| blob | 3caa062fd751a3b964c14bb0fefc0e80c6474c70 |
1 /*
2 * Packet protocol layer for the client side of the SSH-2 userauth
3 * protocol (RFC 4252).
4 */
6 #include <assert.h>
14 #ifndef NO_GSSAPI
17 #endif
19 #define BANNER_LIMIT 131072
23 ptrlen algorithm;
37 ptrlen session_id;
39 AUTH_TYPE_NONE,
40 AUTH_TYPE_PUBLICKEY,
41 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
42 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
43 AUTH_TYPE_PASSWORD,
45 AUTH_TYPE_KEYBOARD_INTERACTIVE,
46 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
49 SeatPromptResult spr;
52 #ifndef NO_GSSAPI
58 Ssh_gss_buf gss_buf;
60 Ssh_gss_stat gss_stat;
61 #endif
76 ptrlen agent_response;
81 ptrlen agent_keyalg;
88 bufchain banner;
89 bufchain_sink banner_bs;
96 Plug authplugin_plug;
97 bufchain authplugin_bc;
107 PacketProtocolLayer ppl;
108 };
126 #ifndef NO_GSSAPI
129 #endif
150 };
161 {
190 }
194 {
198 }
201 {
213 }
215 }
247 }
251 {
265 }
269 else
271 }
274 {
286 }
287 }
288 }
291 {
294 }
298 {
315 }
319 }
323 {
330 }
334 {
339 }
343 {
348 }
351 {
356 }
363 };
366 {
371 }
374 {
379 }
383 {
387 }
398 }
402 size);
409 }
413 {
428 #define CASEDECL(name, value) \
429 case name: \
432 break;
434 #undef CASEDECL
435 }
443 }
446 }
449 {
458 #ifndef NO_GSSAPI
461 #endif
463 /*
464 * Misc one-time setup for authentication.
465 */
469 /*
470 * Load the public half of any configured public key file for
471 * later use.
472 */
496 }
504 }
505 }
507 /*
508 * If the user provided a detached certificate file, load that.
509 */
523 }
533 }
540 }
546 }
548 /* OK, store the certificate blob to substitute for the
549 * public blob in all publickey auth packets. */
555 cert_load_done:
558 cert_error);
563 }
569 }
571 /*
572 * Find out about any keys Pageant has (but if there's a public
573 * key configured, filter out all others).
574 */
578 /* Request the keys held by the agent. */
579 {
585 }
593 /*
594 * Check that the agent response is well formed.
595 */
602 }
603 }
605 /*
606 * Copy the list of public-key blobs out of the Pageant
607 * response.
608 */
616 /* Also, extract the algorithm string from the start
617 * of the public-key blob. */
620 }
625 /*
626 * If we've been given a specific public key blob,
627 * filter the list of keys to try from the agent down
628 * to only that one, or none if it's not there.
629 */
637 }
648 }
650 /*
651 * Otherwise, try them all.
652 */
655 }
658 }
659 done_agent_query:;
660 }
669 }
690 }
696 }
702 }
704 }
711 }
712 /* This is a controlled error, so we need not completely
713 * abandon the connection. Instead, inform the user, and
714 * proceed as if the plugin was not present */
722 }
727 }
728 }
730 /*
731 * We repeat this whole loop, including the username prompt,
732 * until we manage a successful authentication. If the user
733 * types the wrong _password_, they can be sent back to the
734 * beginning to try another username, if this is configured on.
735 * (If they specify a username in the config, they are never
736 * asked, even if they do give a wrong password.)
737 *
738 * I think this best serves the needs of
739 *
740 * - the people who have no configuration, no keys, and just
741 * want to try repeated (username,password) pairs until they
742 * type both correctly
743 *
744 * - people who have keys and configuration but occasionally
745 * need to fall back to passwords
746 *
747 * - people with a key held in Pageant, who might not have
748 * logged in to a particular machine before; so they want to
749 * type a username, and then _either_ their key will be
750 * accepted, _or_ they will type a password. If they mistype
751 * the username they will want to be able to get back and
752 * retype it!
753 */
755 /*
756 * Get a username.
757 */
759 /*
760 * We got a username last time round this loop, and
761 * with change_username turned off we don't try to get
762 * it again.
763 */
773 crReturnV;
776 }
778 /*
779 * seat_get_userpass_input() failed to get a username.
780 * Terminate.
781 */
786 }
795 }
798 /*
799 * Send an authentication request using method "none": (a)
800 * just in case it succeeds, and (b) so that we know what
801 * authentication methods we can usefully try next.
802 */
817 /*
818 * Wait for the result of the last authentication request,
819 * unless the request terminated for some reason on our
820 * own side.
821 */
827 }
829 /*
830 * Now is a convenient point to spew any banner material
831 * that we've accumulated. (This should ensure that when
832 * we exit the auth loop, we haven't any left to deal
833 * with.)
834 *
835 * Don't show the banner if we're operating in non-verbose
836 * non-interactive mode. (It's probably a script, which
837 * means nobody will read the banner _anyway_, and
838 * moreover the printing of the banner will screw up
839 * processing on the output of (say) plink.)
840 *
841 * The banner data has been sanitised already by this
842 * point, but we still need to precede and follow it with
843 * anti-spoofing header lines.
844 */
850 }
855 "in response to authentication request, "
861 }
863 /*
864 * OK, we're now sitting on a USERAUTH_FAILURE message, so
865 * we can look at the string in it and know what we can
866 * helpfully try next.
867 */
873 /*
874 * We have received an unequivocal Access
875 * Denied. This can translate to a variety of
876 * messages, or no message at all.
877 *
878 * For forms of authentication which are attempted
879 * implicitly, by which I mean without printing
880 * anything in the window indicating that we're
881 * trying them, we should never print 'Access
882 * denied'.
883 *
884 * If we do print a message saying that we're
885 * attempting some kind of authentication, it's OK
886 * to print a followup message saying it failed -
887 * but the message may sometimes be more specific
888 * than simply 'Access denied'.
889 *
890 * Additionally, if we'd just tried password
891 * authentication, we should break out of this
892 * whole loop so as to go back to the username
893 * prompt (iff we're configured to allow
894 * username change attempts).
895 */
897 /* do nothing */
904 /* This _shouldn't_ happen except by a
905 * protocol bug causing client and server to
906 * disagree on what is a correct signature. */
912 /* quiet, so no ppl_printf */
916 /* always quiet, so no ppl_printf */
917 /* also, the code down in the GSSAPI block has
918 * already logged this in the Event Log */
929 /* XXX perhaps we should allow
930 * keyboard-interactive to do this too? */
932 }
933 }
937 }
939 /*
940 * Save the methods string for use in error messages.
941 */
945 /*
946 * Scan it for method identifiers we know about.
947 */
950 #ifndef NO_GSSAPI
952 #endif
961 #ifndef NO_GSSAPI
966 #endif
967 }
969 /*
970 * And combine those flags with our own configuration
971 * and context to set the main can_foo variables.
972 */
976 #ifndef NO_GSSAPI
980 srv_gssapi_keyex_auth &&
982 #endif
983 }
987 #ifndef NO_GSSAPI
990 /* gssapi-keyex authentication */
1012 /*
1013 * Attempt public-key authentication using a key from Pageant.
1014 */
1026 /* See if server will accept it */
1032 /* method */
1043 /* Offer of key refused, presumably via
1044 * USERAUTH_FAILURE. Requeue for the next iteration. */
1057 /*
1058 * Server is willing to accept the key.
1059 * Construct a SIGN_REQUEST.
1060 */
1066 /* method */
1072 /* Ask agent for signature. */
1077 /* Now the data to be signed... */
1083 /* And finally the flags word. */
1090 ptrlen sigblob;
1102 sigblob);
1112 }
1120 }
1121 }
1123 /* Do we have any keys left to try? */
1137 /*
1138 * Try the public key supplied in the configuration.
1139 *
1140 * First, try to upgrade its algorithm.
1141 */
1146 }
1148 /*
1149 * Offer the public blob to see if the server is willing to
1150 * accept it.
1151 */
1158 /* no signature included */
1167 /* Key refused. Give up. */
1171 }
1174 /*
1175 * Actually attempt a serious authentication using
1176 * the key.
1177 */
1186 /*
1187 * Get a passphrase from the user.
1188 */
1200 crReturnV;
1203 }
1205 /* Failed to get a passphrase. Terminate. */
1210 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER);
1214 }
1215 passphrase =
1221 }
1223 /*
1224 * Try decrypting the key.
1225 */
1228 /* burn the evidence */
1231 }
1237 /* and loop again */
1240 error);
1244 }
1246 /* FIXME: if we ever support variable signature
1247 * flags, this is somewhere they'll need to be
1248 * put */
1252 invalid);
1260 }
1261 }
1262 }
1267 /*
1268 * We have loaded the private key and the server
1269 * has announced that it's willing to accept it.
1270 * Hallelujah. Generate a signature and send it.
1271 */
1285 /*
1286 * The data to be signed is:
1287 *
1288 * string session-id
1289 *
1290 * followed by everything so far placed in the
1291 * outgoing packet.
1292 */
1314 }
1316 #ifndef NO_GSSAPI
1319 /* gssapi-with-mic authentication */
1321 ptrlen data;
1330 /* Sending USERAUTH_REQUEST with "gssapi-with-mic" method */
1339 /* add mechanism info */
1342 /* number of GSSAPI mechanisms */
1345 /* length of OID + 2 */
1349 /* length of OID */
1359 }
1361 /* check returned packet ... */
1374 }
1376 /* Import server name if not cached from KEX */
1384 else
1387 }
1388 }
1390 /* Allocate our gss_ctx */
1396 /* The failure was on our side, so the server
1397 * won't be sending a response packet indicating
1398 * failure. Avoid waiting for it next time round
1399 * the loop. */
1402 }
1404 /* initial tokens are empty */
1408 /* now enter the loop */
1410 /*
1411 * When acquire_cred yields no useful expiration, go with
1412 * the service ticket expiration.
1413 */
1421 NULL,
1422 NULL);
1434 }
1438 }
1441 /*
1442 * Client and server now exchange tokens until GSSAPI
1443 * no longer says CONTINUE_NEEDED
1444 */
1454 }
1460 /*
1461 * Per RFC 4462 section 3.9, this packet
1462 * type MUST immediately precede an
1463 * ordinary USERAUTH_FAILURE.
1464 *
1465 * We currently don't know how to do
1466 * anything with the GSSAPI error token
1467 * contained in this packet, so we ignore
1468 * it and just wait for the following
1469 * FAILURE.
1470 */
1476 "after SSH_MSG_USERAUTH_GSSAPI_ERRTOK "
1477 "(expected SSH_MSG_USERAUTH_FAILURE): "
1483 }
1484 }
1492 SSH2_MSG_USERAUTH_GSSAPI_TOKEN) {
1497 }
1501 }
1507 }
1510 /* Now send the MIC */
1517 #endif
1520 /*
1521 * Keyboard-interactive authentication.
1522 */
1533 /* method */
1552 /* draft protocol didn't include a message here */
1554 }
1557 "PLUGIN_PROTOCOL_REJECT from auth "
1560 }
1562 /* If the plugin sent a message about
1563 * _why_ it didn't want to do k-i, pass
1564 * that message on to the user. (It might
1565 * say, for example, what went wrong when
1566 * it tried to open its config file.) */
1568 "up keyboard-interactive "
1574 "help with keyboard-interactive: "
1579 }
1582 }
1593 }
1596 }
1604 }
1608 /* Server is not willing to do keyboard-interactive
1609 * at all (or, bizarrely but legally, accepts the
1610 * user without actually issuing any prompts).
1611 * Give up on it entirely. */
1616 }
1620 /*
1621 * Loop while we still have prompts to send to the user.
1622 */
1624 /*
1625 * The simple case: INFO_REQUESTs are passed on to
1626 * the user, and responses are sent straight back
1627 * to the SSH server.
1628 */
1636 /*
1637 * Failed to get responses. Terminate.
1638 */
1643 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER);
1647 }
1649 /*
1650 * Send the response(s) to the server.
1651 */
1659 /*
1660 * Get the next packet in case it's another
1661 * INFO_REQUEST.
1662 */
1665 }
1667 /*
1668 * The case where a plugin is involved:
1669 * INFO_REQUEST from the server is sent to the
1670 * plugin, which sends responses that we hand back
1671 * to the server. But in the meantime, the plugin
1672 * might send USER_REQUEST for us to pass to the
1673 * user, and then we send responses to that.
1674 */
1677 PLUGIN_KI_SERVER_REQUEST);
1694 /*
1695 * Failed to get responses. Terminate.
1696 */
1701 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER);
1706 }
1708 /*
1709 * Send the responses on to the plugin.
1710 */
1712 PLUGIN_KI_USER_RESPONSE);
1716 }
1723 }
1731 /*
1732 * Get the next packet in case it's another
1733 * INFO_REQUEST.
1734 */
1737 }
1738 }
1740 /*
1741 * Print our trailer line, if we printed a header.
1742 */
1750 }
1752 /*
1753 * We should have SUCCESS or FAILURE now.
1754 */
1758 /*
1759 * As our last communication with the plugin, tell
1760 * it whether the k-i authentication succeeded.
1761 */
1766 /*
1767 * Peek in the failure packet to see if it's a
1768 * partial success.
1769 */
1778 }
1779 }
1785 /* Wait until we've actually sent it, in case
1786 * we close the connection to the plugin
1787 * before that outgoing message has left our
1788 * own buffers */
1790 }
1791 }
1794 /*
1795 * Plain old password authentication.
1796 */
1812 crReturnV;
1815 }
1817 /*
1818 * Failed to get responses. Terminate.
1819 */
1824 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER);
1827 }
1828 /*
1829 * Squirrel away the password. (We may need it later if
1830 * asked to change it.)
1831 */
1836 /*
1837 * Send the password packet.
1838 *
1839 * We pad out the password packet to 256 bytes to make
1840 * it harder for an attacker to find the length of the
1841 * user's password.
1842 *
1843 * Anyone using a password longer than 256 bytes
1844 * probably doesn't have much to worry about from
1845 * people who find out how long their password is!
1846 */
1859 /*
1860 * Wait for next packet, in case it's a password change
1861 * request.
1862 */
1868 /*
1869 * We're being asked for a new password
1870 * (perhaps not for the first time).
1871 * Loop until the server accepts it.
1872 */
1877 {
1881 else
1885 }
1895 /*
1896 * There's no explicit requirement in the protocol
1897 * for the "old" passwords in the original and
1898 * password-change messages to be the same, and
1899 * apparently some Cisco kit supports password change
1900 * by the user entering a blank password originally
1901 * and the real password subsequently, so,
1902 * reluctantly, we prompt for the old password again.
1903 *
1904 * (On the other hand, some servers don't even bother
1905 * to check this field.)
1906 */
1915 /*
1916 * Loop until the user manages to enter the same
1917 * password twice.
1918 */
1923 crReturnV;
1926 }
1928 /*
1929 * Failed to get responses. Terminate.
1930 */
1931 /* burn the evidence */
1938 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER);
1942 }
1944 /*
1945 * If the user specified a new original password
1946 * (IYSWIM), overwrite any previously specified
1947 * one.
1948 * (A side effect is that the user doesn't have to
1949 * re-enter it if they louse up the new password.)
1950 */
1953 /* burn the evidence */
1957 }
1959 /*
1960 * Check the two new passwords match.
1961 */
1966 /* They don't. Silly user. */
1969 }
1971 /*
1972 * Send the new password (along with the old one).
1973 * (see above for padding rationale)
1974 */
1990 /*
1991 * Now see what the server has to say about it.
1992 * (If it's CHANGEREQ again, it's not happy with the
1993 * new password.)
1994 */
1998 }
2000 /*
2001 * We need to reexamine the current pktin at the top
2002 * of the loop. Either:
2003 * - we weren't asked to change password at all, in
2004 * which case it's a SUCCESS or FAILURE with the
2005 * usual meaning
2006 * - we sent a new password, and the server was
2007 * either OK with it (SUCCESS or FAILURE w/partial
2008 * success) or unhappy with the _old_ password
2009 * (FAILURE w/o partial success)
2010 * In any of these cases, we go back to the top of
2011 * the loop and start again.
2012 */
2015 /*
2016 * We don't need the old password any more, in any
2017 * case. Burn the evidence.
2018 */
2026 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE);
2031 }
2033 }
2034 try_new_username:;
2035 }
2037 userauth_success:
2042 }
2044 /*
2045 * We've just received USERAUTH_SUCCESS, and we haven't sent
2046 * any packets since. Signal the transport layer to consider
2047 * doing an immediate rekey, if it has any reason to want to.
2048 */
2051 /*
2052 * Finally, hand over to our successor layer, and return
2053 * immediately without reaching the crFinishV: ssh_ppl_replace
2054 * will have freed us, so crFinishV's zeroing-out of crState would
2055 * be a use-after-free bug.
2056 */
2057 {
2062 }
2064 crFinishV;
2065 }
2068 {
2076 }
2082 mid_line =
2085 }
2096 }
2097 }
2098 }
2102 {
2106 /*
2107 * We've got a fresh USERAUTH_INFO_REQUEST. Get the preamble and
2108 * start building a prompt.
2109 */
2117 /*
2118 * Get any prompt(s) from the packet.
2119 */
2132 }
2144 }
2146 }
2148 /*
2149 * Make the header strings. This includes the 'name' (optional
2150 * dialog-box title) and 'instruction' from the server.
2151 *
2152 * First, display our disambiguating header line if this is the
2153 * first time round the loop - _unless_ the server has sent a
2154 * completely empty k-i packet with no prompts _or_ text, which
2155 * apparently some do. In that situation there's no need to alert
2156 * the user that the following text is server- supplied, because,
2157 * well, _what_ text?
2158 *
2159 * We also only do this if we got a stripctrl, because if we
2160 * didn't, that suggests this is all being done via dialog boxes
2161 * anyway.
2162 */
2172 }
2182 }
2188 else
2191 }
2202 }
2206 }
2209 else
2213 }
2216 {
2220 }
2224 {
2229 /*
2230 * Free the prompts structure from this iteration. If there's
2231 * another, a new one will be allocated when we return to the top
2232 * of this while loop.
2233 */
2236 }
2240 {
2245 }
2246 }
2250 {
2261 }
2264 {
2272 }
2274 /*
2275 * Helper function to add the algorithm and public key strings to a
2276 * "publickey" auth packet. Deals with overriding both strings if the
2277 * user has provided a detached certificate which matches the public
2278 * key in question.
2279 */
2282 {
2294 /*
2295 * Whether or not we send the certificate, we're likely to
2296 * generate a log message about it. But we don't want to log
2297 * once for the offer and once for the real auth attempt, so
2298 * we de-duplicate by remembering the last public key this
2299 * function saw. */
2303 pkblob)) {
2306 /* Log this time, but arrange that we don't mention it next time */
2309 }
2311 /*
2312 * Check that the public key we're replacing is compatible
2313 * with the certificate, in that they should have the same
2314 * base public key.
2315 */
2325 }
2333 /*
2334 * If we reach here, the certificate's base key was not
2335 * identical to the key we're given. But it might still be
2336 * identical to the _base_ key of the key we're given, if we
2337 * were using a differently certified version of the same key.
2338 * In that situation, the detached cert should still override.
2339 */
2343 }
2349 }
2357 /* Give up; we've tried to match these keys up and failed. */
2361 match:
2362 /*
2363 * The two keys match, so insert the detached certificate into
2364 * the output packet in place of the public key we were given.
2365 *
2366 * However, we need to be a bit careful with the algorithm
2367 * name: we might need to upgrade it to one that matches the
2368 * original algorithm name. (If we were asked to add an
2369 * ssh-rsa key but were given algorithm name "rsa-sha2-512",
2370 * then instead of the certificate's algorithm name
2371 * ssh-rsa-cert-v01@... we need to write the corresponding
2372 * SHA-512 name rsa-sha2-512-cert-v01@... .)
2373 */
2377 }
2378 {
2379 /* Strip off any existing certificate-nature from pkalg,
2380 * for the case where we're replacing a cert embedded in
2381 * the key with the detached one. The second argument of
2382 * ssh_keyalg_related_alg is expected to be one of the
2383 * bare key algorithms, or nothing useful will happen. */
2387 /* Construct an algorithm string that includes both the
2388 * signature subtype (e.g. rsa-sha2-512) and the
2389 * certificate-ness. Exception: in earlier versions of
2390 * OpenSSH we don't want to do that, and must send just
2391 * ssh-rsa-cert-... even when we're delivering a non-SHA-1
2392 * signature. */
2399 }
2404 no_match:
2405 /* Log that we didn't send the certificate, if this public key
2406 * isn't the same one as last call to this function. (Need to
2407 * avoid verbosely logging once for the offer and once for the
2408 * real auth attempt.) */
2414 /* If the user provided a specific key file to use (i.e.
2415 * this wasn't just a key we picked opportunistically out
2416 * of an agent), then they probably _care_ that we didn't
2417 * send the certificate, so we should make a loud error
2418 * message about it as well as just commenting in the
2419 * Event Log. */
2425 }
2426 }
2428 out:
2429 /* Whether we did that or not, free our stuff. */
2440 /* And if we did, don't fall through to the alternative below */
2443 }
2445 /* In all other cases, basically just put in what we were given -
2446 * except for the same bug workaround as above. */
2450 }
2454 {
2457 /*
2458 * No need to try to do this in a general way based on the
2459 * relations between ssh_keyalgs; we know there are a limited
2460 * number of affected versions of OpenSSH, so this doesn't have to
2461 * be futureproof against later additions to the family.
2462 */
2467 }
2469 /*
2470 * Helper function to add an SSH-2 signature blob to a packet. Expects
2471 * to be shown the public key blob as well as the signature blob.
2472 * Normally just appends the sig blob unmodified as a string, except
2473 * that it optionally breaks it open and fiddle with it to work around
2474 * BUG_SSH2_RSA_PADDING.
2475 */
2478 {
2483 /* dmemdump(pkblob, pkblob_len); */
2484 /* dmemdump(sigblob, sigblob_len); */
2486 /*
2487 * See if this is in fact an ssh-rsa signature and a buggy
2488 * server; otherwise we can just do this the easy way.
2489 */
2496 /*
2497 * Find the modulus and signature integers.
2498 */
2506 /*
2507 * Find the byte length of the modulus, not counting leading
2508 * zeroes.
2509 */
2513 }
2515 /* debug("modulus length is %d\n", len); */
2516 /* debug("signature length is %d\n", siglen); */
2526 }
2528 /* Otherwise fall through and do it the easy way. We also come
2529 * here as a fallback if we discover above that the key blob
2530 * is misformatted in some way. */
2531 give_up:;
2532 }
2535 }
2537 #ifndef NO_GSSAPI
2540 {
2543 Ssh_gss_buf buf;
2544 Ssh_gss_buf mic;
2546 /*
2547 * The mic is computed over the session id + intended
2548 * USERAUTH_REQUEST packet.
2549 */
2557 /* Compute the mic */
2563 /* Now we can build the real packet */
2571 }
2575 }
2576 #endif
2580 {
2581 /* No specials provided by this layer. */
2583 }
2587 {
2588 /* No specials provided by this layer. */
2589 }
2592 {
2596 }
2599 {
2603 /*
2604 * Check for any unconsumed banner packets that might have landed
2605 * in our queue just before the server closed the connection, and
2606 * add them to our banner buffer.
2607 */
2612 }
2614 /* And now make sure we've shown the banner, before exiting */
2616 }