1 /* $OpenBSD: sshconnect2.c,v 1.210 2014/07/15 15:54:14 millert Exp $ */
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 #include <sys/types.h>
30 #include <sys/socket.h>
43 #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
47 #include "openbsd-compat/sys-queue.h"
58 #include "myproposal.h"
59 #include "sshconnect.h"
70 #include "pathnames.h"
79 extern char *client_version_string
;
80 extern char *server_version_string
;
81 extern Options options
;
87 u_char
*session_id2
= NULL
;
88 u_int session_id2_len
= 0;
91 struct sockaddr
*xxx_hostaddr
;
96 verify_host_key_callback(Key
*hostkey
)
98 if (verify_host_key(xxx_host
, xxx_hostaddr
, hostkey
) == -1)
99 fatal("Host key verification failed.");
104 order_hostkeyalgs(char *host
, struct sockaddr
*hostaddr
, u_short port
)
106 char *oavail
, *avail
, *first
, *last
, *alg
, *hostname
, *ret
;
108 struct hostkeys
*hostkeys
;
112 /* Find all hostkeys for this hostname */
113 get_hostfile_hostname_ipaddr(host
, hostaddr
, port
, &hostname
, NULL
);
114 hostkeys
= init_hostkeys();
115 for (i
= 0; i
< options
.num_user_hostfiles
; i
++)
116 load_hostkeys(hostkeys
, hostname
, options
.user_hostfiles
[i
]);
117 for (i
= 0; i
< options
.num_system_hostfiles
; i
++)
118 load_hostkeys(hostkeys
, hostname
, options
.system_hostfiles
[i
]);
120 oavail
= avail
= xstrdup(KEX_DEFAULT_PK_ALG
);
121 maxlen
= strlen(avail
) + 1;
122 first
= xmalloc(maxlen
);
123 last
= xmalloc(maxlen
);
124 *first
= *last
= '\0';
126 #define ALG_APPEND(to, from) \
129 strlcat(to, ",", maxlen); \
130 strlcat(to, from, maxlen); \
133 while ((alg
= strsep(&avail
, ",")) && *alg
!= '\0') {
134 if ((ktype
= key_type_from_name(alg
)) == KEY_UNSPEC
)
135 fatal("%s: unknown alg %s", __func__
, alg
);
136 if (lookup_key_in_hostkeys_by_type(hostkeys
,
137 key_type_plain(ktype
), NULL
))
138 ALG_APPEND(first
, alg
);
140 ALG_APPEND(last
, alg
);
143 xasprintf(&ret
, "%s%s%s", first
, *first
== '\0' ? "" : ",", last
);
145 debug3("%s: prefer hostkeyalgs: %s", __func__
, first
);
151 free_hostkeys(hostkeys
);
157 ssh_kex2(char *host
, struct sockaddr
*hostaddr
, u_short port
)
159 char *myproposal
[PROPOSAL_MAX
] = { KEX_CLIENT
};
163 xxx_hostaddr
= hostaddr
;
165 if (options
.ciphers
== (char *)-1) {
166 logit("No valid ciphers for protocol version 2 given, using defaults.");
167 options
.ciphers
= NULL
;
169 if (options
.ciphers
!= NULL
) {
170 myproposal
[PROPOSAL_ENC_ALGS_CTOS
] =
171 myproposal
[PROPOSAL_ENC_ALGS_STOC
] = options
.ciphers
;
173 myproposal
[PROPOSAL_ENC_ALGS_CTOS
] =
174 compat_cipher_proposal(myproposal
[PROPOSAL_ENC_ALGS_CTOS
]);
175 myproposal
[PROPOSAL_ENC_ALGS_STOC
] =
176 compat_cipher_proposal(myproposal
[PROPOSAL_ENC_ALGS_STOC
]);
177 if (options
.compression
) {
178 myproposal
[PROPOSAL_COMP_ALGS_CTOS
] =
179 myproposal
[PROPOSAL_COMP_ALGS_STOC
] = "zlib@openssh.com,zlib,none";
181 myproposal
[PROPOSAL_COMP_ALGS_CTOS
] =
182 myproposal
[PROPOSAL_COMP_ALGS_STOC
] = "none,zlib@openssh.com,zlib";
184 if (options
.macs
!= NULL
) {
185 myproposal
[PROPOSAL_MAC_ALGS_CTOS
] =
186 myproposal
[PROPOSAL_MAC_ALGS_STOC
] = options
.macs
;
188 if (options
.hostkeyalgorithms
!= NULL
)
189 myproposal
[PROPOSAL_SERVER_HOST_KEY_ALGS
] =
190 compat_pkalg_proposal(options
.hostkeyalgorithms
);
192 /* Prefer algorithms that we already have keys for */
193 myproposal
[PROPOSAL_SERVER_HOST_KEY_ALGS
] =
194 compat_pkalg_proposal(
195 order_hostkeyalgs(host
, hostaddr
, port
));
197 if (options
.kex_algorithms
!= NULL
)
198 myproposal
[PROPOSAL_KEX_ALGS
] = options
.kex_algorithms
;
199 myproposal
[PROPOSAL_KEX_ALGS
] = compat_kex_proposal(
200 myproposal
[PROPOSAL_KEX_ALGS
]);
202 if (options
.rekey_limit
|| options
.rekey_interval
)
203 packet_set_rekey_limits((u_int32_t
)options
.rekey_limit
,
204 (time_t)options
.rekey_interval
);
206 /* start key exchange */
207 kex
= kex_setup(myproposal
);
209 kex
->kex
[KEX_DH_GRP1_SHA1
] = kexdh_client
;
210 kex
->kex
[KEX_DH_GRP14_SHA1
] = kexdh_client
;
211 kex
->kex
[KEX_DH_GEX_SHA1
] = kexgex_client
;
212 kex
->kex
[KEX_DH_GEX_SHA256
] = kexgex_client
;
213 kex
->kex
[KEX_ECDH_SHA2
] = kexecdh_client
;
215 kex
->kex
[KEX_C25519_SHA256
] = kexc25519_client
;
216 kex
->client_version_string
=client_version_string
;
217 kex
->server_version_string
=server_version_string
;
218 kex
->verify_host_key
=&verify_host_key_callback
;
222 dispatch_run(DISPATCH_BLOCK
, &kex
->done
, kex
);
224 if (options
.use_roaming
&& !kex
->roaming
) {
225 debug("Roaming not allowed by server");
226 options
.use_roaming
= 0;
229 session_id2
= kex
->session_id
;
230 session_id2_len
= kex
->session_id_len
;
233 /* send 1st encrypted/maced/compressed message */
234 packet_start(SSH2_MSG_IGNORE
);
235 packet_put_cstring("markus");
245 typedef struct Authctxt Authctxt
;
246 typedef struct Authmethod Authmethod
;
247 typedef struct identity Identity
;
248 typedef struct idlist Idlist
;
251 TAILQ_ENTRY(identity
) next
;
252 AuthenticationConnection
*ac
; /* set if agent supports key */
253 Key
*key
; /* public/private key */
254 char *filename
; /* comment for agent-only keys */
256 int isprivate
; /* key points to the private key */
259 TAILQ_HEAD(idlist
, identity
);
262 const char *server_user
;
263 const char *local_user
;
267 sig_atomic_t success
;
271 AuthenticationConnection
*agent
;
273 Sensitive
*sensitive
;
274 /* kbd-interactive */
280 char *name
; /* string to compare against server's list */
281 int (*userauth
)(Authctxt
*authctxt
);
282 void (*cleanup
)(Authctxt
*authctxt
);
283 int *enabled
; /* flag in option struct that enables method */
284 int *batch_flag
; /* flag in option struct that disables method */
287 void input_userauth_success(int, u_int32_t
, void *);
288 void input_userauth_success_unexpected(int, u_int32_t
, void *);
289 void input_userauth_failure(int, u_int32_t
, void *);
290 void input_userauth_banner(int, u_int32_t
, void *);
291 void input_userauth_error(int, u_int32_t
, void *);
292 void input_userauth_info_req(int, u_int32_t
, void *);
293 void input_userauth_pk_ok(int, u_int32_t
, void *);
294 void input_userauth_passwd_changereq(int, u_int32_t
, void *);
296 int userauth_none(Authctxt
*);
297 int userauth_pubkey(Authctxt
*);
298 int userauth_passwd(Authctxt
*);
299 int userauth_kbdint(Authctxt
*);
300 int userauth_hostbased(Authctxt
*);
303 int userauth_gssapi(Authctxt
*authctxt
);
304 void input_gssapi_response(int type
, u_int32_t
, void *);
305 void input_gssapi_token(int type
, u_int32_t
, void *);
306 void input_gssapi_hash(int type
, u_int32_t
, void *);
307 void input_gssapi_error(int, u_int32_t
, void *);
308 void input_gssapi_errtok(int, u_int32_t
, void *);
311 void userauth(Authctxt
*, char *);
313 static int sign_and_send_pubkey(Authctxt
*, Identity
*);
314 static void pubkey_prepare(Authctxt
*);
315 static void pubkey_cleanup(Authctxt
*);
316 static Key
*load_identity_file(char *, int);
318 static Authmethod
*authmethod_get(char *authlist
);
319 static Authmethod
*authmethod_lookup(const char *name
);
320 static char *authmethods_get(void);
322 Authmethod authmethods
[] = {
327 &options
.gss_authentication
,
333 &options
.hostbased_authentication
,
338 &options
.pubkey_authentication
,
340 {"keyboard-interactive",
343 &options
.kbd_interactive_authentication
,
344 &options
.batch_mode
},
348 &options
.password_authentication
,
349 &options
.batch_mode
},
355 {NULL
, NULL
, NULL
, NULL
, NULL
}
359 ssh_userauth2(const char *local_user
, const char *server_user
, char *host
,
360 Sensitive
*sensitive
)
365 if (options
.challenge_response_authentication
)
366 options
.kbd_interactive_authentication
= 1;
368 packet_start(SSH2_MSG_SERVICE_REQUEST
);
369 packet_put_cstring("ssh-userauth");
371 debug("SSH2_MSG_SERVICE_REQUEST sent");
373 type
= packet_read();
374 if (type
!= SSH2_MSG_SERVICE_ACCEPT
)
375 fatal("Server denied authentication request: %d", type
);
376 if (packet_remaining() > 0) {
377 char *reply
= packet_get_string(NULL
);
378 debug2("service_accept: %s", reply
);
381 debug2("buggy server: service_accept w/o service");
384 debug("SSH2_MSG_SERVICE_ACCEPT received");
386 if (options
.preferred_authentications
== NULL
)
387 options
.preferred_authentications
= authmethods_get();
389 /* setup authentication context */
390 memset(&authctxt
, 0, sizeof(authctxt
));
391 pubkey_prepare(&authctxt
);
392 authctxt
.server_user
= server_user
;
393 authctxt
.local_user
= local_user
;
394 authctxt
.host
= host
;
395 authctxt
.service
= "ssh-connection"; /* service name */
396 authctxt
.success
= 0;
397 authctxt
.method
= authmethod_lookup("none");
398 authctxt
.authlist
= NULL
;
399 authctxt
.methoddata
= NULL
;
400 authctxt
.sensitive
= sensitive
;
401 authctxt
.info_req_seen
= 0;
402 if (authctxt
.method
== NULL
)
403 fatal("ssh_userauth2: internal error: cannot send userauth none request");
405 /* initial userauth request */
406 userauth_none(&authctxt
);
408 dispatch_init(&input_userauth_error
);
409 dispatch_set(SSH2_MSG_USERAUTH_SUCCESS
, &input_userauth_success
);
410 dispatch_set(SSH2_MSG_USERAUTH_FAILURE
, &input_userauth_failure
);
411 dispatch_set(SSH2_MSG_USERAUTH_BANNER
, &input_userauth_banner
);
412 dispatch_run(DISPATCH_BLOCK
, &authctxt
.success
, &authctxt
); /* loop until success */
414 pubkey_cleanup(&authctxt
);
415 dispatch_range(SSH2_MSG_USERAUTH_MIN
, SSH2_MSG_USERAUTH_MAX
, NULL
);
417 debug("Authentication succeeded (%s).", authctxt
.method
->name
);
421 userauth(Authctxt
*authctxt
, char *authlist
)
423 if (authctxt
->method
!= NULL
&& authctxt
->method
->cleanup
!= NULL
)
424 authctxt
->method
->cleanup(authctxt
);
426 free(authctxt
->methoddata
);
427 authctxt
->methoddata
= NULL
;
428 if (authlist
== NULL
) {
429 authlist
= authctxt
->authlist
;
431 free(authctxt
->authlist
);
432 authctxt
->authlist
= authlist
;
435 Authmethod
*method
= authmethod_get(authlist
);
437 fatal("Permission denied (%s).", authlist
);
438 authctxt
->method
= method
;
440 /* reset the per method handler */
441 dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN
,
442 SSH2_MSG_USERAUTH_PER_METHOD_MAX
, NULL
);
444 /* and try new method */
445 if (method
->userauth(authctxt
) != 0) {
446 debug2("we sent a %s packet, wait for reply", method
->name
);
449 debug2("we did not send a packet, disable method");
450 method
->enabled
= NULL
;
457 input_userauth_error(int type
, u_int32_t seq
, void *ctxt
)
459 fatal("input_userauth_error: bad message during authentication: "
465 input_userauth_banner(int type
, u_int32_t seq
, void *ctxt
)
467 char *msg
, *raw
, *lang
;
470 debug3("input_userauth_banner");
471 raw
= packet_get_string(&len
);
472 lang
= packet_get_string(NULL
);
473 if (len
> 0 && options
.log_level
>= SYSLOG_LEVEL_INFO
) {
476 msg
= xmalloc(len
* 4 + 1); /* max expansion from strnvis() */
477 strnvis(msg
, raw
, len
* 4 + 1, VIS_SAFE
|VIS_OCTAL
|VIS_NOSLASH
);
478 fprintf(stderr
, "%s", msg
);
487 input_userauth_success(int type
, u_int32_t seq
, void *ctxt
)
489 Authctxt
*authctxt
= ctxt
;
491 if (authctxt
== NULL
)
492 fatal("input_userauth_success: no authentication context");
493 free(authctxt
->authlist
);
494 authctxt
->authlist
= NULL
;
495 if (authctxt
->method
!= NULL
&& authctxt
->method
->cleanup
!= NULL
)
496 authctxt
->method
->cleanup(authctxt
);
497 free(authctxt
->methoddata
);
498 authctxt
->methoddata
= NULL
;
499 authctxt
->success
= 1; /* break out */
503 input_userauth_success_unexpected(int type
, u_int32_t seq
, void *ctxt
)
505 Authctxt
*authctxt
= ctxt
;
507 if (authctxt
== NULL
)
508 fatal("%s: no authentication context", __func__
);
510 fatal("Unexpected authentication success during %s.",
511 authctxt
->method
->name
);
516 input_userauth_failure(int type
, u_int32_t seq
, void *ctxt
)
518 Authctxt
*authctxt
= ctxt
;
519 char *authlist
= NULL
;
522 if (authctxt
== NULL
)
523 fatal("input_userauth_failure: no authentication context");
525 authlist
= packet_get_string(NULL
);
526 partial
= packet_get_char();
530 logit("Authenticated with partial success.");
532 pubkey_cleanup(authctxt
);
533 pubkey_prepare(authctxt
);
535 debug("Authentications that can continue: %s", authlist
);
537 userauth(authctxt
, authlist
);
542 input_userauth_pk_ok(int type
, u_int32_t seq
, void *ctxt
)
544 Authctxt
*authctxt
= ctxt
;
548 int pktype
, sent
= 0;
553 if (authctxt
== NULL
)
554 fatal("input_userauth_pk_ok: no authentication context");
555 if (datafellows
& SSH_BUG_PKOK
) {
556 /* this is similar to SSH_BUG_PKAUTH */
557 debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
558 pkblob
= packet_get_string(&blen
);
560 buffer_append(&b
, pkblob
, blen
);
561 pkalg
= buffer_get_string(&b
, &alen
);
564 pkalg
= packet_get_string(&alen
);
565 pkblob
= packet_get_string(&blen
);
569 debug("Server accepts key: pkalg %s blen %u", pkalg
, blen
);
571 if ((pktype
= key_type_from_name(pkalg
)) == KEY_UNSPEC
) {
572 debug("unknown pkalg %s", pkalg
);
575 if ((key
= key_from_blob(pkblob
, blen
)) == NULL
) {
576 debug("no key from blob. pkalg %s", pkalg
);
579 if (key
->type
!= pktype
) {
580 error("input_userauth_pk_ok: type mismatch "
581 "for decoded key (received %d, expected %d)",
585 fp
= key_fingerprint(key
, SSH_FP_MD5
, SSH_FP_HEX
);
586 debug2("input_userauth_pk_ok: fp %s", fp
);
590 * search keys in the reverse order, because last candidate has been
591 * moved to the end of the queue. this also avoids confusion by
594 TAILQ_FOREACH_REVERSE(id
, &authctxt
->keys
, idlist
, next
) {
595 if (key_equal(key
, id
->key
)) {
596 sent
= sign_and_send_pubkey(authctxt
, id
);
606 /* try another method if we did not send a packet */
608 userauth(authctxt
, NULL
);
613 userauth_gssapi(Authctxt
*authctxt
)
615 Gssctxt
*gssctxt
= NULL
;
616 static gss_OID_set gss_supported
= NULL
;
617 static u_int mech
= 0;
621 /* Try one GSSAPI method at a time, rather than sending them all at
624 if (gss_supported
== NULL
)
625 gss_indicate_mechs(&min
, &gss_supported
);
627 /* Check to see if the mechanism is usable before we offer it */
628 while (mech
< gss_supported
->count
&& !ok
) {
629 /* My DER encoding requires length<128 */
630 if (gss_supported
->elements
[mech
].length
< 128 &&
631 ssh_gssapi_check_mechanism(&gssctxt
,
632 &gss_supported
->elements
[mech
], authctxt
->host
)) {
633 ok
= 1; /* Mechanism works */
642 authctxt
->methoddata
=(void *)gssctxt
;
644 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
645 packet_put_cstring(authctxt
->server_user
);
646 packet_put_cstring(authctxt
->service
);
647 packet_put_cstring(authctxt
->method
->name
);
651 packet_put_int((gss_supported
->elements
[mech
].length
) + 2);
652 packet_put_char(SSH_GSS_OIDTYPE
);
653 packet_put_char(gss_supported
->elements
[mech
].length
);
654 packet_put_raw(gss_supported
->elements
[mech
].elements
,
655 gss_supported
->elements
[mech
].length
);
659 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE
, &input_gssapi_response
);
660 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN
, &input_gssapi_token
);
661 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR
, &input_gssapi_error
);
662 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK
, &input_gssapi_errtok
);
664 mech
++; /* Move along to next candidate */
670 process_gssapi_token(void *ctxt
, gss_buffer_t recv_tok
)
672 Authctxt
*authctxt
= ctxt
;
673 Gssctxt
*gssctxt
= authctxt
->methoddata
;
674 gss_buffer_desc send_tok
= GSS_C_EMPTY_BUFFER
;
675 gss_buffer_desc mic
= GSS_C_EMPTY_BUFFER
;
676 gss_buffer_desc gssbuf
;
677 OM_uint32 status
, ms
, flags
;
680 status
= ssh_gssapi_init_ctx(gssctxt
, options
.gss_deleg_creds
,
681 recv_tok
, &send_tok
, &flags
);
683 if (send_tok
.length
> 0) {
684 if (GSS_ERROR(status
))
685 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK
);
687 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN
);
689 packet_put_string(send_tok
.value
, send_tok
.length
);
691 gss_release_buffer(&ms
, &send_tok
);
694 if (status
== GSS_S_COMPLETE
) {
695 /* send either complete or MIC, depending on mechanism */
696 if (!(flags
& GSS_C_INTEG_FLAG
)) {
697 packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE
);
700 ssh_gssapi_buildmic(&b
, authctxt
->server_user
,
701 authctxt
->service
, "gssapi-with-mic");
703 gssbuf
.value
= buffer_ptr(&b
);
704 gssbuf
.length
= buffer_len(&b
);
706 status
= ssh_gssapi_sign(gssctxt
, &gssbuf
, &mic
);
708 if (!GSS_ERROR(status
)) {
709 packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC
);
710 packet_put_string(mic
.value
, mic
.length
);
716 gss_release_buffer(&ms
, &mic
);
725 input_gssapi_response(int type
, u_int32_t plen
, void *ctxt
)
727 Authctxt
*authctxt
= ctxt
;
732 if (authctxt
== NULL
)
733 fatal("input_gssapi_response: no authentication context");
734 gssctxt
= authctxt
->methoddata
;
737 oidv
= packet_get_string(&oidlen
);
740 oidv
[0] != SSH_GSS_OIDTYPE
||
741 oidv
[1] != oidlen
- 2) {
743 debug("Badly encoded mechanism OID received");
744 userauth(authctxt
, NULL
);
748 if (!ssh_gssapi_check_oid(gssctxt
, oidv
+ 2, oidlen
- 2))
749 fatal("Server returned different OID than expected");
755 if (GSS_ERROR(process_gssapi_token(ctxt
, GSS_C_NO_BUFFER
))) {
756 /* Start again with next method on list */
757 debug("Trying to start again");
758 userauth(authctxt
, NULL
);
765 input_gssapi_token(int type
, u_int32_t plen
, void *ctxt
)
767 Authctxt
*authctxt
= ctxt
;
768 gss_buffer_desc recv_tok
;
772 if (authctxt
== NULL
)
773 fatal("input_gssapi_response: no authentication context");
775 recv_tok
.value
= packet_get_string(&slen
);
776 recv_tok
.length
= slen
; /* safe typecast */
780 status
= process_gssapi_token(ctxt
, &recv_tok
);
782 free(recv_tok
.value
);
784 if (GSS_ERROR(status
)) {
785 /* Start again with the next method in the list */
786 userauth(authctxt
, NULL
);
793 input_gssapi_errtok(int type
, u_int32_t plen
, void *ctxt
)
795 Authctxt
*authctxt
= ctxt
;
797 gss_buffer_desc send_tok
= GSS_C_EMPTY_BUFFER
;
798 gss_buffer_desc recv_tok
;
802 if (authctxt
== NULL
)
803 fatal("input_gssapi_response: no authentication context");
804 gssctxt
= authctxt
->methoddata
;
806 recv_tok
.value
= packet_get_string(&len
);
807 recv_tok
.length
= len
;
811 /* Stick it into GSSAPI and see what it says */
812 (void)ssh_gssapi_init_ctx(gssctxt
, options
.gss_deleg_creds
,
813 &recv_tok
, &send_tok
, NULL
);
815 free(recv_tok
.value
);
816 gss_release_buffer(&ms
, &send_tok
);
818 /* Server will be returning a failed packet after this one */
823 input_gssapi_error(int type
, u_int32_t plen
, void *ctxt
)
828 /* maj */(void)packet_get_int();
829 /* min */(void)packet_get_int();
830 msg
=packet_get_string(NULL
);
831 lang
=packet_get_string(NULL
);
835 debug("Server GSSAPI Error:\n%s", msg
);
842 userauth_none(Authctxt
*authctxt
)
844 /* initial userauth request */
845 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
846 packet_put_cstring(authctxt
->server_user
);
847 packet_put_cstring(authctxt
->service
);
848 packet_put_cstring(authctxt
->method
->name
);
854 userauth_passwd(Authctxt
*authctxt
)
856 static int attempt
= 0;
859 const char *host
= options
.host_key_alias
? options
.host_key_alias
:
862 if (attempt
++ >= options
.number_of_password_prompts
)
866 error("Permission denied, please try again.");
868 snprintf(prompt
, sizeof(prompt
), "%.30s@%.128s's password: ",
869 authctxt
->server_user
, host
);
870 password
= read_passphrase(prompt
, 0);
871 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
872 packet_put_cstring(authctxt
->server_user
);
873 packet_put_cstring(authctxt
->service
);
874 packet_put_cstring(authctxt
->method
->name
);
876 packet_put_cstring(password
);
877 explicit_bzero(password
, strlen(password
));
879 packet_add_padding(64);
882 dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ
,
883 &input_userauth_passwd_changereq
);
889 * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
893 input_userauth_passwd_changereq(int type
, u_int32_t seqnr
, void *ctxt
)
895 Authctxt
*authctxt
= ctxt
;
896 char *info
, *lang
, *password
= NULL
, *retype
= NULL
;
898 const char *host
= options
.host_key_alias
? options
.host_key_alias
:
901 debug2("input_userauth_passwd_changereq");
903 if (authctxt
== NULL
)
904 fatal("input_userauth_passwd_changereq: "
905 "no authentication context");
907 info
= packet_get_string(NULL
);
908 lang
= packet_get_string(NULL
);
909 if (strlen(info
) > 0)
913 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
914 packet_put_cstring(authctxt
->server_user
);
915 packet_put_cstring(authctxt
->service
);
916 packet_put_cstring(authctxt
->method
->name
);
917 packet_put_char(1); /* additional info */
918 snprintf(prompt
, sizeof(prompt
),
919 "Enter %.30s@%.128s's old password: ",
920 authctxt
->server_user
, host
);
921 password
= read_passphrase(prompt
, 0);
922 packet_put_cstring(password
);
923 explicit_bzero(password
, strlen(password
));
926 while (password
== NULL
) {
927 snprintf(prompt
, sizeof(prompt
),
928 "Enter %.30s@%.128s's new password: ",
929 authctxt
->server_user
, host
);
930 password
= read_passphrase(prompt
, RP_ALLOW_EOF
);
931 if (password
== NULL
) {
935 snprintf(prompt
, sizeof(prompt
),
936 "Retype %.30s@%.128s's new password: ",
937 authctxt
->server_user
, host
);
938 retype
= read_passphrase(prompt
, 0);
939 if (strcmp(password
, retype
) != 0) {
940 explicit_bzero(password
, strlen(password
));
942 logit("Mismatch; try again, EOF to quit.");
945 explicit_bzero(retype
, strlen(retype
));
948 packet_put_cstring(password
);
949 explicit_bzero(password
, strlen(password
));
951 packet_add_padding(64);
954 dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ
,
955 &input_userauth_passwd_changereq
);
959 identity_sign(Identity
*id
, u_char
**sigp
, u_int
*lenp
,
960 u_char
*data
, u_int datalen
)
965 /* the agent supports this key */
967 return (ssh_agent_sign(id
->ac
, id
->key
, sigp
, lenp
,
970 * we have already loaded the private key or
971 * the private key is stored in external hardware
973 if (id
->isprivate
|| (id
->key
->flags
& SSHKEY_FLAG_EXT
))
974 return (key_sign(id
->key
, sigp
, lenp
, data
, datalen
));
975 /* load the private key from the file */
976 if ((prv
= load_identity_file(id
->filename
, id
->userprovided
)) == NULL
)
978 ret
= key_sign(prv
, sigp
, lenp
, data
, datalen
);
984 sign_and_send_pubkey(Authctxt
*authctxt
, Identity
*id
)
987 u_char
*blob
, *signature
;
994 fp
= key_fingerprint(id
->key
, SSH_FP_MD5
, SSH_FP_HEX
);
995 debug3("sign_and_send_pubkey: %s %s", key_type(id
->key
), fp
);
998 if (key_to_blob(id
->key
, &blob
, &bloblen
) == 0) {
999 /* we cannot handle this key */
1000 debug3("sign_and_send_pubkey: cannot handle key");
1003 /* data to be signed */
1005 if (datafellows
& SSH_OLD_SESSIONID
) {
1006 buffer_append(&b
, session_id2
, session_id2_len
);
1007 skip
= session_id2_len
;
1009 buffer_put_string(&b
, session_id2
, session_id2_len
);
1010 skip
= buffer_len(&b
);
1012 buffer_put_char(&b
, SSH2_MSG_USERAUTH_REQUEST
);
1013 buffer_put_cstring(&b
, authctxt
->server_user
);
1014 buffer_put_cstring(&b
,
1015 datafellows
& SSH_BUG_PKSERVICE
?
1018 if (datafellows
& SSH_BUG_PKAUTH
) {
1019 buffer_put_char(&b
, have_sig
);
1021 buffer_put_cstring(&b
, authctxt
->method
->name
);
1022 buffer_put_char(&b
, have_sig
);
1023 buffer_put_cstring(&b
, key_ssh_name(id
->key
));
1025 buffer_put_string(&b
, blob
, bloblen
);
1027 /* generate signature */
1028 ret
= identity_sign(id
, &signature
, &slen
,
1029 buffer_ptr(&b
), buffer_len(&b
));
1038 if (datafellows
& SSH_BUG_PKSERVICE
) {
1040 buffer_append(&b
, session_id2
, session_id2_len
);
1041 skip
= session_id2_len
;
1042 buffer_put_char(&b
, SSH2_MSG_USERAUTH_REQUEST
);
1043 buffer_put_cstring(&b
, authctxt
->server_user
);
1044 buffer_put_cstring(&b
, authctxt
->service
);
1045 buffer_put_cstring(&b
, authctxt
->method
->name
);
1046 buffer_put_char(&b
, have_sig
);
1047 if (!(datafellows
& SSH_BUG_PKAUTH
))
1048 buffer_put_cstring(&b
, key_ssh_name(id
->key
));
1049 buffer_put_string(&b
, blob
, bloblen
);
1053 /* append signature */
1054 buffer_put_string(&b
, signature
, slen
);
1057 /* skip session id and packet type */
1058 if (buffer_len(&b
) < skip
+ 1)
1059 fatal("userauth_pubkey: internal error");
1060 buffer_consume(&b
, skip
+ 1);
1062 /* put remaining data from buffer into packet */
1063 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
1064 packet_put_raw(buffer_ptr(&b
), buffer_len(&b
));
1072 send_pubkey_test(Authctxt
*authctxt
, Identity
*id
)
1075 u_int bloblen
, have_sig
= 0;
1077 debug3("send_pubkey_test");
1079 if (key_to_blob(id
->key
, &blob
, &bloblen
) == 0) {
1080 /* we cannot handle this key */
1081 debug3("send_pubkey_test: cannot handle key");
1084 /* register callback for USERAUTH_PK_OK message */
1085 dispatch_set(SSH2_MSG_USERAUTH_PK_OK
, &input_userauth_pk_ok
);
1087 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
1088 packet_put_cstring(authctxt
->server_user
);
1089 packet_put_cstring(authctxt
->service
);
1090 packet_put_cstring(authctxt
->method
->name
);
1091 packet_put_char(have_sig
);
1092 if (!(datafellows
& SSH_BUG_PKAUTH
))
1093 packet_put_cstring(key_ssh_name(id
->key
));
1094 packet_put_string(blob
, bloblen
);
1101 load_identity_file(char *filename
, int userprovided
)
1104 char prompt
[300], *passphrase
;
1105 int perm_ok
= 0, quit
, i
;
1108 if (stat(filename
, &st
) < 0) {
1109 (userprovided
? logit
: debug3
)("no such identity: %s: %s",
1110 filename
, strerror(errno
));
1113 private = key_load_private_type(KEY_UNSPEC
, filename
, "", NULL
, &perm_ok
);
1115 if (private != NULL
)
1119 if (private == NULL
) {
1120 if (options
.batch_mode
)
1122 snprintf(prompt
, sizeof prompt
,
1123 "Enter passphrase for key '%.100s': ", filename
);
1124 for (i
= 0; i
< options
.number_of_password_prompts
; i
++) {
1125 passphrase
= read_passphrase(prompt
, 0);
1126 if (strcmp(passphrase
, "") != 0) {
1127 private = key_load_private_type(KEY_UNSPEC
,
1128 filename
, passphrase
, NULL
, NULL
);
1131 debug2("no passphrase given, try next key");
1134 explicit_bzero(passphrase
, strlen(passphrase
));
1136 if (private != NULL
|| quit
)
1138 debug2("bad passphrase given, try again...");
1145 * try keys in the following order:
1146 * 1. agent keys that are found in the config file
1147 * 2. other agent keys
1148 * 3. keys that are only listed in the config file
1151 pubkey_prepare(Authctxt
*authctxt
)
1153 Identity
*id
, *id2
, *tmp
;
1154 Idlist agent
, files
, *preferred
;
1156 AuthenticationConnection
*ac
;
1160 TAILQ_INIT(&agent
); /* keys from the agent */
1161 TAILQ_INIT(&files
); /* keys from the config file */
1162 preferred
= &authctxt
->keys
;
1163 TAILQ_INIT(preferred
); /* preferred order of keys */
1165 /* list of keys stored in the filesystem and PKCS#11 */
1166 for (i
= 0; i
< options
.num_identity_files
; i
++) {
1167 key
= options
.identity_keys
[i
];
1168 if (key
&& key
->type
== KEY_RSA1
)
1170 if (key
&& key
->cert
&& key
->cert
->type
!= SSH2_CERT_TYPE_USER
)
1172 options
.identity_keys
[i
] = NULL
;
1173 id
= xcalloc(1, sizeof(*id
));
1175 id
->filename
= xstrdup(options
.identity_files
[i
]);
1176 id
->userprovided
= options
.identity_file_userprovided
[i
];
1177 TAILQ_INSERT_TAIL(&files
, id
, next
);
1179 /* Prefer PKCS11 keys that are explicitly listed */
1180 TAILQ_FOREACH_SAFE(id
, &files
, next
, tmp
) {
1181 if (id
->key
== NULL
|| (id
->key
->flags
& SSHKEY_FLAG_EXT
) == 0)
1184 TAILQ_FOREACH(id2
, &files
, next
) {
1185 if (id2
->key
== NULL
||
1186 (id2
->key
->flags
& SSHKEY_FLAG_EXT
) == 0)
1188 if (key_equal(id
->key
, id2
->key
)) {
1189 TAILQ_REMOVE(&files
, id
, next
);
1190 TAILQ_INSERT_TAIL(preferred
, id
, next
);
1195 /* If IdentitiesOnly set and key not found then don't use it */
1196 if (!found
&& options
.identities_only
) {
1197 TAILQ_REMOVE(&files
, id
, next
);
1198 explicit_bzero(id
, sizeof(*id
));
1202 /* list of keys supported by the agent */
1203 if ((ac
= ssh_get_authentication_connection())) {
1204 for (key
= ssh_get_first_identity(ac
, &comment
, 2);
1206 key
= ssh_get_next_identity(ac
, &comment
, 2)) {
1208 TAILQ_FOREACH(id
, &files
, next
) {
1209 /* agent keys from the config file are preferred */
1210 if (key_equal(key
, id
->key
)) {
1213 TAILQ_REMOVE(&files
, id
, next
);
1214 TAILQ_INSERT_TAIL(preferred
, id
, next
);
1220 if (!found
&& !options
.identities_only
) {
1221 id
= xcalloc(1, sizeof(*id
));
1223 id
->filename
= comment
;
1225 TAILQ_INSERT_TAIL(&agent
, id
, next
);
1228 /* append remaining agent keys */
1229 for (id
= TAILQ_FIRST(&agent
); id
; id
= TAILQ_FIRST(&agent
)) {
1230 TAILQ_REMOVE(&agent
, id
, next
);
1231 TAILQ_INSERT_TAIL(preferred
, id
, next
);
1233 authctxt
->agent
= ac
;
1235 /* append remaining keys from the config file */
1236 for (id
= TAILQ_FIRST(&files
); id
; id
= TAILQ_FIRST(&files
)) {
1237 TAILQ_REMOVE(&files
, id
, next
);
1238 TAILQ_INSERT_TAIL(preferred
, id
, next
);
1240 TAILQ_FOREACH(id
, preferred
, next
) {
1241 debug2("key: %s (%p),%s", id
->filename
, id
->key
,
1242 id
->userprovided
? " explicit" : "");
1247 pubkey_cleanup(Authctxt
*authctxt
)
1251 if (authctxt
->agent
!= NULL
)
1252 ssh_close_authentication_connection(authctxt
->agent
);
1253 for (id
= TAILQ_FIRST(&authctxt
->keys
); id
;
1254 id
= TAILQ_FIRST(&authctxt
->keys
)) {
1255 TAILQ_REMOVE(&authctxt
->keys
, id
, next
);
1264 userauth_pubkey(Authctxt
*authctxt
)
1269 while ((id
= TAILQ_FIRST(&authctxt
->keys
))) {
1272 /* move key to the end of the queue */
1273 TAILQ_REMOVE(&authctxt
->keys
, id
, next
);
1274 TAILQ_INSERT_TAIL(&authctxt
->keys
, id
, next
);
1276 * send a test message if we have the public key. for
1277 * encrypted keys we cannot do this and have to load the
1278 * private key instead
1280 if (id
->key
!= NULL
) {
1281 if (key_type_plain(id
->key
->type
) == KEY_RSA
&&
1282 (datafellows
& SSH_BUG_RSASIGMD5
) != 0) {
1283 debug("Skipped %s key %s for RSA/MD5 server",
1284 key_type(id
->key
), id
->filename
);
1285 } else if (id
->key
->type
!= KEY_RSA1
) {
1286 debug("Offering %s public key: %s",
1287 key_type(id
->key
), id
->filename
);
1288 sent
= send_pubkey_test(authctxt
, id
);
1291 debug("Trying private key: %s", id
->filename
);
1292 id
->key
= load_identity_file(id
->filename
,
1294 if (id
->key
!= NULL
) {
1296 if (key_type_plain(id
->key
->type
) == KEY_RSA
&&
1297 (datafellows
& SSH_BUG_RSASIGMD5
) != 0) {
1298 debug("Skipped %s key %s for RSA/MD5 "
1299 "server", key_type(id
->key
),
1302 sent
= sign_and_send_pubkey(
1316 * Send userauth request message specifying keyboard-interactive method.
1319 userauth_kbdint(Authctxt
*authctxt
)
1321 static int attempt
= 0;
1323 if (attempt
++ >= options
.number_of_password_prompts
)
1325 /* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1326 if (attempt
> 1 && !authctxt
->info_req_seen
) {
1327 debug3("userauth_kbdint: disable: no info_req_seen");
1328 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST
, NULL
);
1332 debug2("userauth_kbdint");
1333 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
1334 packet_put_cstring(authctxt
->server_user
);
1335 packet_put_cstring(authctxt
->service
);
1336 packet_put_cstring(authctxt
->method
->name
);
1337 packet_put_cstring(""); /* lang */
1338 packet_put_cstring(options
.kbd_interactive_devices
?
1339 options
.kbd_interactive_devices
: "");
1342 dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST
, &input_userauth_info_req
);
1347 * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1350 input_userauth_info_req(int type
, u_int32_t seq
, void *ctxt
)
1352 Authctxt
*authctxt
= ctxt
;
1353 char *name
, *inst
, *lang
, *prompt
, *response
;
1354 u_int num_prompts
, i
;
1357 debug2("input_userauth_info_req");
1359 if (authctxt
== NULL
)
1360 fatal("input_userauth_info_req: no authentication context");
1362 authctxt
->info_req_seen
= 1;
1364 name
= packet_get_string(NULL
);
1365 inst
= packet_get_string(NULL
);
1366 lang
= packet_get_string(NULL
);
1367 if (strlen(name
) > 0)
1369 if (strlen(inst
) > 0)
1375 num_prompts
= packet_get_int();
1377 * Begin to build info response packet based on prompts requested.
1378 * We commit to providing the correct number of responses, so if
1379 * further on we run into a problem that prevents this, we have to
1380 * be sure and clean this up and send a correct error response.
1382 packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE
);
1383 packet_put_int(num_prompts
);
1385 debug2("input_userauth_info_req: num_prompts %d", num_prompts
);
1386 for (i
= 0; i
< num_prompts
; i
++) {
1387 prompt
= packet_get_string(NULL
);
1388 echo
= packet_get_char();
1390 response
= read_passphrase(prompt
, echo
? RP_ECHO
: 0);
1392 packet_put_cstring(response
);
1393 explicit_bzero(response
, strlen(response
));
1397 packet_check_eom(); /* done with parsing incoming message. */
1399 packet_add_padding(64);
1404 ssh_keysign(Key
*key
, u_char
**sigp
, u_int
*lenp
,
1405 u_char
*data
, u_int datalen
)
1410 int to
[2], from
[2], status
, version
= 2;
1412 debug2("ssh_keysign called");
1414 if (stat(_PATH_SSH_KEY_SIGN
, &st
) < 0) {
1415 error("ssh_keysign: not installed: %s", strerror(errno
));
1418 if (fflush(stdout
) != 0)
1419 error("ssh_keysign: fflush: %s", strerror(errno
));
1421 error("ssh_keysign: pipe: %s", strerror(errno
));
1424 if (pipe(from
) < 0) {
1425 error("ssh_keysign: pipe: %s", strerror(errno
));
1428 if ((pid
= fork()) < 0) {
1429 error("ssh_keysign: fork: %s", strerror(errno
));
1433 /* keep the socket on exec */
1434 fcntl(packet_get_connection_in(), F_SETFD
, 0);
1435 permanently_drop_suid(getuid());
1437 if (dup2(from
[1], STDOUT_FILENO
) < 0)
1438 fatal("ssh_keysign: dup2: %s", strerror(errno
));
1440 if (dup2(to
[0], STDIN_FILENO
) < 0)
1441 fatal("ssh_keysign: dup2: %s", strerror(errno
));
1444 execl(_PATH_SSH_KEY_SIGN
, _PATH_SSH_KEY_SIGN
, (char *) 0);
1445 fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN
,
1452 buffer_put_int(&b
, packet_get_connection_in()); /* send # of socket */
1453 buffer_put_string(&b
, data
, datalen
);
1454 if (ssh_msg_send(to
[1], version
, &b
) == -1)
1455 fatal("ssh_keysign: couldn't send request");
1457 if (ssh_msg_recv(from
[0], &b
) < 0) {
1458 error("ssh_keysign: no reply");
1465 while (waitpid(pid
, &status
, 0) < 0)
1469 if (buffer_get_char(&b
) != version
) {
1470 error("ssh_keysign: bad version");
1474 *sigp
= buffer_get_string(&b
, lenp
);
1481 userauth_hostbased(Authctxt
*authctxt
)
1483 Key
*private = NULL
;
1484 Sensitive
*sensitive
= authctxt
->sensitive
;
1486 u_char
*signature
, *blob
;
1487 char *chost
, *pkalg
, *p
;
1488 const char *service
;
1490 int ok
, i
, found
= 0;
1492 /* check for a useful key */
1493 for (i
= 0; i
< sensitive
->nkeys
; i
++) {
1494 private = sensitive
->keys
[i
];
1495 if (private && private->type
!= KEY_RSA1
) {
1497 /* we take and free the key */
1498 sensitive
->keys
[i
] = NULL
;
1503 debug("No more client hostkeys for hostbased authentication.");
1506 if (key_to_blob(private, &blob
, &blen
) == 0) {
1510 /* figure out a name for the client host */
1511 p
= get_local_name(packet_get_connection_in());
1513 error("userauth_hostbased: cannot get local ipaddr/name");
1518 xasprintf(&chost
, "%s.", p
);
1519 debug2("userauth_hostbased: chost %s", chost
);
1522 service
= datafellows
& SSH_BUG_HBSERVICE
? "ssh-userauth" :
1524 pkalg
= xstrdup(key_ssh_name(private));
1526 /* construct data */
1527 buffer_put_string(&b
, session_id2
, session_id2_len
);
1528 buffer_put_char(&b
, SSH2_MSG_USERAUTH_REQUEST
);
1529 buffer_put_cstring(&b
, authctxt
->server_user
);
1530 buffer_put_cstring(&b
, service
);
1531 buffer_put_cstring(&b
, authctxt
->method
->name
);
1532 buffer_put_cstring(&b
, pkalg
);
1533 buffer_put_string(&b
, blob
, blen
);
1534 buffer_put_cstring(&b
, chost
);
1535 buffer_put_cstring(&b
, authctxt
->local_user
);
1539 if (sensitive
->external_keysign
)
1540 ok
= ssh_keysign(private, &signature
, &slen
,
1541 buffer_ptr(&b
), buffer_len(&b
));
1543 ok
= key_sign(private, &signature
, &slen
,
1544 buffer_ptr(&b
), buffer_len(&b
));
1548 error("key_sign failed");
1554 packet_start(SSH2_MSG_USERAUTH_REQUEST
);
1555 packet_put_cstring(authctxt
->server_user
);
1556 packet_put_cstring(authctxt
->service
);
1557 packet_put_cstring(authctxt
->method
->name
);
1558 packet_put_cstring(pkalg
);
1559 packet_put_string(blob
, blen
);
1560 packet_put_cstring(chost
);
1561 packet_put_cstring(authctxt
->local_user
);
1562 packet_put_string(signature
, slen
);
1563 explicit_bzero(signature
, slen
);
1573 /* find auth method */
1576 * given auth method name, if configurable options permit this method fill
1577 * in auth_ident field and return true, otherwise return false.
1580 authmethod_is_enabled(Authmethod
*method
)
1584 /* return false if options indicate this method is disabled */
1585 if (method
->enabled
== NULL
|| *method
->enabled
== 0)
1587 /* return false if batch mode is enabled but method needs interactive mode */
1588 if (method
->batch_flag
!= NULL
&& *method
->batch_flag
!= 0)
1594 authmethod_lookup(const char *name
)
1596 Authmethod
*method
= NULL
;
1598 for (method
= authmethods
; method
->name
!= NULL
; method
++)
1599 if (strcmp(name
, method
->name
) == 0)
1601 debug2("Unrecognized authentication method name: %s", name
? name
: "NULL");
1605 /* XXX internal state */
1606 static Authmethod
*current
= NULL
;
1607 static char *supported
= NULL
;
1608 static char *preferred
= NULL
;
1611 * Given the authentication method list sent by the server, return the
1612 * next method we should try. If the server initially sends a nil list,
1613 * use a built-in default list.
1616 authmethod_get(char *authlist
)
1621 /* Use a suitable default if we're passed a nil list. */
1622 if (authlist
== NULL
|| strlen(authlist
) == 0)
1623 authlist
= options
.preferred_authentications
;
1625 if (supported
== NULL
|| strcmp(authlist
, supported
) != 0) {
1626 debug3("start over, passed a different list %s", authlist
);
1628 supported
= xstrdup(authlist
);
1629 preferred
= options
.preferred_authentications
;
1630 debug3("preferred %s", preferred
);
1632 } else if (current
!= NULL
&& authmethod_is_enabled(current
))
1636 if ((name
= match_list(preferred
, supported
, &next
)) == NULL
) {
1637 debug("No more authentication methods to try.");
1642 debug3("authmethod_lookup %s", name
);
1643 debug3("remaining preferred: %s", preferred
);
1644 if ((current
= authmethod_lookup(name
)) != NULL
&&
1645 authmethod_is_enabled(current
)) {
1646 debug3("authmethod_is_enabled %s", name
);
1647 debug("Next authentication method: %s", name
);
1656 authmethods_get(void)
1658 Authmethod
*method
= NULL
;
1663 for (method
= authmethods
; method
->name
!= NULL
; method
++) {
1664 if (authmethod_is_enabled(method
)) {
1665 if (buffer_len(&b
) > 0)
1666 buffer_append(&b
, ",", 1);
1667 buffer_append(&b
, method
->name
, strlen(method
->name
));
1670 buffer_append(&b
, "\0", 1);
1671 list
= xstrdup(buffer_ptr(&b
));