authordjm@openbsd.org <djm@openbsd.org>2018-09-14 05:26:27 +0000
committerDamien Miller <djm@mindrot.org>2018-09-14 15:27:43 +1000
commitbeb9e522dc7717df08179f9e59f36b361bfa14ab (patch)
tree040a2fbdab7cd8eddea608e59d7fab811329396d
parent6bc5a24ac867bfdc3ed615589d69ac640f51674b (diff)
upstream: second try, deals properly with missing and private-only
Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains (where available) the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: f1c6a8e9cfc4e108c359db77f24f9a40e1e25ea7
-rw-r--r--sshconnect2.c79
1 files changed, 53 insertions, 26 deletions
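--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.286 2018/09/14 04:44:04 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.287 2018/09/14 05:26:27 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -581,6 +581,30 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
  return 0;
 }
 
+/*
+ * Format an identity for logging including filename, key type, fingerprint
+ * and location (agent, etc.). Caller must free.
+ */
+static char *
+format_identity(Identity *id)
+{
+ char *fp = NULL, *ret = NULL;
+
+ if (id->key != NULL) {
+ fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
+ SSH_FP_DEFAULT);
+ }
+ xasprintf(&ret, "%s %s%s%s%s%s%s",
+ id->filename,
+ id->key ? sshkey_type(id->key) : "", id->key ? " " : "",
+ fp ? fp : "",
+ id->userprovided ? " explicit" : "",
+ (id->key && (id->key->flags & SSHKEY_FLAG_EXT)) ? " token" : "",
+ id->agent_fd != -1 ? " agent" : "");
+ free(fp);
+ return ret;
+}
+
 /* ARGSUSED */
 int
 input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
@@ -588,9 +612,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  Authctxt *authctxt = ssh->authctxt;
  struct sshkey *key = NULL;
  Identity *id = NULL;
- int pktype, sent = 0;
+ int pktype, found = 0, sent = 0;
  size_t blen;
- char *pkalg = NULL, *fp;
+ char *pkalg = NULL, *fp = NULL, *ident = NULL;
  u_char *pkblob = NULL;
  int r;
 
@@ -602,10 +626,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  (r = sshpkt_get_end(ssh)) != 0)
  goto done;
 
- debug("Server accepts key: pkalg %s blen %zu", pkalg, blen);
-
  if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
- debug("unknown pkalg %s", pkalg);
+ debug("%s: server sent unknown pkalg %s", __func__, pkalg);
  goto done;
  }
  if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -618,11 +640,6 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  key->type, pktype);
  goto done;
  }
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
- SSH_FP_DEFAULT)) == NULL)
- goto done;
- debug2("input_userauth_pk_ok: fp %s", fp);
- free(fp);
 
  /*
  * search keys in the reverse order, because last candidate has been
@@ -631,13 +648,25 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  */
  TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
  if (sshkey_equal(key, id->key)) {
- sent = sign_and_send_pubkey(ssh, authctxt, id);
+ found = 1;
  break;
  }
  }
+ if (!found || id == NULL) {
+ fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ SSH_FP_DEFAULT);
+ error("%s: server replied with unknown key: %s %s", __func__,
+ sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+ goto done;
+ }
+ ident = format_identity(id);
+ debug("Server accepts key: %s", ident);
+ sent = sign_and_send_pubkey(ssh, authctxt, id);
  r = 0;
 done:
  sshkey_free(key);
+ free(ident);
+ free(fp);
  free(pkalg);
  free(pkblob);
 
@@ -1458,6 +1487,7 @@ pubkey_prepare(Authctxt *authctxt)
  int agent_fd = -1, i, r, found;
  size_t j;
  struct ssh_identitylist *idlist;
+ char *ident;
 
  TAILQ_INIT(&agent); /* keys from the agent */
  TAILQ_INIT(&files); /* keys from the config file */
@@ -1574,10 +1604,14 @@ pubkey_prepare(Authctxt *authctxt)
  memset(id, 0, sizeof(*id));
  continue;
  }
- debug2("key: %s (%p)%s%s", id->filename, id->key,
- id->userprovided ? ", explicit" : "",
- id->agent_fd != -1 ? ", agent" : "");
  }
+ /* List the keys we plan on using */
+ TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
+ ident = format_identity(id);
+ debug("Will attempt key: %s", ident);
+ free(ident);
+ }
+ debug2("%s: done", __func__);
 }
 
 static void
@@ -1625,7 +1659,7 @@ userauth_pubkey(Authctxt *authctxt)
  struct ssh *ssh = active_state; /* XXX */
  Identity *id;
  int sent = 0;
- char *fp;
+ char *ident;
 
  while ((id = TAILQ_FIRST(&authctxt->keys))) {
  if (id->tried++)
@@ -1640,16 +1674,9 @@ userauth_pubkey(Authctxt *authctxt)
  */
  if (id->key != NULL) {
  if (try_identity(id)) {
- if ((fp = sshkey_fingerprint(id->key,
- options.fingerprint_hash,
- SSH_FP_DEFAULT)) == NULL) {
- error("%s: sshkey_fingerprint failed",
- __func__);
- return 0;
- }
- debug("Offering public key: %s %s %s",
- sshkey_type(id->key), fp, id->filename);
- free(fp);
+ ident = format_identity(id);
+ debug("Offering public key: %s", ident);
+ free(ident);
  sent = send_pubkey_test(ssh, authctxt, id);
  }
  } else {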
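Review bot: format_identity() at new lines 588-606 hides a sshkey_fingerprint() failure: when id->key is set but the fingerprint cannot be computed, `fp ? fp : ""` prints nothing, so the log line for a real key looks like one with no key at all, whereas the sibling path in input_userauth_pk_ok() at new line 659 prints `"<ERROR>"` for the same condition. Before this commit userauth_pubkey() refused to offer such a key (the removed `sshkey_fingerprint failed` branch), so the operator now gets neither an error nor a marker in the debug log. Changing new line 600 to `id->key == NULL ? "" : (fp == NULL ? "<ERROR>" : fp),` keeps the two messages consistent and makes the failure visible on the "Will attempt key", "Offering public key" and "Server accepts key" lines that all go through the helper. As a style nit, the listing loop at new lines 1609-1613 removes nothing from the list, so plain `TAILQ_FOREACH(id, preferred, next)` would read more clearly than the _SAFE form.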