ports/libssh
ports/libssh
1
1
Форкнуть 0
Код Релизы 1 Активность

Complete ssh client agent support.

Просмотр исходного кода 
git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@231 7dcaeef0-15fb-0310-b436-a5af3365683c
Этот коммит содержится в:
Andreas Schneider 2009-02-06 09:46:10 +00:00
родитель 53226f98f2
Коммит 73cde232be
5 изменённых файлов: 397 добавлений и 48 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
include/libssh/libssh.h
Просмотреть файл

@ -331,6 +331,8 @@ int ssh_userauth_none(SSH_SESSION *session, const char *username);
int ssh_userauth_password(SSH_SESSION *session, const char *username, const char *password);
int ssh_userauth_offer_pubkey(SSH_SESSION *session, const char *username, int type, STRING *publickey);
int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publickey, PRIVATE_KEY *privatekey);
int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
PUBLIC_KEY *publickey);
int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase);
int ssh_userauth_kbdint(SSH_SESSION *session, const char *user, const char *submethods);
int ssh_userauth_kbdint_getnprompts(SSH_SESSION *session);

23
include/libssh/priv.h
Просмотреть файл

@ -289,7 +289,7 @@ struct channel_struct {
struct agent_struct {
struct socket *sock;
STRING *ident;
BUFFER *ident;
unsigned int count;
};
@ -450,7 +450,17 @@ void agent_free(struct agent_struct *agent);
*/
int agent_running(struct ssh_session *session);
int agent_ident_count(struct ssh_session *session);
int agent_get_ident_count(struct ssh_session *session);
struct public_key_struct *agent_get_next_ident(struct ssh_session *session,
char **comment);
struct public_key_struct *agent_get_first_ident(struct ssh_session *session,
char **comment);
STRING *agent_sign_data(struct ssh_session *session,
struct buffer_struct *data,
struct public_key_struct *pubkey);
#endif
/* socket.c */
@ -560,11 +570,20 @@ PRIVATE_KEY *_privatekey_from_file(void *session,char *filename,int type);
/* in keys.c */
char *ssh_type_to_char(int type);
int ssh_type_from_name(char *name);
PRIVATE_KEY *privatekey_make_dss(SSH_SESSION *session, BUFFER *buffer);
PRIVATE_KEY *privatekey_make_rsa(SSH_SESSION *session, BUFFER *buffer,
char *type);
PRIVATE_KEY *privatekey_from_string(SSH_SESSION *session, STRING *privkey_s);
PUBLIC_KEY *publickey_make_dss(SSH_SESSION *session, BUFFER *buffer);
PUBLIC_KEY *publickey_make_rsa(SSH_SESSION *session, BUFFER *buffer,char *type);
PUBLIC_KEY *publickey_from_string(SSH_SESSION *session, STRING *pubkey_s);
SIGNATURE *signature_from_string(SSH_SESSION *session, STRING *signature,PUBLIC_KEY *pubkey,int needed_type);
void signature_free(SIGNATURE *sign);
STRING *ssh_do_sign_with_agent(struct ssh_session *session,
struct buffer_struct *buf, struct public_key_struct *publickey);
STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf,
PRIVATE_KEY *privatekey);
STRING *ssh_sign_session_id(SSH_SESSION *session, PRIVATE_KEY *privatekey);

215
libssh/agent.c
Просмотреть файл

@ -23,6 +23,17 @@
/* This file is based on authfd.c from OpenSSH */
/*
* How does the ssh-agent work?
*
* a) client sends a request to get a list of all keys
* the agent returns the cound and all public keys
* b) iterate over them to check if the server likes one
* c) the client sends a sign request to the agent
* type, pubkey as blob, data to sign, flags
* the agent returns the signed data
*/
#ifndef _WIN32
#include <stdlib.h>
@ -50,7 +61,7 @@ static u32 agent_get_u32(const void *vp) {
v |= (u32)p[2] << 8;
v |= (u32)p[3];
return (v);
return v;
}
static void agent_put_u32(void *vp, u32 v) {
@ -107,7 +118,7 @@ static size_t atomicio(struct socket *s, void *buf, size_t n, int do_read) {
AGENT *agent_new(struct ssh_session *session) {
AGENT *agent = NULL;
agent = malloc(sizeof(*agent));
agent = calloc(1, sizeof(*agent));
if (agent) {
agent->count = 0;
agent->sock = ssh_socket_new(session);
@ -124,7 +135,9 @@ void agent_close(struct agent_struct *agent) {
void agent_free(AGENT *agent) {
if (agent) {
string_free(agent->ident);
if (agent->ident) {
buffer_free(agent->ident);
}
if (agent->sock) {
agent_close(agent);
ssh_socket_free(agent->sock);
@ -152,76 +165,68 @@ static int agent_connect(SSH_SESSION *session) {
return -1;
}
static int agent_decode_reply(int type) {
#if 0
static int agent_decode_reply(struct ssh_session *session, int type) {
switch (type) {
case SSH_AGENT_FAILURE:
case SSH2_AGENT_FAILURE:
case SSH_COM_AGENT2_FAILURE:
ssh_say(1, "SSH_AGENT_FAILURE\n");
ssh_log(session, SSH_LOG_RARE, "SSH_AGENT_FAILURE");
return 0;
case SSH_AGENT_SUCCESS:
return 1;
default:
ssh_set_error(session, SSH_FATAL,
"Bad response from authentication agent: %d", type);
/* TODO: fatal */
break;
}
return -1;
}
#endif
static int agent_talk(struct ssh_session *session,
struct buffer_struct *request, struct buffer_struct *reply) {
size_t len = 0;
unsigned char payload[1024] = {0};
u32 len = 0;
u8 payload[1024] = {0};
len = buffer_get_len(request);
ssh_say(2, "agent_talk - len of request: %u\n", len);
ssh_log(session, SSH_LOG_PACKET, "agent_talk - len of request: %u", len);
agent_put_u32(payload, len);
#if 0
/* send length and then the request packet */
if (ssh_socket_completewrite(session->agent->sock, payload, 4) == SSH_OK) {
buffer_get_data(request, payload, len);
fprintf(stderr, "agent_talk - sending request, payload = %u\n", payload[0]);
if (ssh_socket_completewrite(session->agent->sock, payload, len)
!= SSH_OK) {
return -1;
}
} else {
return -1;
}
#endif
/* send length and then the request packet */
if (atomicio(session->agent->sock, payload, 4, 0) == 4) {
buffer_get_data(request, payload, len);
ssh_say(2, "agent_talk - sending request, payload = %u\n", payload[0]);
ssh_log(session, SSH_LOG_PACKET,
"agent_talk - sending request, payload[0] = %u", payload[0]);
if (atomicio(session->agent->sock, payload, len, 0)
!= len) {
ssh_log(session, SSH_LOG_PACKET, "atomicio sending request failed: %s",
strerror(errno));
return -1;
}
} else {
ssh_log(session, SSH_LOG_PACKET,
"atomicio sending request length failed: %s",
strerror(errno));
return -1;
}
session->blocking = 0;
#if 0
/* wait for response, read the length of the response packet */
if (ssh_socket_read(session->agent->sock, payload, 4) != SSH_OK) {
fprintf(stderr, "agent_talk - error: %s\n", ssh_get_error(session));
return -1;
}
#endif
/* wait for response, read the length of the response packet */
if (atomicio(session->agent->sock, payload, 4, 1) != 4) {
ssh_log(session, SSH_LOG_PACKET, "atomicio read response length failed: %s",
strerror(errno));
return -1;
}
len = agent_get_u32(payload);
if (len > 256 * 1024) {
ssh_set_error(session, SSH_FATAL,
"Authentication response too long: %u", len);
return -1;
}
ssh_say(2, "agent_talk - response length: %u\n", len);
ssh_log(session, SSH_LOG_PACKET, "agent_talk - response length: %u", len);
while (len > 0) {
size_t n = len;
@ -229,7 +234,8 @@ static int agent_talk(struct ssh_session *session,
n = sizeof(payload);
}
if (atomicio(session->agent->sock, payload, n, 1) != n) {
ssh_say(1, "Error reading response from authentication socket.");
ssh_log(session, SSH_LOG_RARE,
"Error reading response from authentication socket.");
return -1;
}
buffer_add_data(reply, payload, n);
@ -239,12 +245,12 @@ static int agent_talk(struct ssh_session *session,
return 0;
}
int agent_ident_count(SSH_SESSION *session) {
int agent_get_ident_count(struct ssh_session *session) {
BUFFER *request = NULL;
BUFFER *reply = NULL;
unsigned int type = 0;
unsigned int c1 = 0, c2 = 0;
unsigned char buf[4] = {0};
u8 buf[4] = {0};
switch (session->version) {
case 1:
@ -273,26 +279,157 @@ int agent_ident_count(SSH_SESSION *session) {
/* get message type and verify the answer */
buffer_get_u8(reply, (u8 *) &type);
ssh_say(2, "agent_ident_count - answer type: %d, expected answer: %d\n",
ssh_log(session, SSH_LOG_PACKET,
"agent_ident_count - answer type: %d, expected answer: %d",
type, c2);
if (agent_failed(type)) {
return 0;
} else if (type != c2) {
/* TODO: fatal, set ssh error? */
ssh_set_error(session, SSH_FATAL,
"Bad authentication reply message type: %d", type);
return -1;
}
buffer_get_u32(reply, (u32 *) buf);
session->agent->count = agent_get_u32(buf);
ssh_say(2, "agent_ident_count - count: %d\n", session->agent->count);
ssh_log(session, SSH_LOG_PACKET, "agent_ident_count - count: %d",
session->agent->count);
if (session->agent->count > 1024) {
/* TODO: fatal, set ssh error? */
ssh_set_error(session, SSH_FATAL,
"Too many identities in authentication reply: %d",
session->agent->count);
buffer_free(reply);
return -1;
}
if (session->agent->ident) {
buffer_free(session->agent->ident);
}
session->agent->ident = reply;
return session->agent->count;
}
/* caller has to free commment */
struct public_key_struct *agent_get_first_ident(struct ssh_session *session,
char **comment) {
if (agent_get_ident_count(session) > 0) {
return agent_get_next_ident(session, comment);
}
return NULL;
}
/* caller has to free commment */
struct public_key_struct *agent_get_next_ident(struct ssh_session *session,
char **comment) {
struct public_key_struct *pubkey = NULL;
struct string_struct *blob = NULL;
struct string_struct *tmp = NULL;
if (session->agent->count == 0) {
return NULL;
}
switch(session->version) {
case 1:
/* TODO */
break;
case 2:
/* get the blob */
blob = buffer_get_ssh_string(session->agent->ident);
if (blob == NULL) {
return NULL;
}
/* get the comment */
tmp = buffer_get_ssh_string(session->agent->ident);
if (tmp == NULL) {
string_free(blob);
return NULL;
}
if (comment) {
*comment = string_to_char(tmp);
} else {
string_free(blob);
string_free(tmp);
return NULL;
}
string_free(tmp);
/* get key from blob */
pubkey = publickey_from_string(session, blob);
string_free(blob);
break;
default:
return NULL;
}
return pubkey;
}
STRING *agent_sign_data(struct ssh_session *session,
struct buffer_struct *data,
struct public_key_struct *pubkey) {
struct string_struct *blob = NULL;
struct string_struct *sig = NULL;
struct buffer_struct *request = NULL;
struct buffer_struct *reply = NULL;
int type = SSH2_AGENT_FAILURE;
int flags = 0;
u32 dlen = 0;
/* create blob from the pubkey */
blob = publickey_to_string(pubkey);
request = buffer_new();
/* create request */
buffer_add_u8(request, SSH2_AGENTC_SIGN_REQUEST);
/* adds len + blob */
buffer_add_ssh_string(request, blob);
/* Add data */
dlen = buffer_get_len(data);
buffer_add_u32(request, htonl(dlen));
buffer_add_data(request, buffer_get(data), dlen);
buffer_add_u32(request, htonl(flags));
string_free(blob);
reply = buffer_new();
/* send the request */
if (agent_talk(session, request, reply) < 0) {
buffer_free(request);
return NULL;
}
buffer_free(request);
/* check if reply is valid */
buffer_get_u8(reply, (u8 *) &type);
if (agent_failed(type)) {
ssh_log(session, SSH_LOG_RARE, "Agent reports failure in signing the key");
buffer_free(reply);
return NULL;
} else if (type != SSH2_AGENT_SIGN_RESPONSE) {
ssh_set_error(session, SSH_FATAL, "Bad authentication response: %d", type);
buffer_free(reply);
return NULL;
}
sig = buffer_get_ssh_string(reply);
buffer_free(reply);
return sig;
}
int agent_running(SSH_SESSION *session) {
if (session == NULL || session->agent == NULL) {
return 0;

154
libssh/auth.c
Просмотреть файл

@ -332,6 +332,87 @@ int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publ
return err;
}
/** \brief Try to authenticate through public key with ssh agent
* \param session ssh session
* \param username username to authenticate. You can specify NULL if
* ssh_option_set_username() has been used. You cannot try two different logins in a row.
* \param publickey a public key returned by publickey_from_file()
* \param privatekey a private key returned by privatekey_from_file()
* \returns SSH_AUTH_ERROR : a serious error happened\n
* SSH_AUTH_DENIED : Authentication failed : use another method\n
* SSH_AUTH_PARTIAL : You've been partially authenticated, you still have to use another method\n
* SSH_AUTH_SUCCESS : Authentication success
* \see publickey_from_file()
* \see privatekey_from_file()
* \see private_key_free()
* \see ssh_userauth_offer_pubkey()
*/
int ssh_userauth_agent_pubkey(SSH_SESSION *session, const char *username,
PUBLIC_KEY *publickey) {
STRING *user;
STRING *service;
STRING *method;
STRING *algo;
STRING *key;
STRING *sign;
int err = SSH_AUTH_ERROR;
enter_function();
if (! agent_running(session)) {
return err;
}
if(username == NULL) {
if((username = session->options->username) == NULL) {
if (ssh_options_default_username(session->options)) {
leave_function();
return err;
} else {
username=session->options->username;
}
}
}
if (ask_userauth(session)) {
leave_function();
return err;
}
user = string_from_char(username);
service = string_from_char("ssh-connection");
method = string_from_char("publickey");
algo = string_from_char(ssh_type_to_char(publickey->type));
key = publickey_to_string(publickey);
/* we said previously the public key was accepted */
buffer_add_u8(session->out_buffer, SSH2_MSG_USERAUTH_REQUEST);
buffer_add_ssh_string(session->out_buffer, user);
buffer_add_ssh_string(session->out_buffer, service);
buffer_add_ssh_string(session->out_buffer, method);
buffer_add_u8(session->out_buffer, 1);
buffer_add_ssh_string(session->out_buffer, algo);
buffer_add_ssh_string(session->out_buffer, key);
#if 0
sign=ssh_do_sign(session,session->out_buffer,privatekey);
sign = agent_sign_data(session, session->out_buffer, publickey);
#endif
sign = ssh_do_sign_with_agent(session, session->out_buffer, publickey);
if (sign) {
buffer_add_ssh_string(session->out_buffer, sign);
string_free(sign);
packet_send(session);
err = wait_auth_status(session,0);
}
string_free(user);
string_free(service);
string_free(method);
string_free(algo);
leave_function();
return err;
}
/** \brief Try to authenticate by password
* \param session ssh session
* \param username username to authenticate. You can specify NULL if
@ -421,10 +502,13 @@ int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase) {
int type=0;
int err;
STRING *pubkey;
struct public_key_struct *publickey;
char *privkeyfile=NULL;
PRIVATE_KEY *privkey;
char *id=NULL;
char *id = NULL;
enter_function();
// always testing none
err=ssh_userauth_none(session,NULL);
if(err==SSH_AUTH_ERROR || err==SSH_AUTH_SUCCESS){
@ -434,13 +518,69 @@ int ssh_userauth_autopubkey(SSH_SESSION *session, const char *passphrase) {
/* try ssh-agent keys first */
#ifndef _WIN32
#if 0
if (agent_running(session)) {
ssh_say(1, "SSH Agent is running\n");
count = agent_ident_count(session);
ssh_say(1, "SSH Agent has %d key(s)\n", count);
}
#endif
ssh_log(session, SSH_LOG_RARE,
"Trying to authenticate with SSH agent keys");
for (publickey = agent_get_first_ident(session, &privkeyfile);
publickey != NULL;
publickey = agent_get_next_ident(session, &privkeyfile)) {
ssh_log(session, SSH_LOG_RARE, "Trying identity %s", privkeyfile);
pubkey = publickey_to_string(publickey);
if (pubkey) {
err = ssh_userauth_offer_pubkey(session, NULL, publickey->type, pubkey);
string_free(pubkey);
if (err == SSH_AUTH_ERROR) {
SAFE_FREE(id);
SAFE_FREE(privkeyfile);
publickey_free(publickey);
leave_function();
return err;
} else if (err != SSH_AUTH_SUCCESS) {
ssh_log(session, SSH_LOG_PACKET, "Public key refused by server\n");
SAFE_FREE(id);
SAFE_FREE(privkeyfile);
publickey_free(publickey);
continue;
}
ssh_log(session, SSH_LOG_RARE, "Public key accepted");
/* pubkey accepted by server ! */
err = ssh_userauth_agent_pubkey(session, NULL, publickey);
if (err == SSH_AUTH_ERROR) {
SAFE_FREE(id);
SAFE_FREE(privkeyfile);
publickey_free(publickey);
leave_function();
return err;
} else if (err != SSH_AUTH_SUCCESS) {
ssh_log(session, SSH_LOG_RARE,
"Server accepted public key but refused the signature\n"
"It might be a bug of libssh\n");
SAFE_FREE(id);
SAFE_FREE(privkeyfile);
publickey_free(publickey);
continue;
}
/* auth success */
ssh_log(session, SSH_LOG_RARE, "Authentication using %s success\n",
privkeyfile);
SAFE_FREE(id);
SAFE_FREE(privkeyfile);
publickey_free(publickey);
leave_function();
return SSH_AUTH_SUCCESS;
} /* if pubkey */
SAFE_FREE(id);
SAFE_FREE(privkeyfile);
publickey_free(publickey);
} /* for each privkey */
} /* if agent is running */
#endif
if(session->options->identity){

51
libssh/keys.c
Просмотреть файл

@ -45,6 +45,25 @@ char *ssh_type_to_char(int type){
}
}
int ssh_type_from_name(char *name) {
if (strcmp(name, "rsa1") == 0) {
return TYPE_RSA1;
} else if (strcmp(name, "rsa") == 0) {
return TYPE_RSA;
} else if (strcmp(name, "dsa") == 0) {
return TYPE_DSS;
} else if (strcmp(name, "ssh-rsa1") == 0) {
return TYPE_RSA1;
} else if (strcmp(name, "ssh-rsa") == 0) {
return TYPE_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return TYPE_DSS;
}
ssh_say(2, "key_type_from_name: unknown key type '%s'\n", name);
return -1;
}
PUBLIC_KEY *publickey_make_dss(SSH_SESSION *session, BUFFER *buffer){
STRING *p,*q,*g,*pubkey;
PUBLIC_KEY *key=malloc(sizeof(PUBLIC_KEY));
@ -601,6 +620,38 @@ static STRING *RSA_do_sign(void *payload,int len,RSA *privkey){
}
#endif
STRING *ssh_do_sign_with_agent(struct ssh_session *session,
struct buffer_struct *buf, struct public_key_struct *publickey) {
struct buffer_struct *sigbuf = NULL;
struct string_struct *signature = NULL;
struct string_struct *session_id = NULL;
struct ssh_crypto_struct *crypto = NULL;
if (session->current_crypto) {
crypto = session->current_crypto;
} else {
crypto = session->next_crypto;
}
/* prepend session identifier */
session_id = string_new(SHA_DIGEST_LEN);
string_fill(session_id, crypto->session_id, SHA_DIGEST_LEN);
sigbuf = buffer_new();
buffer_add_ssh_string(sigbuf, session_id);
/* append out buffer */
buffer_add_buffer(sigbuf, buf);
/* create signature */
signature = agent_sign_data(session, sigbuf, publickey);
buffer_free(sigbuf);
return signature;
}
/* this function signs the session id (known as H) as a string then the content of sigbuf */
STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf, PRIVATE_KEY *privatekey){
SHACTX ctx;