diff options
-rw-r--r-- | sshconnect2.c | 73 |
1 files changed, 47 insertions, 26 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 10e4f0a08..ad9b850d2 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.284 2018/08/13 02:41:05 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.285 2018/09/14 04:17:12 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -581,6 +581,27 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh) | |||
581 | return 0; | 581 | return 0; |
582 | } | 582 | } |
583 | 583 | ||
584 | /* | ||
585 | * Format an identity for logging including filename, key type, fingerprint | ||
586 | * and location (agent, etc.). Caller must free. | ||
587 | */ | ||
588 | static char * | ||
589 | format_identity(Identity *id) | ||
590 | { | ||
591 | char *fp, *ret = NULL; | ||
592 | |||
593 | if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash, | ||
594 | SSH_FP_DEFAULT)) == NULL) | ||
595 | fatal("%s: sshkey_fingerprint failed", __func__); | ||
596 | xasprintf(&ret, "%s %s %s%s%s%s", | ||
597 | id->filename, sshkey_type(id->key), fp, | ||
598 | id->userprovided ? ", explicit" : "", | ||
599 | (id->key->flags & SSHKEY_FLAG_EXT) ? ", token" : "", | ||
600 | id->agent_fd != -1 ? ", agent" : ""); | ||
601 | free(fp); | ||
602 | return ret; | ||
603 | } | ||
604 | |||
584 | /* ARGSUSED */ | 605 | /* ARGSUSED */ |
585 | int | 606 | int |
586 | input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | 607 | input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) |
@@ -588,9 +609,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
588 | Authctxt *authctxt = ssh->authctxt; | 609 | Authctxt *authctxt = ssh->authctxt; |
589 | struct sshkey *key = NULL; | 610 | struct sshkey *key = NULL; |
590 | Identity *id = NULL; | 611 | Identity *id = NULL; |
591 | int pktype, sent = 0; | 612 | int pktype, found = 0, sent = 0; |
592 | size_t blen; | 613 | size_t blen; |
593 | char *pkalg = NULL, *fp; | 614 | char *pkalg = NULL, *fp = NULL, *ident = NULL; |
594 | u_char *pkblob = NULL; | 615 | u_char *pkblob = NULL; |
595 | int r; | 616 | int r; |
596 | 617 | ||
@@ -602,10 +623,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
602 | (r = sshpkt_get_end(ssh)) != 0) | 623 | (r = sshpkt_get_end(ssh)) != 0) |
603 | goto done; | 624 | goto done; |
604 | 625 | ||
605 | debug("Server accepts key: pkalg %s blen %zu", pkalg, blen); | ||
606 | |||
607 | if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { | 626 | if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { |
608 | debug("unknown pkalg %s", pkalg); | 627 | debug("%s: server sent unknown pkalg %s", __func__, pkalg); |
609 | goto done; | 628 | goto done; |
610 | } | 629 | } |
611 | if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { | 630 | if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
@@ -618,11 +637,6 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
618 | key->type, pktype); | 637 | key->type, pktype); |
619 | goto done; | 638 | goto done; |
620 | } | 639 | } |
621 | if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, | ||
622 | SSH_FP_DEFAULT)) == NULL) | ||
623 | goto done; | ||
624 | debug2("input_userauth_pk_ok: fp %s", fp); | ||
625 | free(fp); | ||
626 | 640 | ||
627 | /* | 641 | /* |
628 | * search keys in the reverse order, because last candidate has been | 642 | * search keys in the reverse order, because last candidate has been |
@@ -631,13 +645,25 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) | |||
631 | */ | 645 | */ |
632 | TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) { | 646 | TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) { |
633 | if (sshkey_equal(key, id->key)) { | 647 | if (sshkey_equal(key, id->key)) { |
634 | sent = sign_and_send_pubkey(ssh, authctxt, id); | 648 | found = 1; |
635 | break; | 649 | break; |
636 | } | 650 | } |
637 | } | 651 | } |
652 | if (!found || id == NULL) { | ||
653 | fp = sshkey_fingerprint(key, options.fingerprint_hash, | ||
654 | SSH_FP_DEFAULT); | ||
655 | error("%s: server replied with unknown key: %s %s", __func__, | ||
656 | sshkey_type(key), fp == NULL ? "<ERROR>" : fp); | ||
657 | goto done; | ||
658 | } | ||
659 | ident = format_identity(id); | ||
660 | debug("Server accepts key: %s", ident); | ||
661 | sent = sign_and_send_pubkey(ssh, authctxt, id); | ||
638 | r = 0; | 662 | r = 0; |
639 | done: | 663 | done: |
640 | sshkey_free(key); | 664 | sshkey_free(key); |
665 | free(ident); | ||
666 | free(fp); | ||
641 | free(pkalg); | 667 | free(pkalg); |
642 | free(pkblob); | 668 | free(pkblob); |
643 | 669 | ||
@@ -1458,6 +1484,7 @@ pubkey_prepare(Authctxt *authctxt) | |||
1458 | int agent_fd = -1, i, r, found; | 1484 | int agent_fd = -1, i, r, found; |
1459 | size_t j; | 1485 | size_t j; |
1460 | struct ssh_identitylist *idlist; | 1486 | struct ssh_identitylist *idlist; |
1487 | char *ident; | ||
1461 | 1488 | ||
1462 | TAILQ_INIT(&agent); /* keys from the agent */ | 1489 | TAILQ_INIT(&agent); /* keys from the agent */ |
1463 | TAILQ_INIT(&files); /* keys from the config file */ | 1490 | TAILQ_INIT(&files); /* keys from the config file */ |
@@ -1574,10 +1601,11 @@ pubkey_prepare(Authctxt *authctxt) | |||
1574 | memset(id, 0, sizeof(*id)); | 1601 | memset(id, 0, sizeof(*id)); |
1575 | continue; | 1602 | continue; |
1576 | } | 1603 | } |
1577 | debug2("key: %s (%p)%s%s", id->filename, id->key, | 1604 | ident = format_identity(id); |
1578 | id->userprovided ? ", explicit" : "", | 1605 | debug("Will attempt key: %s", ident); |
1579 | id->agent_fd != -1 ? ", agent" : ""); | 1606 | free(ident); |
1580 | } | 1607 | } |
1608 | debug2("%s: done", __func__); | ||
1581 | } | 1609 | } |
1582 | 1610 | ||
1583 | static void | 1611 | static void |
@@ -1625,7 +1653,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
1625 | struct ssh *ssh = active_state; /* XXX */ | 1653 | struct ssh *ssh = active_state; /* XXX */ |
1626 | Identity *id; | 1654 | Identity *id; |
1627 | int sent = 0; | 1655 | int sent = 0; |
1628 | char *fp; | 1656 | char *ident; |
1629 | 1657 | ||
1630 | while ((id = TAILQ_FIRST(&authctxt->keys))) { | 1658 | while ((id = TAILQ_FIRST(&authctxt->keys))) { |
1631 | if (id->tried++) | 1659 | if (id->tried++) |
@@ -1640,16 +1668,9 @@ userauth_pubkey(Authctxt *authctxt) | |||
1640 | */ | 1668 | */ |
1641 | if (id->key != NULL) { | 1669 | if (id->key != NULL) { |
1642 | if (try_identity(id)) { | 1670 | if (try_identity(id)) { |
1643 | if ((fp = sshkey_fingerprint(id->key, | 1671 | ident = format_identity(id); |
1644 | options.fingerprint_hash, | 1672 | debug("Offering public key: %s", ident); |
1645 | SSH_FP_DEFAULT)) == NULL) { | 1673 | free(ident); |
1646 | error("%s: sshkey_fingerprint failed", | ||
1647 | __func__); | ||
1648 | return 0; | ||
1649 | } | ||
1650 | debug("Offering public key: %s %s %s", | ||
1651 | sshkey_type(id->key), fp, id->filename); | ||
1652 | free(fp); | ||
1653 | sent = send_pubkey_test(ssh, authctxt, id); | 1674 | sent = send_pubkey_test(ssh, authctxt, id); |
1654 | } | 1675 | } |
1655 | } else { | 1676 | } else { |