summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/sshconnect2.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/sshconnect2.c')
-rw-r--r--crypto/openssh/sshconnect2.c65
1 files changed, 44 insertions, 21 deletions
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index 260c630..2a5943e 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.180 2010/02/26 20:29:54 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -32,6 +32,7 @@
#include <sys/stat.h>
#include <errno.h>
+#include <fcntl.h>
#include <netdb.h>
#include <pwd.h>
#include <signal.h>
@@ -152,6 +153,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
+ if (options.use_roaming && !kex->roaming) {
+ debug("Roaming not allowed by server");
+ options.use_roaming = 0;
+ }
+
session_id2 = kex->session_id;
session_id2_len = kex->session_id_len;
@@ -210,6 +216,7 @@ struct Authmethod {
};
void input_userauth_success(int, u_int32_t, void *);
+void input_userauth_success_unexpected(int, u_int32_t, void *);
void input_userauth_failure(int, u_int32_t, void *);
void input_userauth_banner(int, u_int32_t, void *);
void input_userauth_error(int, u_int32_t, void *);
@@ -414,7 +421,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
if (len > 65536)
len = 65536;
msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
- strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
+ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
fprintf(stderr, "%s", msg);
xfree(msg);
}
@@ -427,12 +434,15 @@ void
input_userauth_success(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
+
if (authctxt == NULL)
fatal("input_userauth_success: no authentication context");
if (authctxt->authlist) {
xfree(authctxt->authlist);
authctxt->authlist = NULL;
}
+ if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
+ authctxt->method->cleanup(authctxt);
if (authctxt->methoddata) {
xfree(authctxt->methoddata);
authctxt->methoddata = NULL;
@@ -440,6 +450,18 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
authctxt->success = 1; /* break out */
}
+void
+input_userauth_success_unexpected(int type, u_int32_t seq, void *ctxt)
+{
+ Authctxt *authctxt = ctxt;
+
+ if (authctxt == NULL)
+ fatal("%s: no authentication context", __func__);
+
+ fatal("Unexpected authentication success during %s.",
+ authctxt->method->name);
+}
+
/* ARGSUSED */
void
input_userauth_failure(int type, u_int32_t seq, void *ctxt)
@@ -782,6 +804,8 @@ userauth_passwd(Authctxt *authctxt)
static int attempt = 0;
char prompt[150];
char *password;
+ const char *host = options.host_key_alias ? options.host_key_alias :
+ authctxt->host;
if (attempt++ >= options.number_of_password_prompts)
return 0;
@@ -790,7 +814,7 @@ userauth_passwd(Authctxt *authctxt)
error("Permission denied, please try again.");
snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
- authctxt->server_user, authctxt->host);
+ authctxt->server_user, host);
password = read_passphrase(prompt, 0);
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
@@ -819,6 +843,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
Authctxt *authctxt = ctxt;
char *info, *lang, *password = NULL, *retype = NULL;
char prompt[150];
+ const char *host = options.host_key_alias ? options.host_key_alias :
+ authctxt->host;
debug2("input_userauth_passwd_changereq");
@@ -839,7 +865,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
packet_put_char(1); /* additional info */
snprintf(prompt, sizeof(prompt),
"Enter %.30s@%.128s's old password: ",
- authctxt->server_user, authctxt->host);
+ authctxt->server_user, host);
password = read_passphrase(prompt, 0);
packet_put_cstring(password);
memset(password, 0, strlen(password));
@@ -848,7 +874,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
while (password == NULL) {
snprintf(prompt, sizeof(prompt),
"Enter %.30s@%.128s's new password: ",
- authctxt->server_user, authctxt->host);
+ authctxt->server_user, host);
password = read_passphrase(prompt, RP_ALLOW_EOF);
if (password == NULL) {
/* bail out */
@@ -856,7 +882,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
}
snprintf(prompt, sizeof(prompt),
"Retype %.30s@%.128s's new password: ",
- authctxt->server_user, authctxt->host);
+ authctxt->server_user, host);
retype = read_passphrase(prompt, 0);
if (strcmp(password, retype) != 0) {
memset(password, 0, strlen(password));
@@ -1224,7 +1250,7 @@ load_identity_file(char *filename)
{
Key *private;
char prompt[300], *passphrase;
- int perm_ok, quit, i;
+ int perm_ok = 0, quit, i;
struct stat st;
if (stat(filename, &st) < 0) {
@@ -1285,6 +1311,8 @@ pubkey_prepare(Authctxt *authctxt)
key = options.identity_keys[i];
if (key && key->type == KEY_RSA1)
continue;
+ if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
+ continue;
options.identity_keys[i] = NULL;
id = xcalloc(1, sizeof(*id));
id->key = key;
@@ -1488,7 +1516,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
debug2("ssh_keysign called");
if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
- error("ssh_keysign: no installed: %s", strerror(errno));
+ error("ssh_keysign: not installed: %s", strerror(errno));
return -1;
}
if (fflush(stdout) != 0)
@@ -1506,6 +1534,8 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
return -1;
}
if (pid == 0) {
+ /* keep the socket on exec */
+ fcntl(packet_get_connection_in(), F_SETFD, 0);
permanently_drop_suid(getuid());
close(from[0]);
if (dup2(from[1], STDOUT_FILENO) < 0)
@@ -1558,10 +1588,10 @@ userauth_hostbased(Authctxt *authctxt)
Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
- char *chost, *pkalg, *p, myname[NI_MAXHOST];
+ char *chost, *pkalg, *p;
const char *service;
u_int blen, slen;
- int ok, i, len, found = 0;
+ int ok, i, found = 0;
/* check for a useful key */
for (i = 0; i < sensitive->nkeys; i++) {
@@ -1582,23 +1612,13 @@ userauth_hostbased(Authctxt *authctxt)
return 0;
}
/* figure out a name for the client host */
- p = NULL;
- if (packet_connection_is_on_socket())
- p = get_local_name(packet_get_connection_in());
- if (p == NULL) {
- if (gethostname(myname, sizeof(myname)) == -1) {
- verbose("userauth_hostbased: gethostname: %s",
- strerror(errno));
- } else
- p = xstrdup(myname);
- }
+ p = get_local_name(packet_get_connection_in());
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
key_free(private);
xfree(blob);
return 0;
}
- len = strlen(p) + 2;
xasprintf(&chost, "%s.", p);
debug2("userauth_hostbased: chost %s", chost);
xfree(p);
@@ -1709,6 +1729,8 @@ userauth_jpake(Authctxt *authctxt)
/* Expect step 1 packet from peer */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
input_userauth_jpake_server_step1);
+ dispatch_set(SSH2_MSG_USERAUTH_SUCCESS,
+ &input_userauth_success_unexpected);
return 1;
}
@@ -1721,6 +1743,7 @@ userauth_jpake_cleanup(Authctxt *authctxt)
jpake_free(authctxt->methoddata);
authctxt->methoddata = NULL;
}
+ dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
}
#endif /* JPAKE */
OpenPOWER on IntegriCloud