comparison cli-auth.c @ 734:619b1ed837fd

Be a bit more careful about when we want to use CLI_AUTH_IMMEDIATE. Only use it if we have pubkeys to try, or we have $DROPBEAR_PASSWORD set.
author Matt Johnston <matt@ucc.asn.au>
date Tue, 02 Apr 2013 00:11:53 +0800
parents 2e5f2bc60e40
children ff597bf2cfb0
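--- a/cli-auth.c
+++ b/cli-auth.c
@@ -40,23 +40,28 @@
 
 /* Send a "none" auth request to get available methods */
 void cli_auth_getmethods() {
 TRACE(("enter cli_auth_getmethods"))
 #ifdef CLI_IMMEDIATE_AUTH
-ses.authstate.authtypes = AUTH_TYPE_PUBKEY | AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT;
-cli_auth_try();
-#else
+ses.authstate.authtypes = AUTH_TYPE_PUBKEY;
+if (getenv(DROPBEAR_PASSWORD_ENV)) {
+ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT;
+}
+if (cli_auth_try() == DROPBEAR_SUCCESS) {
+TRACE(("skipped initial none auth query"))
+return;
+}
+#endif
 CHECKCLEARTOWRITE();
 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
 buf_putstring(ses.writepayload, cli_opts.username,
 strlen(cli_opts.username));
 buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
 SSH_SERVICE_CONNECTION_LEN);
 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */
 
 encrypt_packet();
-#endif
 TRACE(("leave cli_auth_getmethods"))
 }
 
 void recv_msg_userauth_banner() {
 
@@ -239,11 +244,11 @@
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 cli_auth_pubkey_cleanup();
 #endif
 }
 
-void cli_auth_try() {
+int cli_auth_try() {
 
 int finished = 0;
 TRACE(("enter cli_auth_try"))
 
 CHECKCLEARTOWRITE();
@@ -256,40 +261,43 @@
 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY;
 }
 #endif
 
 #ifdef ENABLE_CLI_PASSWORD_AUTH
-if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
-fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
-} else if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) {
-cli_auth_password();
-finished = 1;
-cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
+if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
+if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
+fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
+} else {
+cli_auth_password();
+finished = 1;
+cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
+}
 }
 #endif
 
 #ifdef ENABLE_CLI_INTERACT_AUTH
-if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
-fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n");
-} else if (!finished && ses.authstate.authtypes & AUTH_TYPE_INTERACT) {
-if (cli_ses.auth_interact_failed) {
-finished = 0;
+if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) {
+if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
+fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n");
 } else {
-cli_auth_interactive();
-cli_ses.lastauthtype = AUTH_TYPE_INTERACT;
-finished = 1;
+if (!cli_ses.auth_interact_failed) {
+cli_auth_interactive();
+cli_ses.lastauthtype = AUTH_TYPE_INTERACT;
+finished = 1;
+}
 }
 }
 #endif
 
 TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype))
 
-if (!finished) {
-dropbear_exit("No auth methods could be used.");
-}
-
-TRACE(("leave cli_auth_try"))
+if (finished) {
+TRACE(("leave cli_auth_try success"))
+return DROPBEAR_SUCCESS;
+}
+TRACE(("leave cli_auth_try failure"))
+return DROPBEAR_FAILURE;
 }
 
 /* A helper for getpass() that exits if the user cancels. The returned
 * password is statically allocated by getpass() */
 char* getpass_or_cancel(char* prompt)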
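Review bot: With `dropbear_exit("No auth methods could be used.")` removed from the end of `cli_auth_try()`, running out of usable methods is fatal only if every caller checks the new return value. The only checked call visible here is the one in `cli_auth_getmethods()`, which deliberately falls through to the "none" query. Any other caller (none is shown in this section, so this needs confirming) that still treats the function as `void` would leave the session waiting with no request sent; it should read `if (cli_auth_try() == DROPBEAR_FAILURE) { dropbear_exit("No auth methods could be used."); }`. A comment above `cli_auth_try()` would make the contract explicit, e.g. `/* Returns DROPBEAR_SUCCESS if an auth method was attempted, DROPBEAR_FAILURE if none could be tried; the caller decides whether that is fatal */`. The pubkey part of the function lies between the hunks and is not visible.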