4 * Copyright (c) 2002,2003 Matt Johnston
5 * Copyright (c) 2004 by Mihnea Stoenescu
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
35 void cli_authinitialise() {
37 memset(&ses
.authstate
, 0, sizeof(ses
.authstate
));
41 /* Send a "none" auth request to get available methods */
42 void cli_auth_getmethods() {
44 TRACE(("enter cli_auth_getmethods"))
48 buf_putbyte(ses
.writepayload
, SSH_MSG_USERAUTH_REQUEST
);
49 buf_putstring(ses
.writepayload
, cli_opts
.username
,
50 strlen(cli_opts
.username
));
51 buf_putstring(ses
.writepayload
, SSH_SERVICE_CONNECTION
,
52 SSH_SERVICE_CONNECTION_LEN
);
53 buf_putstring(ses
.writepayload
, "none", 4); /* 'none' method */
56 TRACE(("leave cli_auth_getmethods"))
60 void recv_msg_userauth_banner() {
62 unsigned char* banner
= NULL
;
63 unsigned int bannerlen
;
64 unsigned int i
, linecount
;
66 TRACE(("enter recv_msg_userauth_banner"))
67 if (ses
.authstate
.authdone
) {
68 TRACE(("leave recv_msg_userauth_banner: banner after auth done"))
72 banner
= buf_getstring(ses
.payload
, &bannerlen
);
73 buf_eatstring(ses
.payload
); /* The language string */
75 if (bannerlen
> MAX_BANNER_SIZE
) {
76 TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen
))
82 /* Limit to 25 lines */
84 for (i
= 0; i
< bannerlen
; i
++) {
85 if (banner
[i
] == '\n') {
86 if (linecount
>= MAX_BANNER_LINES
) {
94 fprintf(stderr
, "%s\n", banner
);
98 TRACE(("leave recv_msg_userauth_banner"))
101 /* This handles the message-specific types which
102 * all have a value of 60. These are
103 * SSH_MSG_USERAUTH_PASSWD_CHANGEREQ,
104 * SSH_MSG_USERAUTH_PK_OK, &
105 * SSH_MSG_USERAUTH_INFO_REQUEST. */
106 void recv_msg_userauth_specific_60() {
108 #ifdef ENABLE_CLI_PUBKEY_AUTH
109 if (cli_ses
.lastauthtype
== AUTH_TYPE_PUBKEY
) {
110 recv_msg_userauth_pk_ok();
115 #ifdef ENABLE_CLI_INTERACT_AUTH
116 if (cli_ses
.lastauthtype
== AUTH_TYPE_INTERACT
) {
117 recv_msg_userauth_info_request();
122 #ifdef ENABLE_CLI_PASSWORD_AUTH
123 if (cli_ses
.lastauthtype
== AUTH_TYPE_PASSWORD
) {
124 /* Eventually there could be proper password-changing
125 * support. However currently few servers seem to
126 * implement it, and password auth is last-resort
127 * regardless - keyboard-interactive is more likely
128 * to be used anyway. */
129 dropbear_close("Your password has expired.");
133 dropbear_exit("Unexpected userauth packet");
136 void recv_msg_userauth_failure() {
138 unsigned char * methods
= NULL
;
139 unsigned char * tok
= NULL
;
140 unsigned int methlen
= 0;
141 unsigned int partial
= 0;
144 TRACE(("<- MSG_USERAUTH_FAILURE"))
145 TRACE(("enter recv_msg_userauth_failure"))
147 if (cli_ses
.state
!= USERAUTH_REQ_SENT
) {
148 /* Perhaps we should be more fatal? */
149 dropbear_exit("Unexpected userauth failure");
152 #ifdef ENABLE_CLI_PUBKEY_AUTH
153 /* If it was a pubkey auth request, we should cross that key
155 if (cli_ses
.lastauthtype
== AUTH_TYPE_PUBKEY
) {
160 #ifdef ENABLE_CLI_INTERACT_AUTH
161 /* If we get a failure message for keyboard interactive without
162 * receiving any request info packet, then we don't bother trying
163 * keyboard interactive again */
164 if (cli_ses
.lastauthtype
== AUTH_TYPE_INTERACT
165 && !cli_ses
.interact_request_received
) {
166 TRACE(("setting auth_interact_failed = 1"))
167 cli_ses
.auth_interact_failed
= 1;
171 cli_ses
.lastauthtype
= AUTH_TYPE_NONE
;
173 methods
= buf_getstring(ses
.payload
, &methlen
);
175 partial
= buf_getbool(ses
.payload
);
178 dropbear_log(LOG_INFO
, "Authentication partially succeeded, more attempts required");
180 ses
.authstate
.failcount
++;
183 TRACE(("Methods (len %d): '%s'", methlen
, methods
))
185 ses
.authstate
.authdone
=0;
186 ses
.authstate
.authtypes
=0;
188 /* Split with nulls rather than commas */
189 for (i
= 0; i
< methlen
; i
++) {
190 if (methods
[i
] == ',') {
195 tok
= methods
; /* tok stores the next method we'll compare */
196 for (i
= 0; i
<= methlen
; i
++) {
197 if (methods
[i
] == '\0') {
198 TRACE(("auth method '%s'", tok
))
199 #ifdef ENABLE_CLI_PUBKEY_AUTH
200 if (strncmp(AUTH_METHOD_PUBKEY
, tok
,
201 AUTH_METHOD_PUBKEY_LEN
) == 0) {
202 ses
.authstate
.authtypes
|= AUTH_TYPE_PUBKEY
;
205 #ifdef ENABLE_CLI_INTERACT_AUTH
206 if (strncmp(AUTH_METHOD_INTERACT
, tok
,
207 AUTH_METHOD_INTERACT_LEN
) == 0) {
208 ses
.authstate
.authtypes
|= AUTH_TYPE_INTERACT
;
211 #ifdef ENABLE_CLI_PASSWORD_AUTH
212 if (strncmp(AUTH_METHOD_PASSWORD
, tok
,
213 AUTH_METHOD_PASSWORD_LEN
) == 0) {
214 ses
.authstate
.authtypes
|= AUTH_TYPE_PASSWORD
;
217 tok
= &methods
[i
+1]; /* Must make sure we don't use it after the
218 last loop, since it'll point to something
225 cli_ses
.state
= USERAUTH_FAIL_RCVD
;
227 TRACE(("leave recv_msg_userauth_failure"))
230 void recv_msg_userauth_success() {
231 TRACE(("received msg_userauth_success"))
232 /* Note: in delayed-zlib mode, setting authdone here
233 * will enable compression in the transport layer */
234 ses
.authstate
.authdone
= 1;
235 cli_ses
.state
= USERAUTH_SUCCESS_RCVD
;
236 cli_ses
.lastauthtype
= AUTH_TYPE_NONE
;
238 #ifdef ENABLE_CLI_PUBKEY_AUTH
239 cli_auth_pubkey_cleanup();
243 void cli_auth_try() {
246 TRACE(("enter cli_auth_try"))
250 /* Order to try is pubkey, interactive, password.
251 * As soon as "finished" is set for one, we don't do any more. */
252 #ifdef ENABLE_CLI_PUBKEY_AUTH
253 if (ses
.authstate
.authtypes
& AUTH_TYPE_PUBKEY
) {
254 finished
= cli_auth_pubkey();
255 cli_ses
.lastauthtype
= AUTH_TYPE_PUBKEY
;
259 #ifdef ENABLE_CLI_INTERACT_AUTH
260 if (!finished
&& ses
.authstate
.authtypes
& AUTH_TYPE_INTERACT
) {
261 if (cli_ses
.auth_interact_failed
) {
264 cli_auth_interactive();
265 cli_ses
.lastauthtype
= AUTH_TYPE_INTERACT
;
271 #ifdef ENABLE_CLI_PASSWORD_AUTH
272 if (!finished
&& ses
.authstate
.authtypes
& AUTH_TYPE_PASSWORD
) {
275 cli_ses
.lastauthtype
= AUTH_TYPE_PASSWORD
;
279 TRACE(("cli_auth_try lastauthtype %d", cli_ses
.lastauthtype
))
282 dropbear_exit("No auth methods could be used.");
285 TRACE(("leave cli_auth_try"))
288 /* A helper for getpass() that exits if the user cancels. The returned
289 * password is statically allocated by getpass() */
290 char* getpass_or_cancel(char* prompt
)
292 char* password
= NULL
;
294 #ifdef DROPBEAR_PASSWORD_ENV
295 /* Password provided in an environment var */
296 password
= getenv(DROPBEAR_PASSWORD_ENV
);
303 password
= getpass(prompt
);
305 /* 0x03 is a ctrl-c character in the buffer. */
306 if (password
== NULL
|| strchr(password
, '\3') != NULL
) {
307 dropbear_close("Interrupted.");