/* the heart of the whole keyboard interactive login */
int ssh_userauth_kbdint(SSH_SESSION *session, const char *user, const char *submethods){
int err;
if(session->version==1)
return SSH_AUTH_DENIED; // no keyb-interactive for ssh1
enter_function();
if( !session->kbdint){
/* first time we call. we must ask for a challenge */
if(!user)
if(!(user=session->options->username)){
if(ssh_options_default_username(session->options)){
leave_function();
return SSH_AUTH_ERROR;
} else
user=session->options->username;
}
if(ask_userauth(session)){
leave_function();
return SSH_AUTH_ERROR;
}
err=kbdauth_init(session,user,submethods);
if(err!=SSH_AUTH_INFO){
leave_function();
return err; /* error or first try success */
}
err=kbdauth_info_get(session);
if(err==SSH_AUTH_ERROR){
kbdint_free(session->kbdint);
session->kbdint=NULL;
}
leave_function();
return err;
}
/* if we are at this point, it's because session->kbdint exists */
/* it means the user has set some informations there we need to send *
* the server. and then we need to ack the status (new questions or ok *
* pass in */
err=kbdauth_send(session);
kbdint_free(session->kbdint);
session->kbdint=NULL;
if(err!=SSH_AUTH_INFO){
leave_function();
return err;
}
err=kbdauth_info_get(session);
if(err==SSH_AUTH_ERROR){
kbdint_free(session->kbdint);
session->kbdint=NULL;
}
leave_function();
return err;
}
int ssh_userauth_pubkey(SSH_SESSION *session, const char *username, STRING *publickey, PRIVATE_KEY *privatekey){
STRING *user;
STRING *service;
STRING *method;
STRING *algo;
STRING *sign;
int err=SSH_AUTH_ERROR;
enter_function();
// if(session->version==1)
// return ssh_userauth1_pubkey(session,username,publickey,privatekey);
if(!username)
if(!(username=session->options->username)){
if(ssh_options_default_username(session->options)){
leave_function();
return err;
} else
username=session->options->username;
}
if(ask_userauth(session)){
leave_function();
return err;
}
user=string_from_char(username);
service=string_from_char("ssh-connection");
method=string_from_char("publickey");
algo=string_from_char(ssh_type_to_char(privatekey->type));
/* we said previously the public key was accepted */
buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_REQUEST);
buffer_add_ssh_string(session->out_buffer,user);
buffer_add_ssh_string(session->out_buffer,service);
buffer_add_ssh_string(session->out_buffer,method);
buffer_add_u8(session->out_buffer,1);
buffer_add_ssh_string(session->out_buffer,algo);
buffer_add_ssh_string(session->out_buffer,publickey);
sign=ssh_do_sign(session,session->out_buffer,privatekey);
if(sign){
buffer_add_ssh_string(session->out_buffer,sign);
free(sign);
packet_send(session);
err=wait_auth_status(session,0);
}
free(user);
free(service);
free(method);
free(algo);
leave_function();
return err;
}
int ssh_userauth_password(SSH_SESSION *session, const char *username, const char *password){
STRING *user;
STRING *service;
STRING *method;
STRING *password_s;
int err;
enter_function();
#ifdef HAVE_SSH1
if(session->version==1){
err = ssh_userauth1_password(session,username,password);
leave_function();
return err;
}
#endif
if(!username)
if(!(username=session->options->username)){
if(ssh_options_default_username(session->options)){
err = SSH_AUTH_ERROR;
leave_function();
return err;
} else
username=session->options->username;
}
if(ask_userauth(session)){
leave_function();
return SSH_AUTH_ERROR;
}
user=string_from_char(username);
service=string_from_char("ssh-connection");
method=string_from_char("password");
password_s=string_from_char(password);
buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_REQUEST);
buffer_add_ssh_string(session->out_buffer,user);
buffer_add_ssh_string(session->out_buffer,service);
buffer_add_ssh_string(session->out_buffer,method);
buffer_add_u8(session->out_buffer,0);
buffer_add_ssh_string(session->out_buffer,password_s);
free(user);
free(service);
free(method);
memset(password_s,0,strlen(password)+4);
free(password_s);
packet_send(session);
err=wait_auth_status(session,0);
leave_function();
return err;
}
int ssh_userauth_offer_pubkey(SSH_SESSION *session, const char *username,int type, STRING *publickey){
STRING *user;
STRING *service;
STRING *method;
STRING *algo;
int err=SSH_AUTH_ERROR;
enter_function();
#ifdef HAVE_SSH1
if(session->version==1){
err= ssh_userauth1_offer_pubkey(session,username,type,publickey);
leave_function();
return err;
}
#endif
if(!username)
if(!(username=session->options->username)){
if(ssh_options_default_username(session->options)){
leave_function();
return SSH_AUTH_ERROR;
} else
username=session->options->username;
}
if(ask_userauth(session)){
leave_function();
return SSH_AUTH_ERROR;
}
user=string_from_char(username);
service=string_from_char("ssh-connection");
method=string_from_char("publickey");
algo=string_from_char(ssh_type_to_char(type));
buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_REQUEST);
buffer_add_ssh_string(session->out_buffer,user);
buffer_add_ssh_string(session->out_buffer,service);
buffer_add_ssh_string(session->out_buffer,method);
buffer_add_u8(session->out_buffer,0);
buffer_add_ssh_string(session->out_buffer,algo);
buffer_add_ssh_string(session->out_buffer,publickey);
packet_send(session);
err=wait_auth_status(session,0);
free(user);
free(method);
free(service);
free(algo);
leave_function();
return err;
}
int ssh_userauth_none(SSH_SESSION *session, const char *username){
STRING *user;
STRING *service;
STRING *method;
int ret;
enter_function();
#ifdef HAVE_SSH1
if(session->version==1){
ret = ssh_userauth1_none(session,username);
leave_function();
return ret;
}
#endif
if(!username)
if(!(username=session->options->username)){
if(ssh_options_default_username(session->options)){
leave_function();
return SSH_AUTH_ERROR;
} else
username=session->options->username;
}
if(ask_userauth(session)){
leave_function();
return SSH_AUTH_ERROR;
}
user=string_from_char(username);
method=string_from_char("none");
service=string_from_char("ssh-connection");
buffer_add_u8(session->out_buffer,SSH2_MSG_USERAUTH_REQUEST);
buffer_add_ssh_string(session->out_buffer,user);
buffer_add_ssh_string(session->out_buffer,service);
buffer_add_ssh_string(session->out_buffer,method);
free(service);
free(method);
free(user);
packet_send(session);
ret = wait_auth_status(session,0);
leave_function();
return ret;
}
/**
* @brief Try to authenticate by password.
*
* @param session The ssh session to use.
*
* @param username The username to authenticate. You can specify NULL if
* ssh_option_set_username() has been used. You cannot try
* two different logins in a row.
*
* @param password The password to use. Take care to clean it after
* the authentication.
*
* @returns SSH_AUTH_ERROR: A serious error happened.\n
* SSH_AUTH_DENIED: Authentication failed: use another method.\n
* SSH_AUTH_PARTIAL: You've been partially authenticated, you still
* have to use another method.\n
* SSH_AUTH_SUCCESS: Authentication successful.
*
* @see ssh_userauth_kbdint()
* @see BURN_STRING
*/
int ssh_userauth_password(ssh_session session, const char *username,
const char *password) {
ssh_string user = NULL;
ssh_string service = NULL;
ssh_string method = NULL;
ssh_string pwd = NULL;
int rc = SSH_AUTH_ERROR;
enter_function();
#ifdef WITH_SSH1
if (session->version == 1) {
rc = ssh_userauth1_password(session, username, password);
leave_function();
return rc;
}
#endif
if (username == NULL) {
if (session->username == NULL) {
if (ssh_options_apply(session) < 0) {
leave_function();
return rc;
}
}
user = string_from_char(session->username);
} else {
user = string_from_char(username);
}
if (user == NULL) {
leave_function();
return rc;
}
if (ask_userauth(session) < 0) {
string_free(user);
leave_function();
return rc;
}
service = string_from_char("ssh-connection");
if (service == NULL) {
goto error;
}
method = string_from_char("password");
if (method == NULL) {
goto error;
}
pwd = string_from_char(password);
if (pwd == NULL) {
goto error;
}
if (buffer_add_u8(session->out_buffer, SSH2_MSG_USERAUTH_REQUEST) < 0 ||
buffer_add_ssh_string(session->out_buffer, user) < 0 ||
buffer_add_ssh_string(session->out_buffer, service) < 0 ||
buffer_add_ssh_string(session->out_buffer, method) < 0 ||
buffer_add_u8(session->out_buffer, 0) < 0 ||
buffer_add_ssh_string(session->out_buffer, pwd) < 0) {
goto error;
}
string_free(user);
string_free(service);
string_free(method);
string_burn(pwd);
string_free(pwd);
if (packet_send(session) != SSH_OK) {
leave_function();
return rc;
}
rc = wait_auth_status(session, 0);
leave_function();
return rc;
error:
buffer_reinit(session->out_buffer);
string_free(user);
string_free(service);
string_free(method);
string_burn(pwd);
string_free(pwd);
leave_function();
return rc;
}
/**
* @brief Try to authenticate through public key with an ssh agent.
*
* @param session The ssh session to use.
*
* @param username The username to authenticate. You can specify NULL if
* ssh_option_set_username() has been used. You cannot try
* two different logins in a row.
*
* @param publickey The public key provided by the agent.
*
* @returns SSH_AUTH_ERROR: A serious error happened.\n
* SSH_AUTH_DENIED: Authentication failed: use another method.\n
* SSH_AUTH_PARTIAL: You've been partially authenticated, you still
* have to use another method.\n
* SSH_AUTH_SUCCESS: Authentication successful.
*
* @see publickey_from_file()
* @see privatekey_from_file()
* @see privatekey_free()
* @see ssh_userauth_offer_pubkey()
*/
int ssh_userauth_agent_pubkey(ssh_session session, const char *username,
ssh_public_key publickey) {
ssh_string user = NULL;
ssh_string service = NULL;
ssh_string method = NULL;
ssh_string algo = NULL;
ssh_string key = NULL;
ssh_string sign = NULL;
int rc = SSH_AUTH_ERROR;
enter_function();
if (! agent_is_running(session)) {
return rc;
}
if (username == NULL) {
if (session->username == NULL) {
if (ssh_options_apply(session) < 0) {
leave_function();
return rc;
}
}
user = string_from_char(session->username);
} else {
user = string_from_char(username);
}
if (user == NULL) {
leave_function();
return rc;
}
if (ask_userauth(session) < 0) {
string_free(user);
leave_function();
return rc;
}
service = string_from_char("ssh-connection");
if (service == NULL) {
goto error;
}
method = string_from_char("publickey");
if (method == NULL) {
goto error;
}
algo = string_from_char(ssh_type_to_char(publickey->type));
if (algo == NULL) {
goto error;
}
key = publickey_to_string(publickey);
if (key == NULL) {
goto error;
}
/* we said previously the public key was accepted */
if (buffer_add_u8(session->out_buffer, SSH2_MSG_USERAUTH_REQUEST) < 0 ||
buffer_add_ssh_string(session->out_buffer, user) < 0 ||
buffer_add_ssh_string(session->out_buffer, service) < 0 ||
buffer_add_ssh_string(session->out_buffer, method) < 0 ||
buffer_add_u8(session->out_buffer, 1) < 0 ||
buffer_add_ssh_string(session->out_buffer, algo) < 0 ||
buffer_add_ssh_string(session->out_buffer, key) < 0) {
goto error;
}
sign = ssh_do_sign_with_agent(session, session->out_buffer, publickey);
if (sign) {
if (buffer_add_ssh_string(session->out_buffer, sign) < 0) {
goto error;
}
string_free(sign);
if (packet_send(session) != SSH_OK) {
leave_function();
return rc;
}
rc = wait_auth_status(session,0);
}
string_free(user);
string_free(service);
string_free(method);
string_free(algo);
string_free(key);
leave_function();
return rc;
error:
buffer_reinit(session->out_buffer);
string_free(sign);
string_free(user);
string_free(service);
string_free(method);
string_free(algo);
string_free(key);
leave_function();
return rc;
}
/**
* @brief Try to authenticate through the "keyboard-interactive" method.
*
* @param session The ssh session to use.
*
* @param user The username to authenticate. You can specify NULL if
* ssh_option_set_username() has been used. You cannot try
* two different logins in a row.
*
* @param submethods Undocumented. Set it to NULL.
*
* @returns SSH_AUTH_ERROR: A serious error happened\n
* SSH_AUTH_DENIED: Authentication failed : use another method\n
* SSH_AUTH_PARTIAL: You've been partially authenticated, you still
* have to use another method\n
* SSH_AUTH_SUCCESS: Authentication success\n
* SSH_AUTH_INFO: The server asked some questions. Use
* ssh_userauth_kbdint_getnprompts() and such.
*
* @see ssh_userauth_kbdint_getnprompts()
* @see ssh_userauth_kbdint_getname()
* @see ssh_userauth_kbdint_getinstruction()
* @see ssh_userauth_kbdint_getprompt()
* @see ssh_userauth_kbdint_setanswer()
*/
int ssh_userauth_kbdint(ssh_session session, const char *user,
const char *submethods) {
int rc = SSH_AUTH_ERROR;
if (session->version == 1) {
/* No keyb-interactive for ssh1 */
return SSH_AUTH_DENIED;
}
enter_function();
if (session->kbdint == NULL) {
/* first time we call. we must ask for a challenge */
if (user == NULL) {
if ((user = session->username) == NULL) {
if (ssh_options_apply(session) < 0) {
leave_function();
return SSH_AUTH_ERROR;
} else {
user = session->username;
}
}
}
if (ask_userauth(session)) {
leave_function();
return SSH_AUTH_ERROR;
}
rc = kbdauth_init(session, user, submethods);
if (rc != SSH_AUTH_INFO) {
leave_function();
return rc; /* error or first try success */
}
rc = kbdauth_info_get(session);
if (rc == SSH_AUTH_ERROR) {
kbdint_free(session->kbdint);
session->kbdint = NULL;
}
leave_function();
return rc;
}
/*
* If we are at this point, it ss because session->kbdint exists.
* It means the user has set some information there we need to send
* the server and then we need to ack the status (new questions or ok
* pass in).
*/
rc = kbdauth_send(session);
kbdint_free(session->kbdint);
session->kbdint = NULL;
if(rc != SSH_AUTH_INFO) {
leave_function();
return rc;
}
rc = kbdauth_info_get(session);
if (rc == SSH_AUTH_ERROR) {
kbdint_free(session->kbdint);
session->kbdint = NULL;
}
leave_function();
return rc;
}
