upstream: revert following; deals badly with agent keys
revision 1.285 date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
6da046f9c3
commit
6c8b82fc69
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect2.c,v 1.285 2018/09/14 04:17:12 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.286 2018/09/14 04:44:04 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
|
|
@ -581,27 +581,6 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Format an identity for logging including filename, key type, fingerprint
|
||||
* and location (agent, etc.). Caller must free.
|
||||
*/
|
||||
static char *
|
||||
format_identity(Identity *id)
|
||||
{
|
||||
char *fp, *ret = NULL;
|
||||
|
||||
if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
xasprintf(&ret, "%s %s %s%s%s%s",
|
||||
id->filename, sshkey_type(id->key), fp,
|
||||
id->userprovided ? ", explicit" : "",
|
||||
(id->key->flags & SSHKEY_FLAG_EXT) ? ", token" : "",
|
||||
id->agent_fd != -1 ? ", agent" : "");
|
||||
free(fp);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
int
|
||||
input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
|
||||
|
|
@ -609,9 +588,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
|
|||
Authctxt *authctxt = ssh->authctxt;
|
||||
struct sshkey *key = NULL;
|
||||
Identity *id = NULL;
|
||||
int pktype, found = 0, sent = 0;
|
||||
int pktype, sent = 0;
|
||||
size_t blen;
|
||||
char *pkalg = NULL, *fp = NULL, *ident = NULL;
|
||||
char *pkalg = NULL, *fp;
|
||||
u_char *pkblob = NULL;
|
||||
int r;
|
||||
|
||||
|
|
@ -623,8 +602,10 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
|
|||
(r = sshpkt_get_end(ssh)) != 0)
|
||||
goto done;
|
||||
|
||||
debug("Server accepts key: pkalg %s blen %zu", pkalg, blen);
|
||||
|
||||
if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
|
||||
debug("%s: server sent unknown pkalg %s", __func__, pkalg);
|
||||
debug("unknown pkalg %s", pkalg);
|
||||
goto done;
|
||||
}
|
||||
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
|
||||
|
|
@ -637,6 +618,11 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
|
|||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
free(fp);
|
||||
|
||||
/*
|
||||
* search keys in the reverse order, because last candidate has been
|
||||
|
|
@ -645,25 +631,13 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
|
|||
*/
|
||||
TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
|
||||
if (sshkey_equal(key, id->key)) {
|
||||
found = 1;
|
||||
sent = sign_and_send_pubkey(ssh, authctxt, id);
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!found || id == NULL) {
|
||||
fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
SSH_FP_DEFAULT);
|
||||
error("%s: server replied with unknown key: %s %s", __func__,
|
||||
sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
|
||||
goto done;
|
||||
}
|
||||
ident = format_identity(id);
|
||||
debug("Server accepts key: %s", ident);
|
||||
sent = sign_and_send_pubkey(ssh, authctxt, id);
|
||||
r = 0;
|
||||
done:
|
||||
sshkey_free(key);
|
||||
free(ident);
|
||||
free(fp);
|
||||
free(pkalg);
|
||||
free(pkblob);
|
||||
|
||||
|
|
@ -1484,7 +1458,6 @@ pubkey_prepare(Authctxt *authctxt)
|
|||
int agent_fd = -1, i, r, found;
|
||||
size_t j;
|
||||
struct ssh_identitylist *idlist;
|
||||
char *ident;
|
||||
|
||||
TAILQ_INIT(&agent); /* keys from the agent */
|
||||
TAILQ_INIT(&files); /* keys from the config file */
|
||||
|
|
@ -1601,11 +1574,10 @@ pubkey_prepare(Authctxt *authctxt)
|
|||
memset(id, 0, sizeof(*id));
|
||||
continue;
|
||||
}
|
||||
ident = format_identity(id);
|
||||
debug("Will attempt key: %s", ident);
|
||||
free(ident);
|
||||
debug2("key: %s (%p)%s%s", id->filename, id->key,
|
||||
id->userprovided ? ", explicit" : "",
|
||||
id->agent_fd != -1 ? ", agent" : "");
|
||||
}
|
||||
debug2("%s: done", __func__);
|
||||
}
|
||||
|
||||
static void
|
||||
|
|
@ -1653,7 +1625,7 @@ userauth_pubkey(Authctxt *authctxt)
|
|||
struct ssh *ssh = active_state; /* XXX */
|
||||
Identity *id;
|
||||
int sent = 0;
|
||||
char *ident;
|
||||
char *fp;
|
||||
|
||||
while ((id = TAILQ_FIRST(&authctxt->keys))) {
|
||||
if (id->tried++)
|
||||
|
|
@ -1668,9 +1640,16 @@ userauth_pubkey(Authctxt *authctxt)
|
|||
*/
|
||||
if (id->key != NULL) {
|
||||
if (try_identity(id)) {
|
||||
ident = format_identity(id);
|
||||
debug("Offering public key: %s", ident);
|
||||
free(ident);
|
||||
if ((fp = sshkey_fingerprint(id->key,
|
||||
options.fingerprint_hash,
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed",
|
||||
__func__);
|
||||
return 0;
|
||||
}
|
||||
debug("Offering public key: %s %s %s",
|
||||
sshkey_type(id->key), fp, id->filename);
|
||||
free(fp);
|
||||
sent = send_pubkey_test(ssh, authctxt, id);
|
||||
}
|
||||
} else {
|
||||
|
|
|
|||
Loading…
Reference in New Issue