Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c101
1 files changed, 53 insertions, 48 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index eddf797fe..728548396 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-hostbased.c,v 1.28 2017/05/30 14:10:53 markus Exp $ */ 1/* $OpenBSD: auth2-hostbased.c,v 1.29 2017/05/30 14:25:42 markus Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -39,7 +39,7 @@
39#include "misc.h" 39#include "misc.h"
40#include "servconf.h" 40#include "servconf.h"
41#include "compat.h" 41#include "compat.h"
42#include "key.h" 42#include "sshkey.h"
43#include "hostfile.h" 43#include "hostfile.h"
44#include "auth.h" 44#include "auth.h"
45#include "canohost.h" 45#include "canohost.h"
@@ -48,6 +48,7 @@
48#endif 48#endif
49#include "monitor_wrap.h" 49#include "monitor_wrap.h"
50#include "pathnames.h" 50#include "pathnames.h"
51#include "ssherr.h"
51#include "match.h" 52#include "match.h"
52 53
53/* import */ 54/* import */
@@ -58,52 +59,54 @@ extern u_int session_id2_len;
58static int 59static int
59userauth_hostbased(Authctxt *authctxt) 60userauth_hostbased(Authctxt *authctxt)
60{ 61{
61 Buffer b; 62 struct ssh *ssh = active_state; /* XXX */
63 struct sshbuf *b;
62 struct sshkey *key = NULL; 64 struct sshkey *key = NULL;
63 char *pkalg, *cuser, *chost, *service; 65 char *pkalg, *cuser, *chost, *service;
64 u_char *pkblob, *sig; 66 u_char *pkblob, *sig;
65 u_int alen, blen, slen; 67 size_t alen, blen, slen;
66 int pktype; 68 int r, pktype, authenticated = 0;
67 int authenticated = 0;
68 69
69 if (!authctxt->valid) { 70 if (!authctxt->valid) {
70 debug2("userauth_hostbased: disabled because of invalid user"); 71 debug2("%s: disabled because of invalid user", __func__);
71 return 0; 72 return 0;
72 } 73 }
73 pkalg = packet_get_string(&alen); 74 /* XXX use sshkey_froms() */
74 pkblob = packet_get_string(&blen); 75 if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
75 chost = packet_get_string(NULL); 76 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
76 cuser = packet_get_string(NULL); 77 (r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 ||
77 sig = packet_get_string(&slen); 78 (r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 ||
79 (r = sshpkt_get_string(ssh, &sig, &slen)) != 0)
80 fatal("%s: packet parsing: %s", __func__, ssh_err(r));
78 81
79 debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d", 82 debug("%s: cuser %s chost %s pkalg %s slen %zu", __func__,
80 cuser, chost, pkalg, slen); 83 cuser, chost, pkalg, slen);
81#ifdef DEBUG_PK 84#ifdef DEBUG_PK
82 debug("signature:"); 85 debug("signature:");
83 buffer_init(&b); 86 sshbuf_dump_data(sig, siglen, stderr);
84 buffer_append(&b, sig, slen);
85 buffer_dump(&b);
86 buffer_free(&b);
87#endif 87#endif
88 pktype = key_type_from_name(pkalg); 88 pktype = sshkey_type_from_name(pkalg);
89 if (pktype == KEY_UNSPEC) { 89 if (pktype == KEY_UNSPEC) {
90 /* this is perfectly legal */ 90 /* this is perfectly legal */
91 logit("userauth_hostbased: unsupported " 91 logit("%s: unsupported public key algorithm: %s",
92 "public key algorithm: %s", pkalg); 92 __func__, pkalg);
93 goto done;
94 }
95 if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
96 error("%s: key_from_blob: %s", __func__, ssh_err(r));
93 goto done; 97 goto done;
94 } 98 }
95 key = key_from_blob(pkblob, blen);
96 if (key == NULL) { 99 if (key == NULL) {
97 error("userauth_hostbased: cannot decode key: %s", pkalg); 100 error("%s: cannot decode key: %s", __func__, pkalg);
98 goto done; 101 goto done;
99 } 102 }
100 if (key->type != pktype) { 103 if (key->type != pktype) {
101 error("userauth_hostbased: type mismatch for decoded key " 104 error("%s: type mismatch for decoded key "
102 "(received %d, expected %d)", key->type, pktype); 105 "(received %d, expected %d)", __func__, key->type, pktype);
103 goto done; 106 goto done;
104 } 107 }
105 if (key_type_plain(key->type) == KEY_RSA && 108 if (sshkey_type_plain(key->type) == KEY_RSA &&
106 (datafellows & SSH_BUG_RSASIGMD5) != 0) { 109 (ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
107 error("Refusing RSA key because peer uses unsafe " 110 error("Refusing RSA key because peer uses unsafe "
108 "signature format"); 111 "signature format");
109 goto done; 112 goto done;
@@ -115,21 +118,23 @@ userauth_hostbased(Authctxt *authctxt)
115 goto done; 118 goto done;
116 } 119 }
117 120
118 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : 121 service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
119 authctxt->service; 122 authctxt->service;
120 buffer_init(&b); 123 if ((b = sshbuf_new()) == NULL)
121 buffer_put_string(&b, session_id2, session_id2_len); 124 fatal("%s: sshbuf_new failed", __func__);
122 /* reconstruct packet */ 125 /* reconstruct packet */
123 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 126 if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
124 buffer_put_cstring(&b, authctxt->user); 127 (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
125 buffer_put_cstring(&b, service); 128 (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
126 buffer_put_cstring(&b, "hostbased"); 129 (r = sshbuf_put_cstring(b, service)) != 0 ||
127 buffer_put_string(&b, pkalg, alen); 130 (r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
128 buffer_put_string(&b, pkblob, blen); 131 (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
129 buffer_put_cstring(&b, chost); 132 (r = sshbuf_put_string(b, pkblob, blen)) != 0 ||
130 buffer_put_cstring(&b, cuser); 133 (r = sshbuf_put_cstring(b, chost)) != 0 ||
134 (r = sshbuf_put_cstring(b, cuser)) != 0)
135 fatal("%s: buffer error: %s", __func__, ssh_err(r));
131#ifdef DEBUG_PK 136#ifdef DEBUG_PK
132 buffer_dump(&b); 137 sshbuf_dump(b, stderr);
133#endif 138#endif
134 139
135 pubkey_auth_info(authctxt, key, 140 pubkey_auth_info(authctxt, key,
@@ -138,15 +143,15 @@ userauth_hostbased(Authctxt *authctxt)
138 /* test for allowed key and correct signature */ 143 /* test for allowed key and correct signature */
139 authenticated = 0; 144 authenticated = 0;
140 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && 145 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
141 PRIVSEP(sshkey_verify(key, sig, slen, buffer_ptr(&b), 146 PRIVSEP(sshkey_verify(key, sig, slen,
142 buffer_len(&b), 0)) == 0) 147 sshbuf_ptr(b), sshbuf_len(b), ssh->compat)) == 0)
143 authenticated = 1; 148 authenticated = 1;
144 149
145 buffer_free(&b); 150 sshbuf_free(b);
146done: 151done:
147 debug2("userauth_hostbased: authenticated %d", authenticated); 152 debug2("%s: authenticated %d", __func__, authenticated);
148 if (key != NULL) 153 if (key != NULL)
149 key_free(key); 154 sshkey_free(key);
150 free(pkalg); 155 free(pkalg);
151 free(pkblob); 156 free(pkblob);
152 free(cuser); 157 free(cuser);
@@ -203,8 +208,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
203 } 208 }
204 debug2("%s: access allowed by auth_rhosts2", __func__); 209 debug2("%s: access allowed by auth_rhosts2", __func__);
205 210
206 if (key_is_cert(key) && 211 if (sshkey_is_cert(key) &&
207 key_cert_check_authority(key, 1, 0, lookup, &reason)) { 212 sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) {
208 error("%s", reason); 213 error("%s", reason);
209 auth_debug_add("%s", reason); 214 auth_debug_add("%s", reason);
210 return 0; 215 return 0;
@@ -223,20 +228,20 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
223 } 228 }
224 229
225 if (host_status == HOST_OK) { 230 if (host_status == HOST_OK) {
226 if (key_is_cert(key)) { 231 if (sshkey_is_cert(key)) {
227 if ((fp = sshkey_fingerprint(key->cert->signature_key, 232 if ((fp = sshkey_fingerprint(key->cert->signature_key,
228 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) 233 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
229 fatal("%s: sshkey_fingerprint fail", __func__); 234 fatal("%s: sshkey_fingerprint fail", __func__);
230 verbose("Accepted certificate ID \"%s\" signed by " 235 verbose("Accepted certificate ID \"%s\" signed by "
231 "%s CA %s from %s@%s", key->cert->key_id, 236 "%s CA %s from %s@%s", key->cert->key_id,
232 key_type(key->cert->signature_key), fp, 237 sshkey_type(key->cert->signature_key), fp,
233 cuser, lookup); 238 cuser, lookup);
234 } else { 239 } else {
235 if ((fp = sshkey_fingerprint(key, 240 if ((fp = sshkey_fingerprint(key,
236 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) 241 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
237 fatal("%s: sshkey_fingerprint fail", __func__); 242 fatal("%s: sshkey_fingerprint fail", __func__);
238 verbose("Accepted %s public key %s from %s@%s", 243 verbose("Accepted %s public key %s from %s@%s",
239 key_type(key), fp, cuser, lookup); 244 sshkey_type(key), fp, cuser, lookup);
240 } 245 }
241 free(fp); 246 free(fp);
242 } 247 }
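Review bot: In the `#ifdef DEBUG_PK` block of userauth_hostbased (new line 86), `sshbuf_dump_data(sig, siglen, stderr);` names `siglen`, but the only length declared for the signature is `slen` (`size_t alen, blen, slen;` on new line 67), so a build with DEBUG_PK defined will not compile; it should read `sshbuf_dump_data(sig, slen, stderr);`. Since that block is compiled out by default, a normal build will not catch this, so it is worth building this authentication path once with DEBUG_PK. Separately, the `if (key == NULL)` check kept after the new `sshkey_from_blob(pkblob, blen, &key)` error branch looks unreachable if that call always sets `key` on success, and the new error text still says `key_from_blob` rather than `sshkey_from_blob`. The body of userauth_hostbased continues outside the hunks shown here.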