Asynchronous authentication works !
Этот коммит содержится в:
Aris Adamantiadis
родитель
682ed18123
Коммит
a229cb4676
@ -22,7 +22,47 @@
|
||||
#ifndef AUTH_H_
|
||||
#define AUTH_H_
|
||||
#include "libssh/callbacks.h"
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_banner);
|
||||
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_banner);
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_failure);
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_success);
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_pk_ok);
|
||||
|
||||
|
||||
/** @internal
|
||||
* States of authentication in the client-side. They describe
|
||||
* what was the last response from the server
|
||||
*/
|
||||
enum ssh_auth_state_e {
|
||||
/** No authentication asked */
|
||||
SSH_AUTH_STATE_NONE=0,
|
||||
/** Last authentication response was a partial success */
|
||||
SSH_AUTH_STATE_PARTIAL,
|
||||
/** Last authentication response was a success */
|
||||
SSH_AUTH_STATE_SUCCESS,
|
||||
/** Last authentication response was failed */
|
||||
SSH_AUTH_STATE_FAILED,
|
||||
/** Last authentication was erroneous */
|
||||
SSH_AUTH_STATE_ERROR,
|
||||
/** Last state was a keyboard-interactive ask for info */
|
||||
SSH_AUTH_STATE_INFO,
|
||||
/** Last state was a public key accepted for authentication */
|
||||
SSH_AUTH_STATE_PK_OK
|
||||
|
||||
};
|
||||
|
||||
/** @internal
|
||||
* @brief states of the authentication service request
|
||||
*/
|
||||
enum ssh_auth_service_state_e {
|
||||
/** initial state */
|
||||
SSH_AUTH_SERVICE_NONE=0,
|
||||
/** Authentication service request packet sent */
|
||||
SSH_AUTH_SERVICE_SENT,
|
||||
/** Service accepted */
|
||||
SSH_AUTH_SERVICE_ACCEPTED,
|
||||
/** Access to service denied (fatal) */
|
||||
SSH_AUTH_SERVICE_DENIED
|
||||
};
|
||||
|
||||
#endif /* AUTH_H_ */
|
||||
|
||||
@ -24,6 +24,7 @@
|
||||
#include "libssh/priv.h"
|
||||
#include "libssh/packet.h"
|
||||
#include "libssh/pcap.h"
|
||||
#include "libssh/auth.h"
|
||||
|
||||
typedef struct ssh_kbdint_struct* ssh_kbdint;
|
||||
|
||||
@ -41,19 +42,6 @@ enum ssh_session_state_e {
|
||||
SSH_SESSION_STATE_ERROR
|
||||
};
|
||||
|
||||
/** @internal
|
||||
* @brief states of the authentication service request
|
||||
*/
|
||||
enum ssh_auth_service_state_e {
|
||||
/** initial state */
|
||||
SSH_AUTH_SERVICE_NONE=0,
|
||||
/** Authentication service request packet sent */
|
||||
SSH_AUTH_SERVICE_SENT,
|
||||
/** Service accepted */
|
||||
SSH_AUTH_SERVICE_ACCEPTED,
|
||||
/** Access to service denied (fatal) */
|
||||
SSH_AUTH_SERVICE_DENIED
|
||||
};
|
||||
|
||||
struct ssh_session_struct {
|
||||
struct error_struct error;
|
||||
@ -93,8 +81,9 @@ struct ssh_session_struct {
|
||||
int packet_state;
|
||||
int dh_handshake_state;
|
||||
enum ssh_auth_service_state_e auth_service_state;
|
||||
ssh_string dh_server_signature; //information used by dh_handshake.
|
||||
enum ssh_auth_state_e auth_state;
|
||||
|
||||
ssh_string dh_server_signature; //information used by dh_handshake.
|
||||
KEX server_kex;
|
||||
KEX client_kex;
|
||||
ssh_buffer in_hashbuf;
|
||||
|
||||
172
libssh/auth.c
172
libssh/auth.c
@ -68,7 +68,7 @@ static int ask_userauth(ssh_session session) {
|
||||
}
|
||||
|
||||
/** @internal
|
||||
* @handles a SSH_USERAUTH_BANNER packet
|
||||
* @brief handles a SSH_USERAUTH_BANNER packet
|
||||
* This banner should be shown to user prior to authentication
|
||||
*/
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_banner){
|
||||
@ -91,55 +91,49 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_banner){
|
||||
return SSH_PACKET_USED;
|
||||
}
|
||||
|
||||
|
||||
static int wait_auth_status(ssh_session session, int kbdint) {
|
||||
/** @internal
|
||||
* @brief handles a SSH_USERAUTH_FAILURE packet
|
||||
* This handles the complete or partial authentication
|
||||
* failure.
|
||||
*/
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_failure){
|
||||
char *auth_methods = NULL;
|
||||
ssh_string auth;
|
||||
int rc = SSH_AUTH_ERROR;
|
||||
int cont = 1;
|
||||
uint8_t partial = 0;
|
||||
|
||||
(void) type;
|
||||
(void) user;
|
||||
enter_function();
|
||||
|
||||
while (cont) {
|
||||
if (packet_read(session) != SSH_OK) {
|
||||
break;
|
||||
}
|
||||
if (packet_translate(session) != SSH_OK) {
|
||||
break;
|
||||
}
|
||||
|
||||
switch (session->in_packet.type) {
|
||||
case SSH2_MSG_USERAUTH_FAILURE:
|
||||
auth = buffer_get_ssh_string(session->in_buffer);
|
||||
if (auth == NULL || buffer_get_u8(session->in_buffer, &partial) != 1) {
|
||||
auth = buffer_get_ssh_string(packet);
|
||||
if (auth == NULL || buffer_get_u8(packet, &partial) != 1) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"Invalid SSH_MSG_USERAUTH_FAILURE message");
|
||||
leave_function();
|
||||
return SSH_AUTH_ERROR;
|
||||
session->auth_state=SSH_AUTH_STATE_ERROR;
|
||||
goto end;
|
||||
}
|
||||
|
||||
auth_methods = string_to_char(auth);
|
||||
if (auth_methods == NULL) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"Not enough space");
|
||||
string_free(auth);
|
||||
leave_function();
|
||||
return SSH_AUTH_ERROR;
|
||||
ssh_set_error_oom(session);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (partial) {
|
||||
rc = SSH_AUTH_PARTIAL;
|
||||
ssh_set_error(session, SSH_NO_ERROR,
|
||||
session->auth_state=SSH_AUTH_STATE_PARTIAL;
|
||||
ssh_log(session,SSH_LOG_PROTOCOL,
|
||||
"Partial success. Authentication that can continue: %s",
|
||||
auth_methods);
|
||||
} else {
|
||||
rc = SSH_AUTH_DENIED;
|
||||
session->auth_state=SSH_AUTH_STATE_FAILED;
|
||||
ssh_log(session, SSH_LOG_PROTOCOL,
|
||||
"Access denied. Authentication that can continue: %s",
|
||||
auth_methods);
|
||||
ssh_set_error(session, SSH_REQUEST_DENIED,
|
||||
"Access denied. Authentication that can continue: %s",
|
||||
auth_methods);
|
||||
|
||||
session->auth_methods = 0;
|
||||
}
|
||||
if (strstr(auth_methods, "password") != NULL) {
|
||||
session->auth_methods |= SSH_AUTH_METHOD_PASSWORD;
|
||||
}
|
||||
@ -152,35 +146,86 @@ static int wait_auth_status(ssh_session session, int kbdint) {
|
||||
if (strstr(auth_methods, "hostbased") != NULL) {
|
||||
session->auth_methods |= SSH_AUTH_METHOD_HOSTBASED;
|
||||
}
|
||||
}
|
||||
|
||||
end:
|
||||
string_free(auth);
|
||||
SAFE_FREE(auth_methods);
|
||||
cont = 0;
|
||||
leave_function();
|
||||
return SSH_PACKET_USED;
|
||||
}
|
||||
|
||||
/** @internal
|
||||
* @brief handles a SSH_USERAUTH_SUCCESS packet
|
||||
* It is also used to communicate the new to the
|
||||
* upper levels.
|
||||
*/
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_success){
|
||||
enter_function();
|
||||
(void)packet;
|
||||
(void)type;
|
||||
(void)user;
|
||||
ssh_log(session,SSH_LOG_PACKET,"Received SSH_USERAUTH_SUCCESS");
|
||||
ssh_log(session,SSH_LOG_PROTOCOL,"Authentication successful");
|
||||
session->auth_state=SSH_AUTH_STATE_SUCCESS;
|
||||
session->session_state=SSH_SESSION_STATE_AUTHENTICATED;
|
||||
leave_function();
|
||||
return SSH_PACKET_USED;
|
||||
}
|
||||
|
||||
/** @internal
|
||||
* @brief handles a SSH_USERAUTH_PK_OK or SSH_USERAUTH_INFO_REQUEST packet
|
||||
* Since the two types of packets share the same code, additional
|
||||
* work is done to understand if we are in a public key or
|
||||
* keyboard-interactive context.
|
||||
*/
|
||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_pk_ok){
|
||||
enter_function();
|
||||
(void)packet;
|
||||
(void)type;
|
||||
(void)user;
|
||||
ssh_log(session,SSH_LOG_PACKET,"Received SSH_USERAUTH_PK_OK/INFO_REQUEST");
|
||||
if(session->kbdint){
|
||||
/* Assuming we are in keyboard-interactive context */
|
||||
ssh_log(session,SSH_LOG_PACKET,"keyboard-interactive context exists, assuming SSH_USERAUTH_INFO_REQUEST");
|
||||
session->auth_state=SSH_AUTH_STATE_INFO;
|
||||
} else {
|
||||
session->auth_state=SSH_AUTH_STATE_PK_OK;
|
||||
ssh_log(session,SSH_LOG_PACKET,"assuming SSH_USERAUTH_PK_OK");
|
||||
}
|
||||
leave_function();
|
||||
return SSH_PACKET_USED;
|
||||
}
|
||||
|
||||
static int wait_auth_status(ssh_session session) {
|
||||
int rc = SSH_AUTH_ERROR;
|
||||
|
||||
enter_function();
|
||||
|
||||
while (session->auth_state == SSH_AUTH_STATE_NONE) {
|
||||
ssh_handle_packets(session);
|
||||
}
|
||||
switch(session->auth_state){
|
||||
case SSH_AUTH_STATE_ERROR:
|
||||
rc=SSH_AUTH_ERROR;
|
||||
break;
|
||||
case SSH2_MSG_USERAUTH_PK_OK:
|
||||
/* SSH monkeys have defined the same number for both */
|
||||
/* SSH_MSG_USERAUTH_PK_OK and SSH_MSG_USERAUTH_INFO_REQUEST */
|
||||
/* which is not really smart; */
|
||||
/*case SSH2_MSG_USERAUTH_INFO_REQUEST: */
|
||||
if (kbdint) {
|
||||
case SSH_AUTH_STATE_FAILED:
|
||||
rc=SSH_AUTH_DENIED;
|
||||
break;
|
||||
case SSH_AUTH_STATE_INFO:
|
||||
rc=SSH_AUTH_INFO;
|
||||
cont = 0;
|
||||
break;
|
||||
}
|
||||
/* continue through success */
|
||||
case SSH2_MSG_USERAUTH_SUCCESS:
|
||||
case SSH_AUTH_STATE_PARTIAL:
|
||||
rc=SSH_AUTH_PARTIAL;
|
||||
break;
|
||||
case SSH_AUTH_STATE_PK_OK:
|
||||
case SSH_AUTH_STATE_SUCCESS:
|
||||
rc=SSH_AUTH_SUCCESS;
|
||||
cont = 0;
|
||||
break;
|
||||
|
||||
default:
|
||||
//packet_parse(session);
|
||||
//FIXME: broken
|
||||
case SSH_AUTH_STATE_NONE:
|
||||
/* not reached */
|
||||
rc=SSH_AUTH_ERROR;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
@ -212,9 +257,7 @@ int ssh_userauth_list(ssh_session session, const char *username) {
|
||||
*
|
||||
* @param session The ssh session to use.
|
||||
*
|
||||
* @param username The username to authenticate. You can specify NULL if
|
||||
* ssh_option_set_username() has been used. You cannot try
|
||||
* two different logins in a row.
|
||||
* @param username Deprecated, set to NULL.
|
||||
*
|
||||
* @returns SSH_AUTH_ERROR: A serious error happened.\n
|
||||
* SSH_AUTH_DENIED: Authentication failed: use another method\n
|
||||
@ -280,12 +323,12 @@ int ssh_userauth_none(ssh_session session, const char *username) {
|
||||
string_free(service);
|
||||
string_free(method);
|
||||
string_free(user);
|
||||
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) == SSH_ERROR) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session, 0);
|
||||
rc = wait_auth_status(session);
|
||||
|
||||
leave_function();
|
||||
return rc;
|
||||
@ -394,12 +437,12 @@ int ssh_userauth_offer_pubkey(ssh_session session, const char *username,
|
||||
string_free(method);
|
||||
string_free(service);
|
||||
string_free(algo);
|
||||
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) != SSH_OK) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session,0);
|
||||
rc = wait_auth_status(session);
|
||||
|
||||
leave_function();
|
||||
return rc;
|
||||
@ -514,12 +557,12 @@ int ssh_userauth_pubkey(ssh_session session, const char *username,
|
||||
goto error;
|
||||
}
|
||||
string_free(sign);
|
||||
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) != SSH_OK) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session,0);
|
||||
rc = wait_auth_status(session);
|
||||
}
|
||||
|
||||
leave_function();
|
||||
@ -632,11 +675,12 @@ int ssh_userauth_agent_pubkey(ssh_session session, const char *username,
|
||||
goto error;
|
||||
}
|
||||
string_free(sign);
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) != SSH_OK) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session,0);
|
||||
rc = wait_auth_status(session);
|
||||
}
|
||||
|
||||
string_free(user);
|
||||
@ -751,12 +795,12 @@ int ssh_userauth_password(ssh_session session, const char *username,
|
||||
string_free(method);
|
||||
string_burn(pwd);
|
||||
string_free(pwd);
|
||||
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) != SSH_OK) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session, 0);
|
||||
rc = wait_auth_status(session);
|
||||
|
||||
leave_function();
|
||||
return rc;
|
||||
@ -1161,12 +1205,12 @@ static int kbdauth_init(ssh_session session, const char *user,
|
||||
string_free(service);
|
||||
string_free(method);
|
||||
string_free(sub);
|
||||
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) != SSH_OK) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session,1);
|
||||
rc = wait_auth_status(session);
|
||||
|
||||
leave_function();
|
||||
return rc;
|
||||
@ -1328,12 +1372,12 @@ static int kbdauth_send(ssh_session session) {
|
||||
string_burn(answer);
|
||||
string_free(answer);
|
||||
}
|
||||
|
||||
session->auth_state=SSH_AUTH_STATE_NONE;
|
||||
if (packet_send(session) != SSH_OK) {
|
||||
leave_function();
|
||||
return rc;
|
||||
}
|
||||
rc = wait_auth_status(session,1);
|
||||
rc = wait_auth_status(session);
|
||||
|
||||
leave_function();
|
||||
return rc;
|
||||
@ -1405,7 +1449,7 @@ int ssh_userauth_kbdint(ssh_session session, const char *user,
|
||||
leave_function();
|
||||
return rc; /* error or first try success */
|
||||
}
|
||||
|
||||
/* TODO: put this in packet handler */
|
||||
rc = kbdauth_info_get(session);
|
||||
if (rc == SSH_AUTH_ERROR) {
|
||||
kbdint_free(session->kbdint);
|
||||
|
||||
@ -68,10 +68,11 @@ ssh_packet_callback default_packet_handlers[]= {
|
||||
NULL, NULL, NULL, NULL, NULL, // 35-49
|
||||
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
|
||||
NULL, //#define SSH2_MSG_USERAUTH_REQUEST 50
|
||||
NULL, //#define SSH2_MSG_USERAUTH_FAILURE 51
|
||||
NULL, //#define SSH2_MSG_USERAUTH_SUCCESS 52
|
||||
ssh_packet_userauth_failure, //#define SSH2_MSG_USERAUTH_FAILURE 51
|
||||
ssh_packet_userauth_success, //#define SSH2_MSG_USERAUTH_SUCCESS 52
|
||||
ssh_packet_userauth_banner, //#define SSH2_MSG_USERAUTH_BANNER 53
|
||||
NULL, //#define SSH2_MSG_USERAUTH_PK_OK 60 SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60
|
||||
NULL,NULL,NULL,NULL,NULL,NULL, // 54-59
|
||||
ssh_packet_userauth_pk_ok, //#define SSH2_MSG_USERAUTH_PK_OK 60 SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60
|
||||
//SSH2_MSG_USERAUTH_INFO_REQUEST 60
|
||||
NULL, //#define SSH2_MSG_USERAUTH_INFO_RESPONSE 61
|
||||
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, //62-79
|
||||
|
||||
Загрузка…
x
Ссылка в новой задаче
Block a user