Mercurial > dropbear

comparison cli-auth.c @ 285:1b9e69c058d2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3) to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01)
author Matt Johnston <matt@ucc.asn.au>
date Wed, 08 Mar 2006 13:23:58 +0000
parents 475a818dd6e7
children 64abb124763d baea1d43e7eb
comparison
equal deleted inserted replaced
281:997e6f7dc01e 285:1b9e69c058d2
1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * Copyright (c) 2004 by Mihnea Stoenescu
6 * All rights reserved.
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 * SOFTWARE. */
25
26 #include "includes.h"
27 #include "session.h"
28 #include "auth.h"
29 #include "dbutil.h"
30 #include "buffer.h"
31 #include "ssh.h"
32 #include "packet.h"
33 #include "runopts.h"
34
35 void cli_authinitialise() {
36
37 memset(&ses.authstate, 0, sizeof(ses.authstate));
38 }
39
40
41 /* Send a "none" auth request to get available methods */
42 void cli_auth_getmethods() {
43
44 TRACE(("enter cli_auth_getmethods"))
45
46 CHECKCLEARTOWRITE();
47
48 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
49 buf_putstring(ses.writepayload, cli_opts.username,
50 strlen(cli_opts.username));
51 buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
52 SSH_SERVICE_CONNECTION_LEN);
53 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */
54
55 encrypt_packet();
56 TRACE(("leave cli_auth_getmethods"))
57
58 }
59
60 void recv_msg_userauth_banner() {
61
62 unsigned char* banner = NULL;
63 unsigned int bannerlen;
64 unsigned int i, linecount;
65
66 TRACE(("enter recv_msg_userauth_banner"))
67 if (ses.authstate.authdone) {
68 TRACE(("leave recv_msg_userauth_banner: banner after auth done"))
69 return;
70 }
71
72 banner = buf_getstring(ses.payload, &bannerlen);
73 buf_eatstring(ses.payload); /* The language string */
74
75 if (bannerlen > MAX_BANNER_SIZE) {
76 TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen))
77 goto out;
78 }
79
80 cleantext(banner);
81
82 /* Limit to 25 lines */
83 linecount = 1;
84 for (i = 0; i < bannerlen; i++) {
85 if (banner[i] == '\n') {
86 if (linecount >= MAX_BANNER_LINES) {
87 banner[i] = '\0';
88 break;
89 }
90 linecount++;
91 }
92 }
93
94 printf("%s\n", banner);
95
96 out:
97 m_free(banner);
98 TRACE(("leave recv_msg_userauth_banner"))
99 }
100
101 /* This handles the message-specific types which
102 * all have a value of 60. These are
103 * SSH_MSG_USERAUTH_PASSWD_CHANGEREQ,
104 * SSH_MSG_USERAUTH_PK_OK, &
105 * SSH_MSG_USERAUTH_INFO_REQUEST. */
106 void recv_msg_userauth_specific_60() {
107
108 #ifdef ENABLE_CLI_PUBKEY_AUTH
109 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
110 recv_msg_userauth_pk_ok();
111 return;
112 }
113 #endif
114
115 #ifdef ENABLE_CLI_INTERACT_AUTH
116 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) {
117 recv_msg_userauth_info_request();
118 return;
119 }
120 #endif
121
122 #ifdef ENABLE_CLI_PASSWORD_AUTH
123 if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) {
124 /* Eventually there could be proper password-changing
125 * support. However currently few servers seem to
126 * implement it, and password auth is last-resort
127 * regardless - keyboard-interactive is more likely
128 * to be used anyway. */
129 dropbear_close("Your password has expired.");
130 }
131 #endif
132
133 dropbear_exit("Unexpected userauth packet");
134 }
135
136 void recv_msg_userauth_failure() {
137
138 unsigned char * methods = NULL;
139 unsigned char * tok = NULL;
140 unsigned int methlen = 0;
141 unsigned int partial = 0;
142 unsigned int i = 0;
143
144 TRACE(("<- MSG_USERAUTH_FAILURE"))
145 TRACE(("enter recv_msg_userauth_failure"))
146
147 if (cli_ses.state != USERAUTH_REQ_SENT) {
148 /* Perhaps we should be more fatal? */
149 dropbear_exit("Unexpected userauth failure");
150 }
151
152 #ifdef ENABLE_CLI_PUBKEY_AUTH
153 /* If it was a pubkey auth request, we should cross that key
154 * off the list. */
155 if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
156 cli_pubkeyfail();
157 }
158 #endif
159
160 #ifdef ENABLE_CLI_INTERACT_AUTH
161 /* If we get a failure message for keyboard interactive without
162 * receiving any request info packet, then we don't bother trying
163 * keyboard interactive again */
164 if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT
165 && !cli_ses.interact_request_received) {
166 TRACE(("setting auth_interact_failed = 1"))
167 cli_ses.auth_interact_failed = 1;
168 }
169 #endif
170
171 cli_ses.lastauthtype = AUTH_TYPE_NONE;
172
173 methods = buf_getstring(ses.payload, &methlen);
174
175 partial = buf_getbool(ses.payload);
176
177 if (partial) {
178 dropbear_log(LOG_INFO, "Authentication partially succeeded, more attempts required");
179 } else {
180 ses.authstate.failcount++;
181 }
182
183 TRACE(("Methods (len %d): '%s'", methlen, methods))
184
185 ses.authstate.authdone=0;
186 ses.authstate.authtypes=0;
187
188 /* Split with nulls rather than commas */
189 for (i = 0; i < methlen; i++) {
190 if (methods[i] == ',') {
191 methods[i] = '\0';
192 }
193 }
194
195 tok = methods; /* tok stores the next method we'll compare */
196 for (i = 0; i <= methlen; i++) {
197 if (methods[i] == '\0') {
198 TRACE(("auth method '%s'", tok))
199 #ifdef ENABLE_CLI_PUBKEY_AUTH
200 if (strncmp(AUTH_METHOD_PUBKEY, tok,
201 AUTH_METHOD_PUBKEY_LEN) == 0) {
202 ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
203 }
204 #endif
205 #ifdef ENABLE_CLI_INTERACT_AUTH
206 if (strncmp(AUTH_METHOD_INTERACT, tok,
207 AUTH_METHOD_INTERACT_LEN) == 0) {
208 ses.authstate.authtypes |= AUTH_TYPE_INTERACT;
209 }
210 #endif
211 #ifdef ENABLE_CLI_PASSWORD_AUTH
212 if (strncmp(AUTH_METHOD_PASSWORD, tok,
213 AUTH_METHOD_PASSWORD_LEN) == 0) {
214 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
215 }
216 #endif
217 tok = &methods[i+1]; /* Must make sure we don't use it after the
218 last loop, since it'll point to something
219 undefined */
220 }
221 }
222
223 m_free(methods);
224
225 cli_ses.state = USERAUTH_FAIL_RCVD;
226
227 TRACE(("leave recv_msg_userauth_failure"))
228 }
229
230 void recv_msg_userauth_success() {
231 TRACE(("received msg_userauth_success"))
232 ses.authstate.authdone = 1;
233 cli_ses.state = USERAUTH_SUCCESS_RCVD;
234 cli_ses.lastauthtype = AUTH_TYPE_NONE;
235 }
236
237 void cli_auth_try() {
238
239 TRACE(("enter cli_auth_try"))
240 int finished = 0;
241
242 CHECKCLEARTOWRITE();
243
244 /* Order to try is pubkey, interactive, password.
245 * As soon as "finished" is set for one, we don't do any more. */
246 #ifdef ENABLE_CLI_PUBKEY_AUTH
247 if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
248 finished = cli_auth_pubkey();
249 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY;
250 }
251 #endif
252
253 #ifdef ENABLE_CLI_INTERACT_AUTH
254 if (!finished && ses.authstate.authtypes & AUTH_TYPE_INTERACT) {
255 if (cli_ses.auth_interact_failed) {
256 finished = 0;
257 } else {
258 cli_auth_interactive();
259 cli_ses.lastauthtype = AUTH_TYPE_INTERACT;
260 finished = 1;
261 }
262 }
263 #endif
264
265 #ifdef ENABLE_CLI_PASSWORD_AUTH
266 if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
267 cli_auth_password();
268 finished = 1;
269 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
270 }
271 #endif
272
273 TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype))
274
275 if (!finished) {
276 dropbear_exit("No auth methods could be used.");
277 }
278
279 TRACE(("leave cli_auth_try"))
280 }
281
282 /* A helper for getpass() that exits if the user cancels. The returned
283 * password is statically allocated by getpass() */
284 char* getpass_or_cancel()
285 {
286 char* password = NULL;
287
288 password = getpass("Password: ");
289
290 /* 0x03 is a ctrl-c character in the buffer. */
291 if (password == NULL || strchr(password, '\3') != NULL) {
292 dropbear_close("Interrupted.");
293 }
294 return password;
295 }