static void torture_auth_password_nonblocking(void **state) {
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
assert_int_equal(rc, SSH_OK);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
ssh_set_blocking(session,0);
do {
rc = ssh_userauth_none(session, NULL);
} while (rc == SSH_AUTH_AGAIN);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_AUTH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PASSWORD);
do {
rc = ssh_userauth_password(session, NULL, TORTURE_SSH_USER_BOB_PASSWORD);
} while(rc==SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
static void torture_auth_agent(void **state) {
ssh_session session = *state;
char *user = getenv("TORTURE_USER");
int rc;
if (user == NULL) {
print_message("*** Please set the environment variable TORTURE_USER"
" to enable this test!!\n");
return;
}
if (!agent_is_running(session)){
print_message("*** Agent not running. Test ignored");
return;
}
rc = ssh_options_set(session, SSH_OPTIONS_USER, user);
assert_true(rc == SSH_OK);
rc = ssh_connect(session);
assert_true(rc == SSH_OK);
rc = ssh_userauth_none(session,NULL);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
rc = ssh_userauth_agent(session, NULL);
assert_true(rc == SSH_AUTH_SUCCESS);
}
static void torture_auth_autopubkey_nonblocking(void **state) {
ssh_session session = *state;
char *user = getenv("TORTURE_USER");
int rc;
if (user == NULL) {
print_message("*** Please set the environment variable TORTURE_USER"
" to enable this test!!\n");
return;
}
rc = ssh_options_set(session, SSH_OPTIONS_USER, user);
assert_true(rc == SSH_OK);
rc = ssh_connect(session);
assert_true(rc == SSH_OK);
ssh_set_blocking(session,0);
do {
rc = ssh_userauth_none(session, NULL);
} while (rc == SSH_AUTH_AGAIN);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
do {
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_true(rc == SSH_AUTH_SUCCESS);
}
static int test_several_auth_methods(ssh_session session, url_t* urlp)
{
int rc = ssh_userauth_none(session, NULL);
/* if (rc != SSH_AUTH_SUCCESS) {
return rc;
} */
int method = ssh_userauth_list(session, NULL);
if (method & SSH_AUTH_METHOD_NONE)
{
rc = authenticate_none(session);
if (rc == SSH_AUTH_SUCCESS) return rc;
}
if (method & SSH_AUTH_METHOD_PUBLICKEY)
{
rc = authenticate_pubkey(session);
if (rc == SSH_AUTH_SUCCESS) return rc;
}
if (method & SSH_AUTH_METHOD_INTERACTIVE)
{
rc = authenticate_kbdint(session);
if (rc == SSH_AUTH_SUCCESS) return rc;
}
if (method & SSH_AUTH_METHOD_PASSWORD)
{
rc = authenticate_password(session, urlp);
if (rc == SSH_AUTH_SUCCESS) return rc;
}
return SSH_AUTH_ERROR;
}
static void torture_auth_password(void **state) {
ssh_session session = *state;
char *user = getenv("TORTURE_USER");
char *password = getenv("TORTURE_PASSWORD");
int rc;
if (user == NULL) {
print_message("*** Please set the environment variable TORTURE_USER"
" to enable this test!!\n");
return;
}
if (password == NULL) {
print_message("*** Please set the environment variable "
"TORTURE_PASSWORD to enable this test!!\n");
return;
}
rc = ssh_options_set(session, SSH_OPTIONS_USER, user);
assert_true(rc == SSH_OK);
rc = ssh_connect(session);
assert_true(rc == SSH_OK);
rc = ssh_userauth_none(session, NULL);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_AUTH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PASSWORD);
rc = ssh_userauth_password(session, NULL, password);
assert_true(rc == SSH_AUTH_SUCCESS);
}
static void torture_auth_kbdint(void **state) {
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
assert_int_equal(rc, SSH_OK);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
rc = ssh_userauth_none(session,NULL);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_INTERACTIVE);
rc = ssh_userauth_kbdint(session, NULL, NULL);
assert_int_equal(rc, SSH_AUTH_INFO);
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 1);
rc = ssh_userauth_kbdint_setanswer(session, 0, TORTURE_SSH_USER_BOB_PASSWORD);
assert_false(rc < 0);
rc = ssh_userauth_kbdint(session, NULL, NULL);
/* Sometimes, SSH server send an empty query at the end of exchange */
if(rc == SSH_AUTH_INFO) {
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 0);
rc = ssh_userauth_kbdint(session, NULL, NULL);
}
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
static void torture_auth_agent_nonblocking(void **state) {
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
if (!ssh_agent_is_running(session)){
print_message("*** Agent not running. Test ignored\n");
return;
}
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
assert_int_equal(rc, SSH_OK);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
rc = ssh_userauth_none(session,NULL);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
ssh_set_blocking(session,0);
do {
rc = ssh_userauth_agent(session, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
static void torture_auth_kbdint_nonblocking(void **state) {
ssh_session session = *state;
char *user = getenv("TORTURE_USER");
char *password = getenv("TORTURE_PASSWORD");
int rc;
if (user == NULL) {
print_message("*** Please set the environment variable TORTURE_USER"
" to enable this test!!\n");
return;
}
if (password == NULL) {
print_message("*** Please set the environment variable "
"TORTURE_PASSWORD to enable this test!!\n");
return;
}
rc = ssh_options_set(session, SSH_OPTIONS_USER, user);
assert_true(rc == SSH_OK);
rc = ssh_connect(session);
assert_true(rc == SSH_OK);
ssh_set_blocking(session,0);
do {
rc = ssh_userauth_none(session, NULL);
} while (rc == SSH_AUTH_AGAIN);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_INTERACTIVE);
do {
rc = ssh_userauth_kbdint(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_true(rc == SSH_AUTH_INFO);
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 1);
do {
rc = ssh_userauth_kbdint_setanswer(session, 0, password);
} while (rc == SSH_AUTH_AGAIN);
assert_false(rc < 0);
do {
rc = ssh_userauth_kbdint(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
/* Sometimes, SSH server send an empty query at the end of exchange */
if(rc == SSH_AUTH_INFO) {
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 0);
do {
rc = ssh_userauth_kbdint(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
}
assert_true(rc == SSH_AUTH_SUCCESS);
}
int authenticate_console(ssh_session session)
{
int rc;
int method;
// Try to authenticate
rc = ssh_userauth_none(session, NULL);
if (rc == SSH_AUTH_ERROR)
{
error(session);
return rc;
}
method = ssh_userauth_list(session,NULL);
while (rc != SSH_AUTH_SUCCESS)
{
// Try to authenticate with public key first
rc = ssh_userauth_autopubkey(session, NULL);
if (rc == SSH_AUTH_ERROR)
{
error(session);
return rc;
} else if (rc == SSH_AUTH_SUCCESS)
{
break;
}
rc=authenticate_kbdint(session,pass_word);
if (rc == SSH_AUTH_ERROR)
{
error(session);
return rc;
} else if (rc == SSH_AUTH_SUCCESS)
{
break;
}
rc = ssh_userauth_password(session, NULL, pass_word);
if (rc == SSH_AUTH_ERROR)
{
error(session);
return rc;
} else if (rc == SSH_AUTH_SUCCESS)
{
break;
} else if(rc == SSH_AUTH_DENIED)
{
} else if(rc == SSH_AUTH_PARTIAL)
{
} else if(rc == SSH_AUTH_INFO)
{
} else if(rc == SSH_AUTH_AGAIN)
{
}
}
return rc;
}
//
// dirty workaround here: miscptr is the ptr to the logins, and the first one is used
// to test if password authentication is enabled!!
//
int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// 1 skip target without generating an error
// 2 skip target because of protocol problems
// 3 skip target because its unreachable
#ifdef LIBSSH
int32_t rc, method;
ssh_session session = ssh_new();
if (verbose || debug)
printf("[INFO] Testing if password authentication is supported by ssh://%s@%s:%d\n", miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port);
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
if (miscptr == NULL)
ssh_options_set(session, SSH_OPTIONS_USER, "hydra");
else
ssh_options_set(session, SSH_OPTIONS_USER, miscptr);
ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string_beautiful(ip), port, ssh_get_error(session));
return 2;
}
rc = ssh_userauth_none(session, NULL);
method = ssh_userauth_list(session, NULL);
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
if (debug) printf("[DEBUG] SSH method check: %08x\n", method);
if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) {
if (verbose || debug)
printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string_beautiful(ip), port);
return 0;
} else if (method == 0) {
if (verbose || debug)
fprintf(stderr, "[WARNING] invalid SSH method reply from ssh://%s:%d, continuing anyway ... (check for empty password!)\n", hydra_address2string_beautiful(ip), port);
return 0;
}
fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication (method reply %d).\n", hydra_address2string_beautiful(ip), port, method);
return 1;
#else
return 0;
#endif
}
static void torture_auth_pubkey_types_ed25519_nonblocking(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
assert_ssh_return_code(session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
ssh_set_blocking(session, 0);
do {
rc = ssh_userauth_none(session, NULL);
} while (rc == SSH_AUTH_AGAIN);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
/* Enable only DSA keys -- authentication should fail */
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ssh-dss");
assert_ssh_return_code(session, rc);
do {
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_DENIED);
/* Verify we can use also ED25519 key to authenticate */
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ssh-ed25519");
assert_ssh_return_code(session, rc);
do {
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
static void torture_auth_pubkey_types_nonblocking(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
assert_ssh_return_code(session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
ssh_set_blocking(session, 0);
do {
rc = ssh_userauth_none(session, NULL);
} while (rc == SSH_AUTH_AGAIN);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
/* Disable RSA key types for authentication */
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ssh-dss");
assert_ssh_return_code(session, rc);
do {
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_DENIED);
/* Now enable it and retry */
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"rsa-sha2-512,ssh-rsa");
assert_ssh_return_code(session, rc);
do {
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
int service_ssh_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// 1 skip target without generating an error
// 2 skip target because of protocol problems
// 3 skip target because its unreachable
#ifdef LIBSSH
int rc, method;
ssh_session session = ssh_new();
if (verbose || debug)
printf("[INFO] Testing if password authentication is supported by ssh://%s:%d\n", hydra_address2string(ip), port);
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
ssh_options_set(session, SSH_OPTIONS_USER, "root");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d\n", hydra_address2string(ip), port);
return 2;
}
rc = ssh_userauth_none(session, NULL);
method = ssh_userauth_list(session, NULL);
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) {
if (verbose || debug)
printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string(ip), port);
return 0;
}
fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication.\n", hydra_address2string(ip), port);
return 1;
#else
return 0;
#endif
}
static void torture_auth_autopubkey(void **state) {
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
/* Authenticate as alice with bob his pubkey */
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
assert_int_equal(rc, SSH_OK);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
rc = ssh_userauth_none(session,NULL);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
static gint
remmina_ssh_auth_password (RemminaSSH *ssh)
{
gint ret;
gint authlist;
gint n;
gint i;
ret = SSH_AUTH_ERROR;
if (ssh->authenticated) return 1;
if (ssh->password == NULL) return -1;
authlist = ssh_userauth_list (ssh->session, NULL);
if (authlist & SSH_AUTH_METHOD_INTERACTIVE)
{
while ((ret = ssh_userauth_kbdint (ssh->session, NULL, NULL)) == SSH_AUTH_INFO)
{
n = ssh_userauth_kbdint_getnprompts (ssh->session);
for (i = 0; i < n; i++)
{
ssh_userauth_kbdint_setanswer(ssh->session, i, ssh->password);
}
}
}
if (ret != SSH_AUTH_SUCCESS && authlist & SSH_AUTH_METHOD_PASSWORD)
{
ret = ssh_userauth_password (ssh->session, NULL, ssh->password);
}
if (ret != SSH_AUTH_SUCCESS)
{
remmina_ssh_set_error (ssh, _("SSH password authentication failed: %s"));
return 0;
}
ssh->authenticated = TRUE;
return 1;
}
static void torture_auth_pubkey_types_ecdsa(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
assert_ssh_return_code(session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
rc = ssh_userauth_none(session, NULL);
/* This request should return a SSH_REQUEST_DENIED error */
if (rc == SSH_ERROR) {
assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
}
rc = ssh_userauth_list(session, NULL);
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
/* We have only the 256b key -- whitelisting only larger should fail */
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ecdsa-sha2-nistp384");
assert_ssh_return_code(session, rc);
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
assert_int_equal(rc, SSH_AUTH_DENIED);
/* Verify we can use also ECDSA keys with their various names */
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ecdsa-sha2-nistp256");
assert_ssh_return_code(session, rc);
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
int FSSftp::CheckSession( int* err, FSCInfo* info )
{
if ( sshSession ) { return 0; }
try
{
sshSession = ssh_new();
if ( !sshSession ) { throw int( SSH_INTERROR_X3 ); }
if ( ssh_options_set( sshSession, SSH_OPTIONS_HOST, unicode_to_utf8( _operParam.server.Data() ).ptr() ) )
{
throw int( SSH_INTERROR_X3 );
}
int port = _operParam.port;
if ( ssh_options_set( sshSession, SSH_OPTIONS_PORT, &port ) )
{
throw int( SSH_INTERROR_X3 );
}
FSString userName = "";
if ( _operParam.user.Data()[0] )
{
userName = _operParam.user.Data();
}
else
{
char* ret = getenv( "LOGNAME" );
if ( ret )
{
userName = FSString( sys_charset_id, ret );
_operParam.user = userName.GetUnicode();
MutexLock infoLock( &infoMutex );
_infoParam.user = userName.GetUnicode();
}
};
if ( ssh_options_set( sshSession, SSH_OPTIONS_USER, ( char* )userName.Get( _operParam.charset ) ) ) //есть сомнения, что надо все таки в utf8
{
throw int( SSH_INTERROR_X3 );
}
if ( ssh_connect( sshSession ) != SSH_OK )
{
throw int( SSH_INTERROR_CONNECT );
}
int method = ssh_userauth_list( sshSession, 0 );
int ret;
static unicode_t userSymbol = '@';
if ( method & SSH_AUTH_METHOD_PASSWORD )
{
FSPromptData data;
data.visible = false;
data.prompt = utf8_to_unicode( "Password:"******"SFTP_" ).ptr(),
carray_cat<unicode_t>( userName.GetUnicode(), &userSymbol, _operParam.server.Data() ).ptr(),
&data, 1 ) ) { throw int( SSH_INTERROR_STOPPED ); }
ret = ssh_userauth_password( sshSession,
( char* )FSString( _operParam.user.Data() ).Get( _operParam.charset ),
( char* )FSString( data.prompt.Data() ).Get( _operParam.charset ) );
}
if ( ret != SSH_AUTH_SUCCESS &&
( method & SSH_AUTH_METHOD_INTERACTIVE ) != 0 )
{
while ( true )
{
ret = ssh_userauth_kbdint( sshSession, 0, 0 );
if ( ret != SSH_AUTH_INFO ) { break; }
const char* instruction = ssh_userauth_kbdint_getinstruction( sshSession );
if ( !instruction ) { instruction = ""; }
int n = ssh_userauth_kbdint_getnprompts( sshSession );
if ( n <= 0 ) { continue; }
std::vector<FSPromptData> pData( n );
int i;
for ( i = 0; i < n; i++ )
{
char echo;
const char* prompt = ssh_userauth_kbdint_getprompt( sshSession, i, &echo );
if ( !prompt ) { break; }
pData[i].visible = echo != 0;
pData[i].prompt = utf8_to_unicode( prompt ).ptr();
}
if ( !info ) { throw int( SSH_INTERROR_AUTH ); }
if ( !info->Prompt(
utf8_to_unicode( "SFTP" ).ptr(),
carray_cat<unicode_t>( userName.GetUnicode(), &userSymbol, _operParam.server.Data() ).ptr(),
pData.ptr(), n ) ) { throw int( SSH_INTERROR_STOPPED ); }
for ( i = 0; i < n; i++ )
{
if ( ssh_userauth_kbdint_setanswer( sshSession, i, ( char* )FSString( pData[i].prompt.Data() ).Get( _operParam.charset ) ) < 0 )
{
throw int( SSH_INTERROR_AUTH );
}
}
}
}
if ( ret != SSH_AUTH_SUCCESS )
{
if ( ret == SSH_AUTH_PARTIAL )
{
throw int( SSH_INTERROR_UNSUPPORTED_AUTH );
}
else
{
throw int( SSH_INTERROR_AUTH );
}
}
sftpSession = sftp_new( sshSession );
if ( !sftpSession ) { throw int( SSH_INTERROR_FATAL ); }
if ( sftp_init( sftpSession ) != SSH_OK ) { throw int( SSH_INTERROR_FATAL ); }
}
catch ( int e )
{
if ( err ) { *err = e; }
if ( sftpSession ) { sftp_free( sftpSession ); }
if ( sshSession ) { ssh_free( sshSession ); }
sshSession = 0;
sftpSession = 0;
return ( e == SSH_INTERROR_STOPPED ) ? -2 : -1;
}
return 0;
}
static const gchar *
cockpit_ssh_authenticate (CockpitSshData *data)
{
gss_cred_id_t gsscreds = GSS_C_NO_CREDENTIAL;
const gchar *password = NULL;
const gchar *problem;
gboolean tried = FALSE;
gchar *description;
int methods;
int rc;
problem = "not-authorized";
rc = ssh_userauth_none (data->session, NULL);
if (rc == SSH_AUTH_ERROR)
{
if (g_atomic_int_get (data->connecting))
g_message ("%s: server authentication handshake failed: %s",
data->logname, ssh_get_error (data->session));
problem = "internal-error";
goto out;
}
if (rc == SSH_AUTH_SUCCESS)
{
problem = NULL;
goto out;
}
methods = ssh_userauth_list (data->session, NULL);
if (methods & SSH_AUTH_METHOD_PASSWORD)
{
password = cockpit_creds_get_password (data->creds);
if (password)
{
tried = TRUE;
rc = ssh_userauth_password (data->session, NULL, password);
switch (rc)
{
case SSH_AUTH_SUCCESS:
g_debug ("%s: password auth succeeded", data->logname);
problem = NULL;
goto out;
case SSH_AUTH_DENIED:
g_debug ("%s: password auth failed", data->logname);
break;
case SSH_AUTH_PARTIAL:
g_message ("%s: password auth worked, but server wants more authentication",
data->logname);
break;
default:
if (g_atomic_int_get (data->connecting))
g_message ("%s: couldn't authenticate: %s", data->logname,
ssh_get_error (data->session));
problem = "internal-error";
goto out;
}
}
}
if (methods & SSH_AUTH_METHOD_GSSAPI_MIC)
{
tried = TRUE;
gsscreds = cockpit_creds_push_thread_default_gssapi (data->creds);
if (gsscreds != GSS_C_NO_CREDENTIAL)
{
#ifdef HAVE_SSH_GSSAPI_SET_CREDS
ssh_gssapi_set_creds (data->session, gsscreds);
#else
g_warning ("unable to forward delegated gssapi kerberos credentials because the "
"version of libssh on this system does not support it.");
#endif
rc = ssh_userauth_gssapi (data->session);
#ifdef HAVE_SSH_GSSAPI_SET_CREDS
ssh_gssapi_set_creds (data->session, NULL);
#endif
switch (rc)
{
case SSH_AUTH_SUCCESS:
g_debug("%s: gssapi auth succeeded", data->logname);
problem = NULL;
goto out;
case SSH_AUTH_DENIED:
g_debug ("%s: gssapi auth failed", data->logname);
break;
case SSH_AUTH_PARTIAL:
g_message ("%s: gssapi auth worked, but server wants more authentication",
data->logname);
break;
default:
if (g_atomic_int_get (data->connecting))
g_message ("%s: couldn't authenticate: %s", data->logname,
ssh_get_error (data->session));
problem = "internal-error";
goto out;
}
}
}
if (!tried)
{
description = auth_method_description (methods);
g_message ("%s: server offered unsupported authentication methods: %s",
data->logname, description);
g_free (description);
problem = "not-authorized";
}
else if (!password && gsscreds == GSS_C_NO_CREDENTIAL)
{
problem = "no-forwarding";
}
else
{
problem = "not-authorized";
}
out:
cockpit_creds_pop_thread_default_gssapi (data->creds, gsscreds);
return problem;
}
