upstream: revert following; deals badly with agent keys

revision 1.285 date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token. OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d
2025-07-28 08:14:24 +02:00 · 2018-09-14 04:44:04 +00:00 · 2018-09-14 04:44:04 +00:00 · 6c8b82fc69
commit 6c8b82fc69
parent 6da046f9c3
1 changed files with 26 additions and 47 deletions
--- a/sshconnect2.c
+++ b/sshconnect2.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.285 2018/09/14 04:17:12 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.286 2018/09/14 04:44:04 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Damien Miller.  All rights reserved.
@ -581,27 +581,6 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
 	return 0;
 }
 /*
 * Format an identity for logging including filename, key type, fingerprint
 * and location (agent, etc.). Caller must free.
 */
 static char *
 format_identity(Identity *id)
 {
 	char *fp, *ret = NULL;
 	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT)) == NULL)
 		fatal("%s: sshkey_fingerprint failed", __func__);
 	xasprintf(&ret, "%s %s %s%s%s%s",
 	    id->filename, sshkey_type(id->key), fp,
 	    id->userprovided ? ", explicit" : "",
 	    (id->key->flags & SSHKEY_FLAG_EXT) ? ", token" : "",
 	    id->agent_fd != -1 ? ", agent" : "");
 	free(fp);
 	return ret;
 }
 /* ARGSUSED */
 int
 input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
@ -609,9 +588,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 	Authctxt *authctxt = ssh->authctxt;
 	struct sshkey *key = NULL;
 	Identity *id = NULL;
-	int pktype, found = 0, sent = 0;
+	int pktype, sent = 0;
 	size_t blen;
-	char *pkalg = NULL, *fp = NULL, *ident = NULL;
+	char *pkalg = NULL, *fp;
 	u_char *pkblob = NULL;
 	int r;
@ -623,8 +602,10 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 	    (r = sshpkt_get_end(ssh)) != 0)
 		goto done;
 	debug("Server accepts key: pkalg %s blen %zu", pkalg, blen);
 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
-		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
+		debug("unknown pkalg %s", pkalg);
 		goto done;
 	}
 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@ -637,6 +618,11 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 		    key->type, pktype);
 		goto done;
 	}
 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT)) == NULL)
 		goto done;
 	debug2("input_userauth_pk_ok: fp %s", fp);
 	free(fp);
 	/*
 	 * search keys in the reverse order, because last candidate has been
@ -645,25 +631,13 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 	 */
 	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
 		if (sshkey_equal(key, id->key)) {
-			found = 1;
+			sent = sign_and_send_pubkey(ssh, authctxt, id);
 			break;
 		}
 	}
 	if (!found || id == NULL) {
 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
 		    SSH_FP_DEFAULT);
 		error("%s: server replied with unknown key: %s %s", __func__,
 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
 		goto done;
 	}
 	ident = format_identity(id);
 	debug("Server accepts key: %s", ident);
 	sent = sign_and_send_pubkey(ssh, authctxt, id);
 	r = 0;
 done:
 	sshkey_free(key);
 	free(ident);
 	free(fp);
 	free(pkalg);
 	free(pkblob);
@ -1484,7 +1458,6 @@ pubkey_prepare(Authctxt *authctxt)
 	int agent_fd = -1, i, r, found;
 	size_t j;
 	struct ssh_identitylist *idlist;
 	char *ident;
 	TAILQ_INIT(&agent);	/* keys from the agent */
 	TAILQ_INIT(&files);	/* keys from the config file */
@ -1601,11 +1574,10 @@ pubkey_prepare(Authctxt *authctxt)
 			memset(id, 0, sizeof(*id));
 			continue;
 		}
-		ident = format_identity(id);
+		debug2("key: %s (%p)%s%s", id->filename, id->key,
-		debug("Will attempt key: %s", ident);
+		    id->userprovided ? ", explicit" : "",
-		free(ident);
+		    id->agent_fd != -1 ? ", agent" : "");
 	}
 	debug2("%s: done", __func__);
 }
 static void
@ -1653,7 +1625,7 @@ userauth_pubkey(Authctxt *authctxt)
 	struct ssh *ssh = active_state; /* XXX */
 	Identity *id;
 	int sent = 0;
-	char *ident;
+	char *fp;
 	while ((id = TAILQ_FIRST(&authctxt->keys))) {
 		if (id->tried++)
@ -1668,9 +1640,16 @@ userauth_pubkey(Authctxt *authctxt)
 		 */
 		if (id->key != NULL) {
 			if (try_identity(id)) {
-				ident = format_identity(id);
+				if ((fp = sshkey_fingerprint(id->key,
-				debug("Offering public key: %s", ident);
+				    options.fingerprint_hash,
-				free(ident);
+				    SSH_FP_DEFAULT)) == NULL) {
 					error("%s: sshkey_fingerprint failed",
 					    __func__);
 					return 0;
 				}
 				debug("Offering public key: %s %s %s",
 				    sshkey_type(id->key), fp, id->filename);
 				free(fp);
 				sent = send_pubkey_test(ssh, authctxt, id);
 			}
 		} else {