diff options
| author | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
| commit | 0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch) | |
| tree | 176c7dc2844ecc2c1de0f72d221449556ffa5209 /sshconnect2.c | |
| parent | 559d383037b0872fcde4e6c40188b649c574be74 (diff) | |
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 77 |
1 files changed, 43 insertions, 34 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 6ba23d445..bb4774aa4 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -23,7 +23,7 @@ | |||
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include "includes.h" | 25 | #include "includes.h" |
| 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.27 2000/10/19 16:45:16 provos Exp $"); | 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.28 2000/11/12 19:50:38 markus Exp $"); |
| 27 | 27 | ||
| 28 | #include <openssl/bn.h> | 28 | #include <openssl/bn.h> |
| 29 | #include <openssl/rsa.h> | 29 | #include <openssl/rsa.h> |
| @@ -45,7 +45,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.27 2000/10/19 16:45:16 provos Exp $"); | |||
| 45 | #include "kex.h" | 45 | #include "kex.h" |
| 46 | #include "myproposal.h" | 46 | #include "myproposal.h" |
| 47 | #include "key.h" | 47 | #include "key.h" |
| 48 | #include "dsa.h" | ||
| 49 | #include "sshconnect.h" | 48 | #include "sshconnect.h" |
| 50 | #include "authfile.h" | 49 | #include "authfile.h" |
| 51 | #include "cli.h" | 50 | #include "cli.h" |
| @@ -196,7 +195,7 @@ ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, | |||
| 196 | 195 | ||
| 197 | /* key, cert */ | 196 | /* key, cert */ |
| 198 | server_host_key_blob = packet_get_string(&sbloblen); | 197 | server_host_key_blob = packet_get_string(&sbloblen); |
| 199 | server_host_key = dsa_key_from_blob(server_host_key_blob, sbloblen); | 198 | server_host_key = key_from_blob(server_host_key_blob, sbloblen); |
| 200 | if (server_host_key == NULL) | 199 | if (server_host_key == NULL) |
| 201 | fatal("cannot decode server_host_key_blob"); | 200 | fatal("cannot decode server_host_key_blob"); |
| 202 | 201 | ||
| @@ -258,8 +257,8 @@ ssh_dh1_client(Kex *kex, char *host, struct sockaddr *hostaddr, | |||
| 258 | fprintf(stderr, "%02x", (hash[i])&0xff); | 257 | fprintf(stderr, "%02x", (hash[i])&0xff); |
| 259 | fprintf(stderr, "\n"); | 258 | fprintf(stderr, "\n"); |
| 260 | #endif | 259 | #endif |
| 261 | if (dsa_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) | 260 | if (key_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) |
| 262 | fatal("dsa_verify failed for server_host_key"); | 261 | fatal("key_verify failed for server_host_key"); |
| 263 | key_free(server_host_key); | 262 | key_free(server_host_key); |
| 264 | 263 | ||
| 265 | kex_derive_keys(kex, hash, shared_secret); | 264 | kex_derive_keys(kex, hash, shared_secret); |
| @@ -366,7 +365,7 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, | |||
| 366 | 365 | ||
| 367 | /* key, cert */ | 366 | /* key, cert */ |
| 368 | server_host_key_blob = packet_get_string(&sbloblen); | 367 | server_host_key_blob = packet_get_string(&sbloblen); |
| 369 | server_host_key = dsa_key_from_blob(server_host_key_blob, sbloblen); | 368 | server_host_key = key_from_blob(server_host_key_blob, sbloblen); |
| 370 | if (server_host_key == NULL) | 369 | if (server_host_key == NULL) |
| 371 | fatal("cannot decode server_host_key_blob"); | 370 | fatal("cannot decode server_host_key_blob"); |
| 372 | 371 | ||
| @@ -429,8 +428,8 @@ ssh_dhgex_client(Kex *kex, char *host, struct sockaddr *hostaddr, | |||
| 429 | fprintf(stderr, "%02x", (hash[i])&0xff); | 428 | fprintf(stderr, "%02x", (hash[i])&0xff); |
| 430 | fprintf(stderr, "\n"); | 429 | fprintf(stderr, "\n"); |
| 431 | #endif | 430 | #endif |
| 432 | if (dsa_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) | 431 | if (key_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1) |
| 433 | fatal("dsa_verify failed for server_host_key"); | 432 | fatal("key_verify failed for server_host_key"); |
| 434 | key_free(server_host_key); | 433 | key_free(server_host_key); |
| 435 | 434 | ||
| 436 | kex_derive_keys(kex, hash, shared_secret); | 435 | kex_derive_keys(kex, hash, shared_secret); |
| @@ -485,7 +484,7 @@ Authmethod *authmethod_lookup(const char *name); | |||
| 485 | Authmethod authmethods[] = { | 484 | Authmethod authmethods[] = { |
| 486 | {"publickey", | 485 | {"publickey", |
| 487 | userauth_pubkey, | 486 | userauth_pubkey, |
| 488 | &options.dsa_authentication, | 487 | &options.pubkey_authentication, |
| 489 | NULL}, | 488 | NULL}, |
| 490 | {"password", | 489 | {"password", |
| 491 | userauth_passwd, | 490 | userauth_passwd, |
| @@ -653,8 +652,10 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) | |||
| 653 | int ret = -1; | 652 | int ret = -1; |
| 654 | int have_sig = 1; | 653 | int have_sig = 1; |
| 655 | 654 | ||
| 656 | dsa_make_key_blob(k, &blob, &bloblen); | 655 | if (key_to_blob(k, &blob, &bloblen) == 0) { |
| 657 | 656 | /* we cannot handle this key */ | |
| 657 | return 0; | ||
| 658 | } | ||
| 658 | /* data to be signed */ | 659 | /* data to be signed */ |
| 659 | buffer_init(&b); | 660 | buffer_init(&b); |
| 660 | if (datafellows & SSH_OLD_SESSIONID) { | 661 | if (datafellows & SSH_OLD_SESSIONID) { |
| @@ -672,7 +673,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) | |||
| 672 | authctxt->service); | 673 | authctxt->service); |
| 673 | buffer_put_cstring(&b, authctxt->method->name); | 674 | buffer_put_cstring(&b, authctxt->method->name); |
| 674 | buffer_put_char(&b, have_sig); | 675 | buffer_put_char(&b, have_sig); |
| 675 | buffer_put_cstring(&b, KEX_DSS); | 676 | buffer_put_cstring(&b, key_ssh_name(k)); |
| 676 | buffer_put_string(&b, blob, bloblen); | 677 | buffer_put_string(&b, blob, bloblen); |
| 677 | 678 | ||
| 678 | /* generate signature */ | 679 | /* generate signature */ |
| @@ -682,7 +683,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) | |||
| 682 | buffer_free(&b); | 683 | buffer_free(&b); |
| 683 | return 0; | 684 | return 0; |
| 684 | } | 685 | } |
| 685 | #ifdef DEBUG_DSS | 686 | #ifdef DEBUG_PK |
| 686 | buffer_dump(&b); | 687 | buffer_dump(&b); |
| 687 | #endif | 688 | #endif |
| 688 | if (datafellows & SSH_BUG_PUBKEYAUTH) { | 689 | if (datafellows & SSH_BUG_PUBKEYAUTH) { |
| @@ -693,7 +694,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) | |||
| 693 | buffer_put_cstring(&b, authctxt->service); | 694 | buffer_put_cstring(&b, authctxt->service); |
| 694 | buffer_put_cstring(&b, authctxt->method->name); | 695 | buffer_put_cstring(&b, authctxt->method->name); |
| 695 | buffer_put_char(&b, have_sig); | 696 | buffer_put_char(&b, have_sig); |
| 696 | buffer_put_cstring(&b, KEX_DSS); | 697 | buffer_put_cstring(&b, key_ssh_name(k)); |
| 697 | buffer_put_string(&b, blob, bloblen); | 698 | buffer_put_string(&b, blob, bloblen); |
| 698 | } | 699 | } |
| 699 | xfree(blob); | 700 | xfree(blob); |
| @@ -719,10 +720,10 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) | |||
| 719 | } | 720 | } |
| 720 | 721 | ||
| 721 | /* sign callback */ | 722 | /* sign callback */ |
| 722 | int dsa_sign_cb(Authctxt *authctxt, Key *key, unsigned char **sigp, int *lenp, | 723 | int key_sign_cb(Authctxt *authctxt, Key *key, unsigned char **sigp, int *lenp, |
| 723 | unsigned char *data, int datalen) | 724 | unsigned char *data, int datalen) |
| 724 | { | 725 | { |
| 725 | return dsa_sign(key, sigp, lenp, data, datalen); | 726 | return key_sign(key, sigp, lenp, data, datalen); |
| 726 | } | 727 | } |
| 727 | 728 | ||
| 728 | int | 729 | int |
| @@ -738,14 +739,13 @@ userauth_pubkey_identity(Authctxt *authctxt, char *filename) | |||
| 738 | } | 739 | } |
| 739 | debug("try pubkey: %s", filename); | 740 | debug("try pubkey: %s", filename); |
| 740 | 741 | ||
| 741 | k = key_new(KEY_DSA); | 742 | k = key_new(KEY_UNSPEC); |
| 742 | if (!load_private_key(filename, "", k, NULL)) { | 743 | if (!load_private_key(filename, "", k, NULL)) { |
| 743 | int success = 0; | 744 | int success = 0; |
| 744 | char *passphrase; | 745 | char *passphrase; |
| 745 | char prompt[300]; | 746 | char prompt[300]; |
| 746 | snprintf(prompt, sizeof prompt, | 747 | snprintf(prompt, sizeof prompt, |
| 747 | "Enter passphrase for %s key '%.100s': ", | 748 | "Enter passphrase for key '%.100s': ", filename); |
| 748 | key_type(k), filename); | ||
| 749 | for (i = 0; i < options.number_of_password_prompts; i++) { | 749 | for (i = 0; i < options.number_of_password_prompts; i++) { |
| 750 | passphrase = read_passphrase(prompt, 0); | 750 | passphrase = read_passphrase(prompt, 0); |
| 751 | if (strcmp(passphrase, "") != 0) { | 751 | if (strcmp(passphrase, "") != 0) { |
| @@ -766,7 +766,7 @@ userauth_pubkey_identity(Authctxt *authctxt, char *filename) | |||
| 766 | return 0; | 766 | return 0; |
| 767 | } | 767 | } |
| 768 | } | 768 | } |
| 769 | ret = sign_and_send_pubkey(authctxt, k, dsa_sign_cb); | 769 | ret = sign_and_send_pubkey(authctxt, k, key_sign_cb); |
| 770 | key_free(k); | 770 | key_free(k); |
| 771 | return ret; | 771 | return ret; |
| 772 | } | 772 | } |
| @@ -782,24 +782,26 @@ int | |||
| 782 | userauth_pubkey_agent(Authctxt *authctxt) | 782 | userauth_pubkey_agent(Authctxt *authctxt) |
| 783 | { | 783 | { |
| 784 | static int called = 0; | 784 | static int called = 0; |
| 785 | int ret = 0; | ||
| 785 | char *comment; | 786 | char *comment; |
| 786 | Key *k; | 787 | Key *k; |
| 787 | int ret; | ||
| 788 | 788 | ||
| 789 | if (called == 0) { | 789 | if (called == 0) { |
| 790 | k = ssh_get_first_identity(authctxt->agent, &comment, 2); | 790 | if (ssh_get_num_identities(authctxt->agent, 2) == 0) |
| 791 | debug2("userauth_pubkey_agent: no keys at all"); | ||
| 791 | called = 1; | 792 | called = 1; |
| 792 | } else { | ||
| 793 | k = ssh_get_next_identity(authctxt->agent, &comment, 2); | ||
| 794 | } | 793 | } |
| 794 | k = ssh_get_next_identity(authctxt->agent, &comment, 2); | ||
| 795 | if (k == NULL) { | 795 | if (k == NULL) { |
| 796 | debug2("no more DSA keys from agent"); | 796 | debug2("userauth_pubkey_agent: no more keys"); |
| 797 | return 0; | 797 | } else { |
| 798 | debug("userauth_pubkey_agent: trying agent key %s", comment); | ||
| 799 | xfree(comment); | ||
| 800 | ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); | ||
| 801 | key_free(k); | ||
| 798 | } | 802 | } |
| 799 | debug("trying DSA agent key %s", comment); | 803 | if (ret == 0) |
| 800 | xfree(comment); | 804 | debug2("userauth_pubkey_agent: no message sent"); |
| 801 | ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); | ||
| 802 | key_free(k); | ||
| 803 | return ret; | 805 | return ret; |
| 804 | } | 806 | } |
| 805 | 807 | ||
| @@ -809,10 +811,17 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 809 | static int idx = 0; | 811 | static int idx = 0; |
| 810 | int sent = 0; | 812 | int sent = 0; |
| 811 | 813 | ||
| 812 | if (authctxt->agent != NULL) | 814 | if (authctxt->agent != NULL) { |
| 813 | sent = userauth_pubkey_agent(authctxt); | 815 | do { |
| 814 | while (sent == 0 && idx < options.num_identity_files2) | 816 | sent = userauth_pubkey_agent(authctxt); |
| 815 | sent = userauth_pubkey_identity(authctxt, options.identity_files2[idx++]); | 817 | } while(!sent && authctxt->agent->howmany > 0); |
| 818 | } | ||
| 819 | while (!sent && idx < options.num_identity_files) { | ||
| 820 | if (options.identity_files_type[idx] != KEY_RSA1) | ||
| 821 | sent = userauth_pubkey_identity(authctxt, | ||
| 822 | options.identity_files[idx]); | ||
| 823 | idx++; | ||
| 824 | } | ||
| 816 | return sent; | 825 | return sent; |
| 817 | } | 826 | } |
| 818 | 827 | ||