5 Author: Tatu Ylonen <ylo@cs.hut.fi>
7 Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 Created: Sat Mar 18 22:15:47 1995 ylo
12 Code to connect to a remote host, and to perform the client side of the
13 login (authentication) dialog.
22 #include <openssl/bn.h>
23 #include <openssl/md5.h>
41 /* Session id for the current session. */
42 unsigned char session_id[16];
44 /* Connect to the given ssh server using a proxy command. */
47 ssh_proxy_connect(const char *host, int port, uid_t original_real_uid,
48 const char *proxy_command)
57 /* Convert the port number into a string. */
58 snprintf(portstring, sizeof portstring, "%d", port);
60 /* Build the final command string in the buffer by making the appropriate
61 substitutions to the given proxy command. */
62 buffer_init(&command);
63 for (cp = proxy_command; *cp; cp++)
65 if (cp[0] == '%' && cp[1] == '%')
67 buffer_append(&command, "%", 1);
71 if (cp[0] == '%' && cp[1] == 'h')
73 buffer_append(&command, host, strlen(host));
77 if (cp[0] == '%' && cp[1] == 'p')
79 buffer_append(&command, portstring, strlen(portstring));
83 buffer_append(&command, cp, 1);
85 buffer_append(&command, "\0", 1);
87 /* Get the final command string. */
88 command_string = buffer_ptr(&command);
90 /* Create pipes for communicating with the proxy. */
91 if (pipe(pin) < 0 || pipe(pout) < 0)
92 fatal("Could not create pipes to communicate with the proxy: %.100s",
95 debug("Executing proxy command: %.500s", command_string);
97 /* Fork and execute the proxy command. */
98 if ((pid = fork()) == 0)
102 /* Child. Permanently give up superuser privileges. */
103 permanently_set_uid(original_real_uid);
105 /* Redirect stdin and stdout. */
109 if (dup2(pin[0], 0) < 0)
110 perror("dup2 stdin");
114 if (dup2(pout[1], 1) < 0)
115 perror("dup2 stdout");
116 close(pout[1]); /* Cannot be 1 because pin allocated two descriptors. */
118 /* Stderr is left as it is so that error messages get printed on
119 the user's terminal. */
122 argv[2] = command_string;
125 /* Execute the proxy command. Note that we gave up any extra
127 execv("/bin/sh", argv);
133 fatal("fork failed: %.100s", strerror(errno));
135 /* Close child side of the descriptors. */
139 /* Free the command name. */
140 buffer_free(&command);
142 /* Set the connection file descriptors. */
143 packet_set_connection(pout[0], pin[1]);
148 /* Creates a (possibly privileged) socket for use as the ssh connection. */
150 int ssh_create_socket(uid_t original_real_uid, int privileged)
154 /* If we are running as root and want to connect to a privileged port,
155 bind our own socket to a privileged port. */
158 int p = IPPORT_RESERVED - 1;
160 sock = rresvport(&p);
162 fatal("rresvport: %.100s", strerror(errno));
163 debug("Allocated local port %d.", p);
167 /* Just create an ordinary socket on arbitrary port. We use the
168 user's uid to create the socket. */
169 temporarily_use_uid(original_real_uid);
170 sock = socket(AF_INET, SOCK_STREAM, 0);
172 fatal("socket: %.100s", strerror(errno));
178 /* Opens a TCP/IP connection to the remote server on the given host. If
179 port is 0, the default port will be used. If anonymous is zero,
180 a privileged port will be allocated to make the connection.
181 This requires super-user privileges if anonymous is false.
182 Connection_attempts specifies the maximum number of tries (one per
183 second). If proxy_command is non-NULL, it specifies the command (with %h
184 and %p substituted for host and port, respectively) to use to contact
187 int ssh_connect(const char *host, struct sockaddr_in *hostaddr,
188 int port, int connection_attempts,
189 int anonymous, uid_t original_real_uid,
190 const char *proxy_command)
192 int sock = -1, attempt, i;
196 struct linger linger;
198 debug("ssh_connect: getuid %d geteuid %d anon %d",
199 (int)getuid(), (int)geteuid(), anonymous);
201 /* Get default port if port has not been set. */
204 sp = getservbyname(SSH_SERVICE_NAME, "tcp");
206 port = ntohs(sp->s_port);
208 port = SSH_DEFAULT_PORT;
211 /* If a proxy command is given, connect using it. */
212 if (proxy_command != NULL)
213 return ssh_proxy_connect(host, port, original_real_uid, proxy_command);
215 /* No proxy command. */
217 /* No host lookup made yet. */
220 /* Try to connect several times. On some machines, the first time will
221 sometimes fail. In general socket code appears to behave quite
222 magically on many machines. */
223 for (attempt = 0; attempt < connection_attempts; attempt++)
226 debug("Trying again...");
228 /* Try to parse the host name as a numeric inet address. */
229 memset(hostaddr, 0, sizeof(hostaddr));
230 hostaddr->sin_family = AF_INET;
231 hostaddr->sin_port = htons(port);
232 hostaddr->sin_addr.s_addr = inet_addr(host);
233 if ((hostaddr->sin_addr.s_addr & 0xffffffff) != 0xffffffff)
235 /* Valid numeric IP address */
236 debug("Connecting to %.100s port %d.",
237 inet_ntoa(hostaddr->sin_addr), port);
239 /* Create a socket. */
240 sock = ssh_create_socket(original_real_uid,
241 !anonymous && geteuid() == 0 &&
242 port < IPPORT_RESERVED);
244 /* Connect to the host. We use the user's uid in the hope that
245 it will help with the problems of tcp_wrappers showing the
246 remote uid as root. */
247 temporarily_use_uid(original_real_uid);
248 if (connect(sock, (struct sockaddr *)hostaddr, sizeof(*hostaddr))
251 /* Successful connect. */
255 debug("connect: %.100s", strerror(errno));
258 /* Destroy the failed socket. */
259 shutdown(sock, SHUT_RDWR);
264 /* Not a valid numeric inet address. */
265 /* Map host name to an address. */
267 hp = gethostbyname(host);
269 fatal("Bad host name: %.100s", host);
270 if (!hp->h_addr_list[0])
271 fatal("Host does not have an IP address: %.100s", host);
273 /* Loop through addresses for this host, and try each one in
274 sequence until the connection succeeds. */
275 for (i = 0; hp->h_addr_list[i]; i++)
277 /* Set the address to connect to. */
278 hostaddr->sin_family = hp->h_addrtype;
279 memcpy(&hostaddr->sin_addr, hp->h_addr_list[i],
280 sizeof(hostaddr->sin_addr));
282 debug("Connecting to %.200s [%.100s] port %d.",
283 host, inet_ntoa(hostaddr->sin_addr), port);
285 /* Create a socket for connecting. */
286 sock = ssh_create_socket(original_real_uid,
287 !anonymous && geteuid() == 0 &&
288 port < IPPORT_RESERVED);
290 /* Connect to the host. We use the user's uid in the hope that
291 it will help with tcp_wrappers showing the remote uid as
293 temporarily_use_uid(original_real_uid);
294 if (connect(sock, (struct sockaddr *)hostaddr,
295 sizeof(*hostaddr)) >= 0)
297 /* Successful connection. */
301 debug("connect: %.100s", strerror(errno));
304 /* Close the failed socket; there appear to be some problems
305 when reusing a socket for which connect() has already
306 returned an error. */
307 shutdown(sock, SHUT_RDWR);
310 if (hp->h_addr_list[i])
311 break; /* Successful connection. */
314 /* Sleep a moment before retrying. */
317 /* Return failure if we didn't get a successful connection. */
318 if (attempt >= connection_attempts)
321 debug("Connection established.");
323 /* Set socket options. We would like the socket to disappear as soon as
324 it has been closed for whatever reason. */
325 /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
326 setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&on, sizeof(on));
329 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
331 /* Set the connection. */
332 packet_set_connection(sock, sock);
337 /* Checks if the user has an authentication agent, and if so, tries to
338 authenticate using the agent. */
341 try_agent_authentication()
343 int status, type, bits;
345 AuthenticationConnection *auth;
346 unsigned char response[16];
348 BIGNUM *e, *n, *challenge;
350 /* Get connection to the agent. */
351 auth = ssh_get_authentication_connection();
357 challenge = BN_new();
359 /* Loop through identities served by the agent. */
360 for (status = ssh_get_first_identity(auth, &bits, e, n, &comment);
362 status = ssh_get_next_identity(auth, &bits, e, n, &comment))
366 /* Try this identity. */
367 debug("Trying RSA authentication via agent with '%.100s'", comment);
370 /* Tell the server that we are willing to authenticate using this key. */
371 packet_start(SSH_CMSG_AUTH_RSA);
372 packet_put_bignum(n);
376 /* Wait for server's response. */
377 type = packet_read(&plen);
379 /* The server sends failure if it doesn\'t like our key or does not
380 support RSA authentication. */
381 if (type == SSH_SMSG_FAILURE)
383 debug("Server refused our key.");
387 /* Otherwise it should have sent a challenge. */
388 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
389 packet_disconnect("Protocol error during RSA authentication: %d",
392 packet_get_bignum(challenge, &clen);
394 packet_integrity_check(plen, clen, type);
396 debug("Received RSA challenge from server.");
398 /* Ask the agent to decrypt the challenge. */
399 if (!ssh_decrypt_challenge(auth, bits, e, n, challenge,
400 session_id, 1, response))
402 /* The agent failed to authenticate this identifier although it
403 advertised it supports this. Just return a wrong value. */
404 log("Authentication agent failed to decrypt challenge.");
405 memset(response, 0, sizeof(response));
408 debug("Sending response to RSA challenge.");
410 /* Send the decrypted challenge back to the server. */
411 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
412 for (i = 0; i < 16; i++)
413 packet_put_char(response[i]);
417 /* Wait for response from the server. */
418 type = packet_read(&plen);
420 /* The server returns success if it accepted the authentication. */
421 if (type == SSH_SMSG_SUCCESS)
423 debug("RSA authentication accepted by server.");
426 BN_clear_free(challenge);
430 /* Otherwise it should return failure. */
431 if (type != SSH_SMSG_FAILURE)
432 packet_disconnect("Protocol error waiting RSA auth response: %d",
438 BN_clear_free(challenge);
440 debug("RSA authentication using agent refused.");
444 /* Computes the proper response to a RSA challenge, and sends the response to
448 respond_to_rsa_challenge(BIGNUM *challenge, RSA *prv)
450 unsigned char buf[32], response[16];
454 /* Decrypt the challenge using the private key. */
455 rsa_private_decrypt(challenge, challenge, prv);
457 /* Compute the response. */
458 /* The response is MD5 of decrypted challenge plus session id. */
459 len = BN_num_bytes(challenge);
460 if (len <= 0 || len > sizeof(buf))
461 packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
464 memset(buf, 0, sizeof(buf));
465 BN_bn2bin(challenge, buf + sizeof(buf) - len);
467 MD5_Update(&md, buf, 32);
468 MD5_Update(&md, session_id, 16);
469 MD5_Final(response, &md);
471 debug("Sending response to host key RSA challenge.");
473 /* Send the response back to the server. */
474 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
475 for (i = 0; i < 16; i++)
476 packet_put_char(response[i]);
480 memset(buf, 0, sizeof(buf));
481 memset(response, 0, sizeof(response));
482 memset(&md, 0, sizeof(md));
485 /* Checks if the user has authentication file, and if so, tries to authenticate
486 the user using it. */
489 try_rsa_authentication(struct passwd *pw, const char *authfile,
490 int may_ask_passphrase)
495 char *passphrase, *comment;
499 /* Try to load identification for the authentication key. */
500 public_key = RSA_new();
501 if (!load_public_key(authfile, public_key, &comment)) {
502 RSA_free(public_key);
503 return 0; /* Could not load it. Fail. */
506 debug("Trying RSA authentication with key '%.100s'", comment);
508 /* Tell the server that we are willing to authenticate using this key. */
509 packet_start(SSH_CMSG_AUTH_RSA);
510 packet_put_bignum(public_key->n);
514 /* We no longer need the public key. */
515 RSA_free(public_key);
517 /* Wait for server's response. */
518 type = packet_read(&plen);
520 /* The server responds with failure if it doesn\'t like our key or doesn\'t
521 support RSA authentication. */
522 if (type == SSH_SMSG_FAILURE)
524 debug("Server refused our key.");
526 return 0; /* Server refuses to authenticate with this key. */
529 /* Otherwise, the server should respond with a challenge. */
530 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
531 packet_disconnect("Protocol error during RSA authentication: %d", type);
533 /* Get the challenge from the packet. */
534 challenge = BN_new();
535 packet_get_bignum(challenge, &clen);
537 packet_integrity_check(plen, clen, type);
539 debug("Received RSA challenge from server.");
541 private_key = RSA_new();
542 /* Load the private key. Try first with empty passphrase; if it fails,
543 ask for a passphrase. */
544 if (!load_private_key(authfile, "", private_key, NULL))
547 /* Request passphrase from the user. We read from /dev/tty to make
548 this work even if stdin has been redirected. If running in
549 batch mode, we just use the empty passphrase, which will fail and
551 snprintf(buf, sizeof buf,
552 "Enter passphrase for RSA key '%.100s': ", comment);
553 if (may_ask_passphrase)
554 passphrase = read_passphrase(buf, 0);
557 debug("Will not query passphrase for %.100s in batch mode.",
559 passphrase = xstrdup("");
562 /* Load the authentication file using the pasphrase. */
563 if (!load_private_key(authfile, passphrase, private_key, NULL))
565 memset(passphrase, 0, strlen(passphrase));
567 error("Bad passphrase.");
569 /* Send a dummy response packet to avoid protocol error. */
570 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
571 for (i = 0; i < 16; i++)
576 /* Expect the server to reject it... */
577 packet_read_expect(&plen, SSH_SMSG_FAILURE);
582 /* Destroy the passphrase. */
583 memset(passphrase, 0, strlen(passphrase));
587 /* We no longer need the comment. */
590 /* Compute and send a response to the challenge. */
591 respond_to_rsa_challenge(challenge, private_key);
593 /* Destroy the private key. */
594 RSA_free(private_key);
596 /* We no longer need the challenge. */
597 BN_clear_free(challenge);
599 /* Wait for response from the server. */
600 type = packet_read(&plen);
601 if (type == SSH_SMSG_SUCCESS)
603 debug("RSA authentication accepted by server.");
606 if (type != SSH_SMSG_FAILURE)
607 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
608 debug("RSA authentication refused.");
612 /* Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
613 authentication and RSA host authentication. */
616 try_rhosts_rsa_authentication(const char *local_user, RSA *host_key)
622 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
624 /* Tell the server that we are willing to authenticate using this key. */
625 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
626 packet_put_string(local_user, strlen(local_user));
627 packet_put_int(BN_num_bits(host_key->n));
628 packet_put_bignum(host_key->e);
629 packet_put_bignum(host_key->n);
633 /* Wait for server's response. */
634 type = packet_read(&plen);
636 /* The server responds with failure if it doesn't admit our .rhosts
637 authentication or doesn't know our host key. */
638 if (type == SSH_SMSG_FAILURE)
640 debug("Server refused our rhosts authentication or host key.");
641 return 0; /* Server refuses to authenticate us with this method. */
644 /* Otherwise, the server should respond with a challenge. */
645 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
646 packet_disconnect("Protocol error during RSA authentication: %d", type);
648 /* Get the challenge from the packet. */
649 challenge = BN_new();
650 packet_get_bignum(challenge, &clen);
652 packet_integrity_check(plen, clen, type);
654 debug("Received RSA challenge for host key from server.");
656 /* Compute a response to the challenge. */
657 respond_to_rsa_challenge(challenge, host_key);
659 /* We no longer need the challenge. */
660 BN_clear_free(challenge);
662 /* Wait for response from the server. */
663 type = packet_read(&plen);
664 if (type == SSH_SMSG_SUCCESS)
666 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
669 if (type != SSH_SMSG_FAILURE)
670 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
671 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
676 int try_kerberos_authentication()
678 KTEXT_ST auth; /* Kerberos data */
684 Key_schedule schedule;
685 u_long checksum, cksum;
687 struct sockaddr_in local, foreign;
690 /* Don't do anything if we don't have any tickets. */
691 if (stat(tkt_string(), &st) < 0) return 0;
693 strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ);
695 realm = (char *)krb_realmofhost(get_canonical_hostname());
697 debug("Kerberos V4: no realm for %s", get_canonical_hostname());
700 /* This can really be anything. */
701 checksum = (u_long) getpid();
703 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
705 debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]);
708 /* Get session key to decrypt the server's reply with. */
709 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
711 debug("get_cred failed: %s", krb_err_txt[r]);
714 des_key_sched((des_cblock *)cred.session, schedule);
716 /* Send authentication info to server. */
717 packet_start(SSH_CMSG_AUTH_KERBEROS);
718 packet_put_string((char *)auth.dat, auth.length);
722 /* Zero the buffer. */
723 (void) memset(auth.dat, 0, MAX_KTXT_LEN);
726 memset(&local, 0, sizeof(local));
727 if (getsockname(packet_get_connection_in(),
728 (struct sockaddr *) &local, &r) < 0)
729 debug("getsockname failed: %s", strerror(errno));
732 memset(&foreign, 0, sizeof(foreign));
733 if (getpeername(packet_get_connection_in(),
734 (struct sockaddr *)&foreign, &r) < 0)
735 debug("getpeername failed: %s", strerror(errno));
737 /* Get server reply. */
738 type = packet_read(&plen);
741 case SSH_SMSG_FAILURE: /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
742 debug("Kerberos V4 authentication failed.");
746 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
747 debug("Kerberos V4 authentication accepted.");
749 /* Get server's response. */
750 reply = packet_get_string((unsigned int *)&auth.length);
751 memcpy(auth.dat, reply, auth.length);
754 packet_integrity_check(plen, 4 + auth.length, type);
756 /* If his response isn't properly encrypted with the session key,
757 and the decrypted checksum fails to match, he's bogus. Bail out. */
758 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
759 &foreign, &local, &msg_data);
761 debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]);
762 packet_disconnect("Kerberos V4 challenge failed!");
764 /* Fetch the (incremented) checksum that we supplied in the request. */
765 (void)memcpy((char *)&cksum, (char *)msg_data.app_data, sizeof(cksum));
766 cksum = ntohl(cksum);
768 /* If it matches, we're golden. */
769 if (cksum == checksum + 1) {
770 debug("Kerberos V4 challenge successful.");
774 packet_disconnect("Kerberos V4 challenge failed!");
778 packet_disconnect("Protocol error on Kerberos V4 response: %d", type);
785 int send_kerberos_tgt()
788 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
790 unsigned char buffer[8192];
793 /* Don't do anything if we don't have any tickets. */
794 if (stat(tkt_string(), &st) < 0) return 0;
796 creds = xmalloc(sizeof(*creds));
798 if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) {
799 debug("Kerberos V4 tf_fullname failed: %s",krb_err_txt[r]);
802 if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) {
803 debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]);
806 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
807 debug("Kerberos V4 ticket expired: %s", TKT_FILE);
811 creds_to_radix(creds, buffer);
814 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
815 packet_put_string((char *)buffer, strlen(buffer));
819 type = packet_read(&plen);
821 if (type == SSH_SMSG_FAILURE)
822 debug("Kerberos TGT for realm %s rejected.", prealm);
823 else if (type != SSH_SMSG_SUCCESS)
824 packet_disconnect("Protocol error on Kerberos TGT response: %d", type);
829 void send_afs_tokens(void)
832 struct ViceIoctl parms;
833 struct ClearToken ct;
834 int i, type, len, plen;
835 char buf[2048], *p, *server_cell;
836 unsigned char buffer[8192];
838 /* Move over ktc_GetToken, here's something leaner. */
839 for (i = 0; i < 100; i++) { /* just in case */
840 parms.in = (char *)&i;
841 parms.in_size = sizeof(i);
843 parms.out_size = sizeof(buf);
844 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) break;
847 /* Get secret token. */
848 memcpy(&creds.ticket_st.length, p, sizeof(unsigned int));
849 if (creds.ticket_st.length > MAX_KTXT_LEN) break;
850 p += sizeof(unsigned int);
851 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
852 p += creds.ticket_st.length;
854 /* Get clear token. */
855 memcpy(&len, p, sizeof(len));
856 if (len != sizeof(struct ClearToken)) break;
860 p += sizeof(len); /* primary flag */
863 /* Flesh out our credentials. */
864 strlcpy(creds.service, "afs", sizeof creds.service);
865 creds.instance[0] = '\0';
866 strlcpy(creds.realm, server_cell, REALM_SZ);
867 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
868 creds.issue_date = ct.BeginTimestamp;
869 creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp);
870 creds.kvno = ct.AuthHandle;
871 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
872 creds.pinst[0] = '\0';
874 /* Encode token, ship it off. */
875 if (!creds_to_radix(&creds, buffer)) break;
876 packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
877 packet_put_string((char *)buffer, strlen(buffer));
881 /* Roger, Roger. Clearance, Clarence. What's your vector, Victor? */
882 type = packet_read(&plen);
884 if (type == SSH_SMSG_FAILURE)
885 debug("AFS token for cell %s rejected.", server_cell);
886 else if (type != SSH_SMSG_SUCCESS)
887 packet_disconnect("Protocol error on AFS token response: %d", type);
892 /* Waits for the server identification string, and sends our own identification
895 void ssh_exchange_identification()
897 char buf[256], remote_version[256]; /* must be same size! */
898 int remote_major, remote_minor, i;
899 int connection_in = packet_get_connection_in();
900 int connection_out = packet_get_connection_out();
901 extern Options options;
903 /* Read other side\'s version identification. */
904 for (i = 0; i < sizeof(buf) - 1; i++)
906 if (read(connection_in, &buf[i], 1) != 1)
907 fatal("read: %.100s", strerror(errno));
920 buf[sizeof(buf) - 1] = 0;
922 /* Check that the versions match. In future this might accept several
923 versions and set appropriate flags to handle them. */
924 if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor,
925 remote_version) != 3)
926 fatal("Bad remote protocol version identification: '%.100s'", buf);
927 debug("Remote protocol version %d.%d, remote software version %.100s",
928 remote_major, remote_minor, remote_version);
930 /* Check if the remote protocol version is too old. */
931 if (remote_major == 1 && remote_minor < 3)
932 fatal("Remote machine has too old SSH software version.");
934 /* We speak 1.3, too. */
935 if (remote_major == 1 && remote_minor == 3) {
937 if (options.forward_agent && strcmp(remote_version, SSH_VERSION) != 0) {
938 log("Agent forwarding disabled, remote version '%s' is not compatible.",
940 options.forward_agent = 0;
944 /* Removed for now, to permit compatibility with latter versions. The server
945 will reject our version and disconnect if it doesn't support it. */
946 if (remote_major != PROTOCOL_MAJOR)
947 fatal("Protocol major versions differ: %d vs. %d",
948 PROTOCOL_MAJOR, remote_major);
951 /* Send our own protocol version identification. */
952 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
953 PROTOCOL_MAJOR, PROTOCOL_MINOR, SSH_VERSION);
954 if (write(connection_out, buf, strlen(buf)) != strlen(buf))
955 fatal("write: %.100s", strerror(errno));
958 int ssh_cipher_default = SSH_CIPHER_3DES;
960 int read_yes_or_no(const char *prompt, int defval)
969 f = fopen("/dev/tty", "rw");
978 fprintf(stderr, "%s", prompt);
979 if (fgets(buf, sizeof(buf), f) == NULL)
981 /* Print a newline (the prompt probably didn\'t have one). */
982 fprintf(stderr, "\n");
983 strlcpy(buf, "no", sizeof buf);
985 /* Remove newline from response. */
986 if (strchr(buf, '\n'))
987 *strchr(buf, '\n') = 0;
991 if (strcmp(buf, "yes") == 0)
993 if (strcmp(buf, "no") == 0)
1005 /* Starts a dialog with the server, and authenticates the current user on the
1006 server. This does not need any extra privileges. The basic connection
1007 to the server must already have been established before this is called.
1008 User is the remote user; if it is NULL, the current local user name will
1009 be used. Anonymous indicates that no rhosts authentication will be used.
1010 If login fails, this function prints an error and never returns.
1011 This function does not require super-user privileges. */
1013 void ssh_login(int host_key_valid,
1015 const char *orighost,
1016 struct sockaddr_in *hostaddr,
1017 Options *options, uid_t original_real_uid)
1023 RSA *host_key, *file_key;
1025 unsigned char session_key[SSH_SESSION_KEY_LENGTH];
1026 const char *server_user, *local_user;
1027 char *cp, *host, *ip = NULL;
1028 unsigned char check_bytes[8];
1029 unsigned int supported_ciphers, supported_authentications, protocol_flags;
1030 HostStatus host_status;
1031 HostStatus ip_status;
1032 int host_ip_differ = 0;
1033 int local = (ntohl(hostaddr->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
1034 int payload_len, clen, sum_len = 0;
1037 if (options->check_host_ip)
1038 ip = xstrdup(inet_ntoa(hostaddr->sin_addr));
1040 /* Convert the user-supplied hostname into all lowercase. */
1041 host = xstrdup(orighost);
1042 for (cp = host; *cp; cp++)
1046 /* Exchange protocol version identification strings with the server. */
1047 ssh_exchange_identification();
1049 /* Put the connection into non-blocking mode. */
1050 packet_set_nonblocking();
1052 /* Get local user name. Use it as server user if no user name
1054 pw = getpwuid(original_real_uid);
1056 fatal("User id %d not found from user database.", original_real_uid);
1057 local_user = xstrdup(pw->pw_name);
1058 server_user = options->user ? options->user : local_user;
1060 debug("Waiting for server public key.");
1062 /* Wait for a public key packet from the server. */
1063 packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
1065 /* Get check bytes from the packet. */
1066 for (i = 0; i < 8; i++)
1067 check_bytes[i] = packet_get_char();
1069 /* Get the public key. */
1070 public_key = RSA_new();
1071 packet_get_int(); /* bits */
1072 public_key->e = BN_new();
1073 packet_get_bignum(public_key->e, &clen);
1075 public_key->n = BN_new();
1076 packet_get_bignum(public_key->n, &clen);
1079 /* Get the host key. */
1080 host_key = RSA_new();
1081 packet_get_int(); /* bits */
1082 host_key->e = BN_new();
1083 packet_get_bignum(host_key->e, &clen);
1085 host_key->n = BN_new();
1086 packet_get_bignum(host_key->n, &clen);
1089 /* Store the host key from the known host file in here
1090 * so that we can compare it with the key for the IP
1092 file_key = RSA_new();
1093 file_key->n = BN_new();
1094 file_key->e = BN_new();
1096 /* Get protocol flags. */
1097 protocol_flags = packet_get_int();
1098 packet_set_protocol_flags(protocol_flags);
1100 /* Get supported cipher types. */
1101 supported_ciphers = packet_get_int();
1103 /* Get supported authentication types. */
1104 supported_authentications = packet_get_int();
1106 debug("Received server public key (%d bits) and host key (%d bits).",
1107 BN_num_bits(public_key->n), BN_num_bits(host_key->n));
1109 packet_integrity_check(payload_len,
1110 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
1111 SSH_SMSG_PUBLIC_KEY);
1113 /* Compute the session id. */
1114 compute_session_id(session_id, check_bytes,
1115 BN_num_bits(host_key->n), host_key->n,
1116 BN_num_bits(public_key->n), public_key->n);
1118 /* Check if the host key is present in the user\'s list of known hosts
1119 or in the systemwide list. */
1120 host_status = check_host_in_hostfile(options->user_hostfile,
1121 host, BN_num_bits(host_key->n),
1122 host_key->e, host_key->n,
1123 file_key->e, file_key->n);
1124 if (host_status == HOST_NEW)
1125 host_status = check_host_in_hostfile(options->system_hostfile, host,
1126 BN_num_bits(host_key->n),
1127 host_key->e, host_key->n,
1128 file_key->e, file_key->n);
1129 /* Force accepting of the host key for localhost and 127.0.0.1.
1130 The problem is that if the home directory is NFS-mounted to multiple
1131 machines, localhost will refer to a different machine in each of them,
1132 and the user will get bogus HOST_CHANGED warnings. This essentially
1133 disables host authentication for localhost; however, this is probably
1134 not a real problem. */
1136 debug("Forcing accepting of host key for localhost.");
1137 host_status = HOST_OK;
1140 /* Also perform check for the ip address, skip the check if we are
1141 localhost or the hostname was an ip address to begin with */
1142 if (options->check_host_ip && !local && strcmp(host, ip)) {
1143 RSA *ip_key = RSA_new();
1144 ip_key->n = BN_new();
1145 ip_key->e = BN_new();
1146 ip_status = check_host_in_hostfile(options->user_hostfile, ip,
1147 BN_num_bits(host_key->n),
1148 host_key->e, host_key->n,
1149 ip_key->e, ip_key->n);
1151 if (ip_status == HOST_NEW)
1152 ip_status = check_host_in_hostfile(options->system_hostfile, ip,
1153 BN_num_bits(host_key->n),
1154 host_key->e, host_key->n,
1155 ip_key->e, ip_key->n);
1156 if (host_status == HOST_CHANGED &&
1157 (ip_status != HOST_CHANGED ||
1158 (BN_cmp(ip_key->e, file_key->e) || BN_cmp(ip_key->n, file_key->n))))
1163 ip_status = host_status;
1167 switch (host_status) {
1169 /* The host is known and the key matches. */
1170 debug("Host '%.200s' is known and matches the host key.", host);
1171 if (options->check_host_ip) {
1172 if (ip_status == HOST_NEW) {
1173 if (!add_host_to_hostfile(options->user_hostfile, ip,
1174 BN_num_bits(host_key->n),
1175 host_key->e, host_key->n))
1176 log("Failed to add the host ip to the list of known hosts (%.30s).",
1177 options->user_hostfile);
1179 log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip);
1180 } else if (ip_status != HOST_OK)
1181 log("Warning: the host key differ from the key of the ip address '%.30s' differs", ip);
1187 char hostline[1000], *hostp = hostline;
1188 /* The host is new. */
1189 if (options->strict_host_key_checking == 1) {
1190 /* User has requested strict host key checking. We will not
1191 add the host key automatically. The only alternative left
1193 fatal("No host key is known for %.200s and you have requested strict checking.", host);
1194 } else if (options->strict_host_key_checking == 2) { /* The default */
1196 snprintf(prompt, sizeof(prompt),
1197 "The authenticity of host '%.200s' can't be established.\n"
1198 "Are you sure you want to continue connecting (yes/no)? ",
1200 if (!read_yes_or_no(prompt, -1))
1201 fatal("Aborted by user!\n");
1204 if (options->check_host_ip && ip_status == HOST_NEW && strcmp(host, ip))
1205 snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
1209 /* If not in strict mode, add the key automatically to the local
1210 known_hosts file. */
1211 if (!add_host_to_hostfile(options->user_hostfile, hostp,
1212 BN_num_bits(host_key->n),
1213 host_key->e, host_key->n))
1214 log("Failed to add the host to the list of known hosts (%.500s).",
1215 options->user_hostfile);
1217 log("Warning: Permanently added '%.200s' to the list of known hosts.",
1222 if (options->check_host_ip) {
1223 if (host_ip_differ) {
1224 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1225 error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
1226 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1227 error("The host key for %s has changed,", host);
1228 error("but the key for the according IP address %s has", ip);
1229 error("a different status. This could either mean that DNS");
1230 error("SPOOFING is happening or the IP address for the host");
1231 error("and its host key have changed at the same time");
1235 /* The host key has changed. */
1236 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1237 error("@ WARNING: HOST IDENTIFICATION HAS CHANGED! @");
1238 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1239 error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1240 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1241 error("It is also possible that the host key has just been changed.");
1242 error("Please contact your system administrator.");
1243 error("Add correct host key in %.100s to get rid of this message.",
1244 options->user_hostfile);
1246 /* If strict host key checking is in use, the user will have to edit
1247 the key manually and we can only abort. */
1248 if (options->strict_host_key_checking)
1249 fatal("Host key for %.200s has changed and you have requested strict checking.", host);
1251 /* If strict host key checking has not been requested, allow the
1252 connection but without password authentication or
1253 agent forwarding. */
1254 if (options->password_authentication) {
1255 error("Password authentication is disabled to avoid trojan horses.");
1256 options->password_authentication = 0;
1258 if (options->forward_agent) {
1259 error("Agent forwarding is disabled to avoid trojan horses.");
1260 options->forward_agent = 0;
1262 /* XXX Should permit the user to change to use the new id. This could
1263 be done by converting the host key to an identifying sentence, tell
1264 that the host identifies itself by that sentence, and ask the user
1265 if he/she whishes to accept the authentication. */
1269 if (options->check_host_ip)
1272 /* Generate a session key. */
1275 /* Generate an encryption key for the session. The key is a 256 bit
1276 random number, interpreted as a 32-byte key, with the least significant
1277 8 bits being the first byte of the key. */
1278 for (i = 0; i < 32; i++) {
1280 rand = arc4random();
1281 session_key[i] = rand & 0xff;
1285 /* According to the protocol spec, the first byte of the session key is
1286 the highest byte of the integer. The session key is xored with the
1287 first 16 bytes of the session id. */
1289 BN_set_word(key, 0);
1290 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++)
1292 BN_lshift(key, key, 8);
1294 BN_add_word(key, session_key[i] ^ session_id[i]);
1296 BN_add_word(key, session_key[i]);
1299 /* Encrypt the integer using the public key and host key of the server
1300 (key with smaller modulus first). */
1301 if (BN_cmp(public_key->n, host_key->n) < 0)
1303 /* Public key has smaller modulus. */
1304 if (BN_num_bits(host_key->n) <
1305 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
1306 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
1307 "SSH_KEY_BITS_RESERVED %d",
1308 BN_num_bits(host_key->n),
1309 BN_num_bits(public_key->n),
1310 SSH_KEY_BITS_RESERVED);
1313 rsa_public_encrypt(key, key, public_key);
1314 rsa_public_encrypt(key, key, host_key);
1318 /* Host key has smaller modulus (or they are equal). */
1319 if (BN_num_bits(public_key->n) <
1320 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
1321 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
1322 "SSH_KEY_BITS_RESERVED %d",
1323 BN_num_bits(public_key->n),
1324 BN_num_bits(host_key->n),
1325 SSH_KEY_BITS_RESERVED);
1328 rsa_public_encrypt(key, key, host_key);
1329 rsa_public_encrypt(key, key, public_key);
1332 if (options->cipher == SSH_CIPHER_NOT_SET) {
1333 if (cipher_mask() & supported_ciphers & (1 << ssh_cipher_default))
1334 options->cipher = ssh_cipher_default;
1336 debug("Cipher %d not supported, using %.100s instead.",
1337 cipher_name(ssh_cipher_default),
1338 cipher_name(SSH_FALLBACK_CIPHER));
1339 options->cipher = SSH_FALLBACK_CIPHER;
1343 /* Check that the selected cipher is supported. */
1344 if (!(supported_ciphers & (1 << options->cipher)))
1345 fatal("Selected cipher type %.100s not supported by server.",
1346 cipher_name(options->cipher));
1348 debug("Encryption type: %.100s", cipher_name(options->cipher));
1350 /* Send the encrypted session key to the server. */
1351 packet_start(SSH_CMSG_SESSION_KEY);
1352 packet_put_char(options->cipher);
1354 /* Send the check bytes back to the server. */
1355 for (i = 0; i < 8; i++)
1356 packet_put_char(check_bytes[i]);
1358 /* Send the encrypted encryption key. */
1359 packet_put_bignum(key);
1361 /* Send protocol flags. */
1362 packet_put_int(SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
1364 /* Send the packet now. */
1366 packet_write_wait();
1368 /* Destroy the session key integer and the public keys since we no longer
1371 RSA_free(public_key);
1374 debug("Sent encrypted session key.");
1376 /* Set the encryption key. */
1377 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH,
1378 options->cipher, 1);
1380 /* We will no longer need the session key here. Destroy any extra copies. */
1381 memset(session_key, 0, sizeof(session_key));
1383 /* Expect a success message from the server. Note that this message will
1384 be received in encrypted form. */
1385 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1387 debug("Received encrypted confirmation.");
1389 /* Send the name of the user to log in as on the server. */
1390 packet_start(SSH_CMSG_USER);
1391 packet_put_string(server_user, strlen(server_user));
1393 packet_write_wait();
1395 /* The server should respond with success if no authentication is needed
1396 (the user has no password). Otherwise the server responds with
1398 type = packet_read(&payload_len);
1399 if (type == SSH_SMSG_SUCCESS)
1400 return; /* Connection was accepted without authentication. */
1401 if (type != SSH_SMSG_FAILURE)
1402 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
1406 /* Try Kerberos tgt passing if the server supports it. */
1407 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
1408 options->kerberos_tgt_passing)
1410 if (options->cipher == SSH_CIPHER_NONE)
1411 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
1412 (void)send_kerberos_tgt();
1415 /* Try AFS token passing if the server supports it. */
1416 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
1417 options->afs_token_passing && k_hasafs()) {
1418 if (options->cipher == SSH_CIPHER_NONE)
1419 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
1425 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1426 options->kerberos_authentication)
1428 debug("Trying Kerberos authentication.");
1429 if (try_kerberos_authentication()) {
1430 /* The server should respond with success or failure. */
1431 type = packet_read(&payload_len);
1432 if (type == SSH_SMSG_SUCCESS)
1433 return; /* Successful connection. */
1434 if (type != SSH_SMSG_FAILURE)
1435 packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
1440 /* Use rhosts authentication if running in privileged socket and we do not
1441 wish to remain anonymous. */
1442 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
1443 options->rhosts_authentication)
1445 debug("Trying rhosts authentication.");
1446 packet_start(SSH_CMSG_AUTH_RHOSTS);
1447 packet_put_string(local_user, strlen(local_user));
1449 packet_write_wait();
1451 /* The server should respond with success or failure. */
1452 type = packet_read(&payload_len);
1453 if (type == SSH_SMSG_SUCCESS)
1454 return; /* Successful connection. */
1455 if (type != SSH_SMSG_FAILURE)
1456 packet_disconnect("Protocol error: got %d in response to rhosts auth",
1460 /* Try .rhosts or /etc/hosts.equiv authentication with RSA host
1462 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
1463 options->rhosts_rsa_authentication && host_key_valid)
1465 if (try_rhosts_rsa_authentication(local_user, own_host_key))
1466 return; /* Successful authentication. */
1469 /* Try RSA authentication if the server supports it. */
1470 if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
1471 options->rsa_authentication)
1473 /* Try RSA authentication using the authentication agent. The agent
1474 is tried first because no passphrase is needed for it, whereas
1475 identity files may require passphrases. */
1476 if (try_agent_authentication())
1477 return; /* Successful connection. */
1479 /* Try RSA authentication for each identity. */
1480 for (i = 0; i < options->num_identity_files; i++)
1481 if (try_rsa_authentication(pw, options->identity_files[i],
1482 !options->batch_mode))
1483 return; /* Successful connection. */
1486 /* Try password authentication if the server supports it. */
1487 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
1488 options->password_authentication && !options->batch_mode)
1491 snprintf(prompt, sizeof(prompt), "%.30s@%.30s's password: ",
1493 debug("Doing password authentication.");
1494 if (options->cipher == SSH_CIPHER_NONE)
1495 log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
1496 for (i = 0; i < options->number_of_password_prompts; i++) {
1498 error("Permission denied, please try again.");
1499 password = read_passphrase(prompt, 0);
1500 packet_start(SSH_CMSG_AUTH_PASSWORD);
1501 packet_put_string(password, strlen(password));
1502 memset(password, 0, strlen(password));
1505 packet_write_wait();
1507 type = packet_read(&payload_len);
1508 if (type == SSH_SMSG_SUCCESS)
1509 return; /* Successful connection. */
1510 if (type != SSH_SMSG_FAILURE)
1511 packet_disconnect("Protocol error: got %d in response to passwd auth", type);
1515 /* All authentication methods have failed. Exit with an error message. */
1516 fatal("Permission denied.");