Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssh/auth2-hostbased.c
34677 views
1
/* $OpenBSD: auth2-hostbased.c,v 1.53 2024/05/17 00:30:23 djm Exp $ */

2
/*

3
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.

4
 *

5
 * Redistribution and use in source and binary forms, with or without

6
 * modification, are permitted provided that the following conditions

7
 * are met:

8
 * 1. Redistributions of source code must retain the above copyright

9
 *    notice, this list of conditions and the following disclaimer.

10
 * 2. Redistributions in binary form must reproduce the above copyright

11
 *    notice, this list of conditions and the following disclaimer in the

12
 *    documentation and/or other materials provided with the distribution.

13
 *

14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

15
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

16
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

17
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

18
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

19
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

20
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

21
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

22
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

23
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

24
 */

25


26
#include "includes.h"

27


28
#include <sys/types.h>

29


30
#include <stdlib.h>

31
#include <pwd.h>

32
#include <string.h>

33
#include <stdarg.h>

34


35
#include "xmalloc.h"

36
#include "ssh2.h"

37
#include "packet.h"

38
#include "kex.h"

39
#include "sshbuf.h"

40
#include "log.h"

41
#include "misc.h"

42
#include "servconf.h"

43
#include "sshkey.h"

44
#include "hostfile.h"

45
#include "auth.h"

46
#include "canohost.h"

47
#ifdef GSSAPI

48
#include "ssh-gss.h"

49
#endif

50
#include "monitor_wrap.h"

51
#include "pathnames.h"

52
#include "ssherr.h"

53
#include "match.h"

54


55
/* import */

56
extern ServerOptions options;

57
extern struct authmethod_cfg methodcfg_hostbased;

58


59
static int

60
userauth_hostbased(struct ssh *ssh, const char *method)

61
{

62
	Authctxt *authctxt = ssh->authctxt;

63
	struct sshbuf *b;

64
	struct sshkey *key = NULL;

65
	char *pkalg, *cuser, *chost;

66
	u_char *pkblob, *sig;

67
	size_t alen, blen, slen;

68
	int r, pktype, authenticated = 0;

69


70
	/* XXX use sshkey_froms() */

71
	if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||

72
	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||

73
	    (r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 ||

74
	    (r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 ||

75
	    (r = sshpkt_get_string(ssh, &sig, &slen)) != 0)

76
		fatal_fr(r, "parse packet");

77


78
	debug_f("cuser %s chost %s pkalg %s slen %zu",

79
	    cuser, chost, pkalg, slen);

80
#ifdef DEBUG_PK

81
	debug("signature:");

82
	sshbuf_dump_data(sig, slen, stderr);

83
#endif

84
	pktype = sshkey_type_from_name(pkalg);

85
	if (pktype == KEY_UNSPEC) {

86
		/* this is perfectly legal */

87
		logit_f("unsupported public key algorithm: %s",

88
		    pkalg);

89
		goto done;

90
	}

91
	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {

92
		error_fr(r, "key_from_blob");

93
		goto done;

94
	}

95
	if (key == NULL) {

96
		error_f("cannot decode key: %s", pkalg);

97
		goto done;

98
	}

99
	if (key->type != pktype) {

100
		error_f("type mismatch for decoded key "

101
		    "(received %d, expected %d)", key->type, pktype);

102
		goto done;

103
	}

104
	if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {

105
		logit_f("signature algorithm %s not in "

106
		    "HostbasedAcceptedAlgorithms", pkalg);

107
		goto done;

108
	}

109
	if ((r = sshkey_check_cert_sigtype(key,

110
	    options.ca_sign_algorithms)) != 0) {

111
		logit_fr(r, "certificate signature algorithm %s",

112
		    (key->cert == NULL || key->cert->signature_type == NULL) ?

113
		    "(null)" : key->cert->signature_type);

114
		goto done;

115
	}

116
	if ((r = sshkey_check_rsa_length(key,

117
	    options.required_rsa_size)) != 0) {

118
		logit_r(r, "refusing %s key", sshkey_type(key));

119
		goto done;

120
	}

121


122
	if (!authctxt->valid || authctxt->user == NULL) {

123
		debug2_f("disabled because of invalid user");

124
		goto done;

125
	}

126


127
	if ((b = sshbuf_new()) == NULL)

128
		fatal_f("sshbuf_new failed");

129
	/* reconstruct packet */

130
	if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||

131
	    (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||

132
	    (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||

133
	    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||

134
	    (r = sshbuf_put_cstring(b, method)) != 0 ||

135
	    (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||

136
	    (r = sshbuf_put_string(b, pkblob, blen)) != 0 ||

137
	    (r = sshbuf_put_cstring(b, chost)) != 0 ||

138
	    (r = sshbuf_put_cstring(b, cuser)) != 0)

139
		fatal_fr(r, "reconstruct packet");

140
#ifdef DEBUG_PK

141
	sshbuf_dump(b, stderr);

142
#endif

143


144
	auth2_record_info(authctxt,

145
	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);

146


147
	/* test for allowed key and correct signature */

148
	authenticated = 0;

149
	if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,

150
	    chost, key) &&

151
	    mm_sshkey_verify(key, sig, slen,

152
	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)

153
		authenticated = 1;

154


155
	auth2_record_key(authctxt, authenticated, key);

156
	sshbuf_free(b);

157
done:

158
	debug2_f("authenticated %d", authenticated);

159
	sshkey_free(key);

160
	free(pkalg);

161
	free(pkblob);

162
	free(cuser);

163
	free(chost);

164
	free(sig);

165
	return authenticated;

166
}

167


168
/* return 1 if given hostkey is allowed */

169
int

170
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,

171
    const char *cuser, char *chost, struct sshkey *key)

172
{

173
	const char *resolvedname, *ipaddr, *lookup, *reason;

174
	HostStatus host_status;

175
	int len;

176
	char *fp;

177


178
	if (auth_key_is_revoked(key))

179
		return 0;

180


181
	resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);

182
	ipaddr = ssh_remote_ipaddr(ssh);

183


184
	debug2_f("chost %s resolvedname %s ipaddr %s",

185
	    chost, resolvedname, ipaddr);

186


187
	if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {

188
		debug2("stripping trailing dot from chost %s", chost);

189
		chost[len - 1] = '\0';

190
	}

191


192
	if (options.hostbased_uses_name_from_packet_only) {

193
		if (auth_rhosts2(pw, cuser, chost, chost) == 0) {

194
			debug2_f("auth_rhosts2 refused user \"%.100s\" "

195
			    "host \"%.100s\" (from packet)", cuser, chost);

196
			return 0;

197
		}

198
		lookup = chost;

199
	} else {

200
		if (strcasecmp(resolvedname, chost) != 0)

201
			logit("userauth_hostbased mismatch: "

202
			    "client sends %s, but we resolve %s to %s",

203
			    chost, ipaddr, resolvedname);

204
		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {

205
			debug2_f("auth_rhosts2 refused "

206
			    "user \"%.100s\" host \"%.100s\" addr \"%.100s\"",

207
			    cuser, resolvedname, ipaddr);

208
			return 0;

209
		}

210
		lookup = resolvedname;

211
	}

212
	debug2_f("access allowed by auth_rhosts2");

213


214
	if (sshkey_is_cert(key) &&

215
	    sshkey_cert_check_authority_now(key, 1, 0, 0, lookup, &reason)) {

216
		error("%s", reason);

217
		auth_debug_add("%s", reason);

218
		return 0;

219
	}

220


221
	host_status = check_key_in_hostfiles(pw, key, lookup,

222
	    _PATH_SSH_SYSTEM_HOSTFILE,

223
	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);

224


225
	/* backward compat if no key has been found. */

226
	if (host_status == HOST_NEW) {

227
		host_status = check_key_in_hostfiles(pw, key, lookup,

228
		    _PATH_SSH_SYSTEM_HOSTFILE2,

229
		    options.ignore_user_known_hosts ? NULL :

230
		    _PATH_SSH_USER_HOSTFILE2);

231
	}

232


233
	if (host_status == HOST_OK) {

234
		if (sshkey_is_cert(key)) {

235
			if ((fp = sshkey_fingerprint(key->cert->signature_key,

236
			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

237
				fatal_f("sshkey_fingerprint fail");

238
			verbose("Accepted certificate ID \"%s\" signed by "

239
			    "%s CA %s from %s@%s", key->cert->key_id,

240
			    sshkey_type(key->cert->signature_key), fp,

241
			    cuser, lookup);

242
		} else {

243
			if ((fp = sshkey_fingerprint(key,

244
			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

245
				fatal_f("sshkey_fingerprint fail");

246
			verbose("Accepted %s public key %s from %s@%s",

247
			    sshkey_type(key), fp, cuser, lookup);

248
		}

249
		free(fp);

250
	}

251


252
	return (host_status == HOST_OK);

253
}

254


255
Authmethod method_hostbased = {

256
	&methodcfg_hostbased,

257
	userauth_hostbased,

258
};

259


260