cli-auth.c 9.75 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
/*
 * Dropbear SSH
 * 
 * Copyright (c) 2002,2003 Matt Johnston
 * Copyright (c) 2004 by Mihnea Stoenescu
 * All rights reserved.
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE. */

Matt Johnston's avatar
Matt Johnston committed
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#include "includes.h"
#include "session.h"
#include "auth.h"
#include "dbutil.h"
#include "buffer.h"
#include "ssh.h"
#include "packet.h"
#include "runopts.h"

void cli_authinitialise() {

	memset(&ses.authstate, 0, sizeof(ses.authstate));
}


/* Send a "none" auth request to get available methods */
void cli_auth_getmethods() {
43
	TRACE(("enter cli_auth_getmethods"))
Matt Johnston's avatar
Matt Johnston committed
44
45
	CHECKCLEARTOWRITE();
	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
46
	buf_putstring(ses.writepayload, cli_opts.username,
Matt Johnston's avatar
Matt Johnston committed
47
			strlen(cli_opts.username));
48
	buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
Matt Johnston's avatar
Matt Johnston committed
49
			SSH_SERVICE_CONNECTION_LEN);
50
	buf_putstring(ses.writepayload, "none", 4); /* 'none' method */
Matt Johnston's avatar
Matt Johnston committed
51
52

	encrypt_packet();
53

54
#if DROPBEAR_CLI_IMMEDIATE_AUTH
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
	/* We can't haven't two auth requests in-flight with delayed zlib mode
	since if the first one succeeds then the remote side will 
	expect the second one to be compressed. 
	Race described at
	http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/zlib-openssh.html
	*/
	if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) {
		ses.authstate.authtypes = AUTH_TYPE_PUBKEY;
		if (getenv(DROPBEAR_PASSWORD_ENV)) {
			ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT;
		}
		if (cli_auth_try() == DROPBEAR_SUCCESS) {
			TRACE(("skipped initial none auth query"))
			/* Note that there will be two auth responses in-flight */
			cli_ses.ignore_next_auth_response = 1;
		}
71
72
	}
#endif
73
	TRACE(("leave cli_auth_getmethods"))
Matt Johnston's avatar
Matt Johnston committed
74
75
}

Matt Johnston's avatar
Matt Johnston committed
76
77
void recv_msg_userauth_banner() {

78
	char* banner = NULL;
Matt Johnston's avatar
Matt Johnston committed
79
80
	unsigned int bannerlen;
	unsigned int i, linecount;
Matt Johnston's avatar
Matt Johnston committed
81
	int truncated = 0;
Matt Johnston's avatar
Matt Johnston committed
82

83
	TRACE(("enter recv_msg_userauth_banner"))
Matt Johnston's avatar
Matt Johnston committed
84
	if (ses.authstate.authdone) {
85
		TRACE(("leave recv_msg_userauth_banner: banner after auth done"))
Matt Johnston's avatar
Matt Johnston committed
86
87
88
		return;
	}

89
	banner = buf_getstring(ses.payload, &bannerlen);
Matt Johnston's avatar
Matt Johnston committed
90
91
92
	buf_eatstring(ses.payload); /* The language string */

	if (bannerlen > MAX_BANNER_SIZE) {
93
		TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen))
Matt Johnston's avatar
Matt Johnston committed
94
95
96
97
98
99
100
101
102
103
104
105
106
107
		truncated = 1;
	} else {
		cleantext(banner);

		/* Limit to 24 lines */
		linecount = 1;
		for (i = 0; i < bannerlen; i++) {
			if (banner[i] == '\n') {
				if (linecount >= MAX_BANNER_LINES) {
					banner[i] = '\0';
					truncated = 1;
					break;
				}
				linecount++;
Matt Johnston's avatar
Matt Johnston committed
108
109
			}
		}
Matt Johnston's avatar
Matt Johnston committed
110
		fprintf(stderr, "%s\n", banner);
Matt Johnston's avatar
Matt Johnston committed
111
112
	}

Matt Johnston's avatar
Matt Johnston committed
113
114
115
	if (truncated) {
		fprintf(stderr, "[Banner from the server is too long]\n");
	}
Matt Johnston's avatar
Matt Johnston committed
116
117

	m_free(banner);
118
	TRACE(("leave recv_msg_userauth_banner"))
Matt Johnston's avatar
Matt Johnston committed
119
120
}

121
122
123
124
125
126
127
/* This handles the message-specific types which
 * all have a value of 60. These are
 * SSH_MSG_USERAUTH_PASSWD_CHANGEREQ,
 * SSH_MSG_USERAUTH_PK_OK, &
 * SSH_MSG_USERAUTH_INFO_REQUEST. */
void recv_msg_userauth_specific_60() {

128
#if DROPBEAR_CLI_PUBKEY_AUTH
129
130
131
132
133
134
	if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
		recv_msg_userauth_pk_ok();
		return;
	}
#endif

135
#if DROPBEAR_CLI_INTERACT_AUTH
136
137
138
139
140
141
	if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) {
		recv_msg_userauth_info_request();
		return;
	}
#endif

142
#if DROPBEAR_CLI_PASSWORD_AUTH
143
144
145
146
147
148
149
150
151
152
153
154
	if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) {
		/* Eventually there could be proper password-changing
		 * support. However currently few servers seem to
		 * implement it, and password auth is last-resort
		 * regardless - keyboard-interactive is more likely
		 * to be used anyway. */
		dropbear_close("Your password has expired.");
	}
#endif

	dropbear_exit("Unexpected userauth packet");
}
Matt Johnston's avatar
Matt Johnston committed
155

Matt Johnston's avatar
Matt Johnston committed
156
157
void recv_msg_userauth_failure() {

158
159
	char * methods = NULL;
	char * tok = NULL;
Matt Johnston's avatar
Matt Johnston committed
160
161
162
163
	unsigned int methlen = 0;
	unsigned int partial = 0;
	unsigned int i = 0;

164
165
	TRACE(("<- MSG_USERAUTH_FAILURE"))
	TRACE(("enter recv_msg_userauth_failure"))
Matt Johnston's avatar
Matt Johnston committed
166

167
168
169
170
171
	if (ses.authstate.authdone) {
		TRACE(("leave recv_msg_userauth_failure, already authdone."))
		return;
	}

172
173
	if (cli_ses.state != USERAUTH_REQ_SENT) {
		/* Perhaps we should be more fatal? */
174
		dropbear_exit("Unexpected userauth failure");
175
176
	}

177
178
179
180
181
	/* When DROPBEAR_CLI_IMMEDIATE_AUTH is set there will be an initial response for 
	the "none" auth request, and then a response to the immediate auth request. 
	We need to be careful handling them. */
	if (cli_ses.ignore_next_auth_response) {
		cli_ses.state = USERAUTH_REQ_SENT;
182
183
184
		cli_ses.ignore_next_auth_response = 0;
		TRACE(("leave recv_msg_userauth_failure, ignored response, state set to USERAUTH_REQ_SENT"));
		return;
185
	} else  {
186
#if DROPBEAR_CLI_PUBKEY_AUTH
187
188
189
190
191
		/* If it was a pubkey auth request, we should cross that key 
		 * off the list. */
		if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
			cli_pubkeyfail();
		}
192
193
#endif

194
#if DROPBEAR_CLI_INTERACT_AUTH
195
196
197
198
199
200
201
202
		/* If we get a failure message for keyboard interactive without
		 * receiving any request info packet, then we don't bother trying
		 * keyboard interactive again */
		if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT
				&& !cli_ses.interact_request_received) {
			TRACE(("setting auth_interact_failed = 1"))
			cli_ses.auth_interact_failed = 1;
		}
203
#endif
204
205
		cli_ses.state = USERAUTH_FAIL_RCVD;
		cli_ses.lastauthtype = AUTH_TYPE_NONE;
206
	}
207

208
	methods = buf_getstring(ses.payload, &methlen);
Matt Johnston's avatar
Matt Johnston committed
209

210
	partial = buf_getbool(ses.payload);
Matt Johnston's avatar
Matt Johnston committed
211
212
213
214
215
216
217

	if (partial) {
		dropbear_log(LOG_INFO, "Authentication partially succeeded, more attempts required");
	} else {
		ses.authstate.failcount++;
	}

218
	TRACE(("Methods (len %d): '%s'", methlen, methods))
Matt Johnston's avatar
Matt Johnston committed
219
220
221
222
223
224
225
226
227
228
229
230
231
232

	ses.authstate.authdone=0;
	ses.authstate.authtypes=0;

	/* Split with nulls rather than commas */
	for (i = 0; i < methlen; i++) {
		if (methods[i] == ',') {
			methods[i] = '\0';
		}
	}

	tok = methods; /* tok stores the next method we'll compare */
	for (i = 0; i <= methlen; i++) {
		if (methods[i] == '\0') {
233
			TRACE(("auth method '%s'", tok))
234
#if DROPBEAR_CLI_PUBKEY_AUTH
Matt Johnston's avatar
Matt Johnston committed
235
236
237
238
239
			if (strncmp(AUTH_METHOD_PUBKEY, tok,
				AUTH_METHOD_PUBKEY_LEN) == 0) {
				ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
			}
#endif
240
#if DROPBEAR_CLI_INTERACT_AUTH
241
242
243
244
245
			if (strncmp(AUTH_METHOD_INTERACT, tok,
				AUTH_METHOD_INTERACT_LEN) == 0) {
				ses.authstate.authtypes |= AUTH_TYPE_INTERACT;
			}
#endif
246
#if DROPBEAR_CLI_PASSWORD_AUTH
Matt Johnston's avatar
Matt Johnston committed
247
248
249
250
251
			if (strncmp(AUTH_METHOD_PASSWORD, tok,
				AUTH_METHOD_PASSWORD_LEN) == 0) {
				ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
			}
#endif
252
253
254
			tok = &methods[i+1]; /* Must make sure we don't use it after the
									last loop, since it'll point to something
									undefined */
Matt Johnston's avatar
Matt Johnston committed
255
256
257
		}
	}

258
	m_free(methods);
Matt Johnston's avatar
Matt Johnston committed
259
		
260
	TRACE(("leave recv_msg_userauth_failure"))
Matt Johnston's avatar
Matt Johnston committed
261
262
263
}

void recv_msg_userauth_success() {
264
265
266
	/* This function can validly get called multiple times
	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */

267
	TRACE(("received msg_userauth_success"))
268
269
	/* Note: in delayed-zlib mode, setting authdone here 
	 * will enable compression in the transport layer */
Matt Johnston's avatar
Matt Johnston committed
270
	ses.authstate.authdone = 1;
Matt Johnston's avatar
Matt Johnston committed
271
	cli_ses.state = USERAUTH_SUCCESS_RCVD;
272
	cli_ses.lastauthtype = AUTH_TYPE_NONE;
273

274
#if DROPBEAR_CLI_PUBKEY_AUTH
275
276
	cli_auth_pubkey_cleanup();
#endif
Matt Johnston's avatar
Matt Johnston committed
277
278
}

279
int cli_auth_try() {
Matt Johnston's avatar
Matt Johnston committed
280
281

	int finished = 0;
282
	TRACE(("enter cli_auth_try"))
Matt Johnston's avatar
Matt Johnston committed
283
284
285

	CHECKCLEARTOWRITE();
	
286
287
	/* Order to try is pubkey, interactive, password.
	 * As soon as "finished" is set for one, we don't do any more. */
288
#if DROPBEAR_CLI_PUBKEY_AUTH
Matt Johnston's avatar
Matt Johnston committed
289
290
	if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
		finished = cli_auth_pubkey();
291
		cli_ses.lastauthtype = AUTH_TYPE_PUBKEY;
Matt Johnston's avatar
Matt Johnston committed
292
293
294
	}
#endif

295
#if DROPBEAR_CLI_PASSWORD_AUTH
296
297
298
299
300
301
302
303
	if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
		if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
			fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
		} else {
			cli_auth_password();
			finished = 1;
			cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
		}
304
305
306
	}
#endif

307
#if DROPBEAR_CLI_INTERACT_AUTH
308
309
310
	if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) {
		if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
			fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n");
311
		} else {
312
313
314
315
316
			if (!cli_ses.auth_interact_failed) {
				cli_auth_interactive();
				cli_ses.lastauthtype = AUTH_TYPE_INTERACT;
				finished = 1;
			}
317
318
319
320
321
322
		}
	}
#endif

	TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype))

323
324
325
	if (finished) {
		TRACE(("leave cli_auth_try success"))
		return DROPBEAR_SUCCESS;
Matt Johnston's avatar
Matt Johnston committed
326
	}
327
328
	TRACE(("leave cli_auth_try failure"))
	return DROPBEAR_FAILURE;
Matt Johnston's avatar
Matt Johnston committed
329
}
330

331
#if DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_INTERACT_AUTH
332
333
/* A helper for getpass() that exits if the user cancels. The returned
 * password is statically allocated by getpass() */
334
char* getpass_or_cancel(char* prompt)
335
336
{
	char* password = NULL;
337
338
	
#ifdef DROPBEAR_PASSWORD_ENV
339
340
341
342
343
344
	/* Password provided in an environment var */
	password = getenv(DROPBEAR_PASSWORD_ENV);
	if (password)
	{
		return password;
	}
345
#endif
346

347
	password = getpass(prompt);
348
349
350
351
352
353
354

	/* 0x03 is a ctrl-c character in the buffer. */
	if (password == NULL || strchr(password, '\3') != NULL) {
		dropbear_close("Interrupted.");
	}
	return password;
}
Mike Frysinger's avatar
Mike Frysinger committed
355
#endif