/*
* Child process.
*/
static void *
pam_child(struct pam_ctxt *ctxt)
{
Buffer buffer;
struct pam_conv pam_conv;
pam_handle_t *pamh;
int pam_err;
pam_conv.conv = pam_child_conv;
pam_conv.appdata_ptr = ctxt;
buffer_init(&buffer);
setproctitle("%s [pam]", ctxt->pam_user);
pam_err = pam_start("sshd", ctxt->pam_user, &pam_conv, &pamh);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_authenticate(pamh, 0);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_acct_mgmt(pamh, 0);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
buffer_put_cstring(&buffer, "OK");
ssh_msg_send(ctxt->pam_sock, PAM_SUCCESS, &buffer);
buffer_free(&buffer);
pam_end(pamh, pam_err);
exit(0);
auth_fail:
buffer_put_cstring(&buffer, pam_strerror(pamh, pam_err));
ssh_msg_send(ctxt->pam_sock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
pam_end(pamh, pam_err);
exit(0);
}
/*
* Conversation function for child process.
*/
static int
pam_child_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
Buffer buffer;
struct pam_ctxt *ctxt;
int i;
ctxt = data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
*resp = xmalloc(n * sizeof **resp);
buffer_init(&buffer);
for (i = 0; i < n; ++i) {
resp[i]->resp_retcode = 0;
resp[i]->resp = NULL;
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
ssh_msg_recv(ctxt->pam_sock, &buffer);
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
resp[i]->resp = buffer_get_string(&buffer, NULL);
break;
case PAM_PROMPT_ECHO_ON:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
ssh_msg_recv(ctxt->pam_sock, &buffer);
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
resp[i]->resp = buffer_get_string(&buffer, NULL);
break;
case PAM_ERROR_MSG:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
break;
case PAM_TEXT_INFO:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer);
break;
default:
goto fail;
}
buffer_clear(&buffer);
}
buffer_free(&buffer);
return (PAM_SUCCESS);
fail:
while (i)
xfree(resp[--i]);
xfree(*resp);
*resp = NULL;
buffer_free(&buffer);
return (PAM_CONV_ERR);
}
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
sshpam_authenticated = 1;
return (0);
case 0:
break;
default:
return (-1);
}
if (num != 1) {
error("PAM: expected one response, got %u", num);
return (-1);
}
buffer_init(&buffer);
if (sshpam_authctxt->valid &&
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
}
buffer_free(&buffer);
return (1);
}
static int
pam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
char *msg;
debug2(__func__);
switch (ctxt->pam_done) {
case 1:
return (0);
case 0:
break;
default:
return (-1);
}
if (num != 1) {
error("expected one response, got %u", num);
return (-1);
}
buffer_init(&buffer);
buffer_put_cstring(&buffer, *resp);
ssh_msg_send(ctxt->pam_sock, PAM_AUTHTOK, &buffer);
buffer_free(&buffer);
return (1);
}
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
{
struct sshbuf *buffer;
struct pam_ctxt *ctxt = ctx;
char *fake;
int r;
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
sshpam_authenticated = 1;
return (0);
case 0:
break;
default:
return (-1);
}
if (num != 1) {
error("PAM: expected one response, got %u", num);
return (-1);
}
if ((buffer = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if (sshpam_authctxt->valid &&
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES)) {
if ((r = sshbuf_put_cstring(buffer, *resp)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
} else {
fake = fake_password(*resp);
if ((r = sshbuf_put_cstring(buffer, fake)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
free(fake);
}
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
sshbuf_free(buffer);
return (-1);
}
sshbuf_free(buffer);
return (1);
}
static void
send_rexec_state(int fd, Buffer *conf)
{
Buffer m;
debug3("%s: entering fd = %d config len %d", __func__, fd,
buffer_len(conf));
/*
* Protocol from reexec master to child:
* string configuration
* u_int ephemeral_key_follows
* bignum e (only if ephemeral_key_follows == 1)
* bignum n "
* bignum d "
* bignum iqmp "
* bignum p "
* bignum q "
*/
buffer_init(&m);
buffer_put_cstring(&m, buffer_ptr(conf));
if (sensitive_data.server_key != NULL &&
sensitive_data.server_key->type == KEY_RSA1) {
buffer_put_int(&m, 1);
buffer_put_bignum(&m, sensitive_data.server_key->rsa->e);
buffer_put_bignum(&m, sensitive_data.server_key->rsa->n);
buffer_put_bignum(&m, sensitive_data.server_key->rsa->d);
buffer_put_bignum(&m, sensitive_data.server_key->rsa->iqmp);
buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
} else
buffer_put_int(&m, 0);
if (ssh_msg_send(fd, 0, &m) == -1)
fatal("%s: ssh_msg_send failed", __func__);
buffer_free(&m);
debug3("%s: done", __func__);
}
int
main(int argc, char **argv)
{
Buffer b;
Options options;
#define NUM_KEYTYPES 3
Key *keys[NUM_KEYTYPES], *key = NULL;
struct passwd *pw;
int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
u_char *signature, *data;
char *host;
u_int slen, dlen;
u_int32_t rnd[256];
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
exit(1);
/* Leave /dev/null fd iff it is attached to stderr */
if (fd > 2)
close(fd);
i = 0;
key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
original_real_uid = getuid(); /* XXX readconf.c needs this */
if ((pw = getpwuid(original_real_uid)) == NULL)
fatal("getpwuid failed");
pw = pwcopy(pw);
permanently_set_uid(pw);
#ifdef DEBUG_SSH_KEYSIGN
log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
#endif
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
fatal("ssh-keysign not enabled in %s",
_PATH_HOST_CONFIG_FILE);
for (i = found = 0; i < NUM_KEYTYPES; i++) {
if (key_fd[i] != -1)
found = 1;
}
if (found == 0)
fatal("could not open any host key");
OpenSSL_add_all_algorithms();
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {
keys[i] = NULL;
if (key_fd[i] == -1)
continue;
keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
NULL, NULL);
close(key_fd[i]);
if (keys[i] != NULL)
found = 1;
}
if (!found)
fatal("no hostkey found");
buffer_init(&b);
if (ssh_msg_recv(STDIN_FILENO, &b) < 0)
fatal("ssh_msg_recv failed");
if (buffer_get_char(&b) != version)
fatal("bad version");
fd = buffer_get_int(&b);
if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO))
fatal("bad fd");
if ((host = get_local_name(fd)) == NULL)
fatal("cannot get local name for fd");
data = buffer_get_string(&b, &dlen);
if (valid_request(pw, host, &key, data, dlen) < 0)
fatal("not a valid request");
xfree(host);
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {
if (keys[i] != NULL &&
key_equal_public(key, keys[i])) {
found = 1;
break;
}
}
if (!found)
fatal("no matching hostkey found");
if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
fatal("key_sign failed");
xfree(data);
/* send reply */
buffer_clear(&b);
buffer_put_string(&b, signature, slen);
if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1)
fatal("ssh_msg_send failed");
return (0);
}
/*
* Authentication thread.
*/
static void *
sshpam_thread(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
Buffer buffer;
struct pam_conv sshpam_conv;
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
#ifndef UNSUPPORTED_POSIX_THREADS_HACK
extern char **environ;
char **env_from_pam;
u_int i;
const char *pam_user;
const char **ptr_pam_user = &pam_user;
char *tz = getenv("TZ");
sshpam_err = pam_get_item(sshpam_handle, PAM_USER,
(sshpam_const void **)ptr_pam_user);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
environ[0] = NULL;
if (tz != NULL)
if (setenv("TZ", tz, 1) == -1)
error("PAM: could not set TZ environment: %s",
strerror(errno));
if (sshpam_authctxt != NULL) {
setproctitle("%s [pam]",
sshpam_authctxt->valid ? pam_user : "******");
}
#endif
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
if (sshpam_authctxt == NULL)
fatal("%s: PAM authctxt not initialized", __func__);
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, flags);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
if (compat20) {
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_password_change_required(0);
}
}
buffer_put_cstring(&buffer, "OK");
#ifndef UNSUPPORTED_POSIX_THREADS_HACK
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
; /* Count */
buffer_put_int(&buffer, i);
for(i = 0; environ[i] != NULL; i++)
buffer_put_cstring(&buffer, environ[i]);
/* Export any environment strings set by PAM in child */
env_from_pam = pam_getenvlist(sshpam_handle);
for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
; /* Count */
buffer_put_int(&buffer, i);
for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
buffer_put_cstring(&buffer, env_from_pam[i]);
#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
/* XXX - can't do much about an error here */
ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
auth_fail:
buffer_put_cstring(&buffer,
pam_strerror(sshpam_handle, sshpam_err));
/* XXX - can't do much about an error here */
if (sshpam_err == PAM_ACCT_EXPIRED)
ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
else
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
return (NULL); /* Avoid warning for non-pthread case */
}
/*
* Conversation function for authentication thread.
*/
static int
sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
Buffer buffer;
struct pam_ctxt *ctxt;
struct pam_response *reply;
int i;
debug3("PAM: %s entering, %d messages", __func__, n);
*resp = NULL;
if (data == NULL) {
error("PAM: conversation function passed a null context");
return (PAM_CONV_ERR);
}
ctxt = data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
if ((reply = calloc(n, sizeof(*reply))) == NULL)
return (PAM_CONV_ERR);
buffer_init(&buffer);
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_PROMPT_ECHO_OFF:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
goto fail;
if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
goto fail;
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
reply[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_PROMPT_ECHO_ON:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
goto fail;
if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
goto fail;
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
reply[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_ERROR_MSG:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
goto fail;
break;
case PAM_TEXT_INFO:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
goto fail;
break;
default:
goto fail;
}
buffer_clear(&buffer);
}
buffer_free(&buffer);
*resp = reply;
return (PAM_SUCCESS);
fail:
for(i = 0; i < n; i++) {
free(reply[i].resp);
}
free(reply);
buffer_free(&buffer);
return (PAM_CONV_ERR);
}
/*
* Conversation function for authentication thread.
*/
static int
sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct sshbuf *buffer;
struct pam_ctxt *ctxt;
struct pam_response *reply;
int r, i;
u_char status;
debug3("PAM: %s entering, %d messages", __func__, n);
*resp = NULL;
if (data == NULL) {
error("PAM: conversation function passed a null context");
return (PAM_CONV_ERR);
}
ctxt = data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
if ((reply = calloc(n, sizeof(*reply))) == NULL)
return PAM_CONV_ERR;
if ((buffer = sshbuf_new()) == NULL) {
free(reply);
return PAM_CONV_ERR;
}
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_PROMPT_ECHO_OFF:
case PAM_PROMPT_ECHO_ON:
if ((r = sshbuf_put_cstring(buffer,
PAM_MSG_MEMBER(msg, i, msg))) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), buffer) == -1)
goto fail;
if (ssh_msg_recv(ctxt->pam_csock, buffer) == -1)
goto fail;
if ((r = sshbuf_get_u8(buffer, &status)) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
if (status != PAM_AUTHTOK)
goto fail;
if ((r = sshbuf_get_cstring(buffer,
&reply[i].resp, NULL)) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
if ((r = sshbuf_put_cstring(buffer,
PAM_MSG_MEMBER(msg, i, msg))) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), buffer) == -1)
goto fail;
break;
default:
goto fail;
}
sshbuf_reset(buffer);
}
sshbuf_free(buffer);
*resp = reply;
return (PAM_SUCCESS);
fail:
for(i = 0; i < n; i++) {
free(reply[i].resp);
}
free(reply);
sshbuf_free(buffer);
return (PAM_CONV_ERR);
}
int
main(int argc, char **argv)
{
struct sshbuf *b;
Options options;
#define NUM_KEYTYPES 4
struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
struct passwd *pw;
int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
u_char *signature, *data, rver;
char *host, *fp;
size_t slen, dlen;
#ifdef WITH_OPENSSL
u_int32_t rnd[256];
#endif
if (pledge("stdio rpath getpw dns id", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
exit(1);
/* Leave /dev/null fd iff it is attached to stderr */
if (fd > 2)
close(fd);
i = 0;
/* XXX This really needs to read sshd_config for the paths */
key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
original_real_uid = getuid(); /* XXX readconf.c needs this */
if ((pw = getpwuid(original_real_uid)) == NULL)
fatal("getpwuid failed");
pw = pwcopy(pw);
permanently_set_uid(pw);
seed_rng();
#ifdef DEBUG_SSH_KEYSIGN
log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
#endif
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", &options, 0);
fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
fatal("ssh-keysign not enabled in %s",
_PATH_HOST_CONFIG_FILE);
for (i = found = 0; i < NUM_KEYTYPES; i++) {
if (key_fd[i] != -1)
found = 1;
}
if (found == 0)
fatal("could not open any host key");
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
arc4random_buf(rnd, sizeof(rnd));
RAND_seed(rnd, sizeof(rnd));
#endif
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {
keys[i] = NULL;
if (key_fd[i] == -1)
continue;
r = sshkey_load_private_type_fd(key_fd[i], KEY_UNSPEC,
NULL, &key, NULL);
close(key_fd[i]);
if (r != 0)
debug("parse key %d: %s", i, ssh_err(r));
else if (key != NULL) {
keys[i] = key;
found = 1;
}
}
if (!found)
fatal("no hostkey found");
if (pledge("stdio dns", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __progname);
if (ssh_msg_recv(STDIN_FILENO, b) < 0)
fatal("ssh_msg_recv failed");
if ((r = sshbuf_get_u8(b, &rver)) != 0)
fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (rver != version)
fatal("bad version: received %d, expected %d", rver, version);
if ((r = sshbuf_get_u32(b, (u_int *)&fd)) != 0)
fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (fd < 0 || fd == STDIN_FILENO || fd == STDOUT_FILENO)
fatal("bad fd");
if ((host = get_local_name(fd)) == NULL)
fatal("cannot get local name for fd");
if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (valid_request(pw, host, &key, data, dlen) < 0)
fatal("not a valid request");
free(host);
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {
if (keys[i] != NULL &&
sshkey_equal_public(key, keys[i])) {
found = 1;
break;
}
}
if (!found) {
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s",
sshkey_type(key), fp ? fp : "");
}
if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, NULL, 0))
!= 0)
fatal("sshkey_sign failed: %s", ssh_err(r));
free(data);
/* send reply */
sshbuf_reset(b);
if ((r = sshbuf_put_string(b, signature, slen)) != 0)
fatal("%s: buffer error: %s", __progname, ssh_err(r));
if (ssh_msg_send(STDOUT_FILENO, version, b) == -1)
fatal("ssh_msg_send failed");
return (0);
}