summaryrefslogtreecommitdiffhomepage
path: root/svr-authpubkey.c
diff options
context:
space:
mode:
authorMatt Johnston <matt@ucc.asn.au>2006-03-08 13:23:58 +0000
committerMatt Johnston <matt@ucc.asn.au>2006-03-08 13:23:58 +0000
commit6ae3a09ef33b62811a7f60a1f97dcb89907c1ac1 (patch)
tree37e84722c5b30bbfc86947bee260473d4604b616 /svr-authpubkey.c
parent33defd1f9b6c4889fe5b075e6abb0b24c00f3a59 (diff)
parent8608a8e64c1aeda096867f43f89e29e1aee207ae (diff)
propagate from branch 'au.asn.ucc.matt.ltc.dropbear' (head 20dccfc09627970a312d77fb41dc2970b62689c3)
to branch 'au.asn.ucc.matt.dropbear' (head fdf4a7a3b97ae5046139915de7e40399cceb2c01) --HG-- extra : convert_revision : dc4809882e1b9f2dcd3f8bbe38c74a0a52c39ce4
Diffstat (limited to 'svr-authpubkey.c')
-rw-r--r--svr-authpubkey.c347
1 files changed, 347 insertions, 0 deletions
diff --git a/svr-authpubkey.c b/svr-authpubkey.c
new file mode 100644
index 0000000..3942bd5
--- /dev/null
+++ b/svr-authpubkey.c
@@ -0,0 +1,347 @@
+/*
+ * Dropbear - a SSH2 server
+ *
+ * Copyright (c) 2002,2003 Matt Johnston
+ * All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE. */
+
+/* Process a pubkey auth request */
+
+#include "includes.h"
+#include "session.h"
+#include "dbutil.h"
+#include "buffer.h"
+#include "signkey.h"
+#include "auth.h"
+#include "ssh.h"
+#include "packet.h"
+#include "algo.h"
+
+#ifdef ENABLE_SVR_PUBKEY_AUTH
+
+#define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
+#define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
+
+static int checkpubkey(unsigned char* algo, unsigned int algolen,
+ unsigned char* keyblob, unsigned int keybloblen);
+static int checkpubkeyperms();
+static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen,
+ unsigned char* keyblob, unsigned int keybloblen);
+static int checkfileperm(char * filename);
+
+/* process a pubkey auth request, sending success or failure message as
+ * appropriate */
+void svr_auth_pubkey() {
+
+ unsigned char testkey; /* whether we're just checking if a key is usable */
+ unsigned char* algo = NULL; /* pubkey algo */
+ unsigned int algolen;
+ unsigned char* keyblob = NULL;
+ unsigned int keybloblen;
+ buffer * signbuf = NULL;
+ sign_key * key = NULL;
+ char* fp = NULL;
+ int type = -1;
+
+ TRACE(("enter pubkeyauth"))
+
+ /* 0 indicates user just wants to check if key can be used, 1 is an
+ * actual attempt*/
+ testkey = (buf_getbool(ses.payload) == 0);
+
+ algo = buf_getstring(ses.payload, &algolen);
+ keybloblen = buf_getint(ses.payload);
+ keyblob = buf_getptr(ses.payload, keybloblen);
+
+ /* check if the key is valid */
+ if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
+ send_msg_userauth_failure(0, 0);
+ goto out;
+ }
+
+ /* let them know that the key is ok to use */
+ if (testkey) {
+ send_msg_userauth_pk_ok(algo, algolen, keyblob, keybloblen);
+ goto out;
+ }
+
+ /* now we can actually verify the signature */
+
+ /* get the key */
+ key = new_sign_key();
+ type = DROPBEAR_SIGNKEY_ANY;
+ if (buf_get_pub_key(ses.payload, key, &type) == DROPBEAR_FAILURE) {
+ send_msg_userauth_failure(0, 1);
+ goto out;
+ }
+
+ /* create the data which has been signed - this a string containing
+ * session_id, concatenated with the payload packet up to the signature */
+ signbuf = buf_new(ses.payload->pos + 4 + SHA1_HASH_SIZE);
+ buf_putstring(signbuf, ses.session_id, SHA1_HASH_SIZE);
+ buf_putbytes(signbuf, ses.payload->data, ses.payload->pos);
+ buf_setpos(signbuf, 0);
+
+ /* ... and finally verify the signature */
+ fp = sign_key_fingerprint(keyblob, keybloblen);
+ if (buf_verify(ses.payload, key, buf_getptr(signbuf, signbuf->len),
+ signbuf->len) == DROPBEAR_SUCCESS) {
+ dropbear_log(LOG_NOTICE,
+ "pubkey auth succeeded for '%s' with key %s from %s",
+ ses.authstate.printableuser, fp, svr_ses.addrstring);
+ send_msg_userauth_success();
+ } else {
+ dropbear_log(LOG_WARNING,
+ "pubkey auth bad signature for '%s' with key %s from %s",
+ ses.authstate.printableuser, fp, svr_ses.addrstring);
+ send_msg_userauth_failure(0, 1);
+ }
+ m_free(fp);
+
+out:
+ /* cleanup stuff */
+ if (signbuf) {
+ buf_free(signbuf);
+ }
+ if (algo) {
+ m_free(algo);
+ }
+ if (key) {
+ sign_key_free(key);
+ key = NULL;
+ }
+ TRACE(("leave pubkeyauth"))
+}
+
+/* Reply that the key is valid for auth, this is sent when the user sends
+ * a straight copy of their pubkey to test, to avoid having to perform
+ * expensive signing operations with a worthless key */
+static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen,
+ unsigned char* keyblob, unsigned int keybloblen) {
+
+ TRACE(("enter send_msg_userauth_pk_ok"))
+ CHECKCLEARTOWRITE();
+
+ buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK);
+ buf_putstring(ses.writepayload, algo, algolen);
+ buf_putstring(ses.writepayload, keyblob, keybloblen);
+
+ encrypt_packet();
+ TRACE(("leave send_msg_userauth_pk_ok"))
+
+}
+
+/* Checks whether a specified publickey (and associated algorithm) is an
+ * acceptable key for authentication */
+/* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
+static int checkpubkey(unsigned char* algo, unsigned int algolen,
+ unsigned char* keyblob, unsigned int keybloblen) {
+
+ FILE * authfile = NULL;
+ char * filename = NULL;
+ int ret = DROPBEAR_FAILURE;
+ buffer * line = NULL;
+ unsigned int len, pos;
+
+ TRACE(("enter checkpubkey"))
+
+ /* check that we can use the algo */
+ if (have_algo(algo, algolen, sshhostkey) == DROPBEAR_FAILURE) {
+ dropbear_log(LOG_WARNING,
+ "pubkey auth attempt with unknown algo for '%s' from %s",
+ ses.authstate.printableuser, svr_ses.addrstring);
+ goto out;
+ }
+
+ /* check file permissions, also whether file exists */
+ if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+ TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+ goto out;
+ }
+
+ /* we don't need to check pw and pw_dir for validity, since
+ * its been done in checkpubkeyperms. */
+ len = strlen(ses.authstate.pw->pw_dir);
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ filename = m_malloc(len + 22);
+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+ ses.authstate.pw->pw_dir);
+
+ /* open the file */
+ authfile = fopen(filename, "r");
+ if (authfile == NULL) {
+ goto out;
+ }
+ TRACE(("checkpubkey: opened authorized_keys OK"))
+
+ line = buf_new(MAX_AUTHKEYS_LINE);
+
+ /* iterate through the lines */
+ do {
+
+ if (buf_getline(line, authfile) == DROPBEAR_FAILURE) {
+ /* EOF reached */
+ TRACE(("checkpubkey: authorized_keys EOF reached"))
+ break;
+ }
+
+ if (line->len < MIN_AUTHKEYS_LINE) {
+ TRACE(("checkpubkey: line too short"))
+ continue; /* line is too short for it to be a valid key */
+ }
+
+ /* check the key type - this also stops us from using keys
+ * which have options with them */
+ if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
+ continue;
+ }
+ buf_incrpos(line, algolen);
+
+ /* check for space (' ') character */
+ if (buf_getbyte(line) != ' ') {
+ TRACE(("checkpubkey: space character expected, isn't there"))
+ continue;
+ }
+
+ /* truncate the line at the space after the base64 data */
+ pos = line->pos;
+ for (len = 0; line->pos < line->len; len++) {
+ if (buf_getbyte(line) == ' ') break;
+ }
+ buf_setpos(line, pos);
+ buf_setlen(line, line->pos + len);
+
+ TRACE(("checkpubkey: line pos = %d len = %d", line->pos, line->len))
+
+ ret = cmp_base64_key(keyblob, keybloblen, algo, algolen, line);
+ if (ret == DROPBEAR_SUCCESS) {
+ break;
+ }
+
+ /* We continue to the next line otherwise */
+
+ } while (1);
+
+out:
+ if (authfile) {
+ fclose(authfile);
+ }
+ if (line) {
+ buf_free(line);
+ }
+ m_free(filename);
+ TRACE(("leave checkpubkey: ret=%d", ret))
+ return ret;
+}
+
+
+/* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
+ * DROPBEAR_FAILURE otherwise.
+ * Checks that the user's homedir, ~/.ssh, and
+ * ~/.ssh/authorized_keys are all owned by either root or the user, and are
+ * g-w, o-w */
+static int checkpubkeyperms() {
+
+ char* filename = NULL;
+ int ret = DROPBEAR_FAILURE;
+ unsigned int len;
+
+ TRACE(("enter checkpubkeyperms"))
+
+ if (ses.authstate.pw->pw_dir == NULL) {
+ goto out;
+ }
+
+ if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) {
+ goto out;
+ }
+
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ filename = m_malloc(len + 22);
+ strncpy(filename, ses.authstate.pw->pw_dir, len+1);
+
+ /* check ~ */
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+ /* check ~/.ssh */
+ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+ /* now check ~/.ssh/authorized_keys */
+ strncat(filename, "/authorized_keys", 16);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+ /* file looks ok, return success */
+ ret = DROPBEAR_SUCCESS;
+
+out:
+ m_free(filename);
+
+ TRACE(("leave checkpubkeyperms"))
+ return ret;
+}
+
+/* Checks that a file is owned by the user or root, and isn't writable by
+ * group or other */
+/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
+static int checkfileperm(char * filename) {
+ struct stat filestat;
+ int badperm = 0;
+
+ TRACE(("enter checkfileperm(%s)", filename))
+
+ if (stat(filename, &filestat) != 0) {
+ TRACE(("leave checkfileperm: stat() != 0"))
+ return DROPBEAR_FAILURE;
+ }
+ /* check ownership - user or root only*/
+ if (filestat.st_uid != ses.authstate.pw->pw_uid
+ && filestat.st_uid != 0) {
+ badperm = 1;
+ TRACE(("wrong ownership"))
+ }
+ /* check permissions - don't want group or others +w */
+ if (filestat.st_mode & (S_IWGRP | S_IWOTH)) {
+ badperm = 1;
+ TRACE(("wrong perms"))
+ }
+ if (badperm) {
+ if (!ses.authstate.perm_warn) {
+ ses.authstate.perm_warn = 1;
+ dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
+ }
+ TRACE(("leave checkfileperm: failure perms/owner"))
+ return DROPBEAR_FAILURE;
+ }
+
+ TRACE(("leave checkfileperm: success"))
+ return DROPBEAR_SUCCESS;
+}
+
+
+#endif