authorDamien Miller <djm@mindrot.org>2001-12-21 14:45:46 +1100
committerDamien Miller <djm@mindrot.org>2001-12-21 14:45:46 +1100
commit9f0f5c64bc4b6144e3fed6a7f538f7c21819a492 (patch)
treef79317ab211f59181a61b526f566e9c8cfe70c73 /sshconnect1.c
parent89681214ca2f50a1b1ed6164c3afe1ce14995ffc (diff)
- deraadt@cvs.openbsd.org 2001/12/19 07:18:56
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h] [auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c] [cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c] [match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c] [servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c] [sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c] [sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config] [ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c] basic KNF done while i was looking for something else
Diffstat (limited to 'sshconnect1.c')
-rw-r--r--sshconnect1.c200
1 files changed, 100 insertions, 100 deletions
diff --git a/sshconnect1.c b/sshconnect1.c
index d6b862352..2829ca5a7 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
13 */ 13 */
14 14
15#include "includes.h" 15#include "includes.h"
16RCSID("$OpenBSD: sshconnect1.c,v 1.41 2001/10/06 11:18:19 markus Exp $"); 16RCSID("$OpenBSD: sshconnect1.c,v 1.42 2001/12/19 07:18:56 deraadt Exp $");
17 17
18#include <openssl/bn.h> 18#include <openssl/bn.h>
19#include <openssl/evp.h> 19#include <openssl/evp.h>
@@ -80,8 +80,8 @@ try_agent_authentication(void)
80 80
81 /* Loop through identities served by the agent. */ 81 /* Loop through identities served by the agent. */
82 for (key = ssh_get_first_identity(auth, &comment, 1); 82 for (key = ssh_get_first_identity(auth, &comment, 1);
83 key != NULL; 83 key != NULL;
84 key = ssh_get_next_identity(auth, &comment, 1)) { 84 key = ssh_get_next_identity(auth, &comment, 1)) {
85 85
86 /* Try this identity. */ 86 /* Try this identity. */
87 debug("Trying RSA authentication via agent with '%.100s'", comment); 87 debug("Trying RSA authentication via agent with '%.100s'", comment);
@@ -400,10 +400,10 @@ try_krb4_authentication(void)
400 /* Don't do anything if we don't have any tickets. */ 400 /* Don't do anything if we don't have any tickets. */
401 if (stat(tkt_string(), &st) < 0) 401 if (stat(tkt_string(), &st) < 0)
402 return 0; 402 return 0;
403 403
404 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)), 404 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
405 INST_SZ); 405 INST_SZ);
406 406
407 realm = (char *)krb_realmofhost(get_canonical_hostname(1)); 407 realm = (char *)krb_realmofhost(get_canonical_hostname(1));
408 if (!realm) { 408 if (!realm) {
409 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1)); 409 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
@@ -411,7 +411,7 @@ try_krb4_authentication(void)
411 } 411 }
412 /* This can really be anything. */ 412 /* This can really be anything. */
413 checksum = (u_long)getpid(); 413 checksum = (u_long)getpid();
414 414
415 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum); 415 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
416 if (r != KSUCCESS) { 416 if (r != KSUCCESS) {
417 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]); 417 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
@@ -424,22 +424,22 @@ try_krb4_authentication(void)
424 return 0; 424 return 0;
425 } 425 }
426 des_key_sched((des_cblock *) cred.session, schedule); 426 des_key_sched((des_cblock *) cred.session, schedule);
427 427
428 /* Send authentication info to server. */ 428 /* Send authentication info to server. */
429 packet_start(SSH_CMSG_AUTH_KERBEROS); 429 packet_start(SSH_CMSG_AUTH_KERBEROS);
430 packet_put_string((char *) auth.dat, auth.length); 430 packet_put_string((char *) auth.dat, auth.length);
431 packet_send(); 431 packet_send();
432 packet_write_wait(); 432 packet_write_wait();
433 433
434 /* Zero the buffer. */ 434 /* Zero the buffer. */
435 (void) memset(auth.dat, 0, MAX_KTXT_LEN); 435 (void) memset(auth.dat, 0, MAX_KTXT_LEN);
436 436
437 slen = sizeof(local); 437 slen = sizeof(local);
438 memset(&local, 0, sizeof(local)); 438 memset(&local, 0, sizeof(local));
439 if (getsockname(packet_get_connection_in(), 439 if (getsockname(packet_get_connection_in(),
440 (struct sockaddr *)&local, &slen) < 0) 440 (struct sockaddr *)&local, &slen) < 0)
441 debug("getsockname failed: %s", strerror(errno)); 441 debug("getsockname failed: %s", strerror(errno));
442 442
443 slen = sizeof(foreign); 443 slen = sizeof(foreign);
444 memset(&foreign, 0, sizeof(foreign)); 444 memset(&foreign, 0, sizeof(foreign));
445 if (getpeername(packet_get_connection_in(), 445 if (getpeername(packet_get_connection_in(),
@@ -455,18 +455,18 @@ try_krb4_authentication(void)
455 debug("Kerberos v4 authentication failed."); 455 debug("Kerberos v4 authentication failed.");
456 return 0; 456 return 0;
457 break; 457 break;
458 458
459 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 459 case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
460 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 460 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
461 debug("Kerberos v4 authentication accepted."); 461 debug("Kerberos v4 authentication accepted.");
462 462
463 /* Get server's response. */ 463 /* Get server's response. */
464 reply = packet_get_string((u_int *) &auth.length); 464 reply = packet_get_string((u_int *) &auth.length);
465 memcpy(auth.dat, reply, auth.length); 465 memcpy(auth.dat, reply, auth.length);
466 xfree(reply); 466 xfree(reply);
467 467
468 packet_integrity_check(plen, 4 + auth.length, type); 468 packet_integrity_check(plen, 4 + auth.length, type);
469 469
470 /* 470 /*
471 * If his response isn't properly encrypted with the session 471 * If his response isn't properly encrypted with the session
472 * key, and the decrypted checksum fails to match, he's 472 * key, and the decrypted checksum fails to match, he's
@@ -483,7 +483,7 @@ try_krb4_authentication(void)
483 memcpy((char *)&cksum, (char *)msg_data.app_data, 483 memcpy((char *)&cksum, (char *)msg_data.app_data,
484 sizeof(cksum)); 484 sizeof(cksum));
485 cksum = ntohl(cksum); 485 cksum = ntohl(cksum);
486 486
487 /* If it matches, we're golden. */ 487 /* If it matches, we're golden. */
488 if (cksum == checksum + 1) { 488 if (cksum == checksum + 1) {
489 debug("Kerberos v4 challenge successful."); 489 debug("Kerberos v4 challenge successful.");
@@ -491,7 +491,7 @@ try_krb4_authentication(void)
491 } else 491 } else
492 packet_disconnect("Kerberos v4 challenge failed!"); 492 packet_disconnect("Kerberos v4 challenge failed!");
493 break; 493 break;
494 494
495 default: 495 default:
496 packet_disconnect("Protocol error on Kerberos v4 response: %d", type); 496 packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
497 } 497 }
@@ -513,26 +513,26 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
513 int type, payload_len; 513 int type, payload_len;
514 krb5_ap_rep_enc_part *reply = NULL; 514 krb5_ap_rep_enc_part *reply = NULL;
515 int ret; 515 int ret;
516 516
517 memset(&ap, 0, sizeof(ap)); 517 memset(&ap, 0, sizeof(ap));
518 518
519 problem = krb5_init_context(context); 519 problem = krb5_init_context(context);
520 if (problem) { 520 if (problem) {
521 debug("Kerberos v5: krb5_init_context failed"); 521 debug("Kerberos v5: krb5_init_context failed");
522 ret = 0; 522 ret = 0;
523 goto out; 523 goto out;
524 } 524 }
525 525
526 tkfile = krb5_cc_default_name(*context); 526 tkfile = krb5_cc_default_name(*context);
527 if (strncmp(tkfile, "FILE:", 5) == 0) 527 if (strncmp(tkfile, "FILE:", 5) == 0)
528 tkfile += 5; 528 tkfile += 5;
529 529
530 if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { 530 if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
531 debug("Kerberos v5: could not get default ccache (permission denied)."); 531 debug("Kerberos v5: could not get default ccache (permission denied).");
532 ret = 0; 532 ret = 0;
533 goto out; 533 goto out;
534 } 534 }
535 535
536 problem = krb5_cc_default(*context, &ccache); 536 problem = krb5_cc_default(*context, &ccache);
537 if (problem) { 537 if (problem) {
538 debug("Kerberos v5: krb5_cc_default failed: %s", 538 debug("Kerberos v5: krb5_cc_default failed: %s",
@@ -540,9 +540,9 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
540 ret = 0; 540 ret = 0;
541 goto out; 541 goto out;
542 } 542 }
543 543
544 remotehost = get_canonical_hostname(1); 544 remotehost = get_canonical_hostname(1);
545 545
546 problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, 546 problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
547 "host", remotehost, NULL, ccache, &ap); 547 "host", remotehost, NULL, ccache, &ap);
548 if (problem) { 548 if (problem) {
@@ -551,48 +551,48 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
551 ret = 0; 551 ret = 0;
552 goto out; 552 goto out;
553 } 553 }
554 554
555 packet_start(SSH_CMSG_AUTH_KERBEROS); 555 packet_start(SSH_CMSG_AUTH_KERBEROS);
556 packet_put_string((char *) ap.data, ap.length); 556 packet_put_string((char *) ap.data, ap.length);
557 packet_send(); 557 packet_send();
558 packet_write_wait(); 558 packet_write_wait();
559 559
560 xfree(ap.data); 560 xfree(ap.data);
561 ap.length = 0; 561 ap.length = 0;
562 562
563 type = packet_read(&payload_len); 563 type = packet_read(&payload_len);
564 switch (type) { 564 switch (type) {
565 case SSH_SMSG_FAILURE: 565 case SSH_SMSG_FAILURE:
566 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ 566 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
567 debug("Kerberos v5 authentication failed."); 567 debug("Kerberos v5 authentication failed.");
568 ret = 0; 568 ret = 0;
569 break; 569 break;
570 570
571 case SSH_SMSG_AUTH_KERBEROS_RESPONSE: 571 case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
572 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ 572 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
573 debug("Kerberos v5 authentication accepted."); 573 debug("Kerberos v5 authentication accepted.");
574 574
575 /* Get server's response. */ 575 /* Get server's response. */
576 ap.data = packet_get_string((unsigned int *) &ap.length); 576 ap.data = packet_get_string((unsigned int *) &ap.length);
577 577
578 packet_integrity_check(payload_len, 4 + ap.length, type); 578 packet_integrity_check(payload_len, 4 + ap.length, type);
579 /* XXX je to dobre? */ 579 /* XXX je to dobre? */
580 580
581 problem = krb5_rd_rep(*context, *auth_context, &ap, &reply); 581 problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
582 if (problem) { 582 if (problem) {
583 ret = 0; 583 ret = 0;
584 } 584 }
585 ret = 1; 585 ret = 1;
586 break; 586 break;
587 587
588 default: 588 default:
589 packet_disconnect("Protocol error on Kerberos v5 response: %d", 589 packet_disconnect("Protocol error on Kerberos v5 response: %d",
590 type); 590 type);
591 ret = 0; 591 ret = 0;
592 break; 592 break;
593 593
594 } 594 }
595 595
596 out: 596 out:
597 if (ccache != NULL) 597 if (ccache != NULL)
598 krb5_cc_close(*context, ccache); 598 krb5_cc_close(*context, ccache);
@@ -600,7 +600,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
600 krb5_free_ap_rep_enc_part(*context, reply); 600 krb5_free_ap_rep_enc_part(*context, reply);
601 if (ap.length > 0) 601 if (ap.length > 0)
602 krb5_data_free(&ap); 602 krb5_data_free(&ap);
603 603
604 return (ret); 604 return (ret);
605} 605}
606 606
@@ -614,62 +614,62 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
614 krb5_creds creds; 614 krb5_creds creds;
615 krb5_kdc_flags flags; 615 krb5_kdc_flags flags;
616 const char *remotehost; 616 const char *remotehost;
617 617
618 memset(&creds, 0, sizeof(creds)); 618 memset(&creds, 0, sizeof(creds));
619 memset(&outbuf, 0, sizeof(outbuf)); 619 memset(&outbuf, 0, sizeof(outbuf));
620 620
621 fd = packet_get_connection_in(); 621 fd = packet_get_connection_in();
622 622
623 problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd); 623 problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
624 if (problem) 624 if (problem)
625 goto out; 625 goto out;
626 626
627 problem = krb5_cc_default(context, &ccache); 627 problem = krb5_cc_default(context, &ccache);
628 if (problem) 628 if (problem)
629 goto out; 629 goto out;
630 630
631 problem = krb5_cc_get_principal(context, ccache, &creds.client); 631 problem = krb5_cc_get_principal(context, ccache, &creds.client);
632 if (problem) 632 if (problem)
633 goto out; 633 goto out;
634 634
635 problem = krb5_build_principal(context, &creds.server, 635 problem = krb5_build_principal(context, &creds.server,
636 strlen(creds.client->realm), creds.client->realm, 636 strlen(creds.client->realm), creds.client->realm,
637 "krbtgt", creds.client->realm, NULL); 637 "krbtgt", creds.client->realm, NULL);
638 if (problem) 638 if (problem)
639 goto out; 639 goto out;
640 640
641 creds.times.endtime = 0; 641 creds.times.endtime = 0;
642 642
643 flags.i = 0; 643 flags.i = 0;
644 flags.b.forwarded = 1; 644 flags.b.forwarded = 1;
645 flags.b.forwardable = krb5_config_get_bool(context, NULL, 645 flags.b.forwardable = krb5_config_get_bool(context, NULL,
646 "libdefaults", "forwardable", NULL); 646 "libdefaults", "forwardable", NULL);
647 647
648 remotehost = get_canonical_hostname(1); 648 remotehost = get_canonical_hostname(1);
649 649
650 problem = krb5_get_forwarded_creds(context, auth_context, 650 problem = krb5_get_forwarded_creds(context, auth_context,
651 ccache, flags.i, remotehost, &creds, &outbuf); 651 ccache, flags.i, remotehost, &creds, &outbuf);
652 if (problem) 652 if (problem)
653 goto out; 653 goto out;
654 654
655 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 655 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
656 packet_put_string((char *)outbuf.data, outbuf.length); 656 packet_put_string((char *)outbuf.data, outbuf.length);
657 packet_send(); 657 packet_send();
658 packet_write_wait(); 658 packet_write_wait();
659 659
660 type = packet_read(&payload_len); 660 type = packet_read(&payload_len);
661 661
662 if (type == SSH_SMSG_SUCCESS) { 662 if (type == SSH_SMSG_SUCCESS) {
663 char *pname; 663 char *pname;
664 664
665 krb5_unparse_name(context, creds.client, &pname); 665 krb5_unparse_name(context, creds.client, &pname);
666 debug("Kerberos v5 TGT forwarded (%s).", pname); 666 debug("Kerberos v5 TGT forwarded (%s).", pname);
667 xfree(pname); 667 xfree(pname);
668 } else 668 } else
669 debug("Kerberos v5 TGT forwarding failed."); 669 debug("Kerberos v5 TGT forwarding failed.");
670 670
671 return; 671 return;
672 672
673 out: 673 out:
674 if (problem) 674 if (problem)
675 debug("Kerberos v5 TGT forwarding failed: %s", 675 debug("Kerberos v5 TGT forwarding failed: %s",
@@ -693,44 +693,44 @@ send_krb4_tgt(void)
693 struct stat st; 693 struct stat st;
694 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; 694 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
695 int problem, type, len; 695 int problem, type, len;
696 696
697 /* Don't do anything if we don't have any tickets. */ 697 /* Don't do anything if we don't have any tickets. */
698 if (stat(tkt_string(), &st) < 0) 698 if (stat(tkt_string(), &st) < 0)
699 return; 699 return;
700 700
701 creds = xmalloc(sizeof(*creds)); 701 creds = xmalloc(sizeof(*creds));
702 702
703 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm); 703 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
704 if (problem) 704 if (problem)
705 goto out; 705 goto out;
706 706
707 problem = krb_get_cred("krbtgt", prealm, prealm, creds); 707 problem = krb_get_cred("krbtgt", prealm, prealm, creds);
708 if (problem) 708 if (problem)
709 goto out; 709 goto out;
710 710
711 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) { 711 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
712 problem = RD_AP_EXP; 712 problem = RD_AP_EXP;
713 goto out; 713 goto out;
714 } 714 }
715 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer)); 715 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
716 716
717 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); 717 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
718 packet_put_cstring(buffer); 718 packet_put_cstring(buffer);
719 packet_send(); 719 packet_send();
720 packet_write_wait(); 720 packet_write_wait();
721 721
722 type = packet_read(&len); 722 type = packet_read(&len);
723 723
724 if (type == SSH_SMSG_SUCCESS) 724 if (type == SSH_SMSG_SUCCESS)
725 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", 725 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
726 creds->pname, creds->pinst[0] ? "." : "", 726 creds->pname, creds->pinst[0] ? "." : "",
727 creds->pinst, creds->realm); 727 creds->pinst, creds->realm);
728 else 728 else
729 debug("Kerberos v4 TGT rejected."); 729 debug("Kerberos v4 TGT rejected.");
730 730
731 xfree(creds); 731 xfree(creds);
732 return; 732 return;
733 733
734 out: 734 out:
735 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]); 735 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
736 xfree(creds); 736 xfree(creds);
@@ -745,7 +745,7 @@ send_afs_tokens(void)
745 int i, type, len; 745 int i, type, len;
746 char buf[2048], *p, *server_cell; 746 char buf[2048], *p, *server_cell;
747 char buffer[8192]; 747 char buffer[8192];
748 748
749 /* Move over ktc_GetToken, here's something leaner. */ 749 /* Move over ktc_GetToken, here's something leaner. */
750 for (i = 0; i < 100; i++) { /* just in case */ 750 for (i = 0; i < 100; i++) { /* just in case */
751 parms.in = (char *) &i; 751 parms.in = (char *) &i;
@@ -755,7 +755,7 @@ send_afs_tokens(void)
755 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) 755 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
756 break; 756 break;
757 p = buf; 757 p = buf;
758 758
759 /* Get secret token. */ 759 /* Get secret token. */
760 memcpy(&creds.ticket_st.length, p, sizeof(u_int)); 760 memcpy(&creds.ticket_st.length, p, sizeof(u_int));
761 if (creds.ticket_st.length > MAX_KTXT_LEN) 761 if (creds.ticket_st.length > MAX_KTXT_LEN)
@@ -763,7 +763,7 @@ send_afs_tokens(void)
763 p += sizeof(u_int); 763 p += sizeof(u_int);
764 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); 764 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
765 p += creds.ticket_st.length; 765 p += creds.ticket_st.length;
766 766
767 /* Get clear token. */ 767 /* Get clear token. */
768 memcpy(&len, p, sizeof(len)); 768 memcpy(&len, p, sizeof(len));
769 if (len != sizeof(struct ClearToken)) 769 if (len != sizeof(struct ClearToken))
@@ -773,7 +773,7 @@ send_afs_tokens(void)
773 p += len; 773 p += len;
774 p += sizeof(len); /* primary flag */ 774 p += sizeof(len); /* primary flag */
775 server_cell = p; 775 server_cell = p;
776 776
777 /* Flesh out our credentials. */ 777 /* Flesh out our credentials. */
778 strlcpy(creds.service, "afs", sizeof(creds.service)); 778 strlcpy(creds.service, "afs", sizeof(creds.service));
779 creds.instance[0] = '\0'; 779 creds.instance[0] = '\0';
@@ -785,7 +785,7 @@ send_afs_tokens(void)
785 creds.kvno = ct.AuthHandle; 785 creds.kvno = ct.AuthHandle;
786 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); 786 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
787 creds.pinst[0] = '\0'; 787 creds.pinst[0] = '\0';
788 788
789 /* Encode token, ship it off. */ 789 /* Encode token, ship it off. */
790 if (creds_to_radix(&creds, (u_char *)buffer, 790 if (creds_to_radix(&creds, (u_char *)buffer,
791 sizeof(buffer)) <= 0) 791 sizeof(buffer)) <= 0)
@@ -798,7 +798,7 @@ send_afs_tokens(void)
798 /* Roger, Roger. Clearance, Clarence. What's your vector, 798 /* Roger, Roger. Clearance, Clarence. What's your vector,
799 Victor? */ 799 Victor? */
800 type = packet_read(&len); 800 type = packet_read(&len);
801 801
802 if (type == SSH_SMSG_FAILURE) 802 if (type == SSH_SMSG_FAILURE)
803 debug("AFS token for cell %s rejected.", server_cell); 803 debug("AFS token for cell %s rejected.", server_cell);
804 else if (type != SSH_SMSG_SUCCESS) 804 else if (type != SSH_SMSG_SUCCESS)
@@ -842,7 +842,7 @@ try_challenge_response_authentication(void)
842 challenge = packet_get_string(&clen); 842 challenge = packet_get_string(&clen);
843 packet_integrity_check(payload_len, (4 + clen), type); 843 packet_integrity_check(payload_len, (4 + clen), type);
844 snprintf(prompt, sizeof prompt, "%s%s", challenge, 844 snprintf(prompt, sizeof prompt, "%s%s", challenge,
845 strchr(challenge, '\n') ? "" : "\nResponse: "); 845 strchr(challenge, '\n') ? "" : "\nResponse: ");
846 xfree(challenge); 846 xfree(challenge);
847 if (i != 0) 847 if (i != 0)
848 error("Permission denied, please try again."); 848 error("Permission denied, please try again.");
@@ -974,11 +974,11 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
974 supported_authentications = packet_get_int(); 974 supported_authentications = packet_get_int();
975 975
976 debug("Received server public key (%d bits) and host key (%d bits).", 976 debug("Received server public key (%d bits) and host key (%d bits).",
977 BN_num_bits(public_key->n), BN_num_bits(host_key->n)); 977 BN_num_bits(public_key->n), BN_num_bits(host_key->n));
978 978
979 packet_integrity_check(payload_len, 979 packet_integrity_check(payload_len,
980 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, 980 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
981 SSH_SMSG_PUBLIC_KEY); 981 SSH_SMSG_PUBLIC_KEY);
982 k.type = KEY_RSA1; 982 k.type = KEY_RSA1;
983 k.rsa = host_key; 983 k.rsa = host_key;
984 if (verify_host_key(host, hostaddr, &k) == -1) 984 if (verify_host_key(host, hostaddr, &k) == -1)
@@ -1027,10 +1027,10 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
1027 if (BN_num_bits(host_key->n) < 1027 if (BN_num_bits(host_key->n) <
1028 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) { 1028 BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
1029 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + " 1029 fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
1030 "SSH_KEY_BITS_RESERVED %d", 1030 "SSH_KEY_BITS_RESERVED %d",
1031 BN_num_bits(host_key->n), 1031 BN_num_bits(host_key->n),
1032 BN_num_bits(public_key->n), 1032 BN_num_bits(public_key->n),
1033 SSH_KEY_BITS_RESERVED); 1033 SSH_KEY_BITS_RESERVED);
1034 } 1034 }
1035 rsa_public_encrypt(key, key, public_key); 1035 rsa_public_encrypt(key, key, public_key);
1036 rsa_public_encrypt(key, key, host_key); 1036 rsa_public_encrypt(key, key, host_key);
@@ -1039,10 +1039,10 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
1039 if (BN_num_bits(public_key->n) < 1039 if (BN_num_bits(public_key->n) <
1040 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) { 1040 BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
1041 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + " 1041 fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
1042 "SSH_KEY_BITS_RESERVED %d", 1042 "SSH_KEY_BITS_RESERVED %d",
1043 BN_num_bits(public_key->n), 1043 BN_num_bits(public_key->n),
1044 BN_num_bits(host_key->n), 1044 BN_num_bits(host_key->n),
1045 SSH_KEY_BITS_RESERVED); 1045 SSH_KEY_BITS_RESERVED);
1046 } 1046 }
1047 rsa_public_encrypt(key, key, host_key); 1047 rsa_public_encrypt(key, key, host_key);
1048 rsa_public_encrypt(key, key, public_key); 1048 rsa_public_encrypt(key, key, public_key);
@@ -1064,7 +1064,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
1064 /* Check that the selected cipher is supported. */ 1064 /* Check that the selected cipher is supported. */
1065 if (!(supported_ciphers & (1 << options.cipher))) 1065 if (!(supported_ciphers & (1 << options.cipher)))
1066 fatal("Selected cipher type %.100s not supported by server.", 1066 fatal("Selected cipher type %.100s not supported by server.",
1067 cipher_name(options.cipher)); 1067 cipher_name(options.cipher));
1068 1068
1069 debug("Encryption type: %.100s", cipher_name(options.cipher)); 1069 debug("Encryption type: %.100s", cipher_name(options.cipher));
1070 1070
@@ -1117,7 +1117,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1117#endif 1117#endif
1118 int i, type; 1118 int i, type;
1119 int payload_len; 1119 int payload_len;
1120 1120
1121 if (supported_authentications == 0) 1121 if (supported_authentications == 0)
1122 fatal("ssh_userauth1: server supports no auth methods"); 1122 fatal("ssh_userauth1: server supports no auth methods");
1123 1123
@@ -1139,12 +1139,12 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1139 goto success; 1139 goto success;
1140 if (type != SSH_SMSG_FAILURE) 1140 if (type != SSH_SMSG_FAILURE)
1141 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); 1141 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
1142 1142
1143#ifdef KRB5 1143#ifdef KRB5
1144 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1144 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1145 options.kerberos_authentication) { 1145 options.kerberos_authentication) {
1146 debug("Trying Kerberos v5 authentication."); 1146 debug("Trying Kerberos v5 authentication.");
1147 1147
1148 if (try_krb5_authentication(&context, &auth_context)) { 1148 if (try_krb5_authentication(&context, &auth_context)) {
1149 type = packet_read(&payload_len); 1149 type = packet_read(&payload_len);
1150 if (type == SSH_SMSG_SUCCESS) 1150 if (type == SSH_SMSG_SUCCESS)
@@ -1154,12 +1154,12 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1154 } 1154 }
1155 } 1155 }
1156#endif /* KRB5 */ 1156#endif /* KRB5 */
1157 1157
1158#ifdef KRB4 1158#ifdef KRB4
1159 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && 1159 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1160 options.kerberos_authentication) { 1160 options.kerberos_authentication) {
1161 debug("Trying Kerberos v4 authentication."); 1161 debug("Trying Kerberos v4 authentication.");
1162 1162
1163 if (try_krb4_authentication()) { 1163 if (try_krb4_authentication()) {
1164 type = packet_read(&payload_len); 1164 type = packet_read(&payload_len);
1165 if (type == SSH_SMSG_SUCCESS) 1165 if (type == SSH_SMSG_SUCCESS)
@@ -1169,7 +1169,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1169 } 1169 }
1170 } 1170 }
1171#endif /* KRB4 */ 1171#endif /* KRB4 */
1172 1172
1173 /* 1173 /*
1174 * Use rhosts authentication if running in privileged socket and we 1174 * Use rhosts authentication if running in privileged socket and we
1175 * do not wish to remain anonymous. 1175 * do not wish to remain anonymous.
@@ -1254,7 +1254,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1254 if (context) 1254 if (context)
1255 krb5_free_context(context); 1255 krb5_free_context(context);
1256#endif 1256#endif
1257 1257
1258#ifdef AFS 1258#ifdef AFS
1259 /* Try Kerberos v4 TGT passing if the server supports it. */ 1259 /* Try Kerberos v4 TGT passing if the server supports it. */
1260 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && 1260 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&