1 /* 2 * Author: Tatu Ylonen <ylo (at) cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * RSA-based authentication. This code determines whether to admit a login 6 * based on RSA authentication. This file also contains functions to check 7 * validity of the host key. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: auth-rsa.c,v 1.56 2002/06/10 16:53:06 stevesk Exp $"); 18 19 #pragma ident "%Z%%M% %I% %E% SMI" 20 21 #include <openssl/rsa.h> 22 #include <openssl/md5.h> 23 24 #include "rsa.h" 25 #include "packet.h" 26 #include "xmalloc.h" 27 #include "ssh1.h" 28 #include "mpaux.h" 29 #include "uidswap.h" 30 #include "match.h" 31 #include "auth-options.h" 32 #include "pathnames.h" 33 #include "log.h" 34 #include "servconf.h" 35 #include "auth.h" 36 #include "hostfile.h" 37 #include "ssh.h" 38 39 /* import */ 40 extern ServerOptions options; 41 42 /* 43 * Session identifier that is used to bind key exchange and authentication 44 * responses to a particular session. 45 */ 46 extern u_char session_id[16]; 47 48 /* 49 * The .ssh/authorized_keys file contains public keys, one per line, in the 50 * following format: 51 * options bits e n comment 52 * where bits, e and n are decimal numbers, 53 * and comment is any string of characters up to newline. The maximum 54 * length of a line is 8000 characters. See the documentation for a 55 * description of the options. 56 */ 57 58 BIGNUM * 59 auth_rsa_generate_challenge(Key *key) 60 { 61 BIGNUM *challenge; 62 BN_CTX *ctx; 63 64 if ((challenge = BN_new()) == NULL) 65 fatal("auth_rsa_generate_challenge: BN_new() failed"); 66 /* Generate a random challenge. */ 67 BN_rand(challenge, 256, 0, 0); 68 if ((ctx = BN_CTX_new()) == NULL) 69 fatal("auth_rsa_generate_challenge: BN_CTX_new() failed"); 70 BN_mod(challenge, challenge, key->rsa->n, ctx); 71 BN_CTX_free(ctx); 72 73 return challenge; 74 } 75 76 int 77 auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) 78 { 79 u_char buf[32], mdbuf[16]; 80 MD5_CTX md; 81 int len; 82 83 /* don't allow short keys */ 84 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 85 error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits", 86 BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); 87 return (0); 88 } 89 90 /* The response is MD5 of decrypted challenge plus session id. */ 91 len = BN_num_bytes(challenge); 92 if (len <= 0 || len > 32) 93 fatal("auth_rsa_verify_response: bad challenge length %d", len); 94 memset(buf, 0, 32); 95 BN_bn2bin(challenge, buf + 32 - len); 96 MD5_Init(&md); 97 MD5_Update(&md, buf, 32); 98 MD5_Update(&md, session_id, 16); 99 MD5_Final(mdbuf, &md); 100 101 /* Verify that the response is the original challenge. */ 102 if (memcmp(response, mdbuf, 16) != 0) { 103 /* Wrong answer. */ 104 return (0); 105 } 106 /* Correct answer. */ 107 return (1); 108 } 109 110 /* 111 * Performs the RSA authentication challenge-response dialog with the client, 112 * and returns true (non-zero) if the client gave the correct answer to 113 * our challenge; returns zero if the client gives a wrong answer. 114 */ 115 116 int 117 auth_rsa_challenge_dialog(Key *key) 118 { 119 BIGNUM *challenge, *encrypted_challenge; 120 u_char response[16]; 121 int i, success; 122 123 if ((encrypted_challenge = BN_new()) == NULL) 124 fatal("auth_rsa_challenge_dialog: BN_new() failed"); 125 126 challenge = auth_rsa_generate_challenge(key); 127 128 /* Encrypt the challenge with the public key. */ 129 rsa_public_encrypt(encrypted_challenge, challenge, key->rsa); 130 131 /* Send the encrypted challenge to the client. */ 132 packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE); 133 packet_put_bignum(encrypted_challenge); 134 packet_send(); 135 BN_clear_free(encrypted_challenge); 136 packet_write_wait(); 137 138 /* Wait for a response. */ 139 packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE); 140 for (i = 0; i < 16; i++) 141 response[i] = packet_get_char(); 142 packet_check_eom(); 143 144 success = auth_rsa_verify_response(key, challenge, response); 145 BN_clear_free(challenge); 146 return (success); 147 } 148 149 /* 150 * check if there's user key matching client_n, 151 * return key if login is allowed, NULL otherwise 152 */ 153 154 int 155 auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) 156 { 157 char line[8192], *file; 158 int allowed = 0; 159 u_int bits; 160 FILE *f; 161 u_long linenum = 0; 162 struct stat st; 163 Key *key; 164 165 /* Temporarily use the user's uid. */ 166 temporarily_use_uid(pw); 167 168 /* The authorized keys. */ 169 file = authorized_keys_file(pw); 170 debug("trying public RSA key file %s", file); 171 172 /* Fail quietly if file does not exist */ 173 if (stat(file, &st) < 0) { 174 /* Restore the privileged uid. */ 175 restore_uid(); 176 xfree(file); 177 return (0); 178 } 179 /* Open the file containing the authorized keys. */ 180 f = fopen(file, "r"); 181 if (!f) { 182 /* Restore the privileged uid. */ 183 restore_uid(); 184 xfree(file); 185 return (0); 186 } 187 if (options.strict_modes && 188 secure_filename(f, file, pw, line, sizeof(line)) != 0) { 189 xfree(file); 190 fclose(f); 191 log("Authentication refused: %s", line); 192 restore_uid(); 193 return (0); 194 } 195 196 /* Flag indicating whether the key is allowed. */ 197 allowed = 0; 198 199 key = key_new(KEY_RSA1); 200 201 /* 202 * Go though the accepted keys, looking for the current key. If 203 * found, perform a challenge-response dialog to verify that the 204 * user really has the corresponding private key. 205 */ 206 while (fgets(line, sizeof(line), f)) { 207 char *cp; 208 char *options; 209 210 linenum++; 211 212 /* Skip leading whitespace, empty and comment lines. */ 213 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 214 ; 215 if (!*cp || *cp == '\n' || *cp == '#') 216 continue; 217 218 /* 219 * Check if there are options for this key, and if so, 220 * save their starting address and skip the option part 221 * for now. If there are no options, set the starting 222 * address to NULL. 223 */ 224 if (*cp < '0' || *cp > '9') { 225 int quoted = 0; 226 options = cp; 227 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { 228 if (*cp == '\\' && cp[1] == '"') 229 cp++; /* Skip both */ 230 else if (*cp == '"') 231 quoted = !quoted; 232 } 233 } else 234 options = NULL; 235 236 /* Parse the key from the line. */ 237 if (hostfile_read_key(&cp, &bits, key) == 0) { 238 debug("%.100s, line %lu: non ssh1 key syntax", 239 file, linenum); 240 continue; 241 } 242 /* cp now points to the comment part. */ 243 244 /* Check if the we have found the desired key (identified by its modulus). */ 245 if (BN_cmp(key->rsa->n, client_n) != 0) 246 continue; 247 248 /* check the real bits */ 249 if (bits != BN_num_bits(key->rsa->n)) 250 log("Warning: %s, line %lu: keysize mismatch: " 251 "actual %d vs. announced %d.", 252 file, linenum, BN_num_bits(key->rsa->n), bits); 253 254 /* We have found the desired key. */ 255 /* 256 * If our options do not allow this key to be used, 257 * do not send challenge. 258 */ 259 if (!auth_parse_options(pw, options, file, linenum)) 260 continue; 261 262 /* break out, this key is allowed */ 263 allowed = 1; 264 break; 265 } 266 267 /* Restore the privileged uid. */ 268 restore_uid(); 269 270 /* Close the file. */ 271 xfree(file); 272 fclose(f); 273 274 /* return key if allowed */ 275 if (allowed && rkey != NULL) 276 *rkey = key; 277 else 278 key_free(key); 279 return (allowed); 280 } 281 282 /* 283 * Performs the RSA authentication dialog with the client. This returns 284 * 0 if the client could not be authenticated, and 1 if authentication was 285 * successful. This may exit if there is a serious protocol violation. 286 */ 287 int 288 auth_rsa(struct passwd *pw, BIGNUM *client_n) 289 { 290 Key *key; 291 char *fp; 292 293 /* no user given */ 294 if (pw == NULL) 295 return 0; 296 297 if (!auth_rsa_key_allowed(pw, client_n, &key)) { 298 auth_clear_options(); 299 return (0); 300 } 301 302 /* Perform the challenge-response dialog for this key. */ 303 if (!auth_rsa_challenge_dialog(key)) { 304 /* Wrong response. */ 305 verbose("Wrong response to RSA authentication challenge."); 306 packet_send_debug("Wrong response to RSA authentication challenge."); 307 /* 308 * Break out of the loop. Otherwise we might send 309 * another challenge and break the protocol. 310 */ 311 key_free(key); 312 return (0); 313 } 314 /* 315 * Correct response. The client has been successfully 316 * authenticated. Note that we have not yet processed the 317 * options; this will be reset if the options cause the 318 * authentication to be rejected. 319 */ 320 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 321 verbose("Found matching %s key: %s", 322 key_type(key), fp); 323 xfree(fp); 324 key_free(key); 325 326 packet_send_debug("RSA authentication accepted."); 327 return (1); 328 } 329
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.