Mercurial > dropbear
annotate cli-auth.c @ 735:73b6e5d8801b
Fix segfault when /dev/urandom isn't writable
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 02 Apr 2013 18:53:18 +0800 |
parents | 2e5f2bc60e40 |
children | 619b1ed837fd |
rev | line source |
---|---|
74
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
1 /* |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
2 * Dropbear SSH |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
3 * |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
4 * Copyright (c) 2002,2003 Matt Johnston |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
5 * Copyright (c) 2004 by Mihnea Stoenescu |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
6 * All rights reserved. |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
7 * |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
8 * Permission is hereby granted, free of charge, to any person obtaining a copy |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
9 * of this software and associated documentation files (the "Software"), to deal |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
10 * in the Software without restriction, including without limitation the rights |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
12 * copies of the Software, and to permit persons to whom the Software is |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
13 * furnished to do so, subject to the following conditions: |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
14 * |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
15 * The above copyright notice and this permission notice shall be included in |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
16 * all copies or substantial portions of the Software. |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
17 * |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
24 * SOFTWARE. */ |
e3adf4cf5465
License boilerplate etc, add Mihnea as an author to some of the files
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
25 |
33 | 26 #include "includes.h" |
27 #include "session.h" | |
28 #include "auth.h" | |
29 #include "dbutil.h" | |
30 #include "buffer.h" | |
31 #include "ssh.h" | |
32 #include "packet.h" | |
33 #include "runopts.h" | |
34 | |
35 void cli_authinitialise() { | |
36 | |
37 memset(&ses.authstate, 0, sizeof(ses.authstate)); | |
38 } | |
39 | |
40 | |
41 /* Send a "none" auth request to get available methods */ | |
42 void cli_auth_getmethods() { | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
43 TRACE(("enter cli_auth_getmethods")) |
730
714b9106e335
Send an auth packet straight away, save another roundtrip
Matt Johnston <matt@ucc.asn.au>
parents:
686
diff
changeset
|
44 #ifdef CLI_IMMEDIATE_AUTH |
714b9106e335
Send an auth packet straight away, save another roundtrip
Matt Johnston <matt@ucc.asn.au>
parents:
686
diff
changeset
|
45 ses.authstate.authtypes = AUTH_TYPE_PUBKEY | AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; |
714b9106e335
Send an auth packet straight away, save another roundtrip
Matt Johnston <matt@ucc.asn.au>
parents:
686
diff
changeset
|
46 cli_auth_try(); |
714b9106e335
Send an auth packet straight away, save another roundtrip
Matt Johnston <matt@ucc.asn.au>
parents:
686
diff
changeset
|
47 #else |
33 | 48 CHECKCLEARTOWRITE(); |
49 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); | |
35
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
34
diff
changeset
|
50 buf_putstring(ses.writepayload, cli_opts.username, |
0ad5fb979f42
set the isserver flag (oops)
Matt Johnston <matt@ucc.asn.au>
parents:
34
diff
changeset
|
51 strlen(cli_opts.username)); |
33 | 52 buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, |
53 SSH_SERVICE_CONNECTION_LEN); | |
54 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ | |
55 | |
56 encrypt_packet(); | |
730
714b9106e335
Send an auth packet straight away, save another roundtrip
Matt Johnston <matt@ucc.asn.au>
parents:
686
diff
changeset
|
57 #endif |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
58 TRACE(("leave cli_auth_getmethods")) |
33 | 59 } |
60 | |
43 | 61 void recv_msg_userauth_banner() { |
62 | |
63 unsigned char* banner = NULL; | |
64 unsigned int bannerlen; | |
65 unsigned int i, linecount; | |
66 | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
67 TRACE(("enter recv_msg_userauth_banner")) |
43 | 68 if (ses.authstate.authdone) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
69 TRACE(("leave recv_msg_userauth_banner: banner after auth done")) |
43 | 70 return; |
71 } | |
72 | |
73 banner = buf_getstring(ses.payload, &bannerlen); | |
74 buf_eatstring(ses.payload); /* The language string */ | |
75 | |
76 if (bannerlen > MAX_BANNER_SIZE) { | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
77 TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen)) |
43 | 78 goto out; |
79 } | |
80 | |
81 cleantext(banner); | |
82 | |
83 /* Limit to 25 lines */ | |
84 linecount = 1; | |
85 for (i = 0; i < bannerlen; i++) { | |
86 if (banner[i] == '\n') { | |
87 if (linecount >= MAX_BANNER_LINES) { | |
88 banner[i] = '\0'; | |
89 break; | |
90 } | |
91 linecount++; | |
92 } | |
93 } | |
94 | |
545
00e619aa2f9a
- Print banner to stderr. Probably the right way, and avoids
Matt Johnston <matt@ucc.asn.au>
parents:
501
diff
changeset
|
95 fprintf(stderr, "%s\n", banner); |
43 | 96 |
97 out: | |
98 m_free(banner); | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
99 TRACE(("leave recv_msg_userauth_banner")) |
43 | 100 } |
101 | |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
102 /* This handles the message-specific types which |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
103 * all have a value of 60. These are |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
104 * SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
105 * SSH_MSG_USERAUTH_PK_OK, & |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
106 * SSH_MSG_USERAUTH_INFO_REQUEST. */ |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
107 void recv_msg_userauth_specific_60() { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
108 |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
109 #ifdef ENABLE_CLI_PUBKEY_AUTH |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
110 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
111 recv_msg_userauth_pk_ok(); |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
112 return; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
113 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
114 #endif |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
115 |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
116 #ifdef ENABLE_CLI_INTERACT_AUTH |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
117 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
118 recv_msg_userauth_info_request(); |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
119 return; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
120 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
121 #endif |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
122 |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
123 #ifdef ENABLE_CLI_PASSWORD_AUTH |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
124 if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
125 /* Eventually there could be proper password-changing |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
126 * support. However currently few servers seem to |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
127 * implement it, and password auth is last-resort |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
128 * regardless - keyboard-interactive is more likely |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
129 * to be used anyway. */ |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
130 dropbear_close("Your password has expired."); |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
131 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
132 #endif |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
133 |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
134 dropbear_exit("Unexpected userauth packet"); |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
135 } |
43 | 136 |
33 | 137 void recv_msg_userauth_failure() { |
138 | |
139 unsigned char * methods = NULL; | |
140 unsigned char * tok = NULL; | |
141 unsigned int methlen = 0; | |
142 unsigned int partial = 0; | |
143 unsigned int i = 0; | |
144 | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
145 TRACE(("<- MSG_USERAUTH_FAILURE")) |
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
146 TRACE(("enter recv_msg_userauth_failure")) |
33 | 147 |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
148 if (cli_ses.state != USERAUTH_REQ_SENT) { |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
149 /* Perhaps we should be more fatal? */ |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
150 dropbear_exit("Unexpected userauth failure"); |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
151 } |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
152 |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
45
diff
changeset
|
153 #ifdef ENABLE_CLI_PUBKEY_AUTH |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
154 /* If it was a pubkey auth request, we should cross that key |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
155 * off the list. */ |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
156 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
157 cli_pubkeyfail(); |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
158 } |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
159 #endif |
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
160 |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
161 #ifdef ENABLE_CLI_INTERACT_AUTH |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
162 /* If we get a failure message for keyboard interactive without |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
163 * receiving any request info packet, then we don't bother trying |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
164 * keyboard interactive again */ |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
165 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
166 && !cli_ses.interact_request_received) { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
167 TRACE(("setting auth_interact_failed = 1")) |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
168 cli_ses.auth_interact_failed = 1; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
169 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
170 #endif |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
171 |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
172 cli_ses.lastauthtype = AUTH_TYPE_NONE; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
173 |
33 | 174 methods = buf_getstring(ses.payload, &methlen); |
175 | |
179
161557a9dde8
* fix longstanding bug with connections being closed on failure to
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
176 partial = buf_getbool(ses.payload); |
33 | 177 |
178 if (partial) { | |
179 dropbear_log(LOG_INFO, "Authentication partially succeeded, more attempts required"); | |
180 } else { | |
181 ses.authstate.failcount++; | |
182 } | |
183 | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
184 TRACE(("Methods (len %d): '%s'", methlen, methods)) |
33 | 185 |
186 ses.authstate.authdone=0; | |
187 ses.authstate.authtypes=0; | |
188 | |
189 /* Split with nulls rather than commas */ | |
190 for (i = 0; i < methlen; i++) { | |
191 if (methods[i] == ',') { | |
192 methods[i] = '\0'; | |
193 } | |
194 } | |
195 | |
196 tok = methods; /* tok stores the next method we'll compare */ | |
197 for (i = 0; i <= methlen; i++) { | |
198 if (methods[i] == '\0') { | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
199 TRACE(("auth method '%s'", tok)) |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
45
diff
changeset
|
200 #ifdef ENABLE_CLI_PUBKEY_AUTH |
33 | 201 if (strncmp(AUTH_METHOD_PUBKEY, tok, |
202 AUTH_METHOD_PUBKEY_LEN) == 0) { | |
203 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; | |
204 } | |
205 #endif | |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
206 #ifdef ENABLE_CLI_INTERACT_AUTH |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
207 if (strncmp(AUTH_METHOD_INTERACT, tok, |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
208 AUTH_METHOD_INTERACT_LEN) == 0) { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
209 ses.authstate.authtypes |= AUTH_TYPE_INTERACT; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
210 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
211 #endif |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
45
diff
changeset
|
212 #ifdef ENABLE_CLI_PASSWORD_AUTH |
33 | 213 if (strncmp(AUTH_METHOD_PASSWORD, tok, |
214 AUTH_METHOD_PASSWORD_LEN) == 0) { | |
215 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; | |
216 } | |
217 #endif | |
34
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
218 tok = &methods[i+1]; /* Must make sure we don't use it after the |
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
219 last loop, since it'll point to something |
e2a1eaa19f22
Client mostly works up to password auth
Matt Johnston <matt@ucc.asn.au>
parents:
33
diff
changeset
|
220 undefined */ |
33 | 221 } |
222 } | |
223 | |
114
2be6aa26a8c9
Leak found with MallocDebug - it's kinda useful
Matt Johnston <matt@ucc.asn.au>
parents:
74
diff
changeset
|
224 m_free(methods); |
2be6aa26a8c9
Leak found with MallocDebug - it's kinda useful
Matt Johnston <matt@ucc.asn.au>
parents:
74
diff
changeset
|
225 |
33 | 226 cli_ses.state = USERAUTH_FAIL_RCVD; |
227 | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
228 TRACE(("leave recv_msg_userauth_failure")) |
33 | 229 } |
230 | |
231 void recv_msg_userauth_success() { | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
232 TRACE(("received msg_userauth_success")) |
501
d58c478bd399
Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
441
diff
changeset
|
233 /* Note: in delayed-zlib mode, setting authdone here |
d58c478bd399
Add support for [email protected] delayed compression.
Matt Johnston <matt@ucc.asn.au>
parents:
441
diff
changeset
|
234 * will enable compression in the transport layer */ |
33 | 235 ses.authstate.authdone = 1; |
37 | 236 cli_ses.state = USERAUTH_SUCCESS_RCVD; |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
237 cli_ses.lastauthtype = AUTH_TYPE_NONE; |
552
de3653483ac0
- Client auth using an agent's key works. Still need to implement client
Matt Johnston <matt@ucc.asn.au>
parents:
545
diff
changeset
|
238 |
de3653483ac0
- Client auth using an agent's key works. Still need to implement client
Matt Johnston <matt@ucc.asn.au>
parents:
545
diff
changeset
|
239 #ifdef ENABLE_CLI_PUBKEY_AUTH |
de3653483ac0
- Client auth using an agent's key works. Still need to implement client
Matt Johnston <matt@ucc.asn.au>
parents:
545
diff
changeset
|
240 cli_auth_pubkey_cleanup(); |
de3653483ac0
- Client auth using an agent's key works. Still need to implement client
Matt Johnston <matt@ucc.asn.au>
parents:
545
diff
changeset
|
241 #endif |
33 | 242 } |
243 | |
244 void cli_auth_try() { | |
245 | |
300
baea1d43e7eb
Some cleanups/fixes for various TRACE statements
Matt Johnston <matt@ucc.asn.au>
parents:
268
diff
changeset
|
246 int finished = 0; |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
247 TRACE(("enter cli_auth_try")) |
33 | 248 |
249 CHECKCLEARTOWRITE(); | |
250 | |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
251 /* Order to try is pubkey, interactive, password. |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
252 * As soon as "finished" is set for one, we don't do any more. */ |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
45
diff
changeset
|
253 #ifdef ENABLE_CLI_PUBKEY_AUTH |
33 | 254 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { |
255 finished = cli_auth_pubkey(); | |
45
9ee8996a375f
Pubkey auth is mostly there for the client. Something strange with
Matt Johnston <matt@ucc.asn.au>
parents:
43
diff
changeset
|
256 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY; |
33 | 257 } |
258 #endif | |
259 | |
732
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
260 #ifdef ENABLE_CLI_PASSWORD_AUTH |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
261 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
262 fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
263 } else if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
264 cli_auth_password(); |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
265 finished = 1; |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
266 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
267 } |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
268 #endif |
2e5f2bc60e40
Try password before interactive - bit of a hack
Matt Johnston <matt@ucc.asn.au>
parents:
730
diff
changeset
|
269 |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
270 #ifdef ENABLE_CLI_INTERACT_AUTH |
681
a4b7627b3157
Update insecure-nocrypto to current head
Matt Johnston <matt@ucc.asn.au>
diff
changeset
|
271 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { |
252
29afa62b5450
- a hack for grahame to run dropbear with "none" cipher.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
272 fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n"); |
686
983a817f8e41
- Only request "none" cipher after auth has succeeded
Matt Johnston <matt@ucc.asn.au>
parents:
685
diff
changeset
|
273 } else if (!finished && ses.authstate.authtypes & AUTH_TYPE_INTERACT) { |
249
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
274 if (cli_ses.auth_interact_failed) { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
275 finished = 0; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
276 } else { |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
277 cli_auth_interactive(); |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
278 cli_ses.lastauthtype = AUTH_TYPE_INTERACT; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
279 finished = 1; |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
280 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
281 } |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
282 #endif |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
283 |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
284 TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype)) |
efbaf6b03837
added keyboard-interactive client support
Matt Johnston <matt@ucc.asn.au>
parents:
179
diff
changeset
|
285 |
33 | 286 if (!finished) { |
287 dropbear_exit("No auth methods could be used."); | |
288 } | |
289 | |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
114
diff
changeset
|
290 TRACE(("leave cli_auth_try")) |
33 | 291 } |
268
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
292 |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
293 /* A helper for getpass() that exits if the user cancels. The returned |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
294 * password is statically allocated by getpass() */ |
334
8f3ec7c104d9
Make the dbclient password prompt more useful
Matt Johnston <matt@ucc.asn.au>
parents:
300
diff
changeset
|
295 char* getpass_or_cancel(char* prompt) |
268
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
296 { |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
297 char* password = NULL; |
441
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
298 |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
299 #ifdef DROPBEAR_PASSWORD_ENV |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
300 /* Password provided in an environment var */ |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
301 password = getenv(DROPBEAR_PASSWORD_ENV); |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
302 if (password) |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
303 { |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
304 return password; |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
305 } |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
334
diff
changeset
|
306 #endif |
268
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
307 |
334
8f3ec7c104d9
Make the dbclient password prompt more useful
Matt Johnston <matt@ucc.asn.au>
parents:
300
diff
changeset
|
308 password = getpass(prompt); |
268
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
309 |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
310 /* 0x03 is a ctrl-c character in the buffer. */ |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
311 if (password == NULL || strchr(password, '\3') != NULL) { |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
312 dropbear_close("Interrupted."); |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
313 } |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
314 return password; |
475a818dd6e7
Cancel a dbclient password prompt if the user presses ctrl-c.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
315 } |