2 files changed, 41 insertions, 38 deletions
diff --git a/ChangeLog b/ChangeLog
index 986baa43e..a638c64c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -88,6 +88,10 @@
   - markus@cvs.openbsd.org 2001/06/23 19:12:43
     [sshd.c]
     pidfile/sigterm race; bbraun@synack.net
+   - markus@cvs.openbsd.org 2001/06/23 22:37:46
+     [sshconnect1.c]
+     consistent with ssh2: skip key if empty passphrase is entered,
+     retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
 20010622
 - (stevesk) handle systems without pw_expire and pw_change.
@@ -5772,4 +5776,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1318 2001/06/25 05:10:20 mouring Exp $
+$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $
diff --git a/sshconnect1.c b/sshconnect1.c
index a03233f28..ec0a5c96c 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.35 2001/06/23 15:12:21 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.36 2001/06/23 22:37:46 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -204,11 +204,9 @@ static int
 try_rsa_authentication(const char *authfile)
 {
        BIGNUM *challenge;
-        Key *public;
+        Key *public, *private;
-        Key *private;
+        char buf[300], *passphrase, *comment;
-        char *passphrase, *comment;
+        int i, type, quit, plen, clen;
-        int type, i;
-        int plen, clen;
        /* Try to load identification for the authentication key. */
        /* XXKEYLOAD */
@@ -257,45 +255,46 @@ try_rsa_authentication(const char *authfile)
         * fails, ask for a passphrase.
         */
        private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
-        if (private == NULL) {
+        if (private == NULL && !options.batch_mode) {
-                char buf[300];
+                snprintf(buf, sizeof(buf),
-                snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
+                    "Enter passphrase for RSA key '%.100s': ", comment);
-                    comment);
+                for (i = 0; i < options.number_of_password_prompts; i++) {
-                if (!options.batch_mode)
                        passphrase = read_passphrase(buf, 0);
-                else {
+                        if (strcmp(passphrase, "") != 0) {
-                        debug("Will not query passphrase for %.100s in batch mode.",
+                                private = key_load_private_type(KEY_RSA1,
-                              comment);
+                                    authfile, passphrase, NULL);
-                        passphrase = xstrdup("");
+                                quit = 0;
-                }
+                        } else {
+                                debug2("no passphrase given, try next key");
-                /* Load the authentication file using the pasphrase. */
+                                quit = 1;
-                private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL);
+                        }
-                if (private == NULL) {
                        memset(passphrase, 0, strlen(passphrase));
                        xfree(passphrase);
-                        error("Bad passphrase.");
+                        if (private != NULL || quit)
+                                break;
-                        /* Send a dummy response packet to avoid protocol error. */
+                        debug2("bad passphrase given, try again...");
-                        packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
-                        for (i = 0; i < 16; i++)
-                                packet_put_char(0);
-                        packet_send();
-                        packet_write_wait();
-                        /* Expect the server to reject it... */
-                        packet_read_expect(&plen, SSH_SMSG_FAILURE);
-                        xfree(comment);
-                        BN_clear_free(challenge);
-                        return 0;
                }
-                /* Destroy the passphrase. */
-                memset(passphrase, 0, strlen(passphrase));
-                xfree(passphrase);
        }
        /* We no longer need the comment. */
        xfree(comment);
+        if (private == NULL) {
+                if (!options.batch_mode)
+                        error("Bad passphrase.");
+                /* Send a dummy response packet to avoid protocol error. */
+                packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+                for (i = 0; i < 16; i++)
+                        packet_put_char(0);
+                packet_send();
+                packet_write_wait();
+                /* Expect the server to reject it... */
+                packet_read_expect(&plen, SSH_SMSG_FAILURE);
+                BN_clear_free(challenge);
+                return 0;
+        }
        /* Compute and send a response to the challenge. */
        respond_to_rsa_challenge(challenge, private->rsa);

diff --git a/ChangeLog b/ChangeLog index 986baa43e..a638c64c2 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -88,6 +88,10 @@
88	- markus@cvs.openbsd.org 2001/06/23 19:12:43	88	- markus@cvs.openbsd.org 2001/06/23 19:12:43
89	[sshd.c]	89	[sshd.c]
90	pidfile/sigterm race; bbraun@synack.net	90	pidfile/sigterm race; bbraun@synack.net
		91	- markus@cvs.openbsd.org 2001/06/23 22:37:46
		92	[sshconnect1.c]
		93	consistent with ssh2: skip key if empty passphrase is entered,
		94	retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
91		95
92	20010622	96	20010622
93	- (stevesk) handle systems without pw_expire and pw_change.	97	- (stevesk) handle systems without pw_expire and pw_change.
@@ -5772,4 +5776,4 @@
5772	- Wrote replacements for strlcpy and mkdtemp	5776	- Wrote replacements for strlcpy and mkdtemp
5773	- Released 1.0pre1	5777	- Released 1.0pre1
5774		5778
5775	$Id: ChangeLog,v 1.1318 2001/06/25 05:10:20 mouring Exp $	5779	$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $


diff --git a/sshconnect1.c b/sshconnect1.c index a03233f28..ec0a5c96c 100644 --- a/sshconnect1.c +++ b/sshconnect1.c
@@ -13,7 +13,7 @@
13	*/	13	*/
14		14
15	#include "includes.h"	15	#include "includes.h"
16	RCSID("$OpenBSD: sshconnect1.c,v 1.35 2001/06/23 15:12:21 itojun Exp $");	16	RCSID("$OpenBSD: sshconnect1.c,v 1.36 2001/06/23 22:37:46 markus Exp $");
17		17
18	#include <openssl/bn.h>	18	#include <openssl/bn.h>
19	#include <openssl/evp.h>	19	#include <openssl/evp.h>
@@ -204,11 +204,9 @@ static int
204	try_rsa_authentication(const char *authfile)	204	try_rsa_authentication(const char *authfile)
205	{	205	{
206	BIGNUM *challenge;	206	BIGNUM *challenge;
207	Key *public;	207	Key public, private;
208	Key *private;	208	char buf[300], passphrase, comment;
209	char passphrase, comment;	209	int i, type, quit, plen, clen;
210	int type, i;
211	int plen, clen;
212		210
213	/* Try to load identification for the authentication key. */	211	/* Try to load identification for the authentication key. */
214	/* XXKEYLOAD */	212	/* XXKEYLOAD */
@@ -257,45 +255,46 @@ try_rsa_authentication(const char *authfile)
257	* fails, ask for a passphrase.	255	* fails, ask for a passphrase.
258	*/	256	*/
259	private = key_load_private_type(KEY_RSA1, authfile, "", NULL);	257	private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
260	if (private == NULL) {	258	if (private == NULL && !options.batch_mode) {
261	char buf[300];	259	snprintf(buf, sizeof(buf),
262	snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",	260	"Enter passphrase for RSA key '%.100s': ", comment);
263	comment);	261	for (i = 0; i < options.number_of_password_prompts; i++) {
264	if (!options.batch_mode)
265	passphrase = read_passphrase(buf, 0);	262	passphrase = read_passphrase(buf, 0);
266	else {	263	if (strcmp(passphrase, "") != 0) {
267	debug("Will not query passphrase for %.100s in batch mode.",	264	private = key_load_private_type(KEY_RSA1,
268	comment);	265	authfile, passphrase, NULL);
269	passphrase = xstrdup("");	266	quit = 0;
270	}	267	} else {
271		268	debug2("no passphrase given, try next key");
272	/* Load the authentication file using the pasphrase. */	269	quit = 1;
273	private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL);	270	}
274	if (private == NULL) {
275	memset(passphrase, 0, strlen(passphrase));	271	memset(passphrase, 0, strlen(passphrase));
276	xfree(passphrase);	272	xfree(passphrase);
277	error("Bad passphrase.");	273	if (private != NULL \|\| quit)
278		274	break;
279	/* Send a dummy response packet to avoid protocol error. */	275	debug2("bad passphrase given, try again...");
280	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
281	for (i = 0; i < 16; i++)
282	packet_put_char(0);
283	packet_send();
284	packet_write_wait();
285
286	/* Expect the server to reject it... */
287	packet_read_expect(&plen, SSH_SMSG_FAILURE);
288	xfree(comment);
289	BN_clear_free(challenge);
290	return 0;
291	}	276	}
292	/* Destroy the passphrase. */
293	memset(passphrase, 0, strlen(passphrase));
294	xfree(passphrase);
295	}	277	}
296	/* We no longer need the comment. */	278	/* We no longer need the comment. */
297	xfree(comment);	279	xfree(comment);
298		280
		281	if (private == NULL) {
		282	if (!options.batch_mode)
		283	error("Bad passphrase.");
		284
		285	/* Send a dummy response packet to avoid protocol error. */
		286	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
		287	for (i = 0; i < 16; i++)
		288	packet_put_char(0);
		289	packet_send();
		290	packet_write_wait();
		291
		292	/* Expect the server to reject it... */
		293	packet_read_expect(&plen, SSH_SMSG_FAILURE);
		294	BN_clear_free(challenge);
		295	return 0;
		296	}
		297
299	/* Compute and send a response to the challenge. */	298	/* Compute and send a response to the challenge. */
300	respond_to_rsa_challenge(challenge, private->rsa);	299	respond_to_rsa_challenge(challenge, private->rsa);
301		300