Mercurial > dropbear
comparison cli-auth.c @ 734:619b1ed837fd
Be a bit more careful about when we want to use CLI_AUTH_IMMEDIATE
Only use it if we have pubkeys to try, or we have $DROPBEAR_PASSWORD set
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Tue, 02 Apr 2013 00:11:53 +0800 |
| parents | 2e5f2bc60e40 |
| children | ff597bf2cfb0 |
comparison
equal
deleted
inserted
replaced
| 733:70811267715c | 734:619b1ed837fd |
|---|---|
| 40 | 40 |
| 41 /* Send a "none" auth request to get available methods */ | 41 /* Send a "none" auth request to get available methods */ |
| 42 void cli_auth_getmethods() { | 42 void cli_auth_getmethods() { |
| 43 TRACE(("enter cli_auth_getmethods")) | 43 TRACE(("enter cli_auth_getmethods")) |
| 44 #ifdef CLI_IMMEDIATE_AUTH | 44 #ifdef CLI_IMMEDIATE_AUTH |
| 45 ses.authstate.authtypes = AUTH_TYPE_PUBKEY | AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; | 45 ses.authstate.authtypes = AUTH_TYPE_PUBKEY; |
| 46 cli_auth_try(); | 46 if (getenv(DROPBEAR_PASSWORD_ENV)) { |
| 47 #else | 47 ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; |
| 48 } | |
| 49 if (cli_auth_try() == DROPBEAR_SUCCESS) { | |
| 50 TRACE(("skipped initial none auth query")) | |
| 51 return; | |
| 52 } | |
| 53 #endif | |
| 48 CHECKCLEARTOWRITE(); | 54 CHECKCLEARTOWRITE(); |
| 49 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); | 55 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); |
| 50 buf_putstring(ses.writepayload, cli_opts.username, | 56 buf_putstring(ses.writepayload, cli_opts.username, |
| 51 strlen(cli_opts.username)); | 57 strlen(cli_opts.username)); |
| 52 buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, | 58 buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, |
| 53 SSH_SERVICE_CONNECTION_LEN); | 59 SSH_SERVICE_CONNECTION_LEN); |
| 54 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ | 60 buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ |
| 55 | 61 |
| 56 encrypt_packet(); | 62 encrypt_packet(); |
| 57 #endif | |
| 58 TRACE(("leave cli_auth_getmethods")) | 63 TRACE(("leave cli_auth_getmethods")) |
| 59 } | 64 } |
| 60 | 65 |
| 61 void recv_msg_userauth_banner() { | 66 void recv_msg_userauth_banner() { |
| 62 | 67 |
| 239 #ifdef ENABLE_CLI_PUBKEY_AUTH | 244 #ifdef ENABLE_CLI_PUBKEY_AUTH |
| 240 cli_auth_pubkey_cleanup(); | 245 cli_auth_pubkey_cleanup(); |
| 241 #endif | 246 #endif |
| 242 } | 247 } |
| 243 | 248 |
| 244 void cli_auth_try() { | 249 int cli_auth_try() { |
| 245 | 250 |
| 246 int finished = 0; | 251 int finished = 0; |
| 247 TRACE(("enter cli_auth_try")) | 252 TRACE(("enter cli_auth_try")) |
| 248 | 253 |
| 249 CHECKCLEARTOWRITE(); | 254 CHECKCLEARTOWRITE(); |
| 256 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY; | 261 cli_ses.lastauthtype = AUTH_TYPE_PUBKEY; |
| 257 } | 262 } |
| 258 #endif | 263 #endif |
| 259 | 264 |
| 260 #ifdef ENABLE_CLI_PASSWORD_AUTH | 265 #ifdef ENABLE_CLI_PASSWORD_AUTH |
| 261 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { | 266 if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) { |
| 262 fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); | 267 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { |
| 263 } else if (!finished && ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { | 268 fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n"); |
| 264 cli_auth_password(); | 269 } else { |
| 265 finished = 1; | 270 cli_auth_password(); |
| 266 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; | 271 finished = 1; |
| 272 cli_ses.lastauthtype = AUTH_TYPE_PASSWORD; | |
| 273 } | |
| 267 } | 274 } |
| 268 #endif | 275 #endif |
| 269 | 276 |
| 270 #ifdef ENABLE_CLI_INTERACT_AUTH | 277 #ifdef ENABLE_CLI_INTERACT_AUTH |
| 271 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { | 278 if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) { |
| 272 fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n"); | 279 if (ses.keys->trans.algo_crypt->cipherdesc == NULL) { |
| 273 } else if (!finished && ses.authstate.authtypes & AUTH_TYPE_INTERACT) { | 280 fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n"); |
| 274 if (cli_ses.auth_interact_failed) { | |
| 275 finished = 0; | |
| 276 } else { | 281 } else { |
| 277 cli_auth_interactive(); | 282 if (!cli_ses.auth_interact_failed) { |
| 278 cli_ses.lastauthtype = AUTH_TYPE_INTERACT; | 283 cli_auth_interactive(); |
| 279 finished = 1; | 284 cli_ses.lastauthtype = AUTH_TYPE_INTERACT; |
| 285 finished = 1; | |
| 286 } | |
| 280 } | 287 } |
| 281 } | 288 } |
| 282 #endif | 289 #endif |
| 283 | 290 |
| 284 TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype)) | 291 TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype)) |
| 285 | 292 |
| 286 if (!finished) { | 293 if (finished) { |
| 287 dropbear_exit("No auth methods could be used."); | 294 TRACE(("leave cli_auth_try success")) |
| 288 } | 295 return DROPBEAR_SUCCESS; |
| 289 | 296 } |
| 290 TRACE(("leave cli_auth_try")) | 297 TRACE(("leave cli_auth_try failure")) |
| 298 return DROPBEAR_FAILURE; | |
| 291 } | 299 } |
| 292 | 300 |
| 293 /* A helper for getpass() that exits if the user cancels. The returned | 301 /* A helper for getpass() that exits if the user cancels. The returned |
| 294 * password is statically allocated by getpass() */ | 302 * password is statically allocated by getpass() */ |
| 295 char* getpass_or_cancel(char* prompt) | 303 char* getpass_or_cancel(char* prompt) |