+/* $OpenBSD: sshconnect2.c,v 1.169 2008/11/01 04:50:08 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
#include "includes.h"
#include <sys/types.h>
+#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/stat.h>
+#include <errno.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+#include <vis.h>
+#endif
+
#include "openbsd-compat/sys-queue.h"
+#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
-#include "xmalloc.h"
#include "buffer.h"
#include "packet.h"
#include "compat.h"
-#include "bufaux.h"
#include "cipher.h"
+#include "key.h"
#include "kex.h"
#include "myproposal.h"
#include "sshconnect.h"
#include "canohost.h"
#include "msg.h"
#include "pathnames.h"
+#include "uidswap.h"
#ifdef GSSAPI
#include "ssh-gss.h"
options.hostkeyalgorithms;
if (options.rekey_limit)
- packet_set_rekey_limit(options.rekey_limit);
+ packet_set_rekey_limit((u_int32_t)options.rekey_limit);
/* start key exchange */
kex = kex_setup(myproposal);
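Review bot: The added `(u_int32_t)` cast on the packet_set_rekey_limit() call silently truncates options.rekey_limit, so a configured limit of 4 GiB or more wraps to a small value (exactly 4 GiB wraps to 0) unless the config parser already rejects such values. I cannot see readconf from here; either confirm it bounds RekeyLimit to the 32-bit range, or refuse it at this call site, e.g. `if (options.rekey_limit > UINT32_MAX) fatal("RekeyLimit too large");` (use `UINT_MAX` if that is the project's spelling). If packet.c treats 0 as "no limit", the wrap would quietly disable rekeying, the opposite of what the user configured. The enclosing function starts and ends outside this hunk.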
int userauth_passwd(Authctxt *);
int userauth_kbdint(Authctxt *);
int userauth_hostbased(Authctxt *);
-int userauth_kerberos(Authctxt *);
#ifdef GSSAPI
int userauth_gssapi(Authctxt *authctxt);
}
}
+/* ARGSUSED */
void
input_userauth_error(int type, u_int32_t seq, void *ctxt)
{
"type %d", type);
}
+/* ARGSUSED */
void
input_userauth_banner(int type, u_int32_t seq, void *ctxt)
{
- char *msg, *lang;
+ char *msg, *raw, *lang;
+ u_int len;
debug3("input_userauth_banner");
- msg = packet_get_string(NULL);
+ raw = packet_get_string(&len);
lang = packet_get_string(NULL);
- if (options.log_level > SYSLOG_LEVEL_QUIET)
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ if (len > 65536)
+ len = 65536;
+ msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
fprintf(stderr, "%s", msg);
- xfree(msg);
+ xfree(msg);
+ }
+ xfree(raw);
xfree(lang);
}
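Review bot: `strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL)` assumes the OpenBSD argument order (dst, src, dstsize, flags); libcs whose native strnvis takes the destination size as the second argument (NetBSD-style) would get the arguments crossed, and the `<vis.h>` include at the top of this diff is only taken when both HAVE_STRNVIS and HAVE_VIS_H are set, so confirm configure shims or rejects such a strnvis rather than linking against it. The 65536 cap and the `len * 4 + 1` sizing do bound the output buffer, but the trade-off deserves a comment since it is deliberate: `/* Banner is untrusted server data: escape anything that could drive the terminal; as a side effect non-ASCII (UTF-8) text is shown as octal escapes. */`. Also, VIS_OCTAL without VIS_NOSLASH doubles literal backslashes in the banner; cosmetic, but a one-flag change if unwanted.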
+/* ARGSUSED */
void
input_userauth_success(int type, u_int32_t seq, void *ctxt)
{
authctxt->success = 1; /* break out */
}
+/* ARGSUSED */
void
input_userauth_failure(int type, u_int32_t seq, void *ctxt)
{
userauth(authctxt, authlist);
}
+
+/* ARGSUSED */
void
input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
{
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
- if (gssctxt)
- ssh_gssapi_delete_ctx(&gssctxt);
- ssh_gssapi_build_ctx(&gssctxt);
- ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]);
-
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
- !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
- authctxt->host))) {
+ ssh_gssapi_check_mechanism(&gssctxt,
+ &gss_supported->elements[mech], authctxt->host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
}
}
- if (!ok) {
- ssh_gssapi_delete_ctx(&gssctxt);
+ if (!ok)
return 0;
- }
authctxt->methoddata=(void *)gssctxt;
return status;
}
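Review bot: The loop no longer deletes and rebuilds gssctxt itself, and the `if (!ok)` path no longer calls ssh_gssapi_delete_ctx(), so ownership of `gssctxt` across iterations now rests entirely on ssh_gssapi_check_mechanism(): if it can return false while leaving a built context in `*ctx`, a rejected mechanism leaks that context into the next iteration and, when every mechanism fails, past `return 0`. I cannot see the helper from here, so either confirm it frees and NULLs the context on every failure path, or make the contract explicit at the call: `/* ssh_gssapi_check_mechanism() owns gssctxt: builds it on success, frees it on failure */`. The function begins outside this hunk.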
+/* ARGSUSED */
void
input_gssapi_response(int type, u_int32_t plen, void *ctxt)
{
}
}
+/* ARGSUSED */
void
input_gssapi_token(int type, u_int32_t plen, void *ctxt)
{
}
}
+/* ARGSUSED */
void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
{
/* Server will be returning a failed packet after this one */
}
+/* ARGSUSED */
void
input_gssapi_error(int type, u_int32_t plen, void *ctxt)
{
return 1;
}
+
/*
* parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
*/
+/* ARGSUSED */
void
input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
{
{
Key *private;
char prompt[300], *passphrase;
- int quit, i;
+ int perm_ok, quit, i;
struct stat st;
if (stat(filename, &st) < 0) {
debug3("no such identity: %s", filename);
return NULL;
}
- private = key_load_private_type(KEY_UNSPEC, filename, "", NULL);
+ private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
+ if (!perm_ok)
+ return NULL;
if (private == NULL) {
if (options.batch_mode)
return NULL;
for (i = 0; i < options.number_of_password_prompts; i++) {
passphrase = read_passphrase(prompt, 0);
if (strcmp(passphrase, "") != 0) {
- private = key_load_private_type(KEY_UNSPEC, filename,
- passphrase, NULL);
+ private = key_load_private_type(KEY_UNSPEC,
+ filename, passphrase, NULL, NULL);
quit = 0;
} else {
debug2("no passphrase given, try next key");
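Review bot: `perm_ok` is declared without an initializer and tested immediately after the first key_load_private_type() call, so this relies on the callee storing to `*perm_ok` on every return path, including a failed open(); if any path returns NULL without the store, `if (!perm_ok)` reads an indeterminate value. I cannot see authfile from here; confirm that contract or initialise it, `int perm_ok = 1, quit, i;`, which keeps the pre-patch behaviour should the store ever be skipped. Rejecting on bad permissions before the passphrase loop is the right order (the user is not asked to unlock a world-readable key), and a one-line comment on the early return saying so would help the next reader. The function starts and ends outside this hunk.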
if (key && key->type == KEY_RSA1)
continue;
options.identity_keys[i] = NULL;
- id = xmalloc(sizeof(*id));
- memset(id, 0, sizeof(*id));
+ id = xcalloc(1, sizeof(*id));
id->key = key;
id->filename = xstrdup(options.identity_files[i]);
TAILQ_INSERT_TAIL(&files, id, next);
}
}
if (!found && !options.identities_only) {
- id = xmalloc(sizeof(*id));
- memset(id, 0, sizeof(*id));
+ id = xcalloc(1, sizeof(*id));
id->key = key;
id->filename = comment;
id->ac = ac;
return -1;
}
if (pid == 0) {
- seteuid(getuid());
- setuid(getuid());
+ permanently_drop_suid(getuid());
close(from[0]);
if (dup2(from[1], STDOUT_FILENO) < 0)
fatal("ssh_keysign: dup2: %s", strerror(errno));
Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
- char *chost, *pkalg, *p;
+ char *chost, *pkalg, *p, myname[NI_MAXHOST];
const char *service;
u_int blen, slen;
int ok, i, len, found = 0;
return 0;
}
/* figure out a name for the client host */
- p = get_local_name(packet_get_connection_in());
+ p = NULL;
+ if (packet_connection_is_on_socket())
+ p = get_local_name(packet_get_connection_in());
+ if (p == NULL) {
+ if (gethostname(myname, sizeof(myname)) == -1) {
+ verbose("userauth_hostbased: gethostname: %s",
+ strerror(errno));
+ } else
+ p = xstrdup(myname);
+ }
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
key_free(private);
return 0;
}
len = strlen(p) + 2;
- chost = xmalloc(len);
- strlcpy(chost, p, len);
- strlcat(chost, ".", len);
+ xasprintf(&chost, "%s.", p);
debug2("userauth_hostbased: chost %s", chost);
xfree(p);
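Review bot: `len = strlen(p) + 2;` is dead now that `xasprintf(&chost, "%s.", p)` sizes the buffer itself; drop it, and drop `len` from the declarations if nothing later in the function uses it (the function continues past this hunk). In the new gethostname() fallback, POSIX leaves it unspecified whether a name longer than the buffer is NUL-terminated, so terminate explicitly before the xstrdup: `myname[sizeof(myname) - 1] = '\0';`. It is also worth a comment that the name sent as chost is a client-supplied hint which, presumably, the server checks against its own lookup of the peer address, so a mismatching local hostname should fail the method rather than pass it — confirm against sshd.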