*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.66 2001/04/04 20:25:38 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.81 2001/07/23 09:06:28 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
#include "key.h"
#include "sshconnect.h"
#include "authfile.h"
-#include "cli.h"
#include "dh.h"
#include "authfd.h"
#include "log.h"
#include "readpass.h"
#include "match.h"
#include "dispatch.h"
+#include "canohost.h"
/* import */
extern char *client_version_string;
Kex *xxx_kex = NULL;
-int
-check_host_key_callback(Key *hostkey)
+static int
+verify_host_key_callback(Key *hostkey)
{
- check_host_key(xxx_host, xxx_hostaddr, hostkey,
- options.user_hostfile2, options.system_hostfile2);
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
+ fatal("verify_host_key failed");
return 0;
}
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
}
+ if (options.hostkeyalgorithms != NULL)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ options.hostkeyalgorithms;
/* start key exchange */
kex = kex_setup(myproposal);
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
- kex->check_host_key=&check_host_key_callback;
+ kex->verify_host_key=&verify_host_key_callback;
xxx_kex = kex;
struct Authctxt {
const char *server_user;
+ const char *local_user;
const char *host;
const char *service;
- AuthenticationConnection *agent;
Authmethod *method;
int success;
char *authlist;
+ /* pubkey */
Key *last_key;
sign_cb_fn *last_key_sign;
int last_key_hint;
+ AuthenticationConnection *agent;
+ /* hostbased */
+ Key **keys;
+ int nkeys;
};
struct Authmethod {
char *name; /* string to compare against server's list */
int userauth_pubkey(Authctxt *authctxt);
int userauth_passwd(Authctxt *authctxt);
int userauth_kbdint(Authctxt *authctxt);
+int userauth_hostbased(Authctxt *authctxt);
void userauth(Authctxt *authctxt, char *authlist);
-int
-sign_and_send_pubkey(Authctxt *authctxt, Key *k,
- sign_cb_fn *sign_callback);
-void clear_auth_state(Authctxt *authctxt);
+static int sign_and_send_pubkey(Authctxt *, Key *, sign_cb_fn *);
+static void clear_auth_state(Authctxt *);
-Authmethod *authmethod_get(char *authlist);
-Authmethod *authmethod_lookup(const char *name);
-char *authmethods_get(void);
+static Authmethod *authmethod_get(char *authlist);
+static Authmethod *authmethod_lookup(const char *name);
+static char *authmethods_get(void);
Authmethod authmethods[] = {
+ {"hostbased",
+ userauth_hostbased,
+ &options.hostbased_authentication,
+ NULL},
{"publickey",
userauth_pubkey,
&options.pubkey_authentication,
NULL},
- {"password",
- userauth_passwd,
- &options.password_authentication,
- &options.batch_mode},
{"keyboard-interactive",
userauth_kbdint,
&options.kbd_interactive_authentication,
&options.batch_mode},
+ {"password",
+ userauth_passwd,
+ &options.password_authentication,
+ &options.batch_mode},
{"none",
userauth_none,
NULL,
};
void
-ssh_userauth2(const char *server_user, char *host)
+ssh_userauth2(const char *local_user, const char *server_user, char *host,
+ Key **keys, int nkeys)
{
Authctxt authctxt;
int type;
int plen;
- if (options.challenge_reponse_authentication)
+ if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
debug("send SSH2_MSG_SERVICE_REQUEST");
/* setup authentication context */
authctxt.agent = ssh_get_authentication_connection();
authctxt.server_user = server_user;
+ authctxt.local_user = local_user;
authctxt.host = host;
authctxt.service = "ssh-connection"; /* service name */
authctxt.success = 0;
authctxt.method = authmethod_lookup("none");
authctxt.authlist = NULL;
+ authctxt.keys = keys;
+ authctxt.nkeys = nkeys;
if (authctxt.method == NULL)
fatal("ssh_userauth2: internal error: cannot send userauth none request");
Authctxt *authctxt = ctxt;
Key *key = NULL;
Buffer b;
- int alen, blen, pktype, sent = 0;
+ int alen, blen, sent = 0;
char *pkalg, *pkblob, *fp;
if (authctxt == NULL)
debug("no last key or no sign cb");
break;
}
- if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
+ if (key_type_from_name(pkalg) == KEY_UNSPEC) {
debug("unknown pkalg %s", pkalg);
break;
}
return 1;
}
-void
+static void
clear_auth_state(Authctxt *authctxt)
{
/* XXX clear authentication state */
authctxt->last_key_sign = NULL;
}
-int
+static int
sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
{
Buffer b;
return 1;
}
-int
+static int
send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback,
int hint)
{
return 1;
}
-Key *
+static Key *
load_identity_file(char *filename)
{
Key *private;
return private;
}
-int
+static int
identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
u_char *data, int datalen)
{
idx = authctxt->last_key_hint;
if (idx < 0)
return -1;
+
+ /* private key is stored in external hardware */
+ if (options.identity_keys[idx]->flags & KEY_FLAG_EXT)
+ return key_sign(options.identity_keys[idx], sigp, lenp, data, datalen);
+
private = load_identity_file(options.identity_files[idx]);
if (private == NULL)
return -1;
return ret;
}
-int agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+static int
+agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
u_char *data, int datalen)
{
return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen);
}
-int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+static int
+key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
u_char *data, int datalen)
{
- return key_sign(key, sigp, lenp, data, datalen);
+ return key_sign(key, sigp, lenp, data, datalen);
}
-int
+static int
userauth_pubkey_agent(Authctxt *authctxt)
{
static int called = 0;
inst = packet_get_string(NULL);
lang = packet_get_string(NULL);
if (strlen(name) > 0)
- cli_mesg(name);
+ log("%s", name);
if (strlen(inst) > 0)
- cli_mesg(inst);
+ log("%s", inst);
xfree(name);
xfree(inst);
xfree(lang);
packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
packet_put_int(num_prompts);
+ debug2("input_userauth_info_req: num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {
prompt = packet_get_string(NULL);
echo = packet_get_char();
- response = cli_prompt(prompt, echo);
+ response = read_passphrase(prompt, echo ? RP_ECHO : 0);
packet_put_cstring(response);
memset(response, 0, strlen(response));
packet_send();
}
+/*
+ * this will be move to an external program (ssh-keysign) ASAP. ssh-keysign
+ * will be setuid-root and the sbit can be removed from /usr/bin/ssh.
+ */
+int
+userauth_hostbased(Authctxt *authctxt)
+{
+ Key *private = NULL;
+ Buffer b;
+ u_char *signature, *blob;
+ char *chost, *pkalg, *p;
+ const char *service;
+ u_int blen, slen;
+ int ok, i, len, found = 0;
+
+ p = get_local_name(packet_get_connection_in());
+ if (p == NULL) {
+ error("userauth_hostbased: cannot get local ipaddr/name");
+ return 0;
+ }
+ len = strlen(p) + 2;
+ chost = xmalloc(len);
+ strlcpy(chost, p, len);
+ strlcat(chost, ".", len);
+ debug2("userauth_hostbased: chost %s", chost);
+ /* check for a useful key */
+ for (i = 0; i < authctxt->nkeys; i++) {
+ private = authctxt->keys[i];
+ if (private && private->type != KEY_RSA1) {
+ found = 1;
+ /* we take and free the key */
+ authctxt->keys[i] = NULL;
+ break;
+ }
+ }
+ if (!found) {
+ xfree(chost);
+ return 0;
+ }
+ if (key_to_blob(private, &blob, &blen) == 0) {
+ key_free(private);
+ xfree(chost);
+ return 0;
+ }
+ service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ authctxt->service;
+ pkalg = xstrdup(key_ssh_name(private));
+ buffer_init(&b);
+ /* construct data */
+ buffer_put_string(&b, session_id2, session_id2_len);
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ buffer_put_cstring(&b, authctxt->server_user);
+ buffer_put_cstring(&b, service);
+ buffer_put_cstring(&b, authctxt->method->name);
+ buffer_put_cstring(&b, pkalg);
+ buffer_put_string(&b, blob, blen);
+ buffer_put_cstring(&b, chost);
+ buffer_put_cstring(&b, authctxt->local_user);
+#ifdef DEBUG_PK
+ buffer_dump(&b);
+#endif
+ debug2("xxx: chost %s", chost);
+ ok = key_sign(private, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+ key_free(private);
+ buffer_free(&b);
+ if (ok != 0) {
+ error("key_sign failed");
+ xfree(chost);
+ xfree(pkalg);
+ return 0;
+ }
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+ packet_put_cstring(pkalg);
+ packet_put_string(blob, blen);
+ packet_put_cstring(chost);
+ packet_put_cstring(authctxt->local_user);
+ packet_put_string(signature, slen);
+ memset(signature, 's', slen);
+ xfree(signature);
+ xfree(chost);
+ xfree(pkalg);
+
+ packet_send();
+ return 1;
+}
+
/* find auth method */
/*
* given auth method name, if configurable options permit this method fill
* in auth_ident field and return true, otherwise return false.
*/
-int
+static int
authmethod_is_enabled(Authmethod *method)
{
if (method == NULL)
return 1;
}
-Authmethod *
+static Authmethod *
authmethod_lookup(const char *name)
{
Authmethod *method = NULL;
/*
* Given the authentication method list sent by the server, return the
* next method we should try. If the server initially sends a nil list,
- * use a built-in default list.
+ * use a built-in default list.
*/
-Authmethod *
+static Authmethod *
authmethod_get(char *authlist)
{
#define DELIM ","
-char *
+
+static char *
authmethods_get(void)
{
Authmethod *method = NULL;