*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.25 2001/02/08 23:11:43 dugsong Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.36 2001/06/23 22:37:46 markus Exp $");
#include <openssl/bn.h>
#include <openssl/evp.h>
extern Options options;
extern char *__progname;
-void
-ssh1_put_password(char *password)
-{
- int size;
- char *padded;
-
- size = roundup(strlen(password), 32);
- padded = xmalloc(size);
- strlcpy(padded, password, size);
- packet_put_string(padded, size);
- memset(padded, 0, size);
- xfree(padded);
-}
-
/*
* Checks if the user has an authentication agent, and if so, tries to
* authenticate using the agent.
*/
-int
+static int
try_agent_authentication(void)
{
int type;
* Computes the proper response to a RSA challenge, and sends the response to
* the server.
*/
-void
+static void
respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
{
u_char buf[32], response[16];
* Checks if the user has authentication file, and if so, tries to authenticate
* the user using it.
*/
-int
+static int
try_rsa_authentication(const char *authfile)
{
BIGNUM *challenge;
- Key *public;
- Key *private;
- char *passphrase, *comment;
- int type, i;
- int plen, clen;
+ Key *public, *private;
+ char buf[300], *passphrase, *comment;
+ int i, type, quit, plen, clen;
/* Try to load identification for the authentication key. */
- public = key_new(KEY_RSA1);
- if (!load_public_key(authfile, public, &comment)) {
- key_free(public);
+ /* XXKEYLOAD */
+ public = key_load_public_type(KEY_RSA1, authfile, &comment);
+ if (public == NULL) {
/* Could not load it. Fail. */
return 0;
}
debug("Received RSA challenge from server.");
- private = key_new(KEY_RSA1);
/*
* Load the private key. Try first with empty passphrase; if it
* fails, ask for a passphrase.
*/
- if (!load_private_key(authfile, "", private, NULL)) {
- char buf[300];
- snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
- comment);
- if (!options.batch_mode)
+ private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
+ if (private == NULL && !options.batch_mode) {
+ snprintf(buf, sizeof(buf),
+ "Enter passphrase for RSA key '%.100s': ", comment);
+ for (i = 0; i < options.number_of_password_prompts; i++) {
passphrase = read_passphrase(buf, 0);
- else {
- debug("Will not query passphrase for %.100s in batch mode.",
- comment);
- passphrase = xstrdup("");
- }
-
- /* Load the authentication file using the pasphrase. */
- if (!load_private_key(authfile, passphrase, private, NULL)) {
+ if (strcmp(passphrase, "") != 0) {
+ private = key_load_private_type(KEY_RSA1,
+ authfile, passphrase, NULL);
+ quit = 0;
+ } else {
+ debug2("no passphrase given, try next key");
+ quit = 1;
+ }
memset(passphrase, 0, strlen(passphrase));
xfree(passphrase);
- error("Bad passphrase.");
-
- /* Send a dummy response packet to avoid protocol error. */
- packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
- for (i = 0; i < 16; i++)
- packet_put_char(0);
- packet_send();
- packet_write_wait();
-
- /* Expect the server to reject it... */
- packet_read_expect(&plen, SSH_SMSG_FAILURE);
- xfree(comment);
- key_free(private);
- BN_clear_free(challenge);
- return 0;
+ if (private != NULL || quit)
+ break;
+ debug2("bad passphrase given, try again...");
}
- /* Destroy the passphrase. */
- memset(passphrase, 0, strlen(passphrase));
- xfree(passphrase);
}
/* We no longer need the comment. */
xfree(comment);
+ if (private == NULL) {
+ if (!options.batch_mode)
+ error("Bad passphrase.");
+
+ /* Send a dummy response packet to avoid protocol error. */
+ packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+ for (i = 0; i < 16; i++)
+ packet_put_char(0);
+ packet_send();
+ packet_write_wait();
+
+ /* Expect the server to reject it... */
+ packet_read_expect(&plen, SSH_SMSG_FAILURE);
+ BN_clear_free(challenge);
+ return 0;
+ }
+
/* Compute and send a response to the challenge. */
respond_to_rsa_challenge(challenge, private->rsa);
* Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
* authentication and RSA host authentication.
*/
-int
-try_rhosts_rsa_authentication(const char *local_user, RSA * host_key)
+static int
+try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
{
int type;
BIGNUM *challenge;
/* Tell the server that we are willing to authenticate using this key. */
packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
- packet_put_string(local_user, strlen(local_user));
- packet_put_int(BN_num_bits(host_key->n));
- packet_put_bignum(host_key->e);
- packet_put_bignum(host_key->n);
+ packet_put_cstring(local_user);
+ packet_put_int(BN_num_bits(host_key->rsa->n));
+ packet_put_bignum(host_key->rsa->e);
+ packet_put_bignum(host_key->rsa->n);
packet_send();
packet_write_wait();
debug("Received RSA challenge for host key from server.");
/* Compute a response to the challenge. */
- respond_to_rsa_challenge(challenge, host_key);
+ respond_to_rsa_challenge(challenge, host_key->rsa);
/* We no longer need the challenge. */
BN_clear_free(challenge);
}
#ifdef KRB4
-int
+static int
try_kerberos_authentication(void)
{
KTEXT_ST auth; /* Kerberos data */
#endif /* KRB4 */
#ifdef AFS
-int
+static int
send_kerberos_tgt(void)
{
CREDENTIALS *creds;
xfree(creds);
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
- packet_put_string(buffer, strlen(buffer));
+ packet_put_cstring(buffer);
packet_send();
packet_write_wait();
return 1;
}
-void
+static void
send_afs_tokens(void)
{
CREDENTIALS creds;
if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0)
break;
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
- packet_put_string(buffer, strlen(buffer));
+ packet_put_cstring(buffer);
packet_send();
packet_write_wait();
* Tries to authenticate with any string-based challenge/response system.
* Note that the client code is not tied to s/key or TIS.
*/
-int
-try_challenge_reponse_authentication(void)
+static int
+try_challenge_response_authentication(void)
{
int type, i;
int payload_len;
break;
}
packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
- ssh1_put_password(response);
+ ssh_put_password(response);
memset(response, 0, strlen(response));
xfree(response);
packet_send();
/*
* Tries to authenticate with plain passwd authentication.
*/
-int
+static int
try_password_authentication(char *prompt)
{
int type, i, payload_len;
error("Permission denied, please try again.");
password = read_passphrase(prompt, 0);
packet_start(SSH_CMSG_AUTH_PASSWORD);
- ssh1_put_password(password);
+ ssh_put_password(password);
memset(password, 0, strlen(password));
xfree(password);
packet_send();
SSH_SMSG_PUBLIC_KEY);
k.type = KEY_RSA1;
k.rsa = host_key;
- check_host_key(host, hostaddr, &k,
- options.user_hostfile, options.system_hostfile);
+ if (verify_host_key(host, hostaddr, &k) == -1)
+ fatal("host_key verification failed");
client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
* Authenticate user
*/
void
-ssh_userauth(
- const char *local_user,
- const char *server_user,
- char *host,
- int host_key_valid, RSA *own_host_key)
+ssh_userauth1(const char *local_user, const char *server_user, char *host,
+ Key **keys, int nkeys)
{
int i, type;
int payload_len;
if (supported_authentications == 0)
- fatal("ssh_userauth: server supports no auth methods");
+ fatal("ssh_userauth1: server supports no auth methods");
/* Send the name of the user to log in as on the server. */
packet_start(SSH_CMSG_USER);
- packet_put_string(server_user, strlen(server_user));
+ packet_put_cstring(server_user);
packet_send();
packet_write_wait();
options.rhosts_authentication) {
debug("Trying rhosts authentication.");
packet_start(SSH_CMSG_AUTH_RHOSTS);
- packet_put_string(local_user, strlen(local_user));
+ packet_put_cstring(local_user);
packet_send();
packet_write_wait();
* authentication.
*/
if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
- options.rhosts_rsa_authentication && host_key_valid) {
- if (try_rhosts_rsa_authentication(local_user, own_host_key))
- return;
+ options.rhosts_rsa_authentication) {
+ for (i = 0; i < nkeys; i++) {
+ if (keys[i] != NULL && keys[i]->type == KEY_RSA1 &&
+ try_rhosts_rsa_authentication(local_user, keys[i]))
+ return;
+ }
}
/* Try RSA authentication if the server supports it. */
if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
/* Try RSA authentication for each identity. */
for (i = 0; i < options.num_identity_files; i++)
- if (options.identity_files_type[i] == KEY_RSA1 &&
+ if (options.identity_keys[i] != NULL &&
+ options.identity_keys[i]->type == KEY_RSA1 &&
try_rsa_authentication(options.identity_files[i]))
return;
}
/* Try challenge response authentication if the server supports it. */
if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
- options.challenge_reponse_authentication && !options.batch_mode) {
- if (try_challenge_reponse_authentication())
+ options.challenge_response_authentication && !options.batch_mode) {
+ if (try_challenge_response_authentication())
return;
}
/* Try password authentication if the server supports it. */