Mercurial > dropbear
annotate cli-auth.c @ 53:0fe267cc9dee
Be a bit safer with reentrant pw_name
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 08 Aug 2004 16:41:26 +0000 |
parents | 9ee8996a375f |
children | eee77ac31ccc |
rev | line source |
---|---|
33 | 1 #include "includes.h" |
2 #include "session.h" | |
3 #include "auth.h" | |
4 #include "dbutil.h" | |
5 #include "buffer.h" | |
6 #include "ssh.h" | |
7 #include "packet.h" | |
8 #include "runopts.h" | |
9 | |
40
b4874d772210
- Added terminal mode handling etc for the client, and window change
Matt Johnston <matt@ucc.asn.au>
parents:
37
diff
changeset
|
10 |
33 | 11 void cli_authinitialise() { |
12 | |
13 memset(&ses.authstate, 0, sizeof(ses.authstate)); | |
14 } | |
15 | |
16 | |
17 /* Send a "none" auth request to get available methods */ | |
18 void cli_auth_getmethods() { | |
19 | |
20 TRACE(("enter cli_auth_getmethods")); | |
21 | |
22 CHECKCLEARTOWRITE(); | |
23 | |
24 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); | |
35
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
34
diff
changeset
|
25 buf_putstring(ses.writepayload, cli_opts.username, |
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
34
diff
changeset
|
26 strlen(cli_opts.username)); |
33 | 27 buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, |
28 SSH_SERVICE_CONNECTION_LEN); | |
29 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ | |
30 | |
31 encrypt_packet(); | |
32 TRACE(("leave cli_auth_getmethods")); | |
33 | |
34 } | |
35 | |
43 | 36 void recv_msg_userauth_banner() { |
37 | |
38 unsigned char* banner = NULL; | |
39 unsigned int bannerlen; | |
40 unsigned int i, linecount; | |
41 | |
42 TRACE(("enter recv_msg_userauth_banner")); | |
43 if (ses.authstate.authdone) { | |
44 TRACE(("leave recv_msg_userauth_banner: banner after auth done")); | |
45 return; | |
46 } | |
47 | |
48 banner = buf_getstring(ses.payload, &bannerlen); | |
49 buf_eatstring(ses.payload); /* The language string */ | |
50 | |
51 if (bannerlen > MAX_BANNER_SIZE) { | |
52 TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen)); | |
53 goto out; | |
54 } | |
55 | |
56 cleantext(banner); | |
57 | |
58 /* Limit to 25 lines */ | |
59 linecount = 1; | |
60 for (i = 0; i < bannerlen; i++) { | |
61 if (banner[i] == '\n') { | |
62 if (linecount >= MAX_BANNER_LINES) { | |
63 banner[i] = '\0'; | |
64 break; | |
65 } | |
66 linecount++; | |
67 } | |
68 } | |
69 | |
70 printf("%s\n", banner); | |
71 | |
72 out: | |
73 m_free(banner); | |
74 TRACE(("leave recv_msg_userauth_banner")); | |
75 } | |
76 | |
77 | |
33 | 78 void recv_msg_userauth_failure() { |
79 | |
80 unsigned char * methods = NULL; | |
81 unsigned char * tok = NULL; | |
82 unsigned int methlen = 0; | |
83 unsigned int partial = 0; | |
84 unsigned int i = 0; | |
85 | |
86 TRACE(("<- MSG_USERAUTH_FAILURE")); | |
87 TRACE(("enter recv_msg_userauth_failure")); | |
88 | |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
89 if (cli_ses.state != USERAUTH_REQ_SENT) { |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
90 /* Perhaps we should be more fatal? */ |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
91 TRACE(("But we didn't send a userauth request!!!!!!")); |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
92 return; |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
93 } |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
94 |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
95 #ifdef DROPBEAR_PUBKEY_AUTH |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
96 /* If it was a pubkey auth request, we should cross that key |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
97 * off the list. */ |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
98 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
99 cli_pubkeyfail(); |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
100 } |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
101 #endif |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
102 |
33 | 103 methods = buf_getstring(ses.payload, &methlen); |
104 | |
105 partial = buf_getbyte(ses.payload); | |
106 | |
107 if (partial) { | |
108 dropbear_log(LOG_INFO, "Authentication partially succeeded, more attempts required"); | |
109 } else { | |
110 ses.authstate.failcount++; | |
111 } | |
112 | |
113 TRACE(("Methods (len %d): '%s'", methlen, methods)); | |
114 | |
115 ses.authstate.authdone=0; | |
116 ses.authstate.authtypes=0; | |
117 | |
118 /* Split with nulls rather than commas */ | |
119 for (i = 0; i < methlen; i++) { | |
120 if (methods[i] == ',') { | |
121 methods[i] = '\0'; | |
122 } | |
123 } | |
124 | |
125 tok = methods; /* tok stores the next method we'll compare */ | |
126 for (i = 0; i <= methlen; i++) { | |
127 if (methods[i] == '\0') { | |
34
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
128 TRACE(("auth method '%s'", tok)); |
33 | 129 #ifdef DROPBEAR_PUBKEY_AUTH |
130 if (strncmp(AUTH_METHOD_PUBKEY, tok, | |
131 AUTH_METHOD_PUBKEY_LEN) == 0) { | |
132 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; | |
133 } | |
134 #endif | |
135 #ifdef DROPBEAR_PASSWORD_AUTH | |
136 if (strncmp(AUTH_METHOD_PASSWORD, tok, | |
137 AUTH_METHOD_PASSWORD_LEN) == 0) { | |
138 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; | |
139 } | |
140 #endif | |
34
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
141 tok = &methods[i+1]; /* Must make sure we don't use it after the |
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
142 last loop, since it'll point to something |
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
143 undefined */ |
33 | 144 } |
145 } | |
146 | |
147 cli_ses.state = USERAUTH_FAIL_RCVD; | |
148 | |
149 TRACE(("leave recv_msg_userauth_failure")); | |
150 } | |
151 | |
152 void recv_msg_userauth_success() { | |
153 TRACE(("received msg_userauth_success")); | |
154 ses.authstate.authdone = 1; | |
37 | 155 cli_ses.state = USERAUTH_SUCCESS_RCVD; |
33 | 156 } |
157 | |
158 void cli_auth_try() { | |
159 | |
160 TRACE(("enter cli_auth_try")); | |
161 int finished = 0; | |
162 | |
163 CHECKCLEARTOWRITE(); | |
164 | |
165 /* XXX We hardcode that we try a pubkey first */ | |
166 #ifdef DROPBEAR_PUBKEY_AUTH | |
167 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { | |
168 finished = cli_auth_pubkey(); | |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
169 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY; |
33 | 170 } |
171 #endif | |
172 | |
173 #ifdef DROPBEAR_PASSWORD_AUTH | |
174 if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { | |
175 finished = cli_auth_password(); | |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
176 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; |
33 | 177 } |
178 #endif | |
179 | |
180 if (!finished) { | |
181 dropbear_exit("No auth methods could be used."); | |
182 } | |
183 | |
184 TRACE(("leave cli_auth_try")); | |
185 } |