diff options
author | markus@openbsd.org <markus@openbsd.org> | 2016-08-13 17:47:40 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-08-14 11:19:14 +1000 |
commit | 6cb6dcffe1a2204ba9006de20f73255c268fcb6b (patch) | |
tree | 235267a1264f9363c39c4c0b11b59384e9acbdcf | |
parent | 42d47adc5ad1187f22c726cbc52e71d6b1767ca2 (diff) |
upstream commit
remove ssh1 server code; ok djm@
Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | auth-chall.c | 125 | ||||
-rw-r--r-- | auth-rh-rsa.c | 109 | ||||
-rw-r--r-- | auth-rhosts.c | 23 | ||||
-rw-r--r-- | auth-rsa.c | 349 | ||||
-rw-r--r-- | auth.c | 10 | ||||
-rw-r--r-- | auth.h | 19 | ||||
-rw-r--r-- | auth1.c | 444 | ||||
-rw-r--r-- | monitor.c | 305 | ||||
-rw-r--r-- | monitor_wrap.c | 151 | ||||
-rw-r--r-- | monitor_wrap.h | 13 | ||||
-rw-r--r-- | serverloop.c | 596 | ||||
-rw-r--r-- | serverloop.h | 3 | ||||
-rw-r--r-- | session.c | 212 | ||||
-rw-r--r-- | session.h | 3 | ||||
-rw-r--r-- | sshd.c | 479 |
16 files changed, 84 insertions, 2763 deletions
diff --git a/Makefile.in b/Makefile.in index 12991cd9..62fdb09f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -97,11 +97,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o -SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ +SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ - auth.o auth1.o auth2.o auth-options.o session.o \ - auth-chall.o auth2-chall.o groupaccess.o \ + auth.o auth2.o auth-options.o session.o \ + auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ diff --git a/auth-chall.c b/auth-chall.c deleted file mode 100644 index 60c9f14c..00000000 --- a/auth-chall.c +++ /dev/null @@ -1,125 +0,0 @@ -/* $OpenBSD: auth-chall.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */ -/* - * Copyright (c) 2001 Markus Friedl. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "includes.h" - -#include <sys/types.h> -#include <stdarg.h> -#include <stdlib.h> -#include <stdio.h> - -#include "xmalloc.h" -#include "key.h" -#include "hostfile.h" -#include "auth.h" -#include "log.h" -#include "misc.h" -#include "servconf.h" - -/* limited protocol v1 interface to kbd-interactive authentication */ - -extern KbdintDevice *devices[]; -static KbdintDevice *device; -extern ServerOptions options; - -char * -get_challenge(Authctxt *authctxt) -{ - char *challenge, *name, *info, **prompts; - u_int i, numprompts; - u_int *echo_on; - -#ifdef USE_PAM - if (!options.use_pam) - remove_kbdint_device("pam"); -#endif - - device = devices[0]; /* we always use the 1st device for protocol 1 */ - if (device == NULL) - return NULL; - if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL) - return NULL; - if (device->query(authctxt->kbdintctxt, &name, &info, - &numprompts, &prompts, &echo_on)) { - device->free_ctx(authctxt->kbdintctxt); - authctxt->kbdintctxt = NULL; - return NULL; - } - if (numprompts < 1) - fatal("get_challenge: numprompts < 1"); - challenge = xstrdup(prompts[0]); - for (i = 0; i < numprompts; i++) - free(prompts[i]); - free(prompts); - free(name); - free(echo_on); - free(info); - - return (challenge); -} -int -verify_response(Authctxt *authctxt, const char *response) -{ - char *resp[1], *name, *info, **prompts; - u_int i, numprompts, *echo_on; - int authenticated = 0; - - if (device == NULL) - return 0; - if (authctxt->kbdintctxt == NULL) - return 0; - resp[0] = (char *)response; - switch (device->respond(authctxt->kbdintctxt, 1, resp)) { - case 0: /* Success */ - authenticated = 1; - break; - case 1: /* Postponed - retry with empty query for PAM */ - if ((device->query(authctxt->kbdintctxt, &name, &info, - &numprompts, &prompts, &echo_on)) != 0) - break; - if (numprompts == 0 && - device->respond(authctxt->kbdintctxt, 0, resp) == 0) - authenticated = 1; - - for (i = 0; i < numprompts; i++) - free(prompts[i]); - free(prompts); - free(name); - free(echo_on); - free(info); - break; - } - device->free_ctx(authctxt->kbdintctxt); - authctxt->kbdintctxt = NULL; - return authenticated; -} -void -abandon_challenge_response(Authctxt *authctxt) -{ - if (authctxt->kbdintctxt != NULL) { - device->free_ctx(authctxt->kbdintctxt); - authctxt->kbdintctxt = NULL; - } -} diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c deleted file mode 100644 index 057335ba..00000000 --- a/auth-rh-rsa.c +++ /dev/null @@ -1,109 +0,0 @@ -/* $OpenBSD: auth-rh-rsa.c,v 1.45 2016/03/07 19:02:43 djm Exp $ */ -/* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland - * All rights reserved - * Rhosts or /etc/hosts.equiv authentication combined with RSA host - * authentication. - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - */ - -#include "includes.h" - -#ifdef WITH_SSH1 - -#include <sys/types.h> - -#include <pwd.h> -#include <stdarg.h> - -#include "packet.h" -#include "uidswap.h" -#include "log.h" -#include "buffer.h" -#include "misc.h" -#include "servconf.h" -#include "key.h" -#include "hostfile.h" -#include "pathnames.h" -#include "auth.h" -#include "canohost.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" - -/* import */ -extern ServerOptions options; - -int -auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *cuser, - const char *chost, Key *client_host_key) -{ - HostStatus host_status; - - if (auth_key_is_revoked(client_host_key)) - return 0; - - /* Check if we would accept it using rhosts authentication. */ - if (!auth_rhosts(pw, cuser)) - return 0; - - host_status = check_key_in_hostfiles(pw, client_host_key, - chost, _PATH_SSH_SYSTEM_HOSTFILE, - options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); - - return (host_status == HOST_OK); -} - -/* - * Tries to authenticate the user using the .rhosts file and the host using - * its host key. Returns true if authentication succeeds. - */ -int -auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key) -{ - struct ssh *ssh = active_state; /* XXX */ - const char *chost; - struct passwd *pw = authctxt->pw; - - debug("Trying rhosts with RSA host authentication for client user %.100s", - cuser); - - if (!authctxt->valid || client_host_key == NULL || - client_host_key->rsa == NULL) - return 0; - - chost = auth_get_canonical_hostname(ssh, options.use_dns); - debug("Rhosts RSA authentication: canonical host %.900s", chost); - - if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) { - debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); - packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); - return 0; - } - /* A matching host key was found and is known. */ - - /* Perform the challenge-response dialog with the client for the host key. */ - if (!auth_rsa_challenge_dialog(client_host_key)) { - logit("Client on %.800s failed to respond correctly to host authentication.", - chost); - return 0; - } - /* - * We have authenticated the user using .rhosts or /etc/hosts.equiv, - * and the host using RSA. We accept the authentication. - */ - - verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", - pw->pw_name, cuser, chost); - packet_send_debug("Rhosts with RSA host authentication accepted."); - return 1; -} - -#endif /* WITH_SSH1 */ diff --git a/auth-rhosts.c b/auth-rhosts.c index 0ef34471..ecf956f0 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rhosts.c,v 1.47 2016/03/07 19:02:43 djm Exp $ */ +/* $OpenBSD: auth-rhosts.c,v 1.48 2016/08/13 17:47:41 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -186,20 +186,8 @@ check_rhosts_file(const char *filename, const char *hostname, * true if authentication succeeds. If ignore_rhosts is true, only * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). */ - int -auth_rhosts(struct passwd *pw, const char *client_user) -{ - struct ssh *ssh = active_state; /* XXX */ - const char *hostname, *ipaddr; - - hostname = auth_get_canonical_hostname(ssh, options.use_dns); - ipaddr = ssh_remote_ipaddr(ssh); - return auth_rhosts2(pw, client_user, hostname, ipaddr); -} - -static int -auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, +auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, const char *ipaddr) { char buf[1024]; @@ -334,10 +322,3 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam restore_uid(); return 0; } - -int -auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, - const char *ipaddr) -{ - return auth_rhosts2_raw(pw, client_user, hostname, ipaddr); -} diff --git a/auth-rsa.c b/auth-rsa.c deleted file mode 100644 index cbd971be..00000000 --- a/auth-rsa.c +++ /dev/null @@ -1,349 +0,0 @@ -/* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */ -/* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland - * All rights reserved - * RSA-based authentication. This code determines whether to admit a login - * based on RSA authentication. This file also contains functions to check - * validity of the host key. - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - */ - -#include "includes.h" - -#ifdef WITH_SSH1 - -#include <sys/types.h> -#include <sys/stat.h> - -#include <openssl/rsa.h> - -#include <pwd.h> -#include <stdio.h> -#include <stdarg.h> -#include <string.h> - -#include "xmalloc.h" -#include "rsa.h" -#include "packet.h" -#include "ssh1.h" -#include "uidswap.h" -#include "match.h" -#include "buffer.h" -#include "pathnames.h" -#include "log.h" -#include "misc.h" -#include "servconf.h" -#include "key.h" -#include "auth-options.h" -#include "hostfile.h" -#include "auth.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" -#include "ssh.h" - -#include "digest.h" - -/* import */ -extern ServerOptions options; - -/* - * Session identifier that is used to bind key exchange and authentication - * responses to a particular session. - */ -extern u_char session_id[16]; - -/* - * The .ssh/authorized_keys file contains public keys, one per line, in the - * following format: - * options bits e n comment - * where bits, e and n are decimal numbers, - * and comment is any string of characters up to newline. The maximum - * length of a line is SSH_MAX_PUBKEY_BYTES characters. See sshd(8) for a - * description of the options. - */ - -BIGNUM * -auth_rsa_generate_challenge(Key *key) -{ - BIGNUM *challenge; - BN_CTX *ctx; - - if ((challenge = BN_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_new() failed"); - /* Generate a random challenge. */ - if (BN_rand(challenge, 256, 0, 0) == 0) - fatal("auth_rsa_generate_challenge: BN_rand failed"); - if ((ctx = BN_CTX_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_CTX_new failed"); - if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0) - fatal("auth_rsa_generate_challenge: BN_mod failed"); - BN_CTX_free(ctx); - - return challenge; -} - -int -auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) -{ - u_char buf[32], mdbuf[16]; - struct ssh_digest_ctx *md; - int len; - - /* don't allow short keys */ - if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("%s: RSA modulus too small: %d < minimum %d bits", - __func__, - BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); - return (0); - } - - /* The response is MD5 of decrypted challenge plus session id. */ - len = BN_num_bytes(challenge); - if (len <= 0 || len > 32) - fatal("%s: bad challenge length %d", __func__, len); - memset(buf, 0, 32); - BN_bn2bin(challenge, buf + 32 - len); - if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || - ssh_digest_update(md, buf, 32) < 0 || - ssh_digest_update(md, session_id, 16) < 0 || - ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0) - fatal("%s: md5 failed", __func__); - ssh_digest_free(md); - - /* Verify that the response is the original challenge. */ - if (timingsafe_bcmp(response, mdbuf, 16) != 0) { - /* Wrong answer. */ - return (0); - } - /* Correct answer. */ - return (1); -} - -/* - * Performs the RSA authentication challenge-response dialog with the client, - * and returns true (non-zero) if the client gave the correct answer to - * our challenge; returns zero if the client gives a wrong answer. - */ - -int -auth_rsa_challenge_dialog(Key *key) -{ - BIGNUM *challenge, *encrypted_challenge; - u_char response[16]; - int i, success; - - if ((encrypted_challenge = BN_new()) == NULL) - fatal("auth_rsa_challenge_dialog: BN_new() failed"); - - challenge = PRIVSEP(auth_rsa_generate_challenge(key)); - - /* Encrypt the challenge with the public key. */ - if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0) - fatal("%s: rsa_public_encrypt failed", __func__); - - /* Send the encrypted challenge to the client. */ - packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE); - packet_put_bignum(encrypted_challenge); - packet_send(); - BN_clear_free(encrypted_challenge); - packet_write_wait(); - - /* Wait for a response. */ - packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE); - for (i = 0; i < 16; i++) - response[i] = (u_char)packet_get_char(); - packet_check_eom(); - - success = PRIVSEP(auth_rsa_verify_response(key, challenge, response)); - BN_clear_free(challenge); - return (success); -} - -static int -rsa_key_allowed_in_file(struct passwd *pw, char *file, - const BIGNUM *client_n, Key **rkey) -{ - char *fp, line[SSH_MAX_PUBKEY_BYTES]; - int allowed = 0, bits; - FILE *f; - u_long linenum = 0; - Key *key; - - debug("trying public RSA key file %s", file); - if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) - return 0; - - /* - * Go though the accepted keys, looking for the current key. If - * found, perform a challenge-response dialog to verify that the - * user really has the corresponding private key. - */ - key = key_new(KEY_RSA1); - while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { - char *cp; - char *key_options; - int keybits; - - /* Skip leading whitespace, empty and comment lines. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++) - ; - if (!*cp || *cp == '\n' || *cp == '#') - continue; - - /* - * Check if there are options for this key, and if so, - * save their starting address and skip the option part - * for now. If there are no options, set the starting - * address to NULL. - */ - if (*cp < '0' || *cp > '9') { - int quoted = 0; - key_options = cp; - for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { - if (*cp == '\\' && cp[1] == '"') - cp++; /* Skip both */ - else if (*cp == '"') - quoted = !quoted; - } - } else - key_options = NULL; - - /* Parse the key from the line. */ - if (hostfile_read_key(&cp, &bits, key) == 0) { - debug("%.100s, line %lu: non ssh1 key syntax", - file, linenum); - continue; - } - /* cp now points to the comment part. */ - - /* - * Check if the we have found the desired key (identified - * by its modulus). - */ - if (BN_cmp(key->rsa->n, client_n) != 0) - continue; - - /* check the real bits */ - keybits = BN_num_bits(key->rsa->n); - if (keybits < 0 || bits != keybits) - logit("Warning: %s, line %lu: keysize mismatch: " - "actual %d vs. announced %d.", - file, linenum, BN_num_bits(key->rsa->n), bits); - - if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, - SSH_FP_DEFAULT)) == NULL) - continue; - debug("matching key found: file %s, line %lu %s %s", - file, linenum, key_type(key), fp); - free(fp); - - /* Never accept a revoked key */ - if (auth_key_is_revoked(key)) - break; - - /* We have found the desired key. */ - /* - * If our options do not allow this key to be used, - * do not send challenge. - */ - if (!auth_parse_options(pw, key_options, file, linenum)) - continue; - if (key_is_cert_authority) - continue; - /* break out, this key is allowed */ - allowed = 1; - break; - } - - /* Close the file. */ - fclose(f); - - /* return key if allowed */ - if (allowed && rkey != NULL) - *rkey = key; - else - key_free(key); - - return allowed; -} - -/* - * check if there's user key matching client_n, - * return key if login is allowed, NULL otherwise - */ - -int -auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) -{ - char *file; - u_int i, allowed = 0; - - temporarily_use_uid(pw); - - for (i = 0; !allowed && i < options.num_authkeys_files; i++) { - if (strcasecmp(options.authorized_keys_files[i], "none") == 0) - continue; - file = expand_authorized_keys( - options.authorized_keys_files[i], pw); - allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); - free(file); - } - - restore_uid(); - - return allowed; -} - -/* - * Performs the RSA authentication dialog with the client. This returns - * 0 if the client could not be authenticated, and 1 if authentication was - * successful. This may exit if there is a serious protocol violation. - */ -int -auth_rsa(Authctxt *authctxt, BIGNUM *client_n) -{ - Key *key; - struct passwd *pw = authctxt->pw; - - /* no user given */ - if (!authctxt->valid) - return 0; - - if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) { - auth_clear_options(); - return (0); - } - - /* Perform the challenge-response dialog for this key. */ - if (!auth_rsa_challenge_dialog(key)) { - /* Wrong response. */ - verbose("Wrong response to RSA authentication challenge."); - packet_send_debug("Wrong response to RSA authentication challenge."); - /* - * Break out of the loop. Otherwise we might send - * another challenge and break the protocol. - */ - key_free(key); - return (0); - } - /* - * Correct response. The client has been successfully - * authenticated. Note that we have not yet processed the - * options; this will be reset if the options cause the - * authentication to be rejected. - */ - pubkey_auth_info(authctxt, key, NULL); - - packet_send_debug("RSA authentication accepted."); - return (1); -} - -#endif /* WITH_SSH1 */ @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.115 2016/06/15 00:40:40 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.116 2016/08/13 17:47:41 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -298,7 +298,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, else authmsg = authenticated ? "Accepted" : "Failed"; - authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", + authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", authmsg, method, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, @@ -306,7 +306,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, authctxt->user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), - compat20 ? "ssh2" : "ssh1", authctxt->info != NULL ? ": " : "", authctxt->info != NULL ? authctxt->info : ""); free(authctxt->info); @@ -339,12 +338,11 @@ auth_maxtries_exceeded(Authctxt *authctxt) struct ssh *ssh = active_state; /* XXX */ error("maximum authentication attempts exceeded for " - "%s%.100s from %.200s port %d %s", + "%s%.100s from %.200s port %d ssh2", authctxt->valid ? "" : "invalid user ", authctxt->user, ssh_remote_ipaddr(ssh), - ssh_remote_port(ssh), - compat20 ? "ssh2" : "ssh1"); + ssh_remote_port(ssh)); packet_disconnect("Too many authentication failures"); /* NOTREACHED */ } @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.88 2016/05/04 14:04:40 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.89 2016/08/13 17:47:41 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -112,20 +112,11 @@ struct KbdintDevice void (*free_ctx)(void *ctx); }; -int auth_rhosts(struct passwd *, const char *); int auth_rhosts2(struct passwd *, const char *, const char *, const char *); -int auth_rhosts_rsa(Authctxt *, char *, Key *); int auth_password(Authctxt *, const char *); -int auth_rsa(Authctxt *, BIGNUM *); -int auth_rsa_challenge_dialog(Key *); -BIGNUM *auth_rsa_generate_challenge(Key *); -int auth_rsa_verify_response(Key *, BIGNUM *, u_char[]); -int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); - -int auth_rhosts_rsa_key_allowed(struct passwd *, const char *, - const char *, Key *); + int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *, int); void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) @@ -156,7 +147,6 @@ void remove_kbdint_device(const char *); void disable_forwarding(void); -void do_authentication(Authctxt *); void do_authentication2(Authctxt *); void auth_info(Authctxt *authctxt, const char *, ...) @@ -187,10 +177,6 @@ int skey_respond(void *, u_int, char **); int allowed_user(struct passwd *); struct passwd * getpwnamallow(const char *user); -char *get_challenge(Authctxt *); -int verify_response(Authctxt *, const char *); -void abandon_challenge_response(Authctxt *); - char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); @@ -210,7 +196,6 @@ Key *get_hostkey_public_by_index(int, struct ssh *); Key *get_hostkey_public_by_type(int, int, struct ssh *); Key *get_hostkey_private_by_type(int, int, struct ssh *); int get_hostkey_index(Key *, int, struct ssh *); -int ssh1_session_key(BIGNUM *); int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *, const u_char *, size_t, const char *, u_int); diff --git a/auth1.c b/auth1.c deleted file mode 100644 index 5073c49b..00000000 --- a/auth1.c +++ /dev/null @@ -1,444 +0,0 @@ -/* $OpenBSD: auth1.c,v 1.82 2014/07/15 15:54:14 millert Exp $ */ -/* - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland - * All rights reserved - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - */ - -#include "includes.h" - -#ifdef WITH_SSH1 - -#include <sys/types.h> - -#include <stdarg.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <pwd.h> - -#include "openbsd-compat/sys-queue.h" -#include "xmalloc.h" -#include "rsa.h" -#include "ssh1.h" -#include "packet.h" -#include "buffer.h" -#include "log.h" -#include "misc.h" -#include "servconf.h" -#include "compat.h" -#include "key.h" -#include "hostfile.h" -#include "auth.h" -#include "channels.h" -#include "session.h" -#include "uidswap.h" -#ifdef GSSAPI -#include "ssh-gss.h" -#endif -#include "monitor_wrap.h" -#include "buffer.h" - -/* import */ -extern ServerOptions options; -extern Buffer loginmsg; - -static int auth1_process_password(Authctxt *); -static int auth1_process_rsa(Authctxt *); -static int auth1_process_rhosts_rsa(Authctxt *); -static int auth1_process_tis_challenge(Authctxt *); -static int auth1_process_tis_response(Authctxt *); - -static char *client_user = NULL; /* Used to fill in remote user for PAM */ - -struct AuthMethod1 { - int type; - char *name; - int *enabled; - int (*method)(Authctxt *); -}; - -const struct AuthMethod1 auth1_methods[] = { - { - SSH_CMSG_AUTH_PASSWORD, "password", - &options.password_authentication, auth1_process_password - }, - { - SSH_CMSG_AUTH_RSA, "rsa", - &options.rsa_authentication, auth1_process_rsa - }, - { - SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa", - &options.rhosts_rsa_authentication, auth1_process_rhosts_rsa - }, - { - SSH_CMSG_AUTH_TIS, "challenge-response", - &options.challenge_response_authentication, - auth1_process_tis_challenge - }, - { - SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response", - &options.challenge_response_authentication, - auth1_process_tis_response - }, - { -1, NULL, NULL, NULL} -}; - -static const struct AuthMethod1 -*lookup_authmethod1(int type) -{ - int i; - - for (i = 0; auth1_methods[i].name != NULL; i++) - if (auth1_methods[i].type == type) - return (&(auth1_methods[i])); - - return (NULL); -} - -static char * -get_authname(int type) -{ - const struct AuthMethod1 *a; - static char buf[64]; - - if ((a = lookup_authmethod1(type)) != NULL) - return (a->name); - snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type); - return (buf); -} - -/*ARGSUSED*/ -static int -auth1_process_password(Authctxt *authctxt) -{ - int authenticated = 0; - char *password; - u_int dlen; - - /* - * Read user password. It is in plain text, but was - * transmitted over the encrypted channel so it is - * not visible to an outside observer. - */ - password = packet_get_string(&dlen); - packet_check_eom(); - - /* Try authentication with the password. */ - authenticated = PRIVSEP(auth_password(authctxt, password)); - - explicit_bzero(password, dlen); - free(password); - - return (authenticated); -} - -/*ARGSUSED*/ -static int -auth1_process_rsa(Authctxt *authctxt) -{ - int authenticated = 0; - BIGNUM *n; - - /* RSA authentication requested. */ - if ((n = BN_new()) == NULL) - fatal("do_authloop: BN_new failed"); - packet_get_bignum(n); - packet_check_eom(); - authenticated = auth_rsa(authctxt, n); - BN_clear_free(n); - - return (authenticated); -} - -/*ARGSUSED*/ -static int -auth1_process_rhosts_rsa(Authctxt *authctxt) -{ - int keybits, authenticated = 0; - u_int bits; - Key *client_host_key; - u_int ulen; - - /* - * Get client user name. Note that we just have to - * trust the client; root on the client machine can - * claim to be any user. - */ - client_user = packet_get_cstring(&ulen); - - /* Get the client host key. */ - client_host_key = key_new(KEY_RSA1); - bits = packet_get_int(); - packet_get_bignum(client_host_key->rsa->e); - packet_get_bignum(client_host_key->rsa->n); - - keybits = BN_num_bits(client_host_key->rsa->n); - if (keybits < 0 || bits != (u_int)keybits) { - verbose("Warning: keysize mismatch for client_host_key: " - "actual %d, announced %d", - BN_num_bits(client_host_key->rsa->n), bits); - } - packet_check_eom(); - - authenticated = auth_rhosts_rsa(authctxt, client_user, - client_host_key); - key_free(client_host_key); - - auth_info(authctxt, "ruser %.100s", client_user); - - return (authenticated); -} - -/*ARGSUSED*/ -static int -auth1_process_tis_challenge(Authctxt *authctxt) -{ - char *challenge; - - if ((challenge = get_challenge(authctxt)) == NULL) - return (0); - - debug("sending challenge '%s'", challenge); - packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); - packet_put_cstring(challenge); - free(challenge); - packet_send(); - |