aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <mail@cynapses.org>2009-02-06 09:46:10 +0000
committerAndreas Schneider <mail@cynapses.org>2009-02-06 09:46:10 +0000
commit73cde232be40f850467cc8bcc3e85429a82e0e08 (patch)
treedd87ca9a0b92cbafd4cbf0e05634ddb374657f17
parent53226f98f245da9b0260709bc4866f67b479b825 (diff)
downloadlibssh-73cde232be40f850467cc8bcc3e85429a82e0e08.tar.gz
libssh-73cde232be40f850467cc8bcc3e85429a82e0e08.tar.xz
libssh-73cde232be40f850467cc8bcc3e85429a82e0e08.zip
Complete ssh client agent support.
git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@231 7dcaeef0-15fb-0310-b436-a5af3365683c
-rw-r--r--include/libssh/libssh.h2
-rw-r--r--include/libssh/priv.h23
-rw-r--r--libssh/agent.c215
-rw-r--r--libssh/auth.c154
-rw-r--r--libssh/keys.c51
5 files changed, 397 insertions, 48 deletions
diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
index 03265cb3..8b918e6f 100644
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -331,6 +331,8 @@ int ssh_userauth_none(SSH_SESSION *session, const char *username);
int ssh_userauth_password(SSH_SESSION *session, const char *username, const char *password);
int ssh_userauth_offer_pubkey(SSH_SESSION *session, const char *username, int type, STRING *publickey);
int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publickey, PRIVATE_KEY *privatekey);
+int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
+ PUBLIC_KEY *publickey);
int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase);
int ssh_userauth_kbdint(SSH_SESSION *session, const char *user, const char *submethods);
int ssh_userauth_kbdint_getnprompts(SSH_SESSION *session);
diff --git a/include/libssh/priv.h b/include/libssh/priv.h
index 67cd6bf1..1713e327 100644
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -289,7 +289,7 @@ struct channel_struct {
struct agent_struct {
struct socket *sock;
- STRING *ident;
+ BUFFER *ident;
unsigned int count;
};
@@ -450,7 +450,17 @@ void agent_free(struct agent_struct *agent);
*/
int agent_running(struct ssh_session *session);
-int agent_ident_count(struct ssh_session *session);
+int agent_get_ident_count(struct ssh_session *session);
+
+struct public_key_struct *agent_get_next_ident(struct ssh_session *session,
+ char **comment);
+
+struct public_key_struct *agent_get_first_ident(struct ssh_session *session,
+ char **comment);
+
+STRING *agent_sign_data(struct ssh_session *session,
+ struct buffer_struct *data,
+ struct public_key_struct *pubkey);
#endif
/* socket.c */
@@ -560,11 +570,20 @@ PRIVATE_KEY *_privatekey_from_file(void *session,char *filename,int type);
/* in keys.c */
char *ssh_type_to_char(int type);
+int ssh_type_from_name(char *name);
+
+PRIVATE_KEY *privatekey_make_dss(SSH_SESSION *session, BUFFER *buffer);
+PRIVATE_KEY *privatekey_make_rsa(SSH_SESSION *session, BUFFER *buffer,
+ char *type);
+PRIVATE_KEY *privatekey_from_string(SSH_SESSION *session, STRING *privkey_s);
+
PUBLIC_KEY *publickey_make_dss(SSH_SESSION *session, BUFFER *buffer);
PUBLIC_KEY *publickey_make_rsa(SSH_SESSION *session, BUFFER *buffer,char *type);
PUBLIC_KEY *publickey_from_string(SSH_SESSION *session, STRING *pubkey_s);
SIGNATURE *signature_from_string(SSH_SESSION *session, STRING *signature,PUBLIC_KEY *pubkey,int needed_type);
void signature_free(SIGNATURE *sign);
+STRING *ssh_do_sign_with_agent(struct ssh_session *session,
+ struct buffer_struct *buf, struct public_key_struct *publickey);
STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf,
PRIVATE_KEY *privatekey);
STRING *ssh_sign_session_id(SSH_SESSION *session, PRIVATE_KEY *privatekey);
diff --git a/libssh/agent.c b/libssh/agent.c
index 0c3ee445..7e95a614 100644
--- a/libssh/agent.c
+++ b/libssh/agent.c
@@ -23,6 +23,17 @@
/* This file is based on authfd.c from OpenSSH */
+/*
+ * How does the ssh-agent work?
+ *
+ * a) client sends a request to get a list of all keys
+ * the agent returns the cound and all public keys
+ * b) iterate over them to check if the server likes one
+ * c) the client sends a sign request to the agent
+ * type, pubkey as blob, data to sign, flags
+ * the agent returns the signed data
+ */
+
#ifndef _WIN32
#include <stdlib.h>
@@ -50,7 +61,7 @@ static u32 agent_get_u32(const void *vp) {
v |= (u32)p[2] << 8;
v |= (u32)p[3];
- return (v);
+ return v;
}
static void agent_put_u32(void *vp, u32 v) {
@@ -107,7 +118,7 @@ static size_t atomicio(struct socket *s, void *buf, size_t n, int do_read) {
AGENT *agent_new(struct ssh_session *session) {
AGENT *agent = NULL;
- agent = malloc(sizeof(*agent));
+ agent = calloc(1, sizeof(*agent));
if (agent) {
agent->count = 0;
agent->sock = ssh_socket_new(session);
@@ -124,7 +135,9 @@ void agent_close(struct agent_struct *agent) {
void agent_free(AGENT *agent) {
if (agent) {
- string_free(agent->ident);
+ if (agent->ident) {
+ buffer_free(agent->ident);
+ }
if (agent->sock) {
agent_close(agent);
ssh_socket_free(agent->sock);
@@ -152,76 +165,68 @@ static int agent_connect(SSH_SESSION *session) {
return -1;
}
-static int agent_decode_reply(int type) {
+#if 0
+static int agent_decode_reply(struct ssh_session *session, int type) {
switch (type) {
case SSH_AGENT_FAILURE:
case SSH2_AGENT_FAILURE:
case SSH_COM_AGENT2_FAILURE:
- ssh_say(1, "SSH_AGENT_FAILURE\n");
+ ssh_log(session, SSH_LOG_RARE, "SSH_AGENT_FAILURE");
return 0;
case SSH_AGENT_SUCCESS:
return 1;
default:
+ ssh_set_error(session, SSH_FATAL,
+ "Bad response from authentication agent: %d", type);
/* TODO: fatal */
break;
}
return -1;
}
+#endif
static int agent_talk(struct ssh_session *session,
struct buffer_struct *request, struct buffer_struct *reply) {
- size_t len = 0;
- unsigned char payload[1024] = {0};
+ u32 len = 0;
+ u8 payload[1024] = {0};
len = buffer_get_len(request);
- ssh_say(2, "agent_talk - len of request: %u\n", len);
+ ssh_log(session, SSH_LOG_PACKET, "agent_talk - len of request: %u", len);
agent_put_u32(payload, len);
-#if 0
- /* send length and then the request packet */
- if (ssh_socket_completewrite(session->agent->sock, payload, 4) == SSH_OK) {
- buffer_get_data(request, payload, len);
- fprintf(stderr, "agent_talk - sending request, payload = %u\n", payload[0]);
- if (ssh_socket_completewrite(session->agent->sock, payload, len)
- != SSH_OK) {
- return -1;
- }
- } else {
- return -1;
- }
-#endif
/* send length and then the request packet */
if (atomicio(session->agent->sock, payload, 4, 0) == 4) {
buffer_get_data(request, payload, len);
- ssh_say(2, "agent_talk - sending request, payload = %u\n", payload[0]);
+ ssh_log(session, SSH_LOG_PACKET,
+ "agent_talk - sending request, payload[0] = %u", payload[0]);
if (atomicio(session->agent->sock, payload, len, 0)
!= len) {
+ ssh_log(session, SSH_LOG_PACKET, "atomicio sending request failed: %s",
+ strerror(errno));
return -1;
}
} else {
+ ssh_log(session, SSH_LOG_PACKET,
+ "atomicio sending request length failed: %s",
+ strerror(errno));
return -1;
}
- session->blocking = 0;
-
-#if 0
- /* wait for response, read the length of the response packet */
- if (ssh_socket_read(session->agent->sock, payload, 4) != SSH_OK) {
- fprintf(stderr, "agent_talk - error: %s\n", ssh_get_error(session));
- return -1;
- }
-#endif
/* wait for response, read the length of the response packet */
if (atomicio(session->agent->sock, payload, 4, 1) != 4) {
+ ssh_log(session, SSH_LOG_PACKET, "atomicio read response length failed: %s",
+ strerror(errno));
return -1;
}
len = agent_get_u32(payload);
if (len > 256 * 1024) {
+ ssh_set_error(session, SSH_FATAL,
+ "Authentication response too long: %u", len);
return -1;
}
- ssh_say(2, "agent_talk - response length: %u\n", len);
+ ssh_log(session, SSH_LOG_PACKET, "agent_talk - response length: %u", len);
while (len > 0) {
size_t n = len;
@@ -229,7 +234,8 @@ static int agent_talk(struct ssh_session *session,
n = sizeof(payload);
}
if (atomicio(session->agent->sock, payload, n, 1) != n) {
- ssh_say(1, "Error reading response from authentication socket.");
+ ssh_log(session, SSH_LOG_RARE,
+ "Error reading response from authentication socket.");
return -1;
}
buffer_add_data(reply, payload, n);
@@ -239,12 +245,12 @@ static int agent_talk(struct ssh_session *session,
return 0;
}
-int agent_ident_count(SSH_SESSION *session) {
+int agent_get_ident_count(struct ssh_session *session) {
BUFFER *request = NULL;
BUFFER *reply = NULL;
unsigned int type = 0;
unsigned int c1 = 0, c2 = 0;
- unsigned char buf[4] = {0};
+ u8 buf[4] = {0};
switch (session->version) {
case 1:
@@ -273,26 +279,157 @@ int agent_ident_count(SSH_SESSION *session) {
/* get message type and verify the answer */
buffer_get_u8(reply, (u8 *) &type);
- ssh_say(2, "agent_ident_count - answer type: %d, expected answer: %d\n",
+ ssh_log(session, SSH_LOG_PACKET,
+ "agent_ident_count - answer type: %d, expected answer: %d",
type, c2);
if (agent_failed(type)) {
return 0;
} else if (type != c2) {
- /* TODO: fatal, set ssh error? */
+ ssh_set_error(session, SSH_FATAL,
+ "Bad authentication reply message type: %d", type);
return -1;
}
buffer_get_u32(reply, (u32 *) buf);
session->agent->count = agent_get_u32(buf);
- ssh_say(2, "agent_ident_count - count: %d\n", session->agent->count);
+ ssh_log(session, SSH_LOG_PACKET, "agent_ident_count - count: %d",
+ session->agent->count);
if (session->agent->count > 1024) {
- /* TODO: fatal, set ssh error? */
+ ssh_set_error(session, SSH_FATAL,
+ "Too many identities in authentication reply: %d",
+ session->agent->count);
+ buffer_free(reply);
return -1;
}
+ if (session->agent->ident) {
+ buffer_free(session->agent->ident);
+ }
+ session->agent->ident = reply;
+
return session->agent->count;
}
+/* caller has to free commment */
+struct public_key_struct *agent_get_first_ident(struct ssh_session *session,
+ char **comment) {
+ if (agent_get_ident_count(session) > 0) {
+ return agent_get_next_ident(session, comment);
+ }
+
+ return NULL;
+}
+
+/* caller has to free commment */
+struct public_key_struct *agent_get_next_ident(struct ssh_session *session,
+ char **comment) {
+ struct public_key_struct *pubkey = NULL;
+ struct string_struct *blob = NULL;
+ struct string_struct *tmp = NULL;
+
+ if (session->agent->count == 0) {
+ return NULL;
+ }
+
+ switch(session->version) {
+ case 1:
+ /* TODO */
+ break;
+ case 2:
+ /* get the blob */
+ blob = buffer_get_ssh_string(session->agent->ident);
+ if (blob == NULL) {
+ return NULL;
+ }
+
+ /* get the comment */
+ tmp = buffer_get_ssh_string(session->agent->ident);
+ if (tmp == NULL) {
+ string_free(blob);
+
+ return NULL;
+ }
+
+ if (comment) {
+ *comment = string_to_char(tmp);
+ } else {
+ string_free(blob);
+ string_free(tmp);
+
+ return NULL;
+ }
+ string_free(tmp);
+
+ /* get key from blob */
+ pubkey = publickey_from_string(session, blob);
+ string_free(blob);
+ break;
+ default:
+ return NULL;
+ }
+
+ return pubkey;
+}
+
+STRING *agent_sign_data(struct ssh_session *session,
+ struct buffer_struct *data,
+ struct public_key_struct *pubkey) {
+ struct string_struct *blob = NULL;
+ struct string_struct *sig = NULL;
+ struct buffer_struct *request = NULL;
+ struct buffer_struct *reply = NULL;
+ int type = SSH2_AGENT_FAILURE;
+ int flags = 0;
+ u32 dlen = 0;
+
+ /* create blob from the pubkey */
+ blob = publickey_to_string(pubkey);
+
+ request = buffer_new();
+
+ /* create request */
+ buffer_add_u8(request, SSH2_AGENTC_SIGN_REQUEST);
+
+ /* adds len + blob */
+ buffer_add_ssh_string(request, blob);
+
+ /* Add data */
+ dlen = buffer_get_len(data);
+ buffer_add_u32(request, htonl(dlen));
+ buffer_add_data(request, buffer_get(data), dlen);
+
+ buffer_add_u32(request, htonl(flags));
+
+ string_free(blob);
+
+ reply = buffer_new();
+
+ /* send the request */
+ if (agent_talk(session, request, reply) < 0) {
+ buffer_free(request);
+ return NULL;
+ }
+ buffer_free(request);
+
+ /* check if reply is valid */
+ buffer_get_u8(reply, (u8 *) &type);
+ if (agent_failed(type)) {
+ ssh_log(session, SSH_LOG_RARE, "Agent reports failure in signing the key");
+ buffer_free(reply);
+ return NULL;
+ } else if (type != SSH2_AGENT_SIGN_RESPONSE) {
+ ssh_set_error(session, SSH_FATAL, "Bad authentication response: %d", type);
+ buffer_free(reply);
+ return NULL;
+ }
+
+ sig = buffer_get_ssh_string(reply);
+
+ buffer_free(reply);
+
+ return sig;
+}
+
int agent_running(SSH_SESSION *session) {
if (session == NULL || session->agent == NULL) {
return 0;
diff --git a/libssh/auth.c b/libssh/auth.c
index 2c072adf..3b865b83 100644
--- a/libssh/auth.c
+++ b/libssh/auth.c
@@ -332,6 +332,87 @@ int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publ
return err;
}
+/** \brief Try to authenticate through public key with ssh agent
+ * \param session ssh session
+ * \param username username to authenticate. You can specify NULL if
+ * ssh_option_set_username() has been used. You cannot try two different logins in a row.
+ * \param publickey a public key returned by publickey_from_file()
+ * \param privatekey a private key returned by privatekey_from_file()
+ * \returns SSH_AUTH_ERROR : a serious error happened\n
+ * SSH_AUTH_DENIED : Authentication failed : use another method\n
+ * SSH_AUTH_PARTIAL : You've been partially authenticated, you still have to use another method\n
+ * SSH_AUTH_SUCCESS : Authentication success
+ * \see publickey_from_file()
+ * \see privatekey_from_file()
+ * \see private_key_free()
+ * \see ssh_userauth_offer_pubkey()
+ */
+
+int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
+ PUBLIC_KEY *publickey) {
+ STRING *user;
+ STRING *service;
+ STRING *method;
+ STRING *algo;
+ STRING *key;
+ STRING *sign;
+ int err = SSH_AUTH_ERROR;
+
+ enter_function();
+ if (! agent_running(session)) {
+ return err;
+ }
+
+ if(username == NULL) {
+ if((username = session->options->username) == NULL) {
+ if (ssh_options_default_username(session->options)) {
+ leave_function();
+ return err;
+ } else {
+ username=session->options->username;
+ }
+ }
+ }
+ if (ask_userauth(session)) {
+ leave_function();
+ return err;
+ }
+
+ user = string_from_char(username);
+ service = string_from_char("ssh-connection");
+ method = string_from_char("publickey");
+ algo = string_from_char(ssh_type_to_char(publickey->type));
+ key = publickey_to_string(publickey);
+
+ /* we said previously the public key was accepted */
+ buffer_add_u8(session->out_buffer, SSH2_MSG_USERAUTH_REQUEST);
+ buffer_add_ssh_string(session->out_buffer, user);
+ buffer_add_ssh_string(session->out_buffer, service);
+ buffer_add_ssh_string(session->out_buffer, method);
+ buffer_add_u8(session->out_buffer, 1);
+ buffer_add_ssh_string(session->out_buffer, algo);
+ buffer_add_ssh_string(session->out_buffer, key);
+#if 0
+ sign=ssh_do_sign(session,session->out_buffer,privatekey);
+ sign = agent_sign_data(session, session->out_buffer, publickey);
+#endif
+ sign = ssh_do_sign_with_agent(session, session->out_buffer, publickey);
+
+ if (sign) {
+ buffer_add_ssh_string(session->out_buffer, sign);
+ string_free(sign);
+ packet_send(session);
+ err = wait_auth_status(session,0);
+ }
+ string_free(user);
+ string_free(service);
+ string_free(method);
+ string_free(algo);
+ leave_function();
+
+ return err;
+}
+
/** \brief Try to authenticate by password
* \param session ssh session
* \param username username to authenticate. You can specify NULL if
@@ -421,10 +502,13 @@ int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase) {
int type=0;
int err;
STRING *pubkey;
+ struct public_key_struct *publickey;
char *privkeyfile=NULL;
PRIVATE_KEY *privkey;
- char *id=NULL;
+ char *id = NULL;
+
enter_function();
+
// always testing none
err=ssh_userauth_none(session,NULL);
if(err==SSH_AUTH_ERROR || err==SSH_AUTH_SUCCESS){
@@ -434,13 +518,69 @@ int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase) {
/* try ssh-agent keys first */
#ifndef _WIN32
-#if 0
if (agent_running(session)) {
- ssh_say(1, "SSH Agent is running\n");
- count = agent_ident_count(session);
- ssh_say(1, "SSH Agent has %d key(s)\n", count);
- }
-#endif
+ ssh_log(session, SSH_LOG_RARE,
+ "Trying to authenticate with SSH agent keys");
+
+ for (publickey = agent_get_first_ident(session, &privkeyfile);
+ publickey != NULL;
+ publickey = agent_get_next_ident(session, &privkeyfile)) {
+
+ ssh_log(session, SSH_LOG_RARE, "Trying identity %s", privkeyfile);
+
+ pubkey = publickey_to_string(publickey);
+ if (pubkey) {
+ err = ssh_userauth_offer_pubkey(session, NULL, publickey->type, pubkey);
+ string_free(pubkey);
+ if (err == SSH_AUTH_ERROR) {
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ leave_function();
+
+ return err;
+ } else if (err != SSH_AUTH_SUCCESS) {
+ ssh_log(session, SSH_LOG_PACKET, "Public key refused by server\n");
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ continue;
+ }
+ ssh_log(session, SSH_LOG_RARE, "Public key accepted");
+ /* pubkey accepted by server ! */
+ err = ssh_userauth_agent_pubkey(session, NULL, publickey);
+ if (err == SSH_AUTH_ERROR) {
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ leave_function();
+
+ return err;
+ } else if (err != SSH_AUTH_SUCCESS) {
+ ssh_log(session, SSH_LOG_RARE,
+ "Server accepted public key but refused the signature\n"
+ "It might be a bug of libssh\n");
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ continue;
+ }
+ /* auth success */
+ ssh_log(session, SSH_LOG_RARE, "Authentication using %s success\n",
+ privkeyfile);
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+
+ leave_function();
+
+ return SSH_AUTH_SUCCESS;
+ } /* if pubkey */
+ SAFE_FREE(id);
+ SAFE_FREE(privkeyfile);
+ publickey_free(publickey);
+ } /* for each privkey */
+ } /* if agent is running */
#endif
if(session->options->identity){
diff --git a/libssh/keys.c b/libssh/keys.c
index 2b981ac6..406bcdd8 100644
--- a/libssh/keys.c
+++ b/libssh/keys.c
@@ -45,6 +45,25 @@ char *ssh_type_to_char(int type){
}
}
+int ssh_type_from_name(char *name) {
+ if (strcmp(name, "rsa1") == 0) {
+ return TYPE_RSA1;
+ } else if (strcmp(name, "rsa") == 0) {
+ return TYPE_RSA;
+ } else if (strcmp(name, "dsa") == 0) {
+ return TYPE_DSS;
+ } else if (strcmp(name, "ssh-rsa1") == 0) {
+ return TYPE_RSA1;
+ } else if (strcmp(name, "ssh-rsa") == 0) {
+ return TYPE_RSA;
+ } else if (strcmp(name, "ssh-dss") == 0) {
+ return TYPE_DSS;
+ }
+
+ ssh_say(2, "key_type_from_name: unknown key type '%s'\n", name);
+ return -1;
+}
+
PUBLIC_KEY *publickey_make_dss(SSH_SESSION *session, BUFFER *buffer){
STRING *p,*q,*g,*pubkey;
PUBLIC_KEY *key=malloc(sizeof(PUBLIC_KEY));
@@ -601,6 +620,38 @@ static STRING *RSA_do_sign(void *payload,int len,RSA *privkey){
}
#endif
+STRING *ssh_do_sign_with_agent(struct ssh_session *session,
+ struct buffer_struct *buf, struct public_key_struct *publickey) {
+ struct buffer_struct *sigbuf = NULL;
+ struct string_struct *signature = NULL;
+ struct string_struct *session_id = NULL;
+ struct ssh_crypto_struct *crypto = NULL;
+
+ if (session->current_crypto) {
+ crypto = session->current_crypto;
+ } else {
+ crypto = session->next_crypto;
+ }
+
+ /* prepend session identifier */
+ session_id = string_new(SHA_DIGEST_LEN);
+ string_fill(session_id, crypto->session_id, SHA_DIGEST_LEN);
+
+ sigbuf = buffer_new();
+
+ buffer_add_ssh_string(sigbuf, session_id);
+
+ /* append out buffer */
+ buffer_add_buffer(sigbuf, buf);
+
+ /* create signature */
+ signature = agent_sign_data(session, sigbuf, publickey);
+
+ buffer_free(sigbuf);
+
+ return signature;
+}
+
/* this function signs the session id (known as H) as a string then the content of sigbuf */
STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf, PRIVATE_KEY *privatekey){
SHACTX ctx;