/**
* Exception wrapper around libssh2_agent_userauth.
*/
inline void userauth(
LIBSSH2_AGENT* agent, LIBSSH2_SESSION* session,
const char* user_name, libssh2_agent_publickey* identity)
{
boost::system::error_code ec;
std::string message;
userauth(agent, session, user_name, identity, ec, message);
if (ec)
{
SSH_DETAIL_THROW_API_ERROR_CODE(ec, message, "libssh2_agent_userauth");
}
}
/* Authenticate the user in a the Container
* @param id Container id
* @param user User name
* @param password User password
* @param gid if >= 0 user checked to be a member of group gid.
* @param type 0 - system, 1 - pleskadmin
* @return
*/
int vzctl2_env_auth(struct vzctl_env_handle *h, const char *user, const char *passwd,
int gid, int type)
{
int is_mounted = 0;
int pid, ret;
struct vzctl_env_param *env;
if (user == NULL || passwd == NULL)
return vzctl_err(VZCTL_E_INVAL, 0, "Invalid argument");
env = vzctl2_get_env_param(h);
if (check_var(env->fs->ve_root, "VE_ROOT is not set"))
return VZCTL_E_VE_ROOT_NOTSET;
is_mounted = vzctl2_env_is_mounted(h);
if (!is_mounted) {
ret = vzctl2_env_mount(h, 0);
if (ret)
return ret;
}
if (!(pid = fork())) {
int rootfd = -1;
if (type == 0) {
rootfd = open("/", O_RDONLY);
if (rootfd == -1)
_exit(vzctl_err(VZCTL_E_SYSTEM, errno,
"failed to open '/' "));
}
if ((ret = vzctl_chroot(env->fs->ve_root)) == 0) {
if (type == 0)
ret = userauth(user, passwd, gid, rootfd);
else
ret = pleskauth(user, passwd);
}
if (rootfd != -1)
close(rootfd);
_exit(ret);
}
ret = env_wait(pid, 0, NULL);
if (!is_mounted)
vzctl2_env_umount(h, 0);
return ret;
}
void
input_userauth_failure(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
char *authlist = NULL;
int partial;
if (authctxt == NULL)
fatal("input_userauth_failure: no authentication context");
authlist = packet_get_string(NULL);
partial = packet_get_char();
packet_check_eom();
if (partial != 0)
log("Authenticated with partial success.");
debug("Authentications that can continue: %s", authlist);
clear_auth_state(authctxt);
userauth(authctxt, authlist);
}
int
userauth_gssapi_keyex(Authctxt *authctxt)
{
Gssctxt *gssctxt;
gss_buffer_desc send_tok;
OM_uint32 status;
static int attempt = 0;
if (authctxt == NULL || authctxt->method == NULL)
fatal("input_gssapi_response: no authentication context");
if (xxx_gssctxt == NULL || xxx_gssctxt->context == GSS_C_NO_CONTEXT)
return 0;
if (strcmp(authctxt->method->name, "gssapi-keyex") == 0)
authctxt->methoddata = gssctxt = xxx_gssctxt;
if (attempt++ >= 1)
return 0;
if (strcmp(authctxt->method->name, "gssapi-keyex") == 0) {
gss_buffer_desc g_mic_data;
Buffer mic_data;
debug2("Authenticating with GSS-API context from key exchange (w/ MIC)");
/* Make data buffer to MIC */
buffer_init(&mic_data);
buffer_put_string(&mic_data, session_id2, session_id2_len);
buffer_put_char(&mic_data, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&mic_data, authctxt->server_user);
buffer_put_cstring(&mic_data, authctxt->service);
buffer_put_cstring(&mic_data, authctxt->method->name);
/* Make MIC */
g_mic_data.value = buffer_ptr(&mic_data);
g_mic_data.length = buffer_len(&mic_data);
status = ssh_gssapi_get_mic(gssctxt, &g_mic_data, &send_tok);
buffer_clear(&mic_data);
if (GSS_ERROR(status) || send_tok.length == 0) {
/*
* Oops, now what? There's no error token...
* Next userauth
*/
debug("GSS_GetMIC() failed! - "
"Abandoning GSSAPI userauth");
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return 0;
}
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_string(send_tok.value,send_tok.length); /* MIC */
packet_send();
packet_write_wait();
(void) gss_release_buffer(&status, &send_tok);
} else if (strcmp(authctxt->method->name, "external-keyx") == 0) {
debug2("Authentication with deprecated \"external-keyx\""
" method not supported");
return 0;
}
return 1;
}
void
input_gssapi_token(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
gss_buffer_desc send_tok, recv_tok, g_mic_data;
Buffer mic_data;
OM_uint32 status;
u_int slen;
if (authctxt == NULL || authctxt->method == NULL)
fatal("input_gssapi_response: no authentication context");
gssctxt = authctxt->methoddata;
recv_tok.value=packet_get_string(&slen);
recv_tok.length=slen; /* safe typecast */
status=ssh_gssapi_init_ctx(gssctxt, authctxt->host,
options.gss_deleg_creds,
&recv_tok, &send_tok);
packet_check_eom();
if (GSS_ERROR(status)) {
if (send_tok.length>0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
packet_put_string(send_tok.value,send_tok.length);
packet_send();
packet_write_wait();
}
/* Start again with the next method in the list */
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return;
}
if (send_tok.length>0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
packet_put_string(send_tok.value,send_tok.length);
packet_send();
packet_write_wait();
}
if (status != GSS_S_COMPLETE)
return;
/* Make data buffer to MIC */
buffer_init(&mic_data);
buffer_put_string(&mic_data, session_id2, session_id2_len);
buffer_put_char(&mic_data, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&mic_data, authctxt->server_user);
buffer_put_cstring(&mic_data, authctxt->service);
buffer_put_cstring(&mic_data, authctxt->method->name);
/* Make MIC */
g_mic_data.value = buffer_ptr(&mic_data);
g_mic_data.length = buffer_len(&mic_data);
status = ssh_gssapi_get_mic(gssctxt, &g_mic_data, &send_tok);
buffer_clear(&mic_data);
if (GSS_ERROR(status) || send_tok.length == 0) {
/*
* Oops, now what? There's no error token...
* Next userauth
*/
debug("GSS_GetMIC() failed! - "
"Abandoning GSSAPI userauth");
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return;
}
packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
packet_put_string(send_tok.value,send_tok.length);
packet_send();
packet_write_wait();
}
void
input_gssapi_response(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
OM_uint32 status,ms;
u_int oidlen;
char *oidv;
gss_buffer_desc send_tok;
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
gssctxt = authctxt->methoddata;
/* Setup our OID */
oidv=packet_get_string(&oidlen);
if (datafellows & SSH_BUG_GSSAPI_BER) {
if (!ssh_gssapi_check_mech_oid(gssctxt,oidv,oidlen)) {
gss_OID oid;
oid = ssh_gssapi_make_oid(oidlen, oidv);
debug("Server returned different OID (%s) than expected (%s)",
ssh_gssapi_oid_to_str(oid),
ssh_gssapi_oid_to_str(gssctxt->desired_mech));
ssh_gssapi_release_oid(&oid);
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return;
}
} else {
if(oidv[0]!=0x06 || oidv[1]!=oidlen-2) {
debug("Badly encoded mechanism OID received");
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return;
}
if (!ssh_gssapi_check_mech_oid(gssctxt,oidv+2,oidlen-2)) {
gss_OID oid;
oid = ssh_gssapi_make_oid(oidlen-2, oidv+2);
debug("Server returned different OID (%s) than expected (%s)",
ssh_gssapi_oid_to_str(oid),
ssh_gssapi_oid_to_str(gssctxt->desired_mech));
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return;
}
}
packet_check_eom();
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,&input_gssapi_token);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR,&input_gssapi_error);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK,&input_gssapi_errtok);
status = ssh_gssapi_init_ctx(gssctxt, authctxt->host,
options.gss_deleg_creds,
GSS_C_NO_BUFFER, &send_tok);
if (GSS_ERROR(status)) {
if (send_tok.length>0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
packet_put_string(send_tok.value,send_tok.length);
packet_send();
packet_write_wait();
}
/* Start again with next method on list */
debug("Trying to start again");
clear_auth_state(authctxt);
userauth(authctxt,NULL);
return;
}
/* We must have data to send */
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
packet_put_string(send_tok.value,send_tok.length);
packet_send();
packet_write_wait();
gss_release_buffer(&ms, &send_tok);
}
void
input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
Key *key = NULL;
Buffer b;
int pktype, sent = 0;
u_int alen, blen;
char *pkalg, *fp;
u_char *pkblob;
if (authctxt == NULL)
fatal("input_userauth_pk_ok: no authentication context");
if (datafellows & SSH_BUG_PKOK) {
/* this is similar to SSH_BUG_PKAUTH */
debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
pkblob = packet_get_string(&blen);
buffer_init(&b);
buffer_append(&b, pkblob, blen);
pkalg = buffer_get_string(&b, &alen);
buffer_free(&b);
} else {
pkalg = packet_get_string(&alen);
pkblob = packet_get_string(&blen);
}
packet_check_eom();
debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d",
pkalg, blen, authctxt->last_key, authctxt->last_key_hint);
do {
if (authctxt->last_key == NULL ||
authctxt->last_key_sign == NULL) {
debug("no last key or no sign cb");
break;
}
if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
debug("unknown pkalg %s", pkalg);
break;
}
if ((key = key_from_blob(pkblob, blen)) == NULL) {
debug("no key from blob. pkalg %s", pkalg);
break;
}
if (key->type != pktype) {
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
key->type, pktype);
break;
}
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
debug2("input_userauth_pk_ok: fp %s", fp);
xfree(fp);
if (!key_equal(key, authctxt->last_key)) {
debug("key != last_key");
break;
}
sent = sign_and_send_pubkey(authctxt, key,
authctxt->last_key_sign);
} while (0);
if (key != NULL)
key_free(key);
xfree(pkalg);
xfree(pkblob);
/* unregister */
clear_auth_state(authctxt);
dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL);
/* try another method if we did not send a packet */
if (sent == 0)
userauth(authctxt, NULL);
}
