- markus@cvs.openbsd.org 2001/06/23 22:37:46

[sshconnect1.c] consistent with ssh2: skip key if empty passphrase is entered, retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
2001-06-25 05:16:02 +00:00 · 2001-06-25 05:16:02 +00:00 · 0520945179
parent 980978639c
commit 0520945179
2 changed files with 41 additions and 38 deletions
--- a/6
+++ b/6
@ -88,6 +88,10 @@
   - markus@cvs.openbsd.org 2001/06/23 19:12:43
     [sshd.c]
     pidfile/sigterm race; bbraun@synack.net
   - markus@cvs.openbsd.org 2001/06/23 22:37:46
     [sshconnect1.c]
     consistent with ssh2: skip key if empty passphrase is entered,
     retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
 20010622
 - (stevesk) handle systems without pw_expire and pw_change.
@ -5772,4 +5776,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1318 2001/06/25 05:10:20 mouring Exp $
+$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $
--- a/sshconnect1.c
+++ b/sshconnect1.c
@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.35 2001/06/23 15:12:21 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.36 2001/06/23 22:37:46 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@ -204,11 +204,9 @@ static int
 try_rsa_authentication(const char *authfile)
 {
 	BIGNUM *challenge;
-	Key *public;
+	Key *public, *private;
-	Key *private;
+	char buf[300], *passphrase, *comment;
-	char *passphrase, *comment;
+	int i, type, quit, plen, clen;
 	int type, i;
 	int plen, clen;
 	/* Try to load identification for the authentication key. */
 	/* XXKEYLOAD */
@ -257,23 +255,31 @@ try_rsa_authentication(const char *authfile)
 	 * fails, ask for a passphrase.
 	 */
 	private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
-	if (private == NULL) {
+	if (private == NULL && !options.batch_mode) {
-		char buf[300];
+		snprintf(buf, sizeof(buf),
-		snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
+		    "Enter passphrase for RSA key '%.100s': ", comment);
-		    comment);
+		for (i = 0; i < options.number_of_password_prompts; i++) {
 		if (!options.batch_mode)
 			passphrase = read_passphrase(buf, 0);
-		else {
+			if (strcmp(passphrase, "") != 0) {
-			debug("Will not query passphrase for %.100s in batch mode.",
+				private = key_load_private_type(KEY_RSA1,
-			      comment);
+				    authfile, passphrase, NULL);
-			passphrase = xstrdup("");
+				quit = 0;
 			} else {
 				debug2("no passphrase given, try next key");
 				quit = 1;
 			}
 		/* Load the authentication file using the pasphrase. */
 		private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL);
 		if (private == NULL) {
 			memset(passphrase, 0, strlen(passphrase));
 			xfree(passphrase);
 			if (private != NULL || quit)
 				break;
 			debug2("bad passphrase given, try again...");
 		}
 	}
 	/* We no longer need the comment. */
 	xfree(comment);
 	if (private == NULL) {
 		if (!options.batch_mode)
 			error("Bad passphrase.");
 		/* Send a dummy response packet to avoid protocol error. */
@ -285,16 +291,9 @@ try_rsa_authentication(const char *authfile)
 		/* Expect the server to reject it... */
 		packet_read_expect(&plen, SSH_SMSG_FAILURE);
 			xfree(comment);
 		BN_clear_free(challenge);
 		return 0;
 	}
 		/* Destroy the passphrase. */
 		memset(passphrase, 0, strlen(passphrase));
 		xfree(passphrase);
 	}
 	/* We no longer need the comment. */
 	xfree(comment);
 	/* Compute and send a response to the challenge. */
 	respond_to_rsa_challenge(challenge, private->rsa);