5 Author: Tatu Ylonen <ylo@cs.hut.fi>
7 Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 Created: Sat Mar 18 22:15:47 1995 ylo
12 Code to connect to a remote host, and to perform the client side of the
13 login (authentication) dialog.
21 #include <openssl/bn.h>
22 #include <openssl/md5.h>
40 /* Session id for the current session. */
41 unsigned char session_id[16];
43 /* Connect to the given ssh server using a proxy command. */
46 ssh_proxy_connect(const char *host, int port, uid_t original_real_uid,
47 const char *proxy_command)
56 /* Convert the port number into a string. */
57 snprintf(portstring, sizeof portstring, "%d", port);
59 /* Build the final command string in the buffer by making the appropriate
60 substitutions to the given proxy command. */
61 buffer_init(&command);
62 for (cp = proxy_command; *cp; cp++)
64 if (cp[0] == '%' && cp[1] == '%')
66 buffer_append(&command, "%", 1);
70 if (cp[0] == '%' && cp[1] == 'h')
72 buffer_append(&command, host, strlen(host));
76 if (cp[0] == '%' && cp[1] == 'p')
78 buffer_append(&command, portstring, strlen(portstring));
82 buffer_append(&command, cp, 1);
84 buffer_append(&command, "\0", 1);
86 /* Get the final command string. */
87 command_string = buffer_ptr(&command);
89 /* Create pipes for communicating with the proxy. */
90 if (pipe(pin) < 0 || pipe(pout) < 0)
91 fatal("Could not create pipes to communicate with the proxy: %.100s",
94 debug("Executing proxy command: %.500s", command_string);
96 /* Fork and execute the proxy command. */
97 if ((pid = fork()) == 0)
101 /* Child. Permanently give up superuser privileges. */
102 permanently_set_uid(original_real_uid);
104 /* Redirect stdin and stdout. */
108 if (dup2(pin[0], 0) < 0)
109 perror("dup2 stdin");
113 if (dup2(pout[1], 1) < 0)
114 perror("dup2 stdout");
115 close(pout[1]); /* Cannot be 1 because pin allocated two descriptors. */
117 /* Stderr is left as it is so that error messages get printed on
118 the user's terminal. */
121 argv[2] = command_string;
124 /* Execute the proxy command. Note that we gave up any extra
126 execv("/bin/sh", argv);
132 fatal("fork failed: %.100s", strerror(errno));
134 /* Close child side of the descriptors. */
138 /* Free the command name. */
139 buffer_free(&command);
141 /* Set the connection file descriptors. */
142 packet_set_connection(pout[0], pin[1]);
147 /* Creates a (possibly privileged) socket for use as the ssh connection. */
149 int ssh_create_socket(uid_t original_real_uid, int privileged)
153 /* If we are running as root and want to connect to a privileged port,
154 bind our own socket to a privileged port. */
157 int p = IPPORT_RESERVED - 1;
159 sock = rresvport(&p);
161 fatal("rresvport: %.100s", strerror(errno));
162 debug("Allocated local port %d.", p);
166 /* Just create an ordinary socket on arbitrary port. We use the
167 user's uid to create the socket. */
168 temporarily_use_uid(original_real_uid);
169 sock = socket(AF_INET, SOCK_STREAM, 0);
171 fatal("socket: %.100s", strerror(errno));
177 /* Opens a TCP/IP connection to the remote server on the given host. If
178 port is 0, the default port will be used. If anonymous is zero,
179 a privileged port will be allocated to make the connection.
180 This requires super-user privileges if anonymous is false.
181 Connection_attempts specifies the maximum number of tries (one per
182 second). If proxy_command is non-NULL, it specifies the command (with %h
183 and %p substituted for host and port, respectively) to use to contact
186 int ssh_connect(const char *host, struct sockaddr_in *hostaddr,
187 int port, int connection_attempts,
188 int anonymous, uid_t original_real_uid,
189 const char *proxy_command)
191 int sock = -1, attempt, i;
195 struct linger linger;
197 debug("ssh_connect: getuid %d geteuid %d anon %d",
198 (int)getuid(), (int)geteuid(), anonymous);
200 /* Get default port if port has not been set. */
203 sp = getservbyname(SSH_SERVICE_NAME, "tcp");
205 port = ntohs(sp->s_port);
207 port = SSH_DEFAULT_PORT;
210 /* If a proxy command is given, connect using it. */
211 if (proxy_command != NULL)
212 return ssh_proxy_connect(host, port, original_real_uid, proxy_command);
214 /* No proxy command. */
216 /* No host lookup made yet. */
219 /* Try to connect several times. On some machines, the first time will
220 sometimes fail. In general socket code appears to behave quite
221 magically on many machines. */
222 for (attempt = 0; attempt < connection_attempts; attempt++)
225 debug("Trying again...");
227 /* Try to parse the host name as a numeric inet address. */
228 memset(hostaddr, 0, sizeof(hostaddr));
229 hostaddr->sin_family = AF_INET;
230 hostaddr->sin_port = htons(port);
231 hostaddr->sin_addr.s_addr = inet_addr(host);
232 if ((hostaddr->sin_addr.s_addr & 0xffffffff) != 0xffffffff)
234 /* Valid numeric IP address */
235 debug("Connecting to %.100s port %d.",
236 inet_ntoa(hostaddr->sin_addr), port);
238 /* Create a socket. */
239 sock = ssh_create_socket(original_real_uid,
240 !anonymous && geteuid() == 0 &&
241 port < IPPORT_RESERVED);
243 /* Connect to the host. We use the user's uid in the hope that
244 it will help with the problems of tcp_wrappers showing the
245 remote uid as root. */
246 temporarily_use_uid(original_real_uid);
247 if (connect(sock, (struct sockaddr *)hostaddr, sizeof(*hostaddr))
250 /* Successful connect. */
254 debug("connect: %.100s", strerror(errno));
257 /* Destroy the failed socket. */
258 shutdown(sock, SHUT_RDWR);
263 /* Not a valid numeric inet address. */
264 /* Map host name to an address. */
266 hp = gethostbyname(host);
268 fatal("Bad host name: %.100s", host);
269 if (!hp->h_addr_list[0])
270 fatal("Host does not have an IP address: %.100s", host);
272 /* Loop through addresses for this host, and try each one in
273 sequence until the connection succeeds. */
274 for (i = 0; hp->h_addr_list[i]; i++)
276 /* Set the address to connect to. */
277 hostaddr->sin_family = hp->h_addrtype;
278 memcpy(&hostaddr->sin_addr, hp->h_addr_list[i],
279 sizeof(hostaddr->sin_addr));
281 debug("Connecting to %.200s [%.100s] port %d.",
282 host, inet_ntoa(hostaddr->sin_addr), port);
284 /* Create a socket for connecting. */
285 sock = ssh_create_socket(original_real_uid,
286 !anonymous && geteuid() == 0 &&
287 port < IPPORT_RESERVED);
289 /* Connect to the host. We use the user's uid in the hope that
290 it will help with tcp_wrappers showing the remote uid as
292 temporarily_use_uid(original_real_uid);
293 if (connect(sock, (struct sockaddr *)hostaddr,
294 sizeof(*hostaddr)) >= 0)
296 /* Successful connection. */
300 debug("connect: %.100s", strerror(errno));
303 /* Close the failed socket; there appear to be some problems
304 when reusing a socket for which connect() has already
305 returned an error. */
306 shutdown(sock, SHUT_RDWR);
309 if (hp->h_addr_list[i])
310 break; /* Successful connection. */
313 /* Sleep a moment before retrying. */
316 /* Return failure if we didn't get a successful connection. */
317 if (attempt >= connection_attempts)
320 debug("Connection established.");
322 /* Set socket options. We would like the socket to disappear as soon as
323 it has been closed for whatever reason. */
324 /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
325 setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&on, sizeof(on));
328 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
330 /* Set the connection. */
331 packet_set_connection(sock, sock);
336 /* Checks if the user has an authentication agent, and if so, tries to
337 authenticate using the agent. */
340 try_agent_authentication()
344 AuthenticationConnection *auth;
345 unsigned char response[16];
347 BIGNUM *e, *n, *challenge;
349 /* Get connection to the agent. */
350 auth = ssh_get_authentication_connection();
356 challenge = BN_new();
358 /* Loop through identities served by the agent. */
359 for (status = ssh_get_first_identity(auth, e, n, &comment);
361 status = ssh_get_next_identity(auth, e, n, &comment))
365 /* Try this identity. */
366 debug("Trying RSA authentication via agent with '%.100s'", comment);
369 /* Tell the server that we are willing to authenticate using this key. */
370 packet_start(SSH_CMSG_AUTH_RSA);
371 packet_put_bignum(n);
375 /* Wait for server's response. */
376 type = packet_read(&plen);
378 /* The server sends failure if it doesn\'t like our key or does not
379 support RSA authentication. */
380 if (type == SSH_SMSG_FAILURE)
382 debug("Server refused our key.");
386 /* Otherwise it should have sent a challenge. */
387 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
388 packet_disconnect("Protocol error during RSA authentication: %d",
391 packet_get_bignum(challenge, &clen);
393 packet_integrity_check(plen, clen, type);
395 debug("Received RSA challenge from server.");
397 /* Ask the agent to decrypt the challenge. */
398 if (!ssh_decrypt_challenge(auth, e, n, challenge,
399 session_id, 1, response))
401 /* The agent failed to authenticate this identifier although it
402 advertised it supports this. Just return a wrong value. */
403 log("Authentication agent failed to decrypt challenge.");
404 memset(response, 0, sizeof(response));
407 debug("Sending response to RSA challenge.");
409 /* Send the decrypted challenge back to the server. */
410 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
411 for (i = 0; i < 16; i++)
412 packet_put_char(response[i]);
416 /* Wait for response from the server. */
417 type = packet_read(&plen);
419 /* The server returns success if it accepted the authentication. */
420 if (type == SSH_SMSG_SUCCESS)
422 debug("RSA authentication accepted by server.");
425 BN_clear_free(challenge);
429 /* Otherwise it should return failure. */
430 if (type != SSH_SMSG_FAILURE)
431 packet_disconnect("Protocol error waiting RSA auth response: %d",
437 BN_clear_free(challenge);
439 debug("RSA authentication using agent refused.");
443 /* Computes the proper response to a RSA challenge, and sends the response to
447 respond_to_rsa_challenge(BIGNUM *challenge, RSA *prv)
449 unsigned char buf[32], response[16];
453 /* Decrypt the challenge using the private key. */
454 rsa_private_decrypt(challenge, challenge, prv);
456 /* Compute the response. */
457 /* The response is MD5 of decrypted challenge plus session id. */
458 len = BN_num_bytes(challenge);
459 if (len <= 0 || len > sizeof(buf))
460 packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
463 memset(buf, 0, sizeof(buf));
464 BN_bn2bin(challenge, buf + sizeof(buf) - len);
466 MD5_Update(&md, buf, 32);
467 MD5_Update(&md, session_id, 16);
468 MD5_Final(response, &md);
470 debug("Sending response to host key RSA challenge.");
472 /* Send the response back to the server. */
473 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
474 for (i = 0; i < 16; i++)
475 packet_put_char(response[i]);
479 memset(buf, 0, sizeof(buf));
480 memset(response, 0, sizeof(response));
481 memset(&md, 0, sizeof(md));
484 /* Checks if the user has authentication file, and if so, tries to authenticate
485 the user using it. */
488 try_rsa_authentication(struct passwd *pw, const char *authfile)
490 extern Options options;
494 char *passphrase, *comment;
498 /* Try to load identification for the authentication key. */
499 public_key = RSA_new();
500 if (!load_public_key(authfile, public_key, &comment)) {
501 RSA_free(public_key);
502 return 0; /* Could not load it. Fail. */
505 debug("Trying RSA authentication with key '%.100s'", comment);
507 /* Tell the server that we are willing to authenticate using this key. */
508 packet_start(SSH_CMSG_AUTH_RSA);
509 packet_put_bignum(public_key->n);
513 /* We no longer need the public key. */
514 RSA_free(public_key);
516 /* Wait for server's response. */
517 type = packet_read(&plen);
519 /* The server responds with failure if it doesn\'t like our key or doesn\'t
520 support RSA authentication. */
521 if (type == SSH_SMSG_FAILURE)
523 debug("Server refused our key.");
525 return 0; /* Server refuses to authenticate with this key. */
528 /* Otherwise, the server should respond with a challenge. */
529 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
530 packet_disconnect("Protocol error during RSA authentication: %d", type);
532 /* Get the challenge from the packet. */
533 challenge = BN_new();
534 packet_get_bignum(challenge, &clen);
536 packet_integrity_check(plen, clen, type);
538 debug("Received RSA challenge from server.");
540 private_key = RSA_new();
541 /* Load the private key. Try first with empty passphrase; if it fails,
542 ask for a passphrase. */
543 if (!load_private_key(authfile, "", private_key, NULL))
546 /* Request passphrase from the user. We read from /dev/tty to make
547 this work even if stdin has been redirected. If running in
548 batch mode, we just use the empty passphrase, which will fail and
550 snprintf(buf, sizeof buf,
551 "Enter passphrase for RSA key '%.100s': ", comment);
552 if (!options.batch_mode)
553 passphrase = read_passphrase(buf, 0);
556 debug("Will not query passphrase for %.100s in batch mode.",
558 passphrase = xstrdup("");
561 /* Load the authentication file using the pasphrase. */
562 if (!load_private_key(authfile, passphrase, private_key, NULL))
564 memset(passphrase, 0, strlen(passphrase));
566 error("Bad passphrase.");
568 /* Send a dummy response packet to avoid protocol error. */
569 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
570 for (i = 0; i < 16; i++)
575 /* Expect the server to reject it... */
576 packet_read_expect(&plen, SSH_SMSG_FAILURE);
581 /* Destroy the passphrase. */
582 memset(passphrase, 0, strlen(passphrase));
586 /* We no longer need the comment. */
589 /* Compute and send a response to the challenge. */
590 respond_to_rsa_challenge(challenge, private_key);
592 /* Destroy the private key. */
593 RSA_free(private_key);
595 /* We no longer need the challenge. */
596 BN_clear_free(challenge);
598 /* Wait for response from the server. */
599 type = packet_read(&plen);
600 if (type == SSH_SMSG_SUCCESS)
602 debug("RSA authentication accepted by server.");
605 if (type != SSH_SMSG_FAILURE)
606 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
607 debug("RSA authentication refused.");
611 /* Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
612 authentication and RSA host authentication. */
615 try_rhosts_rsa_authentication(const char *local_user, RSA *host_key)
621 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
623 /* Tell the server that we are willing to authenticate using this key. */
624 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
625 packet_put_string(local_user, strlen(local_user));
626 packet_put_int(BN_num_bits(host_key->n));
627 packet_put_bignum(host_key->e);
628 packet_put_bignum(host_key->n);
632 /* Wait for server's response. */
633 type = packet_read(&plen);
635 /* The server responds with failure if it doesn't admit our .rhosts
636 authentication or doesn't know our host key. */
637 if (type == SSH_SMSG_FAILURE)
639 debug("Server refused our rhosts authentication or host key.");
640 return 0; /* Server refuses to authenticate us with this method. */
643 /* Otherwise, the server should respond with a challenge. */
644 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
645 packet_disconnect("Protocol error during RSA authentication: %d", type);
647 /* Get the challenge from the packet. */
648 challenge = BN_new();
649 packet_get_bignum(challenge, &clen);
651 packet_integrity_check(plen, clen, type);
653 debug("Received RSA challenge for host key from server.");
655 /* Compute a response to the challenge. */
656 respond_to_rsa_challenge(challenge, host_key);
658 /* We no longer need the challenge. */
659 BN_clear_free(challenge);
661 /* Wait for response from the server. */
662 type = packet_read(&plen);
663 if (type == SSH_SMSG_SUCCESS)
665 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
668 if (type != SSH_SMSG_FAILURE)
669 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
670 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
675 int try_kerberos_authentication()
677 KTEXT_ST auth; /* Kerberos data */
683 Key_schedule schedule;
684 u_long checksum, cksum;
686 struct sockaddr_in local, foreign;
689 /* Don't do anything if we don't have any tickets. */
690 if (stat(tkt_string(), &st) < 0) return 0;
692 strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ);
694 realm = (char *)krb_realmofhost(get_canonical_hostname());
696 debug("Kerberos V4: no realm for %s", get_canonical_hostname());
699 /* This can really be anything. */
700 checksum = (u_long) getpid();
702 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
704 debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]);
707 /* Get session key to decrypt the server's reply with. */
708 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
710 debug("get_cred failed: %s", krb_err_txt[r]);
713 des_key_sched((des_cblock *)cred.session, schedule);
715 /* Send authentication info to server. */
716 packet_start(SSH_CMSG_AUTH_KERBEROS);
717 packet_put_string((char *)auth.dat, auth.length);
721 /* Zero the buffer. */
722 (void) memset(auth.dat, 0, MAX_KTXT_LEN);
725 memset(&local, 0, sizeof(local));
726 if (getsockname(packet_get_connection_in(),
727 (struct sockaddr *) &local, &r) < 0)
728 debug("getsockname failed: %s", strerror(errno));
731 memset(&foreign, 0, sizeof(foreign));
732 if (getpeername(packet_get_connection_in(),
733 (struct sockaddr *)&foreign, &r) < 0) {
734 debug("getpeername failed: %s", strerror(errno));
738 /* Get server reply. */
739 type = packet_read(&plen);
742 case SSH_SMSG_FAILURE: /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
743 debug("Kerberos V4 authentication failed.");
747 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
748 debug("Kerberos V4 authentication accepted.");
750 /* Get server's response. */
751 reply = packet_get_string((unsigned int *)&auth.length);
752 memcpy(auth.dat, reply, auth.length);
755 packet_integrity_check(plen, 4 + auth.length, type);
757 /* If his response isn't properly encrypted with the session key,
758 and the decrypted checksum fails to match, he's bogus. Bail out. */
759 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
760 &foreign, &local, &msg_data);
762 debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]);
763 packet_disconnect("Kerberos V4 challenge failed!");
765 /* Fetch the (incremented) checksum that we supplied in the request. */
766 (void)memcpy((char *)&cksum, (char *)msg_data.app_data, sizeof(cksum));
767 cksum = ntohl(cksum);
769 /* If it matches, we're golden. */
770 if (cksum == checksum + 1) {
771 debug("Kerberos V4 challenge successful.");
775 packet_disconnect("Kerberos V4 challenge failed!");
779 packet_disconnect("Protocol error on Kerberos V4 response: %d", type);
786 int send_kerberos_tgt()
789 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
791 unsigned char buffer[8192];
794 /* Don't do anything if we don't have any tickets. */
795 if (stat(tkt_string(), &st) < 0) return 0;
797 creds = xmalloc(sizeof(*creds));
799 if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) {
800 debug("Kerberos V4 tf_fullname failed: %s",krb_err_txt[r]);
803 if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) {
804 debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]);
807 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
808 debug("Kerberos V4 ticket expired: %s", TKT_FILE);
812 creds_to_radix(creds, buffer);
815 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
816 packet_put_string((char *)buffer, strlen(buffer));
820 type = packet_read(&plen);
822 if (type == SSH_SMSG_FAILURE)
823 debug("Kerberos TGT for realm %s rejected.", prealm);
824 else if (type != SSH_SMSG_SUCCESS)
825 packet_disconnect("Protocol error on Kerberos TGT response: %d", type);
830 void send_afs_tokens(void)
833 struct ViceIoctl parms;
834 struct ClearToken ct;
835 int i, type, len, plen;
836 char buf[2048], *p, *server_cell;
837 unsigned char buffer[8192];
839 /* Move over ktc_GetToken, here's something leaner. */
840 for (i = 0; i < 100; i++) { /* just in case */
841 parms.in = (char *)&i;
842 parms.in_size = sizeof(i);
844 parms.out_size = sizeof(buf);
845 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) break;
848 /* Get secret token. */
849 memcpy(&creds.ticket_st.length, p, sizeof(unsigned int));
850 if (creds.ticket_st.length > MAX_KTXT_LEN) break;
851 p += sizeof(unsigned int);
852 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
853 p += creds.ticket_st.length;
855 /* Get clear token. */
856 memcpy(&len, p, sizeof(len));
857 if (len != sizeof(struct ClearToken)) break;
861 p += sizeof(len); /* primary flag */
864 /* Flesh out our credentials. */
865 strlcpy(creds.service, "afs", sizeof creds.service);
866 creds.instance[0] = '\0';
867 strlcpy(creds.realm, server_cell, REALM_SZ);
868 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
869 creds.issue_date = ct.BeginTimestamp;
870 creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp);
871 creds.kvno = ct.AuthHandle;
872 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
873 creds.pinst[0] = '\0';
875 /* Encode token, ship it off. */
876 if (!creds_to_radix(&creds, buffer)) break;
877 packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
878 packet_put_string((char *)buffer, strlen(buffer));
882 /* Roger, Roger. Clearance, Clarence. What's your vector, Victor? */
883 type = packet_read(&plen);
885 if (type == SSH_SMSG_FAILURE)
886 debug("AFS token for cell %s rejected.", server_cell);
887 else if (type != SSH_SMSG_SUCCESS)
888 packet_disconnect("Protocol error on AFS token response: %d", type);
893 /* Waits for the server identification string, and sends our own identification
896 void ssh_exchange_identification()
898 char buf[256], remote_version[256]; /* must be same size! */
899 int remote_major, remote_minor, i;
900 int connection_in = packet_get_connection_in();
901 int connection_out = packet_get_connection_out();
902 extern Options options;
904 /* Read other side\'s version identification. */
905 for (i = 0; i < sizeof(buf) - 1; i++)
907 if (read(connection_in, &buf[i], 1) != 1)
908 fatal("read: %.100s", strerror(errno));
921 buf[sizeof(buf) - 1] = 0;
923 /* Check that the versions match. In future this might accept several
924 versions and set appropriate flags to handle them. */
925 if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor,
926 remote_version) != 3)
927 fatal("Bad remote protocol version identification: '%.100s'", buf);
928 debug("Remote protocol version %d.%d, remote software version %.100s",
929 remote_major, remote_minor, remote_version);
931 /* Check if the remote protocol version is too old. */
932 if (remote_major == 1 && remote_minor < 3)
933 fatal("Remote machine has too old SSH software version.");
935 /* We speak 1.3, too. */
936 if (remote_major == 1 && remote_minor == 3) {
938 if (options.forward_agent && strcmp(remote_version, SSH_VERSION) != 0) {
939 log("Agent forwarding disabled, remote version '%s' is not compatible.",
941 options.forward_agent = 0;
945 /* Removed for now, to permit compatibility with latter versions. The server
946 will reject our version and disconnect if it doesn't support it. */
947 if (remote_major != PROTOCOL_MAJOR)
948 fatal("Protocol major versions differ: %d vs. %d",
949 PROTOCOL_MAJOR, remote_major);
952 /* Send our own protocol version identification. */
953 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
954 PROTOCOL_MAJOR, PROTOCOL_MINOR, SSH_VERSION);
955 if (write(connection_out, buf, strlen(buf)) != strlen(buf))
956 fatal("write: %.100s", strerror(errno));
959 int ssh_cipher_default = SSH_CIPHER_3DES;
961 int read_yes_or_no(const char *prompt, int defval)
970 f = fopen("/dev/tty", "rw");
979 fprintf(stderr, "%s", prompt);
980 if (fgets(buf, sizeof(buf), f) == NULL)
982 /* Print a newline (the prompt probably didn\'t have one). */
983 fprintf(stderr, "\n");
984 strlcpy(buf, "no", sizeof buf);
986 /* Remove newline from response. */
987 if (strchr(buf, '\n'))
988 *strchr(buf, '\n') = 0;
992 if (strcmp(buf, "yes") == 0)
994 if (strcmp(buf, "no") == 0)
1006 /* Starts a dialog with the server, and authenticates the current user on the
1007 server. This does not need any extra privileges. The basic connection
1008 to the server must already have been established before this is called.
1009 User is the remote user; if it is NULL, the current local user name will
1010 be used. Anonymous indicates that no rhosts authentication will be used.
1011 If login fails, this function prints an error and never returns.
1012 This function does not require super-user privileges. */
1014 void ssh_login(int host_key_valid,
1016 const char *orighost,
1017 struct sockaddr_in *hostaddr,
1018 uid_t original_real_uid)
1020 extern Options options;
1025 RSA *host_key, *file_key;
1028 unsigned char session_key[SSH_SESSION_KEY_LENGTH];
1029 const char *server_user, *local_user;
1030 char *cp, *host, *ip = NULL;
1031 unsigned char check_bytes[8];
1032 unsigned int supported_ciphers, supported_authentications, protocol_flags;
1033 HostStatus host_status;
1034 HostStatus ip_status;
1035 int host_ip_differ = 0;
1036 int local = (ntohl(hostaddr->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
1037 int payload_len, clen, sum_len = 0;
1040 if (options.check_host_ip)
1041 ip = xstrdup(inet_ntoa(hostaddr->sin_addr));
1043 /* Convert the user-supplied hostname into all lowercase. */
1044 host = xstrdup(orighost);
1045 for (cp = host; *cp; cp++)
1049 /* Exchange protocol version identification strings with the server. */
1050 ssh_exchange_identification();
1052 /* Put the connection into non-blocking mode. */
1053 packet_set_nonblocking();
1055 /* Get local user name. Use it as server user if no user name
1057 pw = getpwuid(original_real_uid);
1059 fatal("User id %d not found from user database.", original_real_uid);
1060 local_user = xstrdup(pw->pw_name);
1061 server_user = options.user ? options.user : local_user;
1063 debug("Waiting for server public key.");
1065 /* Wait for a public key packet from the server. */
1066 packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
1068 /* Get check bytes from the packet. */
1069 for (i = 0; i < 8; i++)
1070 check_bytes[i] = packet_get_char();
1072 /* Get the public key. */
1073 public_key = RSA_new();
1074 bits = packet_get_int(); /* bits */
1075 public_key->e = BN_new();
1076 packet_get_bignum(public_key->e, &clen);
1078 public_key->n = BN_new();
1079 packet_get_bignum(public_key->n, &clen);
1082 rbits = BN_num_bits(public_key->n);
1083 if (bits != rbits) {
1084 log("Warning: Server lies about size of server public key,");
1085 log("Warning: this may be due to an old implementation of ssh.");
1086 log("Warning: (actual size %d bits, announced size %d bits)", rbits, bits);
1089 /* Get the host key. */
1090 host_key = RSA_new();
1091 bits = packet_get_int(); /* bits */
1092 host_key->e = BN_new();
1093 packet_get_bignum(host_key->e, &clen);
1095 host_key->n = BN_new();
1096 packet_get_bignum(host_key->n, &clen);
1099 rbits = BN_num_bits(host_key->n);
1100 if (bits != rbits) {
1101 log("Warning: Server lies about size of server host key,");
1102 log("Warning: this may be due to an old implementation of ssh.");
1103 log("Warning: (actual size %d bits, announced size %d bits)", rbits, bits);
1106 /* Store the host key from the known host file in here
1107 * so that we can compare it with the key for the IP
1109 file_key = RSA_new();
1110 file_key->n = BN_new();
1111 file_key->e = BN_new();
1113 /* Get protocol flags. */
1114 protocol_flags = packet_get_int();
1115 packet_set_protocol_flags(protocol_flags);
1117 /* Get supported cipher types. */
1118 supported_ciphers = packet_get_int();
1120 /* Get supported authentication types. */
1121 supported_authentications = packet_get_int();
1123 debug("Received server public key (%d bits) and host key (%d bits).",
1124 BN_num_bits(public_key->n), BN_num_bits(host_key->n));
1126 packet_integrity_check(payload_len,
1127 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
1128 SSH_SMSG_PUBLIC_KEY);
1130 /* Compute the session id. */
1131 compute_session_id(session_id, check_bytes, host_key->n, public_key->n);
1133 /* Check if the host key is present in the user\'s list of known hosts
1134 or in the systemwide list. */
1135 host_status = check_host_in_hostfile(options.user_hostfile, host,
1136 host_key->e, host_key->n,
1137 file_key->e, file_key->n);
1138 if (host_status == HOST_NEW)
1139 host_status = check_host_in_hostfile(options.system_hostfile, host,
1140 host_key->e, host_key->n,
1141 file_key->e, file_key->n);
1142 /* Force accepting of the host key for localhost and 127.0.0.1.
1143 The problem is that if the home directory is NFS-mounted to multiple
1144 machines, localhost will refer to a different machine in each of them,
1145 and the user will get bogus HOST_CHANGED warnings. This essentially
1146 disables host authentication for localhost; however, this is probably
1147 not a real problem. */
1149 debug("Forcing accepting of host key for localhost.");
1150 host_status = HOST_OK;
1153 /* Also perform check for the ip address, skip the check if we are
1154 localhost or the hostname was an ip address to begin with */
1155 if (options.check_host_ip && !local && strcmp(host, ip)) {
1156 RSA *ip_key = RSA_new();
1157 ip_key->n = BN_new();
1158 ip_key->e = BN_new();
1159 ip_status = check_host_in_hostfile(options.user_hostfile, ip,
1160 host_key->e, host_key->n,
1161 ip_key->e, ip_key->n);
1163 if (ip_status == HOST_NEW)
1164 ip_status = check_host_in_hostfile(options.system_hostfile, ip,
1165 host_key->e, host_key->n,
1166 ip_key->e, ip_key->n);
1167 if (host_status == HOST_CHANGED &&
1168 (ip_status != HOST_CHANGED ||
1169 (BN_cmp(ip_key->e, file_key->e) || BN_cmp(ip_key->n, file_key->n))))
1174 ip_status = host_status;
1178 switch (host_status) {
1180 /* The host is known and the key matches. */
1181 debug("Host '%.200s' is known and matches the host key.", host);
1182 if (options.check_host_ip) {
1183 if (ip_status == HOST_NEW) {
1184 if (!add_host_to_hostfile(options.user_hostfile, ip,
1185 host_key->e, host_key->n))
1186 log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).",
1187 ip, options.user_hostfile);
1189 log("Warning: Permanently added host key for IP address '%.30s' to the list of known hosts.",
1191 } else if (ip_status != HOST_OK)
1192 log("Warning: the host key for '%.200s' differs from the key for the IP address '%.30s'",
1199 char hostline[1000], *hostp = hostline;
1200 /* The host is new. */
1201 if (options.strict_host_key_checking == 1) {
1202 /* User has requested strict host key checking. We will not
1203 add the host key automatically. The only alternative left
1205 fatal("No host key is known for %.200s and you have requested strict checking.", host);
1206 } else if (options.strict_host_key_checking == 2) { /* The default */
1208 snprintf(prompt, sizeof(prompt),
1209 "The authenticity of host '%.200s' can't be established.\n"
1210 "Are you sure you want to continue connecting (yes/no)? ",
1212 if (!read_yes_or_no(prompt, -1))
1213 fatal("Aborted by user!\n");
1216 if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip))
1217 snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
1221 /* If not in strict mode, add the key automatically to the local
1222 known_hosts file. */
1223 if (!add_host_to_hostfile(options.user_hostfile, hostp,
1224 host_key->e, host_key->n))
1225 log("Failed to add the host to the list of known hosts (%.500s).",
1226 options.user_hostfile);
1228 log("Warning: Permanently added '%.200s' to the list of known hosts.",
1233 if (options.check_host_ip) {
1234 if (host_ip_differ) {
1236 if (ip_status == HOST_NEW)
1238 else if (ip_status == HOST_OK)
1239 msg = "is unchanged";
1241 msg = "has a different value";
1242 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1243 error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
1244 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1245 error("The host key for %s has changed,", host);
1246 error("and the key for the according IP address %s", ip);
1247 error("%s. This could either mean that", msg);
1248 error("DNS SPOOFING is happening or the IP address for the host");
1249 error("and its host key have changed at the same time");
1253 /* The host key has changed. */
1254 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1255 error("@ WARNING: HOST IDENTIFICATION HAS CHANGED! @");
1256 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1257 error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1258 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1259 error("It is also possible that the host key has just been changed.");
1260 error("Please contact your system administrator.");
1261 error("Add correct host key in %.100s to get rid of this message.",
1262 options.user_hostfile);
1264 /* If strict host key checking is in use, the user will have to edit
1265 the key manually and we can only abort. */
1266 if (options.strict_host_key_checking)
1267 fatal("Host key for %.200s has changed and you have requested strict checking.", host);
1269 /* If strict host key checking has not been requested, allow the
1270 connection but without password authentication or
1271 agent forwarding. */
1272 if (options.password_authentication) {
1273 error("Password authentication is disabled to avoid trojan horses.");
1274 options.password_authentication = 0;
1276 if (options.forward_agent) {
1277 error("Agent forwarding is disabled to avoid trojan horses.");
1278 options.forward_agent = 0;
1280 /* XXX Should permit the user to change to use the new id. This could
1281 be done by converting the host key to an identifying sentence, tell
1282 that the host identifies itself by that sentence, and ask the user
1283 if he/she whishes to accept the authentication. */
1287 if (options.check_host_ip)
1290 /* Generate a session key. */
1293 /* Generate an encryption key for the session. The key is a 256 bit
1294 random number, interpreted as a 32-byte key, with the least significant
1295 8 bits being the first byte of the key. */
1296 for (i = 0; i < 32; i++) {
1298 rand = arc4random();
1299 session_key[i] = rand & 0xff;
1303 /* According to the protocol spec, the first byte of the session key is
1304 the highest byte of the integer. The session key is xored with the
1305 first 16 bytes of the session id. */
1307 BN_set_word(key, 0);
1308 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++)
1310 BN_lshift(key, key, 8);
1312 BN_add_word(key, session_key[i] ^ session_id[i]);
1314 BN_add_word(key, session_key[i]);
1317 /* Encrypt the integer using the public key and host key of the server
1318 (key with smaller modulus first). */
1319 if (BN_cmp(public_key->n, host_key->n) < 0)
1321 /* Public key has smaller modulus. */
1322 if (BN_num_bits(host_key->n) <
1323 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
1324 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
1325 "SSH_KEY_BITS_RESERVED %d",
1326 BN_num_bits(host_key->n),
1327 BN_num_bits(public_key->n),
1328 SSH_KEY_BITS_RESERVED);
1331 rsa_public_encrypt(key, key, public_key);
1332 rsa_public_encrypt(key, key, host_key);
1336 /* Host key has smaller modulus (or they are equal). */
1337 if (BN_num_bits(public_key->n) <
1338 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
1339 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
1340 "SSH_KEY_BITS_RESERVED %d",
1341 BN_num_bits(public_key->n),
1342 BN_num_bits(host_key->n),
1343 SSH_KEY_BITS_RESERVED);
1346 rsa_public_encrypt(key, key, host_key);
1347 rsa_public_encrypt(key, key, public_key);
1350 if (options.cipher == SSH_CIPHER_NOT_SET) {
1351 if (cipher_mask() & supported_ciphers & (1 << ssh_cipher_default))
1352 options.cipher = ssh_cipher_default;
1354 debug("Cipher %d not supported, using %.100s instead.",
1355 cipher_name(ssh_cipher_default),
1356 cipher_name(SSH_FALLBACK_CIPHER));
1357 options.cipher = SSH_FALLBACK_CIPHER;
1361 /* Check that the selected cipher is supported. */
1362 if (!(supported_ciphers & (1 << options.cipher)))
1363 fatal("Selected cipher type %.100s not supported by server.",
1364 cipher_name(options.cipher));
1366 debug("Encryption type: %.100s", cipher_name(options.cipher));
1368 /* Send the encrypted session key to the server. */
1369 packet_start(SSH_CMSG_SESSION_KEY);
1370 packet_put_char(options.cipher);
1372 /* Send the check bytes back to the server. */
1373 for (i = 0; i < 8; i++)
1374 packet_put_char(check_bytes[i]);
1376 /* Send the encrypted encryption key. */
1377 packet_put_bignum(key);
1379 /* Send protocol flags. */
1380 packet_put_int(SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
1382 /* Send the packet now. */
1384 packet_write_wait();
1386 /* Destroy the session key integer and the public keys since we no longer
1389 RSA_free(public_key);
1392 debug("Sent encrypted session key.");
1394 /* Set the encryption key. */
1395 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
1397 /* We will no longer need the session key here. Destroy any extra copies. */
1398 memset(session_key, 0, sizeof(session_key));
1400 /* Expect a success message from the server. Note that this message will
1401 be received in encrypted form. */
1402 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1404 debug("Received encrypted confirmation.");
1406 /* Send the name of the user to log in as on the server. */
1407 packet_start(SSH_CMSG_USER);
1408 packet_put_string(server_user, strlen(server_user));
1410 packet_write_wait();
1412 /* The server should respond with success if no authentication is needed
1413 (the user has no password). Otherwise the server responds with
1415 type = packet_read(&payload_len);
1416 if (type == SSH_SMSG_SUCCESS)
1417 return; /* Connection was accepted without authentication. */
1418 if (type != SSH_SMSG_FAILURE)
1419 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
1423 /* Try Kerberos tgt passing if the server supports it. */
1424 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
1425 options.kerberos_tgt_passing)
1427 if (options.cipher == SSH_CIPHER_NONE)
1428 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
1429 (void)send_kerberos_tgt();
1432 /* Try AFS token passing if the server supports it. */
1433 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
1434 options.afs_token_passing && k_hasafs()) {
1435 if (options.cipher == SSH_CIPHER_NONE)
1436 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
1442 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1443 options.kerberos_authentication)
1445 debug("Trying Kerberos authentication.");
1446 if (try_kerberos_authentication()) {
1447 /* The server should respond with success or failure. */
1448 type = packet_read(&payload_len);
1449 if (type == SSH_SMSG_SUCCESS)
1450 return; /* Successful connection. */
1451 if (type != SSH_SMSG_FAILURE)
1452 packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
1457 /* Use rhosts authentication if running in privileged socket and we do not
1458 wish to remain anonymous. */
1459 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
1460 options.rhosts_authentication)
1462 debug("Trying rhosts authentication.");
1463 packet_start(SSH_CMSG_AUTH_RHOSTS);
1464 packet_put_string(local_user, strlen(local_user));
1466 packet_write_wait();
1468 /* The server should respond with success or failure. */
1469 type = packet_read(&payload_len);
1470 if (type == SSH_SMSG_SUCCESS)
1471 return; /* Successful connection. */
1472 if (type != SSH_SMSG_FAILURE)
1473 packet_disconnect("Protocol error: got %d in response to rhosts auth",
1477 /* Try .rhosts or /etc/hosts.equiv authentication with RSA host
1479 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
1480 options.rhosts_rsa_authentication && host_key_valid)
1482 if (try_rhosts_rsa_authentication(local_user, own_host_key))
1483 return; /* Successful authentication. */
1486 /* Try RSA authentication if the server supports it. */
1487 if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
1488 options.rsa_authentication)
1490 /* Try RSA authentication using the authentication agent. The agent
1491 is tried first because no passphrase is needed for it, whereas
1492 identity files may require passphrases. */
1493 if (try_agent_authentication())
1494 return; /* Successful connection. */
1496 /* Try RSA authentication for each identity. */
1497 for (i = 0; i < options.num_identity_files; i++)
1498 if (try_rsa_authentication(pw, options.identity_files[i]))
1499 return; /* Successful connection. */
1502 /* Try password authentication if the server supports it. */
1503 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
1504 options.password_authentication && !options.batch_mode)
1507 snprintf(prompt, sizeof(prompt), "%.30s@%.30s's password: ",
1509 debug("Doing password authentication.");
1510 if (options.cipher == SSH_CIPHER_NONE)
1511 log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
1512 for (i = 0; i < options.number_of_password_prompts; i++) {
1514 error("Permission denied, please try again.");
1515 password = read_passphrase(prompt, 0);
1516 packet_start(SSH_CMSG_AUTH_PASSWORD);
1517 packet_put_string(password, strlen(password));
1518 memset(password, 0, strlen(password));
1521 packet_write_wait();
1523 type = packet_read(&payload_len);
1524 if (type == SSH_SMSG_SUCCESS)
1525 return; /* Successful connection. */
1526 if (type != SSH_SMSG_FAILURE)
1527 packet_disconnect("Protocol error: got %d in response to passwd auth", type);
1531 /* All authentication methods have failed. Exit with an error message. */
1532 fatal("Permission denied.");