[i] != NULL && keys[i]->type == KEY_RSA1 &&
1002 try_rhosts_rsa_authentication(local_user, keys[i]))
1006 /* Try RSA authentication if the server supports it. */
1007 if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
1008 options.rsa_authentication) {
1010 * Try RSA authentication using the authentication agent. The
1011 * agent is tried first because no passphrase is needed for
1012 * it, whereas identity files may require passphrases.
1014 if (try_agent_authentication())
1017 /* Try RSA authentication for each identity. */
1018 for (i = 0; i < options.num_identity_files; i++)
1019 if (options.identity_keys[i] != NULL &&
1020 options.identity_keys[i]->type == KEY_RSA1 &&
1021 try_rsa_authentication(options.identity_files[i]))
1024 /* Try challenge response authentication if the server supports it. */
1025 if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
1026 options.challenge_response_authentication && !options.batch_mode) {
1027 if (try_challenge_response_authentication())
1030 /* Try password authentication if the server supports it. */
1031 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
1032 options.password_authentication && !options.batch_mode) {
1035 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
1037 if (try_password_authentication(prompt))
1040 /* All authentication methods have failed. Exit with an error message. */
1041 fatal("Permission denied.");