authordjm@openbsd.org <djm@openbsd.org>2018-09-14 04:44:04 +0000
committerDamien Miller <djm@mindrot.org>2018-09-14 14:45:07 +1000
commit6c8b82fc6929b6a9a3f645151b6ec26c5507d9ef (patch)
treea5d7beadd3aa31279461138e1d38a321fd872e1f
parent6da046f9c3374ce7e269ded15d8ff8bc45017301 (diff)
upstream: revert following; deals badly with agent keys
revision 1.285 date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d
-rw-r--r--sshconnect2.c73
1 files changed, 26 insertions, 47 deletions
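--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.285 2018/09/14 04:17:12 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.286 2018/09/14 04:44:04 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -581,27 +581,6 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
 	return 0;
 }
 
-/*
- * Format an identity for logging including filename, key type, fingerprint
- * and location (agent, etc.). Caller must free.
- */
-static char *
-format_identity(Identity *id)
-{
-	char *fp, *ret = NULL;
-
-	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
-	    SSH_FP_DEFAULT)) == NULL)
-		fatal("%s: sshkey_fingerprint failed", __func__);
-	xasprintf(&ret, "%s %s %s%s%s%s",
-	    id->filename, sshkey_type(id->key), fp,
-	    id->userprovided ? ", explicit" : "",
-	    (id->key->flags & SSHKEY_FLAG_EXT) ? ", token" : "",
-	    id->agent_fd != -1 ? ", agent" : "");
-	free(fp);
-	return ret;
-}
-
 /* ARGSUSED */
 int
 input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
@@ -609,9 +588,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 	Authctxt *authctxt = ssh->authctxt;
 	struct sshkey *key = NULL;
 	Identity *id = NULL;
-	int pktype, found = 0, sent = 0;
+	int pktype, sent = 0;
 	size_t blen;
-	char *pkalg = NULL, *fp = NULL, *ident = NULL;
+	char *pkalg = NULL, *fp;
 	u_char *pkblob = NULL;
 	int r;
 
@@ -623,8 +602,10 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 	    (r = sshpkt_get_end(ssh)) != 0)
 		goto done;
 
+	debug("Server accepts key: pkalg %s blen %zu", pkalg, blen);
+
 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
-		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
+		debug("unknown pkalg %s", pkalg);
 		goto done;
 	}
 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -637,6 +618,11 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 		    key->type, pktype);
 		goto done;
 	}
+	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+	    SSH_FP_DEFAULT)) == NULL)
+		goto done;
+	debug2("input_userauth_pk_ok: fp %s", fp);
+	free(fp);
 
 	/*
 	 * search keys in the reverse order, because last candidate has been
@@ -645,25 +631,13 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 	 */
 	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
 		if (sshkey_equal(key, id->key)) {
-			found = 1;
+			sent = sign_and_send_pubkey(ssh, authctxt, id);
 			break;
 		}
 	}
-	if (!found || id == NULL) {
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT);
-		error("%s: server replied with unknown key: %s %s", __func__,
-		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
-		goto done;
-	}
-	ident = format_identity(id);
-	debug("Server accepts key: %s", ident);
-	sent = sign_and_send_pubkey(ssh, authctxt, id);
 	r = 0;
 done:
 	sshkey_free(key);
-	free(ident);
-	free(fp);
 	free(pkalg);
 	free(pkblob);
 
@@ -1484,7 +1458,6 @@ pubkey_prepare(Authctxt *authctxt)
 	int agent_fd = -1, i, r, found;
 	size_t j;
 	struct ssh_identitylist *idlist;
-	char *ident;
 
 	TAILQ_INIT(&agent); /* keys from the agent */
 	TAILQ_INIT(&files); /* keys from the config file */
@@ -1601,11 +1574,10 @@ pubkey_prepare(Authctxt *authctxt)
 			memset(id, 0, sizeof(*id));
 			continue;
 		}
-		ident = format_identity(id);
-		debug("Will attempt key: %s", ident);
-		free(ident);
+		debug2("key: %s (%p)%s%s", id->filename, id->key,
+		    id->userprovided ? ", explicit" : "",
+		    id->agent_fd != -1 ? ", agent" : "");
 	}
-	debug2("%s: done", __func__);
 }
 
 static void
@@ -1653,7 +1625,7 @@ userauth_pubkey(Authctxt *authctxt)
 	struct ssh *ssh = active_state; /* XXX */
 	Identity *id;
 	int sent = 0;
-	char *ident;
+	char *fp;
 
 	while ((id = TAILQ_FIRST(&authctxt->keys))) {
 		if (id->tried++)
@@ -1668,9 +1640,16 @@ userauth_pubkey(Authctxt *authctxt)
 		 */
 		if (id->key != NULL) {
 			if (try_identity(id)) {
-				ident = format_identity(id);
-				debug("Offering public key: %s", ident);
-				free(ident);
+				if ((fp = sshkey_fingerprint(id->key,
+				    options.fingerprint_hash,
+				    SSH_FP_DEFAULT)) == NULL) {
+					error("%s: sshkey_fingerprint failed",
+					    __func__);
+					return 0;
+				}
+				debug("Offering public key: %s %s %s",
+				    sshkey_type(id->key), fp, id->filename);
+				free(fp);
 				sent = send_pubkey_test(ssh, authctxt, id);
 			}
 		} else {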
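Review bot: In the hunk at -645,25 +631,13, the new side of input_userauth_pk_ok lets a PK_OK whose key matches no entry in authctxt->keys fall out of the TAILQ_FOREACH_REVERSE loop with id == NULL, sent == 0 and r == 0, so a server-supplied pkalg/pkblob that was never offered is accepted silently and leaves nothing in the log; the old side at least reported it via error(). If the revert has to drop the found/id check because of the agent-key problem named in the commit message, a one-line diagnostic after the loop would still help operators and incident responders spot a misbehaving or hostile server: `if (id == NULL) debug("%s: server replied with unknown key", __func__);`. The same hunk also discards the fingerprint that the -637,6 hunk computes and frees a few lines earlier, so the message could not carry it without keeping fp alive until done:, which is presumably why the old side freed fp there. The function's return is outside the hunk, so whether r == 0 with sent == 0 has any further effect on the caller is not visible here.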