1 /* $OpenBSD: auth2-chall.c,v 1.48 2017/05/30 14:29:59 markus Exp $ */
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 #include <sys/types.h>
48 extern ServerOptions options
;
50 static int auth2_challenge_start(struct ssh
*);
51 static int send_userauth_info_request(Authctxt
*);
52 static int input_userauth_info_response(int, u_int32_t
, struct ssh
*);
55 extern KbdintDevice bsdauth_device
;
58 extern KbdintDevice sshpam_device
;
61 extern KbdintDevice skey_device
;
65 KbdintDevice
*devices
[] = {
79 typedef struct KbdintAuthctxt KbdintAuthctxt
;
91 remove_kbdint_device(const char *devname
)
95 for (i
= 0; devices
[i
] != NULL
; i
++)
96 if (strcmp(devices
[i
]->name
, devname
) == 0) {
97 for (j
= i
; devices
[j
] != NULL
; j
++)
98 devices
[j
] = devices
[j
+1];
104 static KbdintAuthctxt
*
105 kbdint_alloc(const char *devs
)
107 KbdintAuthctxt
*kbdintctxt
;
112 if (!options
.use_pam
)
113 remove_kbdint_device("pam");
116 kbdintctxt
= xcalloc(1, sizeof(KbdintAuthctxt
));
117 if (strcmp(devs
, "") == 0) {
119 for (i
= 0; devices
[i
]; i
++) {
120 if (buffer_len(&b
) > 0)
121 buffer_append(&b
, ",", 1);
122 buffer_append(&b
, devices
[i
]->name
,
123 strlen(devices
[i
]->name
));
125 if ((kbdintctxt
->devices
= sshbuf_dup_string(&b
)) == NULL
)
126 fatal("%s: sshbuf_dup_string failed", __func__
);
129 kbdintctxt
->devices
= xstrdup(devs
);
131 debug("kbdint_alloc: devices '%s'", kbdintctxt
->devices
);
132 kbdintctxt
->ctxt
= NULL
;
133 kbdintctxt
->device
= NULL
;
134 kbdintctxt
->nreq
= 0;
139 kbdint_reset_device(KbdintAuthctxt
*kbdintctxt
)
141 if (kbdintctxt
->ctxt
) {
142 kbdintctxt
->device
->free_ctx(kbdintctxt
->ctxt
);
143 kbdintctxt
->ctxt
= NULL
;
145 kbdintctxt
->device
= NULL
;
148 kbdint_free(KbdintAuthctxt
*kbdintctxt
)
150 if (kbdintctxt
->device
)
151 kbdint_reset_device(kbdintctxt
);
152 free(kbdintctxt
->devices
);
153 explicit_bzero(kbdintctxt
, sizeof(*kbdintctxt
));
156 /* get next device */
158 kbdint_next_device(Authctxt
*authctxt
, KbdintAuthctxt
*kbdintctxt
)
164 if (kbdintctxt
->device
)
165 kbdint_reset_device(kbdintctxt
);
167 len
= kbdintctxt
->devices
?
168 strcspn(kbdintctxt
->devices
, ",") : 0;
172 for (i
= 0; devices
[i
]; i
++) {
173 if ((kbdintctxt
->devices_done
& (1 << i
)) != 0 ||
174 !auth2_method_allowed(authctxt
,
175 "keyboard-interactive", devices
[i
]->name
))
177 if (strncmp(kbdintctxt
->devices
, devices
[i
]->name
,
179 kbdintctxt
->device
= devices
[i
];
180 kbdintctxt
->devices_done
|= 1 << i
;
183 t
= kbdintctxt
->devices
;
184 kbdintctxt
->devices
= t
[len
] ? xstrdup(t
+len
+1) : NULL
;
186 debug2("kbdint_next_device: devices %s", kbdintctxt
->devices
?
187 kbdintctxt
->devices
: "<empty>");
188 } while (kbdintctxt
->devices
&& !kbdintctxt
->device
);
190 return kbdintctxt
->device
? 1 : 0;
194 * try challenge-response, set authctxt->postponed if we have to
195 * wait for the response.
198 auth2_challenge(struct ssh
*ssh
, char *devs
)
200 Authctxt
*authctxt
= ssh
->authctxt
;
201 debug("auth2_challenge: user=%s devs=%s",
202 authctxt
->user
? authctxt
->user
: "<nouser>",
203 devs
? devs
: "<no devs>");
205 if (authctxt
->user
== NULL
|| !devs
)
207 if (authctxt
->kbdintctxt
== NULL
)
208 authctxt
->kbdintctxt
= kbdint_alloc(devs
);
209 return auth2_challenge_start(ssh
);
212 /* unregister kbd-int callbacks and context */
214 auth2_challenge_stop(struct ssh
*ssh
)
216 Authctxt
*authctxt
= ssh
->authctxt
;
217 /* unregister callback */
218 ssh_dispatch_set(ssh
, SSH2_MSG_USERAUTH_INFO_RESPONSE
, NULL
);
219 if (authctxt
->kbdintctxt
!= NULL
) {
220 kbdint_free(authctxt
->kbdintctxt
);
221 authctxt
->kbdintctxt
= NULL
;
225 /* side effect: sets authctxt->postponed if a reply was sent*/
227 auth2_challenge_start(struct ssh
*ssh
)
229 Authctxt
*authctxt
= ssh
->authctxt
;
230 KbdintAuthctxt
*kbdintctxt
= authctxt
->kbdintctxt
;
232 debug2("auth2_challenge_start: devices %s",
233 kbdintctxt
->devices
? kbdintctxt
->devices
: "<empty>");
235 if (kbdint_next_device(authctxt
, kbdintctxt
) == 0) {
236 auth2_challenge_stop(ssh
);
239 debug("auth2_challenge_start: trying authentication method '%s'",
240 kbdintctxt
->device
->name
);
242 if ((kbdintctxt
->ctxt
= kbdintctxt
->device
->init_ctx(authctxt
)) == NULL
) {
243 auth2_challenge_stop(ssh
);
246 if (send_userauth_info_request(authctxt
) == 0) {
247 auth2_challenge_stop(ssh
);
250 ssh_dispatch_set(ssh
, SSH2_MSG_USERAUTH_INFO_RESPONSE
,
251 &input_userauth_info_response
);
253 authctxt
->postponed
= 1;
258 send_userauth_info_request(Authctxt
*authctxt
)
260 KbdintAuthctxt
*kbdintctxt
;
261 char *name
, *instr
, **prompts
;
264 kbdintctxt
= authctxt
->kbdintctxt
;
265 if (kbdintctxt
->device
->query(kbdintctxt
->ctxt
,
266 &name
, &instr
, &kbdintctxt
->nreq
, &prompts
, &echo_on
))
269 packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST
);
270 packet_put_cstring(name
);
271 packet_put_cstring(instr
);
272 packet_put_cstring(""); /* language not used */
273 packet_put_int(kbdintctxt
->nreq
);
274 for (i
= 0; i
< kbdintctxt
->nreq
; i
++) {
275 packet_put_cstring(prompts
[i
]);
276 packet_put_char(echo_on
[i
]);
281 for (i
= 0; i
< kbdintctxt
->nreq
; i
++)
291 input_userauth_info_response(int type
, u_int32_t seq
, struct ssh
*ssh
)
293 Authctxt
*authctxt
= ssh
->authctxt
;
294 KbdintAuthctxt
*kbdintctxt
;
295 int authenticated
= 0, res
;
297 const char *devicename
= NULL
;
298 char **response
= NULL
;
300 if (authctxt
== NULL
)
301 fatal("input_userauth_info_response: no authctxt");
302 kbdintctxt
= authctxt
->kbdintctxt
;
303 if (kbdintctxt
== NULL
|| kbdintctxt
->ctxt
== NULL
)
304 fatal("input_userauth_info_response: no kbdintctxt");
305 if (kbdintctxt
->device
== NULL
)
306 fatal("input_userauth_info_response: no device");
308 authctxt
->postponed
= 0; /* reset */
309 nresp
= packet_get_int();
310 if (nresp
!= kbdintctxt
->nreq
)
311 fatal("input_userauth_info_response: wrong number of replies");
313 fatal("input_userauth_info_response: too many replies");
315 response
= xcalloc(nresp
, sizeof(char *));
316 for (i
= 0; i
< nresp
; i
++)
317 response
[i
] = packet_get_string(NULL
);
321 res
= kbdintctxt
->device
->respond(kbdintctxt
->ctxt
, nresp
, response
);
323 for (i
= 0; i
< nresp
; i
++) {
324 explicit_bzero(response
[i
], strlen(response
[i
]));
332 authenticated
= authctxt
->valid
? 1 : 0;
335 /* Authentication needs further interaction */
336 if (send_userauth_info_request(authctxt
) == 1)
337 authctxt
->postponed
= 1;
343 devicename
= kbdintctxt
->device
->name
;
344 if (!authctxt
->postponed
) {
346 auth2_challenge_stop(ssh
);
348 /* start next device */
349 /* may set authctxt->postponed */
350 auth2_challenge_start(ssh
);
353 userauth_finish(ssh
, authenticated
, "keyboard-interactive",
359 privsep_challenge_enable(void)
361 #if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
365 extern KbdintDevice mm_bsdauth_device
;
368 extern KbdintDevice mm_sshpam_device
;
371 extern KbdintDevice mm_skey_device
;
375 devices
[n
++] = &mm_bsdauth_device
;
378 devices
[n
++] = &mm_sshpam_device
;
381 devices
[n
++] = &mm_skey_device
;