sshconnect1.c 21.4 KB
Newer Older
1
/* $OpenBSD: sshconnect1.c,v 1.72 2013/09/02 22:00:34 deraadt Exp $ */
2 3 4 5 6 7 8
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Code to connect to a remote host, and to perform the client side of the
 * login (authentication) dialog.
 *
9 10 11 12 13
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
14 15 16 17
 */

#include "includes.h"

18 19 20
#include <sys/types.h>
#include <sys/socket.h>

21
#include <openssl/bn.h>
22
#include <openssl/md5.h>
23

24
#include <stdarg.h>
25
#include <stdio.h>
26
#include <stdlib.h>
27
#include <string.h>
28 29
#include <signal.h>
#include <pwd.h>
30

31
#include "xmalloc.h"
32 33
#include "ssh.h"
#include "ssh1.h"
34 35 36
#include "rsa.h"
#include "buffer.h"
#include "packet.h"
37 38
#include "key.h"
#include "cipher.h"
39
#include "kex.h"
40
#include "uidswap.h"
41
#include "log.h"
42
#include "readconf.h"
43
#include "authfd.h"
44 45
#include "sshconnect.h"
#include "authfile.h"
46
#include "misc.h"
47
#include "canohost.h"
48
#include "hostfile.h"
49
#include "auth.h"
50 51

/* Session id for the current session. */
52 53
u_char session_id[16];
u_int supported_authentications = 0;
54 55 56 57 58 59 60 61

extern Options options;
extern char *__progname;

/*
 * Checks if the user has an authentication agent, and if so, tries to
 * authenticate using the agent.
 */
62
static int
63
try_agent_authentication(void)
64
{
65
	int type;
66 67
	char *comment;
	AuthenticationConnection *auth;
68 69
	u_char response[16];
	u_int i;
70 71
	Key *key;
	BIGNUM *challenge;
72 73 74 75 76 77

	/* Get connection to the agent. */
	auth = ssh_get_authentication_connection();
	if (!auth)
		return 0;

78 79
	if ((challenge = BN_new()) == NULL)
		fatal("try_agent_authentication: BN_new failed");
80
	/* Loop through identities served by the agent. */
81
	for (key = ssh_get_first_identity(auth, &comment, 1);
82 83
	    key != NULL;
	    key = ssh_get_next_identity(auth, &comment, 1)) {
84 85 86

		/* Try this identity. */
		debug("Trying RSA authentication via agent with '%.100s'", comment);
87
		free(comment);
88 89 90

		/* Tell the server that we are willing to authenticate using this key. */
		packet_start(SSH_CMSG_AUTH_RSA);
91
		packet_put_bignum(key->rsa->n);
92 93 94 95
		packet_send();
		packet_write_wait();

		/* Wait for server's response. */
96
		type = packet_read();
97

98
		/* The server sends failure if it doesn't like our key or
99 100 101
		   does not support RSA authentication. */
		if (type == SSH_SMSG_FAILURE) {
			debug("Server refused our key.");
102
			key_free(key);
103 104 105 106 107 108 109
			continue;
		}
		/* Otherwise it should have sent a challenge. */
		if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
			packet_disconnect("Protocol error during RSA authentication: %d",
					  type);

110
		packet_get_bignum(challenge);
111
		packet_check_eom();
112 113 114 115

		debug("Received RSA challenge from server.");

		/* Ask the agent to decrypt the challenge. */
116 117 118 119 120 121
		if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
			/*
			 * The agent failed to authenticate this identifier
			 * although it advertised it supports this.  Just
			 * return a wrong value.
			 */
122
			logit("Authentication agent failed to decrypt challenge.");
123 124
			memset(response, 0, sizeof(response));
		}
125
		key_free(key);
126 127 128 129 130 131 132 133 134 135
		debug("Sending response to RSA challenge.");

		/* Send the decrypted challenge back to the server. */
		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
		for (i = 0; i < 16; i++)
			packet_put_char(response[i]);
		packet_send();
		packet_write_wait();

		/* Wait for response from the server. */
136
		type = packet_read();
137 138 139

		/* The server returns success if it accepted the authentication. */
		if (type == SSH_SMSG_SUCCESS) {
Ben Lindstrom's avatar
Ben Lindstrom committed
140
			ssh_close_authentication_connection(auth);
141
			BN_clear_free(challenge);
142
			debug("RSA authentication accepted by server.");
143 144 145 146 147 148 149
			return 1;
		}
		/* Otherwise it should return failure. */
		if (type != SSH_SMSG_FAILURE)
			packet_disconnect("Protocol error waiting RSA auth response: %d",
					  type);
	}
Ben Lindstrom's avatar
Ben Lindstrom committed
150
	ssh_close_authentication_connection(auth);
151 152 153 154 155 156 157 158 159
	BN_clear_free(challenge);
	debug("RSA authentication using agent refused.");
	return 0;
}

/*
 * Computes the proper response to a RSA challenge, and sends the response to
 * the server.
 */
160
static void
161 162
respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
{
163
	u_char buf[32], response[16];
164 165 166 167
	MD5_CTX md;
	int i, len;

	/* Decrypt the challenge using the private key. */
168 169 170 171
	/* XXX think about Bleichenbacher, too */
	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
		packet_disconnect(
		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
172 173 174 175

	/* Compute the response. */
	/* The response is MD5 of decrypted challenge plus session id. */
	len = BN_num_bytes(challenge);
176
	if (len <= 0 || (u_int)len > sizeof(buf))
177 178
		packet_disconnect(
		    "respond_to_rsa_challenge: bad challenge length %d", len);
179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204

	memset(buf, 0, sizeof(buf));
	BN_bn2bin(challenge, buf + sizeof(buf) - len);
	MD5_Init(&md);
	MD5_Update(&md, buf, 32);
	MD5_Update(&md, session_id, 16);
	MD5_Final(response, &md);

	debug("Sending response to host key RSA challenge.");

	/* Send the response back to the server. */
	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
	for (i = 0; i < 16; i++)
		packet_put_char(response[i]);
	packet_send();
	packet_write_wait();

	memset(buf, 0, sizeof(buf));
	memset(response, 0, sizeof(response));
	memset(&md, 0, sizeof(md));
}

/*
 * Checks if the user has authentication file, and if so, tries to authenticate
 * the user using it.
 */
205
static int
206
try_rsa_authentication(int idx)
207 208
{
	BIGNUM *challenge;
209
	Key *public, *private;
210
	char buf[300], *passphrase, *comment, *authfile;
211
	int i, perm_ok = 1, type, quit;
212

213 214 215 216
	public = options.identity_keys[idx];
	authfile = options.identity_files[idx];
	comment = xstrdup(authfile);

217 218 219 220 221 222 223 224 225
	debug("Trying RSA authentication with key '%.100s'", comment);

	/* Tell the server that we are willing to authenticate using this key. */
	packet_start(SSH_CMSG_AUTH_RSA);
	packet_put_bignum(public->rsa->n);
	packet_send();
	packet_write_wait();

	/* Wait for server's response. */
226
	type = packet_read();
227 228

	/*
229 230
	 * The server responds with failure if it doesn't like our key or
	 * doesn't support RSA authentication.
231 232 233
	 */
	if (type == SSH_SMSG_FAILURE) {
		debug("Server refused our key.");
234
		free(comment);
235 236 237 238 239 240 241
		return 0;
	}
	/* Otherwise, the server should respond with a challenge. */
	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
		packet_disconnect("Protocol error during RSA authentication: %d", type);

	/* Get the challenge from the packet. */
242 243
	if ((challenge = BN_new()) == NULL)
		fatal("try_rsa_authentication: BN_new failed");
244
	packet_get_bignum(challenge);
245
	packet_check_eom();
246 247 248 249

	debug("Received RSA challenge from server.");

	/*
250 251
	 * If the key is not stored in external hardware, we have to
	 * load the private key.  Try first with empty passphrase; if it
252 253
	 * fails, ask for a passphrase.
	 */
254
	if (public->flags & KEY_FLAG_EXT)
255 256
		private = public;
	else
257 258 259
		private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
		    &perm_ok);
	if (private == NULL && !options.batch_mode && perm_ok) {
260 261 262
		snprintf(buf, sizeof(buf),
		    "Enter passphrase for RSA key '%.100s': ", comment);
		for (i = 0; i < options.number_of_password_prompts; i++) {
263
			passphrase = read_passphrase(buf, 0);
264 265
			if (strcmp(passphrase, "") != 0) {
				private = key_load_private_type(KEY_RSA1,
266
				    authfile, passphrase, NULL, NULL);
267 268 269 270 271
				quit = 0;
			} else {
				debug2("no passphrase given, try next key");
				quit = 1;
			}
272
			memset(passphrase, 0, strlen(passphrase));
273
			free(passphrase);
274 275 276
			if (private != NULL || quit)
				break;
			debug2("bad passphrase given, try again...");
277 278 279
		}
	}
	/* We no longer need the comment. */
280
	free(comment);
281

282
	if (private == NULL) {
283
		if (!options.batch_mode && perm_ok)
284 285 286 287 288 289 290 291 292 293
			error("Bad passphrase.");

		/* Send a dummy response packet to avoid protocol error. */
		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
		for (i = 0; i < 16; i++)
			packet_put_char(0);
		packet_send();
		packet_write_wait();

		/* Expect the server to reject it... */
294
		packet_read_expect(SSH_SMSG_FAILURE);
295 296 297 298
		BN_clear_free(challenge);
		return 0;
	}

299 300 301
	/* Compute and send a response to the challenge. */
	respond_to_rsa_challenge(challenge, private->rsa);

302 303 304
	/* Destroy the private key unless it in external hardware. */
	if (!(private->flags & KEY_FLAG_EXT))
		key_free(private);
305 306 307 308 309

	/* We no longer need the challenge. */
	BN_clear_free(challenge);

	/* Wait for response from the server. */
310
	type = packet_read();
311 312 313 314 315 316 317 318 319 320 321 322 323 324
	if (type == SSH_SMSG_SUCCESS) {
		debug("RSA authentication accepted by server.");
		return 1;
	}
	if (type != SSH_SMSG_FAILURE)
		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
	debug("RSA authentication refused.");
	return 0;
}

/*
 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
 * authentication and RSA host authentication.
 */
325
static int
326
try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
327 328 329 330 331 332 333 334
{
	int type;
	BIGNUM *challenge;

	debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");

	/* Tell the server that we are willing to authenticate using this key. */
	packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
335
	packet_put_cstring(local_user);
336 337 338
	packet_put_int(BN_num_bits(host_key->rsa->n));
	packet_put_bignum(host_key->rsa->e);
	packet_put_bignum(host_key->rsa->n);
339 340 341 342
	packet_send();
	packet_write_wait();

	/* Wait for server's response. */
343
	type = packet_read();
344 345 346 347 348 349 350 351 352 353 354 355

	/* The server responds with failure if it doesn't admit our
	   .rhosts authentication or doesn't know our host key. */
	if (type == SSH_SMSG_FAILURE) {
		debug("Server refused our rhosts authentication or host key.");
		return 0;
	}
	/* Otherwise, the server should respond with a challenge. */
	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
		packet_disconnect("Protocol error during RSA authentication: %d", type);

	/* Get the challenge from the packet. */
356 357
	if ((challenge = BN_new()) == NULL)
		fatal("try_rhosts_rsa_authentication: BN_new failed");
358
	packet_get_bignum(challenge);
359
	packet_check_eom();
360 361 362 363

	debug("Received RSA challenge for host key from server.");

	/* Compute a response to the challenge. */
364
	respond_to_rsa_challenge(challenge, host_key->rsa);
365 366 367 368 369

	/* We no longer need the challenge. */
	BN_clear_free(challenge);

	/* Wait for response from the server. */
370
	type = packet_read();
371 372 373 374 375 376 377 378 379 380 381 382 383 384
	if (type == SSH_SMSG_SUCCESS) {
		debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
		return 1;
	}
	if (type != SSH_SMSG_FAILURE)
		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
	debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
	return 0;
}

/*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
 */
385
static int
386
try_challenge_response_authentication(void)
387 388
{
	int type, i;
389
	u_int clen;
390
	char prompt[1024];
391
	char *challenge, *response;
392 393 394

	debug("Doing challenge response authentication.");

395
	for (i = 0; i < options.number_of_password_prompts; i++) {
396 397 398 399 400
		/* request a challenge */
		packet_start(SSH_CMSG_AUTH_TIS);
		packet_send();
		packet_write_wait();

401
		type = packet_read();
402 403 404
		if (type != SSH_SMSG_FAILURE &&
		    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
			packet_disconnect("Protocol error: got %d in response "
405
			    "to SSH_CMSG_AUTH_TIS", type);
406 407
		}
		if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
408
			debug("No challenge.");
409 410 411
			return 0;
		}
		challenge = packet_get_string(&clen);
412
		packet_check_eom();
413
		snprintf(prompt, sizeof prompt, "%s%s", challenge,
414
		    strchr(challenge, '\n') ? "" : "\nResponse: ");
415
		free(challenge);
416 417
		if (i != 0)
			error("Permission denied, please try again.");
418
		if (options.cipher == SSH_CIPHER_NONE)
419
			logit("WARNING: Encryption is disabled! "
420
			    "Response will be transmitted in clear text.");
421 422
		response = read_passphrase(prompt, 0);
		if (strcmp(response, "") == 0) {
423
			free(response);
424 425
			break;
		}
426
		packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
Damien Miller's avatar
Damien Miller committed
427
		ssh_put_password(response);
428
		memset(response, 0, strlen(response));
429
		free(response);
430 431
		packet_send();
		packet_write_wait();
432
		type = packet_read();
433 434 435 436
		if (type == SSH_SMSG_SUCCESS)
			return 1;
		if (type != SSH_SMSG_FAILURE)
			packet_disconnect("Protocol error: got %d in response "
437
			    "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
438 439 440 441 442 443 444 445
	}
	/* failure */
	return 0;
}

/*
 * Tries to authenticate with plain passwd authentication.
 */
446
static int
447 448
try_password_authentication(char *prompt)
{
449
	int type, i;
450 451 452 453
	char *password;

	debug("Doing password authentication.");
	if (options.cipher == SSH_CIPHER_NONE)
454
		logit("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
455 456 457 458 459
	for (i = 0; i < options.number_of_password_prompts; i++) {
		if (i != 0)
			error("Permission denied, please try again.");
		password = read_passphrase(prompt, 0);
		packet_start(SSH_CMSG_AUTH_PASSWORD);
Damien Miller's avatar
Damien Miller committed
460
		ssh_put_password(password);
461
		memset(password, 0, strlen(password));
462
		free(password);
463 464 465
		packet_send();
		packet_write_wait();

466
		type = packet_read();
467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483
		if (type == SSH_SMSG_SUCCESS)
			return 1;
		if (type != SSH_SMSG_FAILURE)
			packet_disconnect("Protocol error: got %d in response to passwd auth", type);
	}
	/* failure */
	return 0;
}

/*
 * SSH1 key exchange
 */
void
ssh_kex(char *host, struct sockaddr *hostaddr)
{
	int i;
	BIGNUM *key;
484
	Key *host_key, *server_key;
485 486
	int bits, rbits;
	int ssh_cipher_default = SSH_CIPHER_3DES;
487 488 489 490
	u_char session_key[SSH_SESSION_KEY_LENGTH];
	u_char cookie[8];
	u_int supported_ciphers;
	u_int server_flags, client_flags;
491
	u_int32_t rnd = 0;
492 493 494 495

	debug("Waiting for server public key.");

	/* Wait for a public key packet from the server. */
496
	packet_read_expect(SSH_SMSG_PUBLIC_KEY);
497 498 499 500 501 502

	/* Get cookie from the packet. */
	for (i = 0; i < 8; i++)
		cookie[i] = packet_get_char();

	/* Get the public key. */
503 504
	server_key = key_new(KEY_RSA1);
	bits = packet_get_int();
505 506
	packet_get_bignum(server_key->rsa->e);
	packet_get_bignum(server_key->rsa->n);
507

508
	rbits = BN_num_bits(server_key->rsa->n);
509
	if (bits != rbits) {
510
		logit("Warning: Server lies about size of server public key: "
511
		    "actual size is %d bits vs. announced %d.", rbits, bits);
512
		logit("Warning: This may be due to an old implementation of ssh.");
513 514
	}
	/* Get the host key. */
515 516
	host_key = key_new(KEY_RSA1);
	bits = packet_get_int();
517 518
	packet_get_bignum(host_key->rsa->e);
	packet_get_bignum(host_key->rsa->n);
519

520
	rbits = BN_num_bits(host_key->rsa->n);
521
	if (bits != rbits) {
522
		logit("Warning: Server lies about size of server host key: "
523
		    "actual size is %d bits vs. announced %d.", rbits, bits);
524
		logit("Warning: This may be due to an old implementation of ssh.");
525 526 527 528 529 530 531 532
	}

	/* Get protocol flags. */
	server_flags = packet_get_int();
	packet_set_protocol_flags(server_flags);

	supported_ciphers = packet_get_int();
	supported_authentications = packet_get_int();
533
	packet_check_eom();
534 535

	debug("Received server public key (%d bits) and host key (%d bits).",
536
	    BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
537

538
	if (verify_host_key(host, hostaddr, host_key) == -1)
539
		fatal("Host key verification failed.");
540 541 542

	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;

543
	derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id);
544 545 546 547 548 549 550 551

	/*
	 * Generate an encryption key for the session.   The key is a 256 bit
	 * random number, interpreted as a 32-byte key, with the least
	 * significant 8 bits being the first byte of the key.
	 */
	for (i = 0; i < 32; i++) {
		if (i % 4 == 0)
552 553 554
			rnd = arc4random();
		session_key[i] = rnd & 0xff;
		rnd >>= 8;
555 556 557 558 559 560 561
	}

	/*
	 * According to the protocol spec, the first byte of the session key
	 * is the highest byte of the integer.  The session key is xored with
	 * the first 16 bytes of the session id.
	 */
562
	if ((key = BN_new()) == NULL)
563 564 565
		fatal("ssh_kex: BN_new failed");
	if (BN_set_word(key, 0) == 0)
		fatal("ssh_kex: BN_set_word failed");
566
	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
567 568 569 570 571 572 573 574 575 576
		if (BN_lshift(key, key, 8) == 0)
			fatal("ssh_kex: BN_lshift failed");
		if (i < 16) {
			if (BN_add_word(key, session_key[i] ^ session_id[i])
			    == 0)
				fatal("ssh_kex: BN_add_word failed");
		} else {
			if (BN_add_word(key, session_key[i]) == 0)
				fatal("ssh_kex: BN_add_word failed");
		}
577 578 579 580 581 582
	}

	/*
	 * Encrypt the integer using the public key and host key of the
	 * server (key with smaller modulus first).
	 */
583
	if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) {
584
		/* Public key has smaller modulus. */
585 586 587
		if (BN_num_bits(host_key->rsa->n) <
		    BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
			fatal("respond_to_rsa_challenge: host_key %d < server_key %d + "
588
			    "SSH_KEY_BITS_RESERVED %d",
589 590
			    BN_num_bits(host_key->rsa->n),
			    BN_num_bits(server_key->rsa->n),
591
			    SSH_KEY_BITS_RESERVED);
592
		}
593 594
		rsa_public_encrypt(key, key, server_key->rsa);
		rsa_public_encrypt(key, key, host_key->rsa);
595 596
	} else {
		/* Host key has smaller modulus (or they are equal). */
597 598 599
		if (BN_num_bits(server_key->rsa->n) <
		    BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
			fatal("respond_to_rsa_challenge: server_key %d < host_key %d + "
600
			    "SSH_KEY_BITS_RESERVED %d",
601 602
			    BN_num_bits(server_key->rsa->n),
			    BN_num_bits(host_key->rsa->n),
603
			    SSH_KEY_BITS_RESERVED);
604
		}
605 606
		rsa_public_encrypt(key, key, host_key->rsa);
		rsa_public_encrypt(key, key, server_key->rsa);
607 608 609
	}

	/* Destroy the public keys since we no longer need them. */
610 611
	key_free(server_key);
	key_free(host_key);
612

613 614 615
	if (options.cipher == SSH_CIPHER_NOT_SET) {
		if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
			options.cipher = ssh_cipher_default;
616
	} else if (options.cipher == SSH_CIPHER_INVALID ||
617
	    !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
618
		logit("No valid SSH1 cipher, using %.100s instead.",
619 620
		    cipher_name(ssh_cipher_default));
		options.cipher = ssh_cipher_default;
621 622 623 624
	}
	/* Check that the selected cipher is supported. */
	if (!(supported_ciphers & (1 << options.cipher)))
		fatal("Selected cipher type %.100s not supported by server.",
625
		    cipher_name(options.cipher));
626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659

	debug("Encryption type: %.100s", cipher_name(options.cipher));

	/* Send the encrypted session key to the server. */
	packet_start(SSH_CMSG_SESSION_KEY);
	packet_put_char(options.cipher);

	/* Send the cookie back to the server. */
	for (i = 0; i < 8; i++)
		packet_put_char(cookie[i]);

	/* Send and destroy the encrypted encryption key integer. */
	packet_put_bignum(key);
	BN_clear_free(key);

	/* Send protocol flags. */
	packet_put_int(client_flags);

	/* Send the packet now. */
	packet_send();
	packet_write_wait();

	debug("Sent encrypted session key.");

	/* Set the encryption key. */
	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);

	/* We will no longer need the session key here.  Destroy any extra copies. */
	memset(session_key, 0, sizeof(session_key));

	/*
	 * Expect a success message from the server.  Note that this message
	 * will be received in encrypted form.
	 */
660
	packet_read_expect(SSH_SMSG_SUCCESS);
661 662 663 664 665 666 667 668

	debug("Received encrypted confirmation.");
}

/*
 * Authenticate user
 */
void
669
ssh_userauth1(const char *local_user, const char *server_user, char *host,
670
    Sensitive *sensitive)
671 672
{
	int i, type;
673

674
	if (supported_authentications == 0)
675
		fatal("ssh_userauth1: server supports no auth methods");
676 677 678

	/* Send the name of the user to log in as on the server. */
	packet_start(SSH_CMSG_USER);
679
	packet_put_cstring(server_user);
680 681 682 683 684 685 686 687
	packet_send();
	packet_write_wait();

	/*
	 * The server should respond with success if no authentication is
	 * needed (the user has no password).  Otherwise the server responds
	 * with failure.
	 */
688
	type = packet_read();
689 690 691

	/* check whether the connection was accepted without authentication. */
	if (type == SSH_SMSG_SUCCESS)
692
		goto success;
693
	if (type != SSH_SMSG_FAILURE)
694
		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
695

696 697 698 699 700
	/*
	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
	 * authentication.
	 */
	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
701
	    options.rhosts_rsa_authentication) {
702 703 704 705 706
		for (i = 0; i < sensitive->nkeys; i++) {
			if (sensitive->keys[i] != NULL &&
			    sensitive->keys[i]->type == KEY_RSA1 &&
			    try_rhosts_rsa_authentication(local_user,
			    sensitive->keys[i]))
707
				goto success;
708
		}
709 710 711 712 713 714 715 716 717 718
	}
	/* Try RSA authentication if the server supports it. */
	if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
	    options.rsa_authentication) {
		/*
		 * Try RSA authentication using the authentication agent. The
		 * agent is tried first because no passphrase is needed for
		 * it, whereas identity files may require passphrases.
		 */
		if (try_agent_authentication())
719
			goto success;
720 721 722

		/* Try RSA authentication for each identity. */
		for (i = 0; i < options.num_identity_files; i++)
723 724
			if (options.identity_keys[i] != NULL &&
			    options.identity_keys[i]->type == KEY_RSA1 &&
725
			    try_rsa_authentication(i))
726
				goto success;
727
	}
728
	/* Try challenge response authentication if the server supports it. */
729
	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
730 731
	    options.challenge_response_authentication && !options.batch_mode) {
		if (try_challenge_response_authentication())
732
			goto success;
733 734 735 736 737 738
	}
	/* Try password authentication if the server supports it. */
	if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
	    options.password_authentication && !options.batch_mode) {
		char prompt[80];

739
		snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
740 741
		    server_user, host);
		if (try_password_authentication(prompt))
742
			goto success;
743 744 745 746
	}
	/* All authentication methods have failed.  Exit with an error message. */
	fatal("Permission denied.");
	/* NOTREACHED */
747 748

 success:
Damien Miller's avatar
Damien Miller committed
749
	return;	/* need statement after label */
750
}