Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-5]: src/crypto/dist/ssh Pull up revisions 1.2-1.6 (requested by...
details: https://anonhg.NetBSD.org/src/rev/c6ac2e997a89
branches: netbsd-1-5
changeset: 490699:c6ac2e997a89
user: he <he%NetBSD.org@localhost>
date: Mon Feb 26 20:26:45 2001 +0000
description:
Pull up revisions 1.2-1.6 (requested by itojun):
Update SSH to version found on trunk as of 26 Feb 2001.
diffstat:
crypto/dist/ssh/auth1.c | 374 ++++++
crypto/dist/ssh/channels.c | 2513 +++++++++++++++++++++++++++++++++++++++++
crypto/dist/ssh/packet.c | 228 +--
crypto/dist/ssh/sshconnect.c | 779 ++++++++++++
crypto/dist/ssh/sshconnect1.c | 1043 +++++++++++++++++
crypto/dist/ssh/sshconnect2.c | 1067 +++++++++++++++++
crypto/dist/ssh/sshd.c | 1720 ++++++++++++++++++++++++++++
7 files changed, 7601 insertions(+), 123 deletions(-)
diffs (truncated from 8111 to 300 lines):
diff -r 6107af742467 -r c6ac2e997a89 crypto/dist/ssh/auth1.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ssh/auth1.c Mon Feb 26 20:26:45 2001 +0000
@@ -0,0 +1,374 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
+ * All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth1.c,v 1.17 2001/02/13 22:49:40 markus Exp $");
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh1.h"
+#include "packet.h"
+#include "buffer.h"
+#include "mpaux.h"
+#include "log.h"
+#include "servconf.h"
+#include "compat.h"
+#include "auth.h"
+#include "session.h"
+
+/* import */
+extern ServerOptions options;
+extern char *forced_command;
+
+/*
+ * convert ssh auth msg type into description
+ */
+static char *
+get_authname(int type)
+{
+ static char buf[1024];
+ switch (type) {
+ case SSH_CMSG_AUTH_PASSWORD:
+ return "password";
+ case SSH_CMSG_AUTH_RSA:
+ return "rsa";
+ case SSH_CMSG_AUTH_RHOSTS_RSA:
+ return "rhosts-rsa";
+ case SSH_CMSG_AUTH_RHOSTS:
+ return "rhosts";
+ case SSH_CMSG_AUTH_TIS:
+ case SSH_CMSG_AUTH_TIS_RESPONSE:
+ return "challenge-response";
+#ifdef KRB4
+ case SSH_CMSG_AUTH_KERBEROS:
+ return "kerberos";
+#endif
+ }
+ snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
+ return buf;
+}
+
+/*
+ * read packets, try to authenticate the user and
+ * return only if authentication is successful
+ */
+static void
+do_authloop(Authctxt *authctxt)
+{
+ int authenticated = 0;
+ u_int bits;
+ RSA *client_host_key;
+ BIGNUM *n;
+ char *client_user, *password;
+ char info[1024];
+ u_int dlen;
+ int plen, nlen, elen;
+ u_int ulen;
+ int type = 0;
+ struct passwd *pw = authctxt->pw;
+
+ debug("Attempting authentication for %s%.100s.",
+ authctxt->valid ? "" : "illegal user ", authctxt->user);
+
+ /* If the user has no password, accept authentication immediately. */
+ if (options.password_authentication &&
+#ifdef KRB4
+ (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
+#endif
+ auth_password(pw, "")) {
+ auth_log(authctxt, 1, "without authentication", "");
+ return;
+ }
+
+ /* Indicate that authentication is needed. */
+ packet_start(SSH_SMSG_FAILURE);
+ packet_send();
+ packet_write_wait();
+
+ for (;;) {
+ /* default to fail */
+ authenticated = 0;
+
+ info[0] = '\0';
+
+ /* Get a packet from the client. */
+ type = packet_read(&plen);
+
+ /* Process the packet. */
+ switch (type) {
+#ifdef AFS
+ case SSH_CMSG_HAVE_KERBEROS_TGT:
+ if (!options.kerberos_tgt_passing) {
+ verbose("Kerberos tgt passing disabled.");
+ break;
+ } else {
+ /* Accept Kerberos tgt. */
+ char *tgt = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+ if (!auth_kerberos_tgt(pw, tgt))
+ verbose("Kerberos tgt REFUSED for %.100s", authctxt->user);
+ xfree(tgt);
+ }
+ continue;
+
+ case SSH_CMSG_HAVE_AFS_TOKEN:
+ if (!options.afs_token_passing || !k_hasafs()) {
+ verbose("AFS token passing disabled.");
+ break;
+ } else {
+ /* Accept AFS token. */
+ char *token_string = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+ if (!auth_afs_token(pw, token_string))
+ verbose("AFS token REFUSED for %.100s", authctxt->user);
+ xfree(token_string);
+ }
+ continue;
+#endif /* AFS */
+#ifdef KRB4
+ case SSH_CMSG_AUTH_KERBEROS:
+ if (!options.kerberos_authentication) {
+ verbose("Kerberos authentication disabled.");
+ break;
+ } else {
+ /* Try Kerberos v4 authentication. */
+ KTEXT_ST auth;
+ char *tkt_user = NULL;
+ char *kdata = packet_get_string((u_int *) &auth.length);
+ packet_integrity_check(plen, 4 + auth.length, type);
+
+ if (authctxt->valid) {
+ if (auth.length < MAX_KTXT_LEN)
+ memcpy(auth.dat, kdata, auth.length);
+ authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
+ if (authenticated) {
+ snprintf(info, sizeof info,
+ " tktuser %.100s", tkt_user);
+ xfree(tkt_user);
+ }
+ }
+ xfree(kdata);
+ }
+ break;
+#endif /* KRB4 */
+
+ case SSH_CMSG_AUTH_RHOSTS:
+ if (!options.rhosts_authentication) {
+ verbose("Rhosts authentication disabled.");
+ break;
+ }
+ /*
+ * Get client user name. Note that we just have to
+ * trust the client; this is one reason why rhosts
+ * authentication is insecure. (Another is
+ * IP-spoofing on a local network.)
+ */
+ client_user = packet_get_string(&ulen);
+ packet_integrity_check(plen, 4 + ulen, type);
+
+ /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
+ authenticated = auth_rhosts(pw, client_user);
+
+ snprintf(info, sizeof info, " ruser %.100s", client_user);
+ xfree(client_user);
+ break;
+
+ case SSH_CMSG_AUTH_RHOSTS_RSA:
+ if (!options.rhosts_rsa_authentication) {
+ verbose("Rhosts with RSA authentication disabled.");
+ break;
+ }
+ /*
+ * Get client user name. Note that we just have to
+ * trust the client; root on the client machine can
+ * claim to be any user.
+ */
+ client_user = packet_get_string(&ulen);
+
+ /* Get the client host key. */
+ client_host_key = RSA_new();
+ if (client_host_key == NULL)
+ fatal("RSA_new failed");
+ client_host_key->e = BN_new();
+ client_host_key->n = BN_new();
+ if (client_host_key->e == NULL || client_host_key->n == NULL)
+ fatal("BN_new failed");
+ bits = packet_get_int();
+ packet_get_bignum(client_host_key->e, &elen);
+ packet_get_bignum(client_host_key->n, &nlen);
+
+ if (bits != BN_num_bits(client_host_key->n))
+ verbose("Warning: keysize mismatch for client_host_key: "
+ "actual %d, announced %d", BN_num_bits(client_host_key->n), bits);
+ packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
+
+ authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);
+ RSA_free(client_host_key);
+
+ snprintf(info, sizeof info, " ruser %.100s", client_user);
+ xfree(client_user);
+ break;
+
+ case SSH_CMSG_AUTH_RSA:
+ if (!options.rsa_authentication) {
+ verbose("RSA authentication disabled.");
+ break;
+ }
+ /* RSA authentication requested. */
+ n = BN_new();
+ packet_get_bignum(n, &nlen);
+ packet_integrity_check(plen, nlen, type);
+ authenticated = auth_rsa(pw, n);
+ BN_clear_free(n);
+ break;
+
+ case SSH_CMSG_AUTH_PASSWORD:
+ if (!options.password_authentication) {
+ verbose("Password authentication disabled.");
+ break;
+ }
+ /*
+ * Read user password. It is in plain text, but was
+ * transmitted over the encrypted channel so it is
+ * not visible to an outside observer.
+ */
+ password = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+
+ /* Try authentication with the password. */
+ authenticated = auth_password(pw, password);
+
+ memset(password, 0, strlen(password));
+ xfree(password);
+ break;
+
+ case SSH_CMSG_AUTH_TIS:
+ debug("rcvd SSH_CMSG_AUTH_TIS");
+ if (options.challenge_reponse_authentication == 1) {
+ char *challenge = get_challenge(authctxt, authctxt->style);
+ if (challenge != NULL) {
+ debug("sending challenge '%s'", challenge);
+ packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+ packet_put_cstring(challenge);
+ packet_send();
+ packet_write_wait();
+ continue;
+ }
+ }
+ break;
+ case SSH_CMSG_AUTH_TIS_RESPONSE:
+ debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
+ if (options.challenge_reponse_authentication == 1) {
+ char *response = packet_get_string(&dlen);
+ debug("got response '%s'", response);
+ packet_integrity_check(plen, 4 + dlen, type);
+ authenticated = verify_response(authctxt, response);
+ memset(response, 'r', dlen);
+ xfree(response);
+ }
+ break;
+
+ default:
+ /*
+ * Any unknown messages will be ignored (and failure
+ * returned) during authentication.
+ */
+ log("Unknown message during authentication: type %d", type);
+ break;
+ }
+ if (!authctxt->valid && authenticated)
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
+
+ /* Special handling for root */
+ if (authenticated && authctxt->pw->pw_uid == 0 &&
+ !auth_root_allowed(get_authname(type)))
+ authenticated = 0;
+
+ /* Log before sending the reply */
Home |
Main Index |
Thread Index |
Old Index