1 /* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 #include <sys/types.h>
47 extern ServerOptions options
;
49 static int auth2_challenge_start(Authctxt
*);
50 static int send_userauth_info_request(Authctxt
*);
51 static void input_userauth_info_response(int, u_int32_t
, void *);
54 extern KbdintDevice bsdauth_device
;
57 extern KbdintDevice sshpam_device
;
60 extern KbdintDevice skey_device
;
64 KbdintDevice
*devices
[] = {
78 typedef struct KbdintAuthctxt KbdintAuthctxt
;
89 remove_kbdint_device(const char *devname
)
93 for (i
= 0; devices
[i
] != NULL
; i
++)
94 if (strcmp(devices
[i
]->name
, devname
) == 0) {
95 for (j
= i
; devices
[j
] != NULL
; j
++)
96 devices
[j
] = devices
[j
+1];
102 static KbdintAuthctxt
*
103 kbdint_alloc(const char *devs
)
105 KbdintAuthctxt
*kbdintctxt
;
110 if (!options
.use_pam
)
111 remove_kbdint_device("pam");
114 kbdintctxt
= xmalloc(sizeof(KbdintAuthctxt
));
115 if (strcmp(devs
, "") == 0) {
117 for (i
= 0; devices
[i
]; i
++) {
118 if (buffer_len(&b
) > 0)
119 buffer_append(&b
, ",", 1);
120 buffer_append(&b
, devices
[i
]->name
,
121 strlen(devices
[i
]->name
));
123 buffer_append(&b
, "\0", 1);
124 kbdintctxt
->devices
= xstrdup(buffer_ptr(&b
));
127 kbdintctxt
->devices
= xstrdup(devs
);
129 debug("kbdint_alloc: devices '%s'", kbdintctxt
->devices
);
130 kbdintctxt
->ctxt
= NULL
;
131 kbdintctxt
->device
= NULL
;
132 kbdintctxt
->nreq
= 0;
137 kbdint_reset_device(KbdintAuthctxt
*kbdintctxt
)
139 if (kbdintctxt
->ctxt
) {
140 kbdintctxt
->device
->free_ctx(kbdintctxt
->ctxt
);
141 kbdintctxt
->ctxt
= NULL
;
143 kbdintctxt
->device
= NULL
;
146 kbdint_free(KbdintAuthctxt
*kbdintctxt
)
148 if (kbdintctxt
->device
)
149 kbdint_reset_device(kbdintctxt
);
150 if (kbdintctxt
->devices
) {
151 xfree(kbdintctxt
->devices
);
152 kbdintctxt
->devices
= NULL
;
156 /* get next device */
158 kbdint_next_device(KbdintAuthctxt
*kbdintctxt
)
164 if (kbdintctxt
->device
)
165 kbdint_reset_device(kbdintctxt
);
167 len
= kbdintctxt
->devices
?
168 strcspn(kbdintctxt
->devices
, ",") : 0;
172 for (i
= 0; devices
[i
]; i
++)
173 if (strncmp(kbdintctxt
->devices
, devices
[i
]->name
, len
) == 0)
174 kbdintctxt
->device
= devices
[i
];
175 t
= kbdintctxt
->devices
;
176 kbdintctxt
->devices
= t
[len
] ? xstrdup(t
+len
+1) : NULL
;
178 debug2("kbdint_next_device: devices %s", kbdintctxt
->devices
?
179 kbdintctxt
->devices
: "<empty>");
180 } while (kbdintctxt
->devices
&& !kbdintctxt
->device
);
182 return kbdintctxt
->device
? 1 : 0;
186 * try challenge-response, set authctxt->postponed if we have to
187 * wait for the response.
190 auth2_challenge(Authctxt
*authctxt
, char *devs
)
192 debug("auth2_challenge: user=%s devs=%s",
193 authctxt
->user
? authctxt
->user
: "<nouser>",
194 devs
? devs
: "<no devs>");
196 if (authctxt
->user
== NULL
|| !devs
)
198 if (authctxt
->kbdintctxt
== NULL
)
199 authctxt
->kbdintctxt
= kbdint_alloc(devs
);
200 return auth2_challenge_start(authctxt
);
203 /* unregister kbd-int callbacks and context */
205 auth2_challenge_stop(Authctxt
*authctxt
)
207 /* unregister callback */
208 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE
, NULL
);
209 if (authctxt
->kbdintctxt
!= NULL
) {
210 kbdint_free(authctxt
->kbdintctxt
);
211 authctxt
->kbdintctxt
= NULL
;
215 /* side effect: sets authctxt->postponed if a reply was sent*/
217 auth2_challenge_start(Authctxt
*authctxt
)
219 KbdintAuthctxt
*kbdintctxt
= authctxt
->kbdintctxt
;
221 debug2("auth2_challenge_start: devices %s",
222 kbdintctxt
->devices
? kbdintctxt
->devices
: "<empty>");
224 if (kbdint_next_device(kbdintctxt
) == 0) {
225 auth2_challenge_stop(authctxt
);
228 debug("auth2_challenge_start: trying authentication method '%s'",
229 kbdintctxt
->device
->name
);
231 if ((kbdintctxt
->ctxt
= kbdintctxt
->device
->init_ctx(authctxt
)) == NULL
) {
232 auth2_challenge_stop(authctxt
);
235 if (send_userauth_info_request(authctxt
) == 0) {
236 auth2_challenge_stop(authctxt
);
239 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE
,
240 &input_userauth_info_response
);
242 authctxt
->postponed
= 1;
247 send_userauth_info_request(Authctxt
*authctxt
)
249 KbdintAuthctxt
*kbdintctxt
;
250 char *name
, *instr
, **prompts
;
253 kbdintctxt
= authctxt
->kbdintctxt
;
254 if (kbdintctxt
->device
->query(kbdintctxt
->ctxt
,
255 &name
, &instr
, &kbdintctxt
->nreq
, &prompts
, &echo_on
))
258 packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST
);
259 packet_put_cstring(name
);
260 packet_put_cstring(instr
);
261 packet_put_cstring(""); /* language not used */
262 packet_put_int(kbdintctxt
->nreq
);
263 for (i
= 0; i
< kbdintctxt
->nreq
; i
++) {
264 packet_put_cstring(prompts
[i
]);
265 packet_put_char(echo_on
[i
]);
270 for (i
= 0; i
< kbdintctxt
->nreq
; i
++)
280 input_userauth_info_response(int type
, u_int32_t seq
, void *ctxt
)
282 Authctxt
*authctxt
= ctxt
;
283 KbdintAuthctxt
*kbdintctxt
;
284 int authenticated
= 0, res
;
286 char **response
= NULL
, *method
;
288 if (authctxt
== NULL
)
289 fatal("input_userauth_info_response: no authctxt");
290 kbdintctxt
= authctxt
->kbdintctxt
;
291 if (kbdintctxt
== NULL
|| kbdintctxt
->ctxt
== NULL
)
292 fatal("input_userauth_info_response: no kbdintctxt");
293 if (kbdintctxt
->device
== NULL
)
294 fatal("input_userauth_info_response: no device");
296 authctxt
->postponed
= 0; /* reset */
297 nresp
= packet_get_int();
298 if (nresp
!= kbdintctxt
->nreq
)
299 fatal("input_userauth_info_response: wrong number of replies");
301 fatal("input_userauth_info_response: too many replies");
303 response
= xcalloc(nresp
, sizeof(char *));
304 for (i
= 0; i
< nresp
; i
++)
305 response
[i
] = packet_get_string(NULL
);
309 res
= kbdintctxt
->device
->respond(kbdintctxt
->ctxt
, nresp
, response
);
311 for (i
= 0; i
< nresp
; i
++) {
312 memset(response
[i
], 'r', strlen(response
[i
]));
321 authenticated
= authctxt
->valid
? 1 : 0;
324 /* Authentication needs further interaction */
325 if (send_userauth_info_request(authctxt
) == 1)
326 authctxt
->postponed
= 1;
333 xasprintf(&method
, "keyboard-interactive/%s", kbdintctxt
->device
->name
);
335 if (!authctxt
->postponed
) {
337 auth2_challenge_stop(authctxt
);
339 /* start next device */
340 /* may set authctxt->postponed */
341 auth2_challenge_start(authctxt
);
344 userauth_finish(authctxt
, authenticated
, method
);
349 privsep_challenge_enable(void)
351 #if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
355 extern KbdintDevice mm_bsdauth_device
;
358 extern KbdintDevice mm_sshpam_device
;
361 extern KbdintDevice mm_skey_device
;
365 devices
[n
++] = &mm_bsdauth_device
;
368 devices
[n
++] = &mm_sshpam_device
;
371 devices
[n
++] = &mm_skey_device
;