diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-09-14 04:17:12 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-09-14 14:18:48 +1000 |
| commit | 1f24ac5fc05252ceb1c1d0e8cab6a283b883c780 (patch) | |
| tree | 147d5547d9e1d0d3a1025b1c78f5fec398a66113 | |
| parent | 488c9325bb7233e975dbfbf89fa055edc3d3eddc (diff) | |
upstream: Use consistent format in debug log for keys readied,
offered and received during public key authentication.
This makes it a little easier to see what is going on, as each message
now contains the key filename, its type and fingerprint, and whether
the key is hosted in an agent or a token.
OpenBSD-Commit-ID: 2a01d59285a8a7e01185bb0a43316084b4f06a1f
| -rw-r--r-- | sshconnect2.c | 73 |
1 files changed, 47 insertions, 26 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 10e4f0a08..ad9b850d2 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.284 2018/08/13 02:41:05 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.285 2018/09/14 04:17:12 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -581,6 +581,27 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh) | |||
| 581 | return 0; | 581 | return 0; |
| 582 | } | 582 | } |
| 583 | 583 | ||
| 584 | /* | ||
| 585 | * Format an identity for logging including filename, key type, fingerprint | ||
| 586 | * and location (agent, etc.). Caller must free. | ||
| 587 | */ | ||
| 588 | static char * | ||
| 589 | format_identity(Identity *id) | ||
| 590 | { | ||
| 591 | char *fp, *ret = NULL; | ||
| 592 | |||
| 593 | if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash, | ||
| 594 | SSH_FP_DEFAULT)) == NULL) | ||
| 595 | fatal("%s: sshkey_fingerprint failed", __func__); | ||
| 596 | xasprintf(&ret, "%s %s %s%s%s%s", | ||
| 597 | id->filename, sshkey_type(id->key), fp, | ||
| 598 | id->userprovided ? ", explicit" : "", | ||
| 599 | (id->key->flags & SSHKEY_FLAG_EXT) ? ", token" : "", | ||
| 600 | id->agent_fd != -1 ? ", agent" : ""); | ||
| 601 | free(fp); | ||
| 602 | return ret; | ||
| 603 | } | ||
| 604 | |||
| 584 | /* ARGSUSED */ | 605 | /* ARGSUSED */ |
| 585 | int | 606 | int |
| 586 | input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | 607 | input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) |
| @@ -588,9 +609,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
| 588 | Authctxt *authctxt = ssh->authctxt; | 609 | Authctxt *authctxt = ssh->authctxt; |
| 589 | struct sshkey *key = NULL; | 610 | struct sshkey *key = NULL; |
| 590 | Identity *id = NULL; | 611 | Identity *id = NULL; |
| 591 | int pktype, sent = 0; | 612 | int pktype, found = 0, sent = 0; |
| 592 | size_t blen; | 613 | size_t blen; |
| 593 | char *pkalg = NULL, *fp; | 614 | char *pkalg = NULL, *fp = NULL, *ident = NULL; |
| 594 | u_char *pkblob = NULL; | 615 | u_char *pkblob = NULL; |
| 595 | int r; | 616 | int r; |
| 596 | 617 | ||
| @@ -602,10 +623,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
| 602 | (r = sshpkt_get_end(ssh)) != 0) | 623 | (r = sshpkt_get_end(ssh)) != 0) |
| 603 | goto done; | 624 | goto done; |
| 604 | 625 | ||
| 605 | debug("Server accepts key: pkalg %s blen %zu", pkalg, blen); | ||
| 606 | |||
| 607 | if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { | 626 | if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { |
| 608 | debug("unknown pkalg %s", pkalg); | 627 | debug("%s: server sent unknown pkalg %s", __func__, pkalg); |
| 609 | goto done; | 628 | goto done; |
| 610 | } | 629 | } |
| 611 | if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { | 630 | if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
| @@ -618,11 +637,6 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
| 618 | key->type, pktype); | 637 | key->type, pktype); |
| 619 | goto done; | 638 | goto done; |
| 620 | } | 639 | } |
| 621 | if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, | ||
| 622 | SSH_FP_DEFAULT)) == NULL) | ||
| 623 | goto done; | ||
| 624 | debug2("input_userauth_pk_ok: fp %s", fp); | ||
| 625 | free(fp); | ||
| 626 | 640 | ||
| 627 | /* | 641 | /* |
| 628 | * search keys in the reverse order, because last candidate has been | 642 | * search keys in the reverse order, because last candidate has been |
| @@ -631,13 +645,25 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
| 631 | */ | 645 | */ |
| 632 | TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) { | 646 | TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) { |
| 633 | if (sshkey_equal(key, id->key)) { | 647 | if (sshkey_equal(key, id->key)) { |
| 634 | sent = sign_and_send_pubkey(ssh, authctxt, id); | 648 | found = 1; |
| 635 | break; | 649 | break; |
| 636 | } | 650 | } |
| 637 | } | 651 | } |
| 652 | if (!found || id == NULL) { | ||
| 653 | fp = sshkey_fingerprint(key, options.fingerprint_hash, | ||
| 654 | SSH_FP_DEFAULT); | ||
| 655 | error("%s: server replied with unknown key: %s %s", __func__, | ||
| 656 | sshkey_type(key), fp == NULL ? "<ERROR>" : fp); | ||
| 657 | goto done; | ||
| 658 | } | ||
| 659 | ident = format_identity(id); | ||
| 660 | debug("Server accepts key: %s", ident); | ||
| 661 | sent = sign_and_send_pubkey(ssh, authctxt, id); | ||
| 638 | r = 0; | 662 | r = 0; |
| 639 | done: | 663 | done: |
| 640 | sshkey_free(key); | 664 | sshkey_free(key); |
| 665 | free(ident); | ||
| 666 | free(fp); | ||
| 641 | free(pkalg); | 667 | free(pkalg); |
| 642 | free(pkblob); | 668 | free(pkblob); |
| 643 | 669 | ||
| @@ -1458,6 +1484,7 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1458 | int agent_fd = -1, i, r, found; | 1484 | int agent_fd = -1, i, r, found; |
| 1459 | size_t j; | 1485 | size_t j; |
| 1460 | struct ssh_identitylist *idlist; | 1486 | struct ssh_identitylist *idlist; |
| 1487 | char *ident; | ||
| 1461 | 1488 | ||
| 1462 | TAILQ_INIT(&agent); /* keys from the agent */ | 1489 | TAILQ_INIT(&agent); /* keys from the agent */ |
| 1463 | TAILQ_INIT(&files); /* keys from the config file */ | 1490 | TAILQ_INIT(&files); /* keys from the config file */ |
| @@ -1574,10 +1601,11 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1574 | memset(id, 0, sizeof(*id)); | 1601 | memset(id, 0, sizeof(*id)); |
| 1575 | continue; | 1602 | continue; |
| 1576 | } | 1603 | } |
| 1577 | debug2("key: %s (%p)%s%s", id->filename, id->key, | 1604 | ident = format_identity(id); |
| 1578 | id->userprovided ? ", explicit" : "", | 1605 | debug("Will attempt key: %s", ident); |
| 1579 | id->agent_fd != -1 ? ", agent" : ""); | 1606 | free(ident); |
| 1580 | } | 1607 | } |
| 1608 | debug2("%s: done", __func__); | ||
| 1581 | } | 1609 | } |
| 1582 | 1610 | ||
| 1583 | static void | 1611 | static void |
| @@ -1625,7 +1653,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 1625 | struct ssh *ssh = active_state; /* XXX */ | 1653 | struct ssh *ssh = active_state; /* XXX */ |
| 1626 | Identity *id; | 1654 | Identity *id; |
| 1627 | int sent = 0; | 1655 | int sent = 0; |
| 1628 | char *fp; | 1656 | char *ident; |
| 1629 | 1657 | ||
| 1630 | while ((id = TAILQ_FIRST(&authctxt->keys))) { | 1658 | while ((id = TAILQ_FIRST(&authctxt->keys))) { |
| 1631 | if (id->tried++) | 1659 | if (id->tried++) |
| @@ -1640,16 +1668,9 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 1640 | */ | 1668 | */ |
| 1641 | if (id->key != NULL) { | 1669 | if (id->key != NULL) { |
| 1642 | if (try_identity(id)) { | 1670 | if (try_identity(id)) { |
| 1643 | if ((fp = sshkey_fingerprint(id->key, | 1671 | ident = format_identity(id); |
| 1644 | options.fingerprint_hash, | 1672 | debug("Offering public key: %s", ident); |
| 1645 | SSH_FP_DEFAULT)) == NULL) { | 1673 | free(ident); |
| 1646 | error("%s: sshkey_fingerprint failed", | ||
| 1647 | __func__); | ||
| 1648 | return 0; | ||
| 1649 | } | ||
| 1650 | debug("Offering public key: %s %s %s", | ||
| 1651 | sshkey_type(id->key), fp, id->filename); | ||
| 1652 | free(fp); | ||
| 1653 | sent = send_pubkey_test(ssh, authctxt, id); | 1674 | sent = send_pubkey_test(ssh, authctxt, id); |
| 1654 | } | 1675 | } |
| 1655 | } else { | 1676 | } else { |