*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.68 2001/04/12 19:15:25 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.81 2001/07/23 09:06:28 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
#include "key.h"
#include "sshconnect.h"
#include "authfile.h"
-#include "cli.h"
#include "dh.h"
#include "authfd.h"
#include "log.h"
Kex *xxx_kex = NULL;
-int
-check_host_key_callback(Key *hostkey)
+static int
+verify_host_key_callback(Key *hostkey)
{
- check_host_key(xxx_host, xxx_hostaddr, hostkey,
- options.user_hostfile2, options.system_hostfile2);
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
+ fatal("verify_host_key failed");
return 0;
}
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
}
+ if (options.hostkeyalgorithms != NULL)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ options.hostkeyalgorithms;
/* start key exchange */
kex = kex_setup(myproposal);
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
- kex->check_host_key=&check_host_key_callback;
+ kex->verify_host_key=&verify_host_key_callback;
xxx_kex = kex;
void userauth(Authctxt *authctxt, char *authlist);
-int
-sign_and_send_pubkey(Authctxt *authctxt, Key *k,
- sign_cb_fn *sign_callback);
-void clear_auth_state(Authctxt *authctxt);
+static int sign_and_send_pubkey(Authctxt *, Key *, sign_cb_fn *);
+static void clear_auth_state(Authctxt *);
-Authmethod *authmethod_get(char *authlist);
-Authmethod *authmethod_lookup(const char *name);
-char *authmethods_get(void);
+static Authmethod *authmethod_get(char *authlist);
+static Authmethod *authmethod_lookup(const char *name);
+static char *authmethods_get(void);
Authmethod authmethods[] = {
+ {"hostbased",
+ userauth_hostbased,
+ &options.hostbased_authentication,
+ NULL},
{"publickey",
userauth_pubkey,
&options.pubkey_authentication,
NULL},
- {"password",
- userauth_passwd,
- &options.password_authentication,
- &options.batch_mode},
{"keyboard-interactive",
userauth_kbdint,
&options.kbd_interactive_authentication,
&options.batch_mode},
- {"hostbased",
- userauth_hostbased,
- &options.hostbased_authentication,
- NULL},
+ {"password",
+ userauth_passwd,
+ &options.password_authentication,
+ &options.batch_mode},
{"none",
userauth_none,
NULL,
int type;
int plen;
- if (options.challenge_reponse_authentication)
+ if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
debug("send SSH2_MSG_SERVICE_REQUEST");
Authctxt *authctxt = ctxt;
Key *key = NULL;
Buffer b;
- int alen, blen, pktype, sent = 0;
+ int alen, blen, sent = 0;
char *pkalg, *pkblob, *fp;
if (authctxt == NULL)
debug("no last key or no sign cb");
break;
}
- if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
+ if (key_type_from_name(pkalg) == KEY_UNSPEC) {
debug("unknown pkalg %s", pkalg);
break;
}
return 1;
}
-void
+static void
clear_auth_state(Authctxt *authctxt)
{
/* XXX clear authentication state */
authctxt->last_key_sign = NULL;
}
-int
+static int
sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
{
Buffer b;
return 1;
}
-int
+static int
send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback,
int hint)
{
return 1;
}
-Key *
+static Key *
load_identity_file(char *filename)
{
Key *private;
return private;
}
-int
+static int
identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
u_char *data, int datalen)
{
idx = authctxt->last_key_hint;
if (idx < 0)
return -1;
+
+ /* private key is stored in external hardware */
+ if (options.identity_keys[idx]->flags & KEY_FLAG_EXT)
+ return key_sign(options.identity_keys[idx], sigp, lenp, data, datalen);
+
private = load_identity_file(options.identity_files[idx]);
if (private == NULL)
return -1;
return ret;
}
-int agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+static int
+agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
u_char *data, int datalen)
{
return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen);
}
-int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+static int
+key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
u_char *data, int datalen)
{
return key_sign(key, sigp, lenp, data, datalen);
}
-int
+static int
userauth_pubkey_agent(Authctxt *authctxt)
{
static int called = 0;
inst = packet_get_string(NULL);
lang = packet_get_string(NULL);
if (strlen(name) > 0)
- cli_mesg(name);
+ log("%s", name);
if (strlen(inst) > 0)
- cli_mesg(inst);
+ log("%s", inst);
xfree(name);
xfree(inst);
xfree(lang);
packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
packet_put_int(num_prompts);
+ debug2("input_userauth_info_req: num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {
prompt = packet_get_string(NULL);
echo = packet_get_char();
- response = cli_prompt(prompt, echo);
+ response = read_passphrase(prompt, echo ? RP_ECHO : 0);
packet_put_cstring(response);
memset(response, 0, strlen(response));
Buffer b;
u_char *signature, *blob;
char *chost, *pkalg, *p;
+ const char *service;
u_int blen, slen;
- int ok, i, found = 0;
+ int ok, i, len, found = 0;
p = get_local_name(packet_get_connection_in());
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
return 0;
}
- chost = xstrdup(p);
+ len = strlen(p) + 2;
+ chost = xmalloc(len);
+ strlcpy(chost, p, len);
+ strlcat(chost, ".", len);
debug2("userauth_hostbased: chost %s", chost);
/* check for a useful key */
for (i = 0; i < authctxt->nkeys; i++) {
xfree(chost);
return 0;
}
+ service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ authctxt->service;
pkalg = xstrdup(key_ssh_name(private));
buffer_init(&b);
- if (datafellows & SSH_OLD_SESSIONID) {
- buffer_append(&b, session_id2, session_id2_len);
- } else {
- buffer_put_string(&b, session_id2, session_id2_len);
- }
/* construct data */
+ buffer_put_string(&b, session_id2, session_id2_len);
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, authctxt->server_user);
- buffer_put_cstring(&b,
- datafellows & SSH_BUG_HBSERVICE ?
- "ssh-userauth" :
- authctxt->service);
+ buffer_put_cstring(&b, service);
buffer_put_cstring(&b, authctxt->method->name);
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, blob, blen);
* given auth method name, if configurable options permit this method fill
* in auth_ident field and return true, otherwise return false.
*/
-int
+static int
authmethod_is_enabled(Authmethod *method)
{
if (method == NULL)
return 1;
}
-Authmethod *
+static Authmethod *
authmethod_lookup(const char *name)
{
Authmethod *method = NULL;
* next method we should try. If the server initially sends a nil list,
* use a built-in default list.
*/
-Authmethod *
+static Authmethod *
authmethod_get(char *authlist)
{
#define DELIM ","
-char *
+
+static char *
authmethods_get(void)
{
Authmethod *method = NULL;
andersk / openssh.git / blobdiff