1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Code to connect to a remote host, and to perform the client side of the 6 * login (authentication) dialog. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 /* 15 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 16 * Use is subject to license terms. 17 */ 18 19 #include "includes.h" 20 RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $"); 21 22 #include <openssl/bn.h> 23 #include <openssl/md5.h> 24 25 #ifdef KRB4 26 #include <krb.h> 27 #endif 28 #ifdef KRB5 29 #include <krb5.h> 30 #ifndef HEIMDAL 31 #define krb5_get_err_text(context,code) error_message(code) 32 #endif /* !HEIMDAL */ 33 #endif 34 #ifdef AFS 35 #include <kafs.h> 36 #include "radix.h" 37 #endif 38 39 #include "ssh.h" 40 #include "ssh1.h" 41 #include "xmalloc.h" 42 #include "rsa.h" 43 #include "buffer.h" 44 #include "packet.h" 45 #include "mpaux.h" 46 #include "uidswap.h" 47 #include "log.h" 48 #include "readconf.h" 49 #include "key.h" 50 #include "authfd.h" 51 #include "sshconnect.h" 52 #include "authfile.h" 53 #include "readpass.h" 54 #include "cipher.h" 55 #include "canohost.h" 56 #include "auth.h" 57 58 /* Session id for the current session. */ 59 u_char session_id[16]; 60 u_int supported_authentications = 0; 61 62 extern Options options; 63 extern char *__progname; 64 65 /* 66 * Checks if the user has an authentication agent, and if so, tries to 67 * authenticate using the agent. 68 */ 69 static int 70 try_agent_authentication(void) 71 { 72 int type; 73 char *comment; 74 AuthenticationConnection *auth; 75 u_char response[16]; 76 u_int i; 77 Key *key; 78 BIGNUM *challenge; 79 80 /* Get connection to the agent. */ 81 auth = ssh_get_authentication_connection(); 82 if (!auth) 83 return 0; 84 85 if ((challenge = BN_new()) == NULL) 86 fatal("try_agent_authentication: BN_new failed"); 87 /* Loop through identities served by the agent. */ 88 for (key = ssh_get_first_identity(auth, &comment, 1); 89 key != NULL; 90 key = ssh_get_next_identity(auth, &comment, 1)) { 91 92 /* Try this identity. */ 93 debug("Trying RSA authentication via agent with '%.100s'", comment); 94 xfree(comment); 95 96 /* Tell the server that we are willing to authenticate using this key. */ 97 packet_start(SSH_CMSG_AUTH_RSA); 98 packet_put_bignum(key->rsa->n); 99 packet_send(); 100 packet_write_wait(); 101 102 /* Wait for server's response. */ 103 type = packet_read(); 104 105 /* The server sends failure if it doesn\'t like our key or 106 does not support RSA authentication. */ 107 if (type == SSH_SMSG_FAILURE) { 108 debug("Server refused our key."); 109 key_free(key); 110 continue; 111 } 112 /* Otherwise it should have sent a challenge. */ 113 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 114 packet_disconnect("Protocol error during RSA authentication: %d", 115 type); 116 117 packet_get_bignum(challenge); 118 packet_check_eom(); 119 120 debug("Received RSA challenge from server."); 121 122 /* Ask the agent to decrypt the challenge. */ 123 if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) { 124 /* 125 * The agent failed to authenticate this identifier 126 * although it advertised it supports this. Just 127 * return a wrong value. 128 */ 129 log("Authentication agent failed to decrypt challenge."); 130 memset(response, 0, sizeof(response)); 131 } 132 key_free(key); 133 debug("Sending response to RSA challenge."); 134 135 /* Send the decrypted challenge back to the server. */ 136 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 137 for (i = 0; i < 16; i++) 138 packet_put_char(response[i]); 139 packet_send(); 140 packet_write_wait(); 141 142 /* Wait for response from the server. */ 143 type = packet_read(); 144 145 /* The server returns success if it accepted the authentication. */ 146 if (type == SSH_SMSG_SUCCESS) { 147 ssh_close_authentication_connection(auth); 148 BN_clear_free(challenge); 149 debug("RSA authentication accepted by server."); 150 return 1; 151 } 152 /* Otherwise it should return failure. */ 153 if (type != SSH_SMSG_FAILURE) 154 packet_disconnect("Protocol error waiting RSA auth response: %d", 155 type); 156 } 157 ssh_close_authentication_connection(auth); 158 BN_clear_free(challenge); 159 debug("RSA authentication using agent refused."); 160 return 0; 161 } 162 163 /* 164 * Computes the proper response to a RSA challenge, and sends the response to 165 * the server. 166 */ 167 static void 168 respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv) 169 { 170 u_char buf[32], response[16]; 171 MD5_CTX md; 172 int i, len; 173 174 /* Decrypt the challenge using the private key. */ 175 /* XXX think about Bleichenbacher, too */ 176 if (rsa_private_decrypt(challenge, challenge, prv) <= 0) 177 packet_disconnect( 178 "respond_to_rsa_challenge: rsa_private_decrypt failed"); 179 180 /* Compute the response. */ 181 /* The response is MD5 of decrypted challenge plus session id. */ 182 len = BN_num_bytes(challenge); 183 if (len <= 0 || len > sizeof(buf)) 184 packet_disconnect( 185 "respond_to_rsa_challenge: bad challenge length %d", len); 186 187 memset(buf, 0, sizeof(buf)); 188 BN_bn2bin(challenge, buf + sizeof(buf) - len); 189 MD5_Init(&md); 190 MD5_Update(&md, buf, 32); 191 MD5_Update(&md, session_id, 16); 192 MD5_Final(response, &md); 193 194 debug("Sending response to host key RSA challenge."); 195 196 /* Send the response back to the server. */ 197 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 198 for (i = 0; i < 16; i++) 199 packet_put_char(response[i]); 200 packet_send(); 201 packet_write_wait(); 202 203 memset(buf, 0, sizeof(buf)); 204 memset(response, 0, sizeof(response)); 205 memset(&md, 0, sizeof(md)); 206 } 207 208 /* 209 * Checks if the user has authentication file, and if so, tries to authenticate 210 * the user using it. 211 */ 212 static int 213 try_rsa_authentication(int idx) 214 { 215 BIGNUM *challenge; 216 Key *public, *private; 217 char buf[300], *passphrase, *comment, *authfile; 218 int i, type, quit; 219 220 public = options.identity_keys[idx]; 221 authfile = options.identity_files[idx]; 222 comment = xstrdup(authfile); 223 224 debug("Trying RSA authentication with key '%.100s'", comment); 225 226 /* Tell the server that we are willing to authenticate using this key. */ 227 packet_start(SSH_CMSG_AUTH_RSA); 228 packet_put_bignum(public->rsa->n); 229 packet_send(); 230 packet_write_wait(); 231 232 /* Wait for server's response. */ 233 type = packet_read(); 234 235 /* 236 * The server responds with failure if it doesn\'t like our key or 237 * doesn\'t support RSA authentication. 238 */ 239 if (type == SSH_SMSG_FAILURE) { 240 debug("Server refused our key."); 241 xfree(comment); 242 return 0; 243 } 244 /* Otherwise, the server should respond with a challenge. */ 245 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 246 packet_disconnect("Protocol error during RSA authentication: %d", type); 247 248 /* Get the challenge from the packet. */ 249 if ((challenge = BN_new()) == NULL) 250 fatal("try_rsa_authentication: BN_new failed"); 251 packet_get_bignum(challenge); 252 packet_check_eom(); 253 254 debug("Received RSA challenge from server."); 255 256 /* 257 * If the key is not stored in external hardware, we have to 258 * load the private key. Try first with empty passphrase; if it 259 * fails, ask for a passphrase. 260 */ 261 if (public->flags & KEY_FLAG_EXT) 262 private = public; 263 else 264 private = key_load_private_type(KEY_RSA1, authfile, "", NULL); 265 if (private == NULL && !options.batch_mode) { 266 snprintf(buf, sizeof(buf), 267 gettext("Enter passphrase for RSA key '%.100s': "), 268 comment); 269 for (i = 0; i < options.number_of_password_prompts; i++) { 270 passphrase = read_passphrase(buf, 0); 271 if (strcmp(passphrase, "") != 0) { 272 private = key_load_private_type(KEY_RSA1, 273 authfile, passphrase, NULL); 274 quit = 0; 275 } else { 276 debug2("no passphrase given, try next key"); 277 quit = 1; 278 } 279 memset(passphrase, 0, strlen(passphrase)); 280 xfree(passphrase); 281 if (private != NULL || quit) 282 break; 283 debug2("bad passphrase given, try again..."); 284 } 285 } 286 /* We no longer need the comment. */ 287 xfree(comment); 288 289 if (private == NULL) { 290 if (!options.batch_mode) 291 error("Bad passphrase."); 292 293 /* Send a dummy response packet to avoid protocol error. */ 294 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE); 295 for (i = 0; i < 16; i++) 296 packet_put_char(0); 297 packet_send(); 298 packet_write_wait(); 299 300 /* Expect the server to reject it... */ 301 packet_read_expect(SSH_SMSG_FAILURE); 302 BN_clear_free(challenge); 303 return 0; 304 } 305 306 /* Compute and send a response to the challenge. */ 307 respond_to_rsa_challenge(challenge, private->rsa); 308 309 /* Destroy the private key unless it in external hardware. */ 310 if (!(private->flags & KEY_FLAG_EXT)) 311 key_free(private); 312 313 /* We no longer need the challenge. */ 314 BN_clear_free(challenge); 315 316 /* Wait for response from the server. */ 317 type = packet_read(); 318 if (type == SSH_SMSG_SUCCESS) { 319 debug("RSA authentication accepted by server."); 320 return 1; 321 } 322 if (type != SSH_SMSG_FAILURE) 323 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 324 debug("RSA authentication refused."); 325 return 0; 326 } 327 328 /* 329 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv 330 * authentication and RSA host authentication. 331 */ 332 static int 333 try_rhosts_rsa_authentication(const char *local_user, Key * host_key) 334 { 335 int type; 336 BIGNUM *challenge; 337 338 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication."); 339 340 /* Tell the server that we are willing to authenticate using this key. */ 341 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA); 342 packet_put_cstring(local_user); 343 packet_put_int(BN_num_bits(host_key->rsa->n)); 344 packet_put_bignum(host_key->rsa->e); 345 packet_put_bignum(host_key->rsa->n); 346 packet_send(); 347 packet_write_wait(); 348 349 /* Wait for server's response. */ 350 type = packet_read(); 351 352 /* The server responds with failure if it doesn't admit our 353 .rhosts authentication or doesn't know our host key. */ 354 if (type == SSH_SMSG_FAILURE) { 355 debug("Server refused our rhosts authentication or host key."); 356 return 0; 357 } 358 /* Otherwise, the server should respond with a challenge. */ 359 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) 360 packet_disconnect("Protocol error during RSA authentication: %d", type); 361 362 /* Get the challenge from the packet. */ 363 if ((challenge = BN_new()) == NULL) 364 fatal("try_rhosts_rsa_authentication: BN_new failed"); 365 packet_get_bignum(challenge); 366 packet_check_eom(); 367 368 debug("Received RSA challenge for host key from server."); 369 370 /* Compute a response to the challenge. */ 371 respond_to_rsa_challenge(challenge, host_key->rsa); 372 373 /* We no longer need the challenge. */ 374 BN_clear_free(challenge); 375 376 /* Wait for response from the server. */ 377 type = packet_read(); 378 if (type == SSH_SMSG_SUCCESS) { 379 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server."); 380 return 1; 381 } 382 if (type != SSH_SMSG_FAILURE) 383 packet_disconnect("Protocol error waiting RSA auth response: %d", type); 384 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused."); 385 return 0; 386 } 387 388 #ifdef KRB4 389 static int 390 try_krb4_authentication(void) 391 { 392 KTEXT_ST auth; /* Kerberos data */ 393 char *reply; 394 char inst[INST_SZ]; 395 char *realm; 396 CREDENTIALS cred; 397 int r, type; 398 socklen_t slen; 399 Key_schedule schedule; 400 u_long checksum, cksum; 401 MSG_DAT msg_data; 402 struct sockaddr_in local, foreign; 403 struct stat st; 404 405 /* Don't do anything if we don't have any tickets. */ 406 if (stat(tkt_string(), &st) < 0) 407 return 0; 408 409 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)), 410 INST_SZ); 411 412 realm = (char *)krb_realmofhost(get_canonical_hostname(1)); 413 if (!realm) { 414 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1)); 415 return 0; 416 } 417 /* This can really be anything. */ 418 checksum = (u_long)getpid(); 419 420 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 421 if (r != KSUCCESS) { 422 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]); 423 return 0; 424 } 425 /* Get session key to decrypt the server's reply with. */ 426 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred); 427 if (r != KSUCCESS) { 428 debug("get_cred failed: %s", krb_err_txt[r]); 429 return 0; 430 } 431 des_key_sched((des_cblock *) cred.session, schedule); 432 433 /* Send authentication info to server. */ 434 packet_start(SSH_CMSG_AUTH_KERBEROS); 435 packet_put_string((char *) auth.dat, auth.length); 436 packet_send(); 437 packet_write_wait(); 438 439 /* Zero the buffer. */ 440 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 441 442 slen = sizeof(local); 443 memset(&local, 0, sizeof(local)); 444 if (getsockname(packet_get_connection_in(), 445 (struct sockaddr *)&local, &slen) < 0) 446 debug("getsockname failed: %s", strerror(errno)); 447 448 slen = sizeof(foreign); 449 memset(&foreign, 0, sizeof(foreign)); 450 if (getpeername(packet_get_connection_in(), 451 (struct sockaddr *)&foreign, &slen) < 0) { 452 debug("getpeername failed: %s", strerror(errno)); 453 fatal_cleanup(); 454 } 455 /* Get server reply. */ 456 type = packet_read(); 457 switch (type) { 458 case SSH_SMSG_FAILURE: 459 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 460 debug("Kerberos v4 authentication failed."); 461 return 0; 462 break; 463 464 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 465 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 466 debug("Kerberos v4 authentication accepted."); 467 468 /* Get server's response. */ 469 reply = packet_get_string((u_int *) &auth.length); 470 if (auth.length >= MAX_KTXT_LEN) 471 fatal("Kerberos v4: Malformed response from server"); 472 memcpy(auth.dat, reply, auth.length); 473 xfree(reply); 474 475 packet_check_eom(); 476 477 /* 478 * If his response isn't properly encrypted with the session 479 * key, and the decrypted checksum fails to match, he's 480 * bogus. Bail out. 481 */ 482 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, 483 &foreign, &local, &msg_data); 484 if (r != KSUCCESS) { 485 debug("Kerberos v4 krb_rd_priv failed: %s", 486 krb_err_txt[r]); 487 packet_disconnect("Kerberos v4 challenge failed!"); 488 } 489 /* Fetch the (incremented) checksum that we supplied in the request. */ 490 memcpy((char *)&cksum, (char *)msg_data.app_data, 491 sizeof(cksum)); 492 cksum = ntohl(cksum); 493 494 /* If it matches, we're golden. */ 495 if (cksum == checksum + 1) { 496 debug("Kerberos v4 challenge successful."); 497 return 1; 498 } else 499 packet_disconnect("Kerberos v4 challenge failed!"); 500 break; 501 502 default: 503 packet_disconnect("Protocol error on Kerberos v4 response: %d", type); 504 } 505 return 0; 506 } 507 508 #endif /* KRB4 */ 509 510 #ifdef KRB5 511 static int 512 try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) 513 { 514 krb5_error_code problem; 515 const char *tkfile; 516 struct stat buf; 517 krb5_ccache ccache = NULL; 518 const char *remotehost; 519 krb5_data ap; 520 int type; 521 krb5_ap_rep_enc_part *reply = NULL; 522 int ret; 523 524 memset(&ap, 0, sizeof(ap)); 525 526 problem = krb5_init_context(context); 527 if (problem) { 528 debug("Kerberos v5: krb5_init_context failed"); 529 ret = 0; 530 goto out; 531 } 532 533 problem = krb5_auth_con_init(*context, auth_context); 534 if (problem) { 535 debug("Kerberos v5: krb5_auth_con_init failed"); 536 ret = 0; 537 goto out; 538 } 539 540 #ifndef HEIMDAL 541 problem = krb5_auth_con_setflags(*context, *auth_context, 542 KRB5_AUTH_CONTEXT_RET_TIME); 543 if (problem) { 544 debug("Keberos v5: krb5_auth_con_setflags failed"); 545 ret = 0; 546 goto out; 547 } 548 #endif 549 550 tkfile = krb5_cc_default_name(*context); 551 if (strncmp(tkfile, "FILE:", 5) == 0) 552 tkfile += 5; 553 554 if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { 555 debug("Kerberos v5: could not get default ccache (permission denied)."); 556 ret = 0; 557 goto out; 558 } 559 560 problem = krb5_cc_default(*context, &ccache); 561 if (problem) { 562 debug("Kerberos v5: krb5_cc_default failed: %s", 563 krb5_get_err_text(*context, problem)); 564 ret = 0; 565 goto out; 566 } 567 568 remotehost = get_canonical_hostname(1); 569 570 problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, 571 "host", remotehost, NULL, ccache, &ap); 572 if (problem) { 573 debug("Kerberos v5: krb5_mk_req failed: %s", 574 krb5_get_err_text(*context, problem)); 575 ret = 0; 576 goto out; 577 } 578 579 packet_start(SSH_CMSG_AUTH_KERBEROS); 580 packet_put_string((char *) ap.data, ap.length); 581 packet_send(); 582 packet_write_wait(); 583 584 xfree(ap.data); 585 ap.length = 0; 586 587 type = packet_read(); 588 switch (type) { 589 case SSH_SMSG_FAILURE: 590 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 591 debug("Kerberos v5 authentication failed."); 592 ret = 0; 593 break; 594 595 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 596 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 597 debug("Kerberos v5 authentication accepted."); 598 599 /* Get server's response. */ 600 ap.data = packet_get_string((unsigned int *) &ap.length); 601 packet_check_eom(); 602 /* XXX je to dobre? */ 603 604 problem = krb5_rd_rep(*context, *auth_context, &ap, &reply); 605 if (problem) { 606 ret = 0; 607 } 608 ret = 1; 609 break; 610 611 default: 612 packet_disconnect("Protocol error on Kerberos v5 response: %d", 613 type); 614 ret = 0; 615 break; 616 617 } 618 619 out: 620 if (ccache != NULL) 621 krb5_cc_close(*context, ccache); 622 if (reply != NULL) 623 krb5_free_ap_rep_enc_part(*context, reply); 624 if (ap.length > 0) 625 #ifdef HEIMDAL 626 krb5_data_free(&ap); 627 #else 628 krb5_free_data_contents(*context, &ap); 629 #endif 630 631 return (ret); 632 } 633 634 static void 635 send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) 636 { 637 int fd, type; 638 krb5_error_code problem; 639 krb5_data outbuf; 640 krb5_ccache ccache = NULL; 641 krb5_creds creds; 642 #ifdef HEIMDAL 643 krb5_kdc_flags flags; 644 #else 645 int forwardable; 646 #endif 647 const char *remotehost; 648 649 memset(&creds, 0, sizeof(creds)); 650 memset(&outbuf, 0, sizeof(outbuf)); 651 652 fd = packet_get_connection_in(); 653 654 #ifdef HEIMDAL 655 problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd); 656 #else 657 problem = krb5_auth_con_genaddrs(context, auth_context, fd, 658 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR | 659 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR); 660 #endif 661 if (problem) 662 goto out; 663 664 problem = krb5_cc_default(context, &ccache); 665 if (problem) 666 goto out; 667 668 problem = krb5_cc_get_principal(context, ccache, &creds.client); 669 if (problem) 670 goto out; 671 672 remotehost = get_canonical_hostname(1); 673 674 #ifdef HEIMDAL 675 problem = krb5_build_principal(context, &creds.server, 676 strlen(creds.client->realm), creds.client->realm, 677 "krbtgt", creds.client->realm, NULL); 678 #else 679 problem = krb5_build_principal(context, &creds.server, 680 creds.client->realm.length, creds.client->realm.data, 681 "host", remotehost, NULL); 682 #endif 683 if (problem) 684 goto out; 685 686 creds.times.endtime = 0; 687 688 #ifdef HEIMDAL 689 flags.i = 0; 690 flags.b.forwarded = 1; 691 flags.b.forwardable = krb5_config_get_bool(context, NULL, 692 "libdefaults", "forwardable", NULL); 693 problem = krb5_get_forwarded_creds(context, auth_context, 694 ccache, flags.i, remotehost, &creds, &outbuf); 695 #else 696 forwardable = 1; 697 problem = krb5_fwd_tgt_creds(context, auth_context, remotehost, 698 creds.client, creds.server, ccache, forwardable, &outbuf); 699 #endif 700 701 if (problem) 702 goto out; 703 704 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 705 packet_put_string((char *)outbuf.data, outbuf.length); 706 packet_send(); 707 packet_write_wait(); 708 709 type = packet_read(); 710 711 if (type == SSH_SMSG_SUCCESS) { 712 char *pname; 713 714 krb5_unparse_name(context, creds.client, &pname); 715 debug("Kerberos v5 TGT forwarded (%s).", pname); 716 xfree(pname); 717 } else 718 debug("Kerberos v5 TGT forwarding failed."); 719 720 return; 721 722 out: 723 if (problem) 724 debug("Kerberos v5 TGT forwarding failed: %s", 725 krb5_get_err_text(context, problem)); 726 if (creds.client) 727 krb5_free_principal(context, creds.client); 728 if (creds.server) 729 krb5_free_principal(context, creds.server); 730 if (ccache) 731 krb5_cc_close(context, ccache); 732 if (outbuf.data) 733 xfree(outbuf.data); 734 } 735 #endif /* KRB5 */ 736 737 #ifdef AFS 738 static void 739 send_krb4_tgt(void) 740 { 741 CREDENTIALS *creds; 742 struct stat st; 743 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 744 int problem, type; 745 746 /* Don't do anything if we don't have any tickets. */ 747 if (stat(tkt_string(), &st) < 0) 748 return; 749 750 creds = xmalloc(sizeof(*creds)); 751 752 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm); 753 if (problem) 754 goto out; 755 756 problem = krb_get_cred("krbtgt", prealm, prealm, creds); 757 if (problem) 758 goto out; 759 760 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 761 problem = RD_AP_EXP; 762 goto out; 763 } 764 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer)); 765 766 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 767 packet_put_cstring(buffer); 768 packet_send(); 769 packet_write_wait(); 770 771 type = packet_read(); 772 773 if (type == SSH_SMSG_SUCCESS) 774 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", 775 creds->pname, creds->pinst[0] ? "." : "", 776 creds->pinst, creds->realm); 777 else 778 debug("Kerberos v4 TGT rejected."); 779 780 xfree(creds); 781 return; 782 783 out: 784 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]); 785 xfree(creds); 786 } 787 788 static void 789 send_afs_tokens(void) 790 { 791 CREDENTIALS creds; 792 struct ViceIoctl parms; 793 struct ClearToken ct; 794 int i, type, len; 795 char buf[2048], *p, *server_cell; 796 char buffer[8192]; 797 798 /* Move over ktc_GetToken, here's something leaner. */ 799 for (i = 0; i < 100; i++) { /* just in case */ 800 parms.in = (char *) &i; 801 parms.in_size = sizeof(i); 802 parms.out = buf; 803 parms.out_size = sizeof(buf); 804 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 805 break; 806 p = buf; 807 808 /* Get secret token. */ 809 memcpy(&creds.ticket_st.length, p, sizeof(u_int)); 810 if (creds.ticket_st.length > MAX_KTXT_LEN) 811 break; 812 p += sizeof(u_int); 813 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 814 p += creds.ticket_st.length; 815 816 /* Get clear token. */ 817 memcpy(&len, p, sizeof(len)); 818 if (len != sizeof(struct ClearToken)) 819 break; 820 p += sizeof(len); 821 memcpy(&ct, p, len); 822 p += len; 823 p += sizeof(len); /* primary flag */ 824 server_cell = p; 825 826 /* Flesh out our credentials. */ 827 strlcpy(creds.service, "afs", sizeof(creds.service)); 828 creds.instance[0] = '\0'; 829 strlcpy(creds.realm, server_cell, REALM_SZ); 830 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); 831 creds.issue_date = ct.BeginTimestamp; 832 creds.lifetime = krb_time_to_life(creds.issue_date, 833 ct.EndTimestamp); 834 creds.kvno = ct.AuthHandle; 835 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 836 creds.pinst[0] = '\0'; 837 838 /* Encode token, ship it off. */ 839 if (creds_to_radix(&creds, (u_char *)buffer, 840 sizeof(buffer)) <= 0) 841 break; 842 packet_start(SSH_CMSG_HAVE_AFS_TOKEN); 843 packet_put_cstring(buffer); 844 packet_send(); 845 packet_write_wait(); 846 847 /* Roger, Roger. Clearance, Clarence. What's your vector, 848 Victor? */ 849 type = packet_read(); 850 851 if (type == SSH_SMSG_FAILURE) 852 debug("AFS token for cell %s rejected.", server_cell); 853 else if (type != SSH_SMSG_SUCCESS) 854 packet_disconnect("Protocol error on AFS token response: %d", type); 855 } 856 } 857 858 #endif /* AFS */ 859 860 /* 861 * Tries to authenticate with any string-based challenge/response system. 862 * Note that the client code is not tied to s/key or TIS. 863 */ 864 static int 865 try_challenge_response_authentication(void) 866 { 867 int type, i; 868 u_int clen; 869 char prompt[1024]; 870 char *challenge, *response; 871 872 debug("Doing challenge response authentication."); 873 874 for (i = 0; i < options.number_of_password_prompts; i++) { 875 /* request a challenge */ 876 packet_start(SSH_CMSG_AUTH_TIS); 877 packet_send(); 878 packet_write_wait(); 879 880 type = packet_read(); 881 if (type != SSH_SMSG_FAILURE && 882 type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 883 packet_disconnect("Protocol error: got %d in response " 884 "to SSH_CMSG_AUTH_TIS", type); 885 } 886 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { 887 debug("No challenge."); 888 return 0; 889 } 890 challenge = packet_get_string(&clen); 891 packet_check_eom(); 892 snprintf(prompt, sizeof prompt, "%s%s", challenge, 893 strchr(challenge, '\n') ? "" : gettext("\nResponse: ")); 894 xfree(challenge); 895 if (i != 0) 896 error("Permission denied, please try again."); 897 if (options.cipher == SSH_CIPHER_NONE) 898 log("WARNING: Encryption is disabled! " 899 "Response will be transmitted in clear text."); 900 response = read_passphrase(prompt, 0); 901 if (strcmp(response, "") == 0) { 902 xfree(response); 903 break; 904 } 905 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 906 ssh_put_password(response); 907 memset(response, 0, strlen(response)); 908 xfree(response); 909 packet_send(); 910 packet_write_wait(); 911 type = packet_read(); 912 if (type == SSH_SMSG_SUCCESS) 913 return 1; 914 if (type != SSH_SMSG_FAILURE) 915 packet_disconnect("Protocol error: got %d in response " 916 "to SSH_CMSG_AUTH_TIS_RESPONSE", type); 917 } 918 /* failure */ 919 return 0; 920 } 921 922 /* 923 * Tries to authenticate with plain passwd authentication. 924 */ 925 static int 926 try_password_authentication(char *prompt) 927 { 928 int type, i; 929 char *password; 930 931 debug("Doing password authentication."); 932 if (options.cipher == SSH_CIPHER_NONE) 933 log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); 934 for (i = 0; i < options.number_of_password_prompts; i++) { 935 if (i != 0) 936 error("Permission denied, please try again."); 937 password = read_passphrase(prompt, 0); 938 packet_start(SSH_CMSG_AUTH_PASSWORD); 939 ssh_put_password(password); 940 memset(password, 0, strlen(password)); 941 xfree(password); 942 packet_send(); 943 packet_write_wait(); 944 945 type = packet_read(); 946 if (type == SSH_SMSG_SUCCESS) 947 return 1; 948 if (type != SSH_SMSG_FAILURE) 949 packet_disconnect("Protocol error: got %d in response to passwd auth", type); 950 } 951 /* failure */ 952 return 0; 953 } 954 955 /* 956 * SSH1 key exchange 957 */ 958 void 959 ssh_kex(char *host, struct sockaddr *hostaddr) 960 { 961 int i; 962 BIGNUM *key; 963 Key *host_key, *server_key; 964 int bits, rbits; 965 int ssh_cipher_default = SSH_CIPHER_3DES; 966 u_char session_key[SSH_SESSION_KEY_LENGTH]; 967 u_char cookie[8]; 968 u_int supported_ciphers; 969 u_int server_flags, client_flags; 970 u_int32_t rand = 0; 971 972 debug("Waiting for server public key."); 973 974 /* Wait for a public key packet from the server. */ 975 packet_read_expect(SSH_SMSG_PUBLIC_KEY); 976 977 /* Get cookie from the packet. */ 978 for (i = 0; i < 8; i++) 979 cookie[i] = packet_get_char(); 980 981 /* Get the public key. */ 982 server_key = key_new(KEY_RSA1); 983 bits = packet_get_int(); 984 packet_get_bignum(server_key->rsa->e); 985 packet_get_bignum(server_key->rsa->n); 986 987 rbits = BN_num_bits(server_key->rsa->n); 988 if (bits != rbits) { 989 log("Warning: Server lies about size of server public key: " 990 "actual size is %d bits vs. announced %d.", rbits, bits); 991 log("Warning: This may be due to an old implementation of ssh."); 992 } 993 /* Get the host key. */ 994 host_key = key_new(KEY_RSA1); 995 bits = packet_get_int(); 996 packet_get_bignum(host_key->rsa->e); 997 packet_get_bignum(host_key->rsa->n); 998 999 rbits = BN_num_bits(host_key->rsa->n); 1000 if (bits != rbits) { 1001 log("Warning: Server lies about size of server host key: " 1002 "actual size is %d bits vs. announced %d.", rbits, bits); 1003 log("Warning: This may be due to an old implementation of ssh."); 1004 } 1005 1006 /* Get protocol flags. */ 1007 server_flags = packet_get_int(); 1008 packet_set_protocol_flags(server_flags); 1009 1010 supported_ciphers = packet_get_int(); 1011 supported_authentications = packet_get_int(); 1012 packet_check_eom(); 1013 1014 debug("Received server public key (%d bits) and host key (%d bits).", 1015 BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n)); 1016 1017 if (verify_host_key(host, hostaddr, host_key) == -1) 1018 fatal("Host key verification failed."); 1019 1020 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; 1021 1022 compute_session_id(session_id, cookie, host_key->rsa->n, server_key->rsa->n); 1023 1024 /* Generate a session key. */ 1025 arc4random_stir(); 1026 1027 /* 1028 * Generate an encryption key for the session. The key is a 256 bit 1029 * random number, interpreted as a 32-byte key, with the least 1030 * significant 8 bits being the first byte of the key. 1031 */ 1032 for (i = 0; i < 32; i++) { 1033 if (i % 4 == 0) 1034 rand = arc4random(); 1035 session_key[i] = rand & 0xff; 1036 rand >>= 8; 1037 } 1038 1039 /* 1040 * According to the protocol spec, the first byte of the session key 1041 * is the highest byte of the integer. The session key is xored with 1042 * the first 16 bytes of the session id. 1043 */ 1044 if ((key = BN_new()) == NULL) 1045 fatal("respond_to_rsa_challenge: BN_new failed"); 1046 BN_set_word(key, 0); 1047 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { 1048 BN_lshift(key, key, 8); 1049 if (i < 16) 1050 BN_add_word(key, session_key[i] ^ session_id[i]); 1051 else 1052 BN_add_word(key, session_key[i]); 1053 } 1054 1055 /* 1056 * Encrypt the integer using the public key and host key of the 1057 * server (key with smaller modulus first). 1058 */ 1059 if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) { 1060 /* Public key has smaller modulus. */ 1061 if (BN_num_bits(host_key->rsa->n) < 1062 BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1063 fatal("respond_to_rsa_challenge: host_key %d < server_key %d + " 1064 "SSH_KEY_BITS_RESERVED %d", 1065 BN_num_bits(host_key->rsa->n), 1066 BN_num_bits(server_key->rsa->n), 1067 SSH_KEY_BITS_RESERVED); 1068 } 1069 rsa_public_encrypt(key, key, server_key->rsa); 1070 rsa_public_encrypt(key, key, host_key->rsa); 1071 } else { 1072 /* Host key has smaller modulus (or they are equal). */ 1073 if (BN_num_bits(server_key->rsa->n) < 1074 BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) { 1075 fatal("respond_to_rsa_challenge: server_key %d < host_key %d + " 1076 "SSH_KEY_BITS_RESERVED %d", 1077 BN_num_bits(server_key->rsa->n), 1078 BN_num_bits(host_key->rsa->n), 1079 SSH_KEY_BITS_RESERVED); 1080 } 1081 rsa_public_encrypt(key, key, host_key->rsa); 1082 rsa_public_encrypt(key, key, server_key->rsa); 1083 } 1084 1085 /* Destroy the public keys since we no longer need them. */ 1086 key_free(server_key); 1087 key_free(host_key); 1088 1089 if (options.cipher == SSH_CIPHER_NOT_SET) { 1090 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) 1091 options.cipher = ssh_cipher_default; 1092 } else if (options.cipher == SSH_CIPHER_ILLEGAL || 1093 !(cipher_mask_ssh1(1) & (1 << options.cipher))) { 1094 log("No valid SSH1 cipher, using %.100s instead.", 1095 cipher_name(ssh_cipher_default)); 1096 options.cipher = ssh_cipher_default; 1097 } 1098 /* Check that the selected cipher is supported. */ 1099 if (!(supported_ciphers & (1 << options.cipher))) 1100 fatal("Selected cipher type %.100s not supported by server.", 1101 cipher_name(options.cipher)); 1102 1103 debug("Encryption type: %.100s", cipher_name(options.cipher)); 1104 1105 /* Send the encrypted session key to the server. */ 1106 packet_start(SSH_CMSG_SESSION_KEY); 1107 packet_put_char(options.cipher); 1108 1109 /* Send the cookie back to the server. */ 1110 for (i = 0; i < 8; i++) 1111 packet_put_char(cookie[i]); 1112 1113 /* Send and destroy the encrypted encryption key integer. */ 1114 packet_put_bignum(key); 1115 BN_clear_free(key); 1116 1117 /* Send protocol flags. */ 1118 packet_put_int(client_flags); 1119 1120 /* Send the packet now. */ 1121 packet_send(); 1122 packet_write_wait(); 1123 1124 debug("Sent encrypted session key."); 1125 1126 /* Set the encryption key. */ 1127 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); 1128 1129 /* We will no longer need the session key here. Destroy any extra copies. */ 1130 memset(session_key, 0, sizeof(session_key)); 1131 1132 /* 1133 * Expect a success message from the server. Note that this message 1134 * will be received in encrypted form. 1135 */ 1136 packet_read_expect(SSH_SMSG_SUCCESS); 1137 1138 debug("Received encrypted confirmation."); 1139 } 1140 1141 /* 1142 * Authenticate user 1143 */ 1144 void 1145 ssh_userauth1(const char *local_user, const char *server_user, char *host, 1146 Sensitive *sensitive) 1147 { 1148 #ifdef KRB5 1149 krb5_context context = NULL; 1150 krb5_auth_context auth_context = NULL; 1151 #endif 1152 int i, type; 1153 1154 if (supported_authentications == 0) 1155 fatal("ssh_userauth1: server supports no auth methods"); 1156 1157 /* Send the name of the user to log in as on the server. */ 1158 packet_start(SSH_CMSG_USER); 1159 packet_put_cstring(server_user); 1160 packet_send(); 1161 packet_write_wait(); 1162 1163 /* 1164 * The server should respond with success if no authentication is 1165 * needed (the user has no password). Otherwise the server responds 1166 * with failure. 1167 */ 1168 type = packet_read(); 1169 1170 /* check whether the connection was accepted without authentication. */ 1171 if (type == SSH_SMSG_SUCCESS) 1172 goto success; 1173 if (type != SSH_SMSG_FAILURE) 1174 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); 1175 1176 #ifdef KRB5 1177 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1178 options.kerberos_authentication) { 1179 debug("Trying Kerberos v5 authentication."); 1180 1181 if (try_krb5_authentication(&context, &auth_context)) { 1182 type = packet_read(); 1183 if (type == SSH_SMSG_SUCCESS) 1184 goto success; 1185 if (type != SSH_SMSG_FAILURE) 1186 packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type); 1187 } 1188 } 1189 #endif /* KRB5 */ 1190 1191 #ifdef KRB4 1192 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1193 options.kerberos_authentication) { 1194 debug("Trying Kerberos v4 authentication."); 1195 1196 if (try_krb4_authentication()) { 1197 type = packet_read(); 1198 if (type == SSH_SMSG_SUCCESS) 1199 goto success; 1200 if (type != SSH_SMSG_FAILURE) 1201 packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type); 1202 } 1203 } 1204 #endif /* KRB4 */ 1205 1206 /* 1207 * Use rhosts authentication if running in privileged socket and we 1208 * do not wish to remain anonymous. 1209 */ 1210 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) && 1211 options.rhosts_authentication) { 1212 debug("Trying rhosts authentication."); 1213 packet_start(SSH_CMSG_AUTH_RHOSTS); 1214 packet_put_cstring(local_user); 1215 packet_send(); 1216 packet_write_wait(); 1217 1218 /* The server should respond with success or failure. */ 1219 type = packet_read(); 1220 if (type == SSH_SMSG_SUCCESS) 1221 goto success; 1222 if (type != SSH_SMSG_FAILURE) 1223 packet_disconnect("Protocol error: got %d in response to rhosts auth", 1224 type); 1225 } 1226 /* 1227 * Try .rhosts or /etc/hosts.equiv authentication with RSA host 1228 * authentication. 1229 */ 1230 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) && 1231 options.rhosts_rsa_authentication) { 1232 for (i = 0; i < sensitive->nkeys; i++) { 1233 if (sensitive->keys[i] != NULL && 1234 sensitive->keys[i]->type == KEY_RSA1 && 1235 try_rhosts_rsa_authentication(local_user, 1236 sensitive->keys[i])) 1237 goto success; 1238 } 1239 } 1240 /* Try RSA authentication if the server supports it. */ 1241 if ((supported_authentications & (1 << SSH_AUTH_RSA)) && 1242 options.rsa_authentication) { 1243 /* 1244 * Try RSA authentication using the authentication agent. The 1245 * agent is tried first because no passphrase is needed for 1246 * it, whereas identity files may require passphrases. 1247 */ 1248 if (try_agent_authentication()) 1249 goto success; 1250 1251 /* Try RSA authentication for each identity. */ 1252 for (i = 0; i < options.num_identity_files; i++) 1253 if (options.identity_keys[i] != NULL && 1254 options.identity_keys[i]->type == KEY_RSA1 && 1255 try_rsa_authentication(i)) 1256 goto success; 1257 } 1258 /* Try challenge response authentication if the server supports it. */ 1259 if ((supported_authentications & (1 << SSH_AUTH_TIS)) && 1260 options.challenge_response_authentication && !options.batch_mode) { 1261 if (try_challenge_response_authentication()) 1262 goto success; 1263 } 1264 /* Try password authentication if the server supports it. */ 1265 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 1266 options.password_authentication && !options.batch_mode) { 1267 char prompt[80]; 1268 1269 snprintf(prompt, sizeof(prompt), 1270 gettext("%.30s@%.128s's password: "), 1271 server_user, host); 1272 if (try_password_authentication(prompt)) 1273 goto success; 1274 } 1275 /* All authentication methods have failed. Exit with an error message. */ 1276 fatal("Permission denied (all authentication methods have failed)."); 1277 /* NOTREACHED */ 1278 1279 success: 1280 #ifdef KRB5 1281 /* Try Kerberos v5 TGT passing. */ 1282 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1283 options.kerberos_tgt_passing && context && auth_context) { 1284 if (options.cipher == SSH_CIPHER_NONE) 1285 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1286 send_krb5_tgt(context, auth_context); 1287 } 1288 if (auth_context) 1289 krb5_auth_con_free(context, auth_context); 1290 if (context) 1291 krb5_free_context(context); 1292 #endif 1293 1294 #ifdef AFS 1295 /* Try Kerberos v4 TGT passing if the server supports it. */ 1296 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1297 options.kerberos_tgt_passing) { 1298 if (options.cipher == SSH_CIPHER_NONE) 1299 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); 1300 send_krb4_tgt(); 1301 } 1302 /* Try AFS token passing if the server supports it. */ 1303 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && 1304 options.afs_token_passing && k_hasafs()) { 1305 if (options.cipher == SSH_CIPHER_NONE) 1306 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); 1307 send_afs_tokens(); 1308 } 1309 #endif /* AFS */ 1310 1311 return; /* need statement after label */ 1312 }