blob: e8bfa16510c3f3f7e1919613ce75e77acb82de6d [file] [log] [blame]
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001/*
Damien Miller95def091999-11-25 00:26:21 +11002 * Author: Tatu Ylonen <ylo@cs.hut.fi>
Damien Miller95def091999-11-25 00:26:21 +11003 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller95def091999-11-25 00:26:21 +11005 * RSA-based authentication. This code determines whether to admit a login
6 * based on RSA authentication. This file also contains functions to check
7 * validity of the host key.
Damien Miller4af51302000-04-16 11:18:38 +10008 *
Damien Millere4340be2000-09-16 13:29:08 +11009 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
Damien Miller95def091999-11-25 00:26:21 +110014 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100015
16#include "includes.h"
Damien Miller50a41ed2000-10-16 12:14:42 +110017RCSID("$OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $");
Damien Millerd4a8b7e1999-10-27 13:42:43 +100018
19#include "rsa.h"
20#include "packet.h"
21#include "xmalloc.h"
22#include "ssh.h"
23#include "mpaux.h"
24#include "uidswap.h"
Damien Miller450a7a12000-03-26 13:04:51 +100025#include "match.h"
Damien Miller6d7b2cd1999-11-12 15:19:27 +110026#include "servconf.h"
Damien Millerf6d9e222000-06-18 14:50:44 +100027#include "auth-options.h"
Damien Millerd4a8b7e1999-10-27 13:42:43 +100028
29#include <openssl/rsa.h>
30#include <openssl/md5.h>
Damien Millerd4a8b7e1999-10-27 13:42:43 +100031
Damien Miller874d77b2000-10-14 16:23:11 +110032
33/* import */
34extern ServerOptions options;
35
Damien Miller5428f641999-11-25 11:54:57 +110036/*
37 * Session identifier that is used to bind key exchange and authentication
38 * responses to a particular session.
39 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100040extern unsigned char session_id[16];
41
Damien Miller5428f641999-11-25 11:54:57 +110042/*
43 * The .ssh/authorized_keys file contains public keys, one per line, in the
44 * following format:
45 * options bits e n comment
46 * where bits, e and n are decimal numbers,
47 * and comment is any string of characters up to newline. The maximum
48 * length of a line is 8000 characters. See the documentation for a
49 * description of the options.
50 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100051
Damien Miller5428f641999-11-25 11:54:57 +110052/*
53 * Performs the RSA authentication challenge-response dialog with the client,
54 * and returns true (non-zero) if the client gave the correct answer to
55 * our challenge; returns zero if the client gives a wrong answer.
56 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100057
58int
Damien Miller450a7a12000-03-26 13:04:51 +100059auth_rsa_challenge_dialog(RSA *pk)
Damien Millerd4a8b7e1999-10-27 13:42:43 +100060{
Damien Miller98c7ad62000-03-09 21:27:49 +110061 BIGNUM *challenge, *encrypted_challenge;
Damien Miller98c7ad62000-03-09 21:27:49 +110062 BN_CTX *ctx;
Damien Miller95def091999-11-25 00:26:21 +110063 unsigned char buf[32], mdbuf[16], response[16];
64 MD5_CTX md;
65 unsigned int i;
66 int plen, len;
Damien Millerd4a8b7e1999-10-27 13:42:43 +100067
Damien Miller95def091999-11-25 00:26:21 +110068 encrypted_challenge = BN_new();
69 challenge = BN_new();
Damien Millerd4a8b7e1999-10-27 13:42:43 +100070
Damien Miller95def091999-11-25 00:26:21 +110071 /* Generate a random challenge. */
72 BN_rand(challenge, 256, 0, 0);
Damien Miller98c7ad62000-03-09 21:27:49 +110073 ctx = BN_CTX_new();
Damien Miller450a7a12000-03-26 13:04:51 +100074 BN_mod(challenge, challenge, pk->n, ctx);
Damien Miller98c7ad62000-03-09 21:27:49 +110075 BN_CTX_free(ctx);
Damien Millerd4a8b7e1999-10-27 13:42:43 +100076
Damien Miller95def091999-11-25 00:26:21 +110077 /* Encrypt the challenge with the public key. */
78 rsa_public_encrypt(encrypted_challenge, challenge, pk);
Damien Millerd4a8b7e1999-10-27 13:42:43 +100079
Damien Miller95def091999-11-25 00:26:21 +110080 /* Send the encrypted challenge to the client. */
81 packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
82 packet_put_bignum(encrypted_challenge);
83 packet_send();
Damien Miller98c7ad62000-03-09 21:27:49 +110084 BN_clear_free(encrypted_challenge);
Damien Miller95def091999-11-25 00:26:21 +110085 packet_write_wait();
Damien Millerd4a8b7e1999-10-27 13:42:43 +100086
Damien Miller98c7ad62000-03-09 21:27:49 +110087 /* Wait for a response. */
88 packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE);
89 packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE);
90 for (i = 0; i < 16; i++)
91 response[i] = packet_get_char();
92
Damien Miller95def091999-11-25 00:26:21 +110093 /* The response is MD5 of decrypted challenge plus session id. */
94 len = BN_num_bytes(challenge);
95 if (len <= 0 || len > 32)
96 fatal("auth_rsa_challenge_dialog: bad challenge length %d", len);
97 memset(buf, 0, 32);
98 BN_bn2bin(challenge, buf + 32 - len);
99 MD5_Init(&md);
100 MD5_Update(&md, buf, 32);
101 MD5_Update(&md, session_id, 16);
102 MD5_Final(mdbuf, &md);
Damien Miller95def091999-11-25 00:26:21 +1100103 BN_clear_free(challenge);
Damien Miller95def091999-11-25 00:26:21 +1100104
105 /* Verify that the response is the original challenge. */
106 if (memcmp(response, mdbuf, 16) != 0) {
107 /* Wrong answer. */
108 return 0;
109 }
110 /* Correct answer. */
111 return 1;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000112}
113
Damien Miller5428f641999-11-25 11:54:57 +1100114/*
115 * Performs the RSA authentication dialog with the client. This returns
116 * 0 if the client could not be authenticated, and 1 if authentication was
117 * successful. This may exit if there is a serious protocol violation.
118 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000119
120int
Damien Miller6d7b2cd1999-11-12 15:19:27 +1100121auth_rsa(struct passwd *pw, BIGNUM *client_n)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000122{
Damien Miller95def091999-11-25 00:26:21 +1100123 char line[8192], file[1024];
124 int authenticated;
125 unsigned int bits;
126 FILE *f;
127 unsigned long linenum = 0;
128 struct stat st;
Damien Miller450a7a12000-03-26 13:04:51 +1000129 RSA *pk;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000130
Damien Miller874d77b2000-10-14 16:23:11 +1100131 /* no user given */
132 if (pw == NULL)
133 return 0;
134
Damien Miller95def091999-11-25 00:26:21 +1100135 /* Temporarily use the user's uid. */
136 temporarily_use_uid(pw->pw_uid);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000137
Damien Miller95def091999-11-25 00:26:21 +1100138 /* The authorized keys. */
139 snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
140 SSH_USER_PERMITTED_KEYS);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000141
Damien Miller95def091999-11-25 00:26:21 +1100142 /* Fail quietly if file does not exist */
143 if (stat(file, &st) < 0) {
144 /* Restore the privileged uid. */
145 restore_uid();
146 return 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000147 }
Damien Miller95def091999-11-25 00:26:21 +1100148 /* Open the file containing the authorized keys. */
149 f = fopen(file, "r");
150 if (!f) {
151 /* Restore the privileged uid. */
152 restore_uid();
153 packet_send_debug("Could not open %.900s for reading.", file);
154 packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
155 return 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000156 }
Damien Miller95def091999-11-25 00:26:21 +1100157 if (options.strict_modes) {
158 int fail = 0;
159 char buf[1024];
160 /* Check open file in order to avoid open/stat races */
161 if (fstat(fileno(f), &st) < 0 ||
162 (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
163 (st.st_mode & 022) != 0) {
164 snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
165 "bad ownership or modes for '%s'.", pw->pw_name, file);
166 fail = 1;
167 } else {
168 /* Check path to SSH_USER_PERMITTED_KEYS */
169 int i;
170 static const char *check[] = {
171 "", SSH_USER_DIR, NULL
172 };
173 for (i = 0; check[i]; i++) {
174 snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
175 if (stat(line, &st) < 0 ||
176 (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
177 (st.st_mode & 022) != 0) {
178 snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
179 "bad ownership or modes for '%s'.", pw->pw_name, line);
180 fail = 1;
181 break;
182 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000183 }
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000184 }
Damien Miller95def091999-11-25 00:26:21 +1100185 if (fail) {
Damien Millereba71ba2000-04-29 23:57:08 +1000186 fclose(f);
Damien Miller37023962000-07-11 17:31:38 +1000187 log("%s",buf);
188 packet_send_debug("%s",buf);
Damien Miller95def091999-11-25 00:26:21 +1100189 restore_uid();
190 return 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000191 }
Damien Miller95def091999-11-25 00:26:21 +1100192 }
193 /* Flag indicating whether authentication has succeeded. */
194 authenticated = 0;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000195
Damien Miller450a7a12000-03-26 13:04:51 +1000196 pk = RSA_new();
197 pk->e = BN_new();
198 pk->n = BN_new();
Damien Miller95def091999-11-25 00:26:21 +1100199
Damien Miller5428f641999-11-25 11:54:57 +1100200 /*
201 * Go though the accepted keys, looking for the current key. If
202 * found, perform a challenge-response dialog to verify that the
203 * user really has the corresponding private key.
204 */
Damien Miller95def091999-11-25 00:26:21 +1100205 while (fgets(line, sizeof(line), f)) {
206 char *cp;
207 char *options;
208
209 linenum++;
210
Damien Miller5428f641999-11-25 11:54:57 +1100211 /* Skip leading whitespace, empty and comment lines. */
212 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
213 ;
Damien Miller95def091999-11-25 00:26:21 +1100214 if (!*cp || *cp == '\n' || *cp == '#')
215 continue;
216
Damien Miller5428f641999-11-25 11:54:57 +1100217 /*
218 * Check if there are options for this key, and if so,
219 * save their starting address and skip the option part
220 * for now. If there are no options, set the starting
221 * address to NULL.
222 */
Damien Miller95def091999-11-25 00:26:21 +1100223 if (*cp < '0' || *cp > '9') {
224 int quoted = 0;
225 options = cp;
226 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
227 if (*cp == '\\' && cp[1] == '"')
228 cp++; /* Skip both */
229 else if (*cp == '"')
230 quoted = !quoted;
231 }
232 } else
233 options = NULL;
Damien Miller50a41ed2000-10-16 12:14:42 +1100234 /*
235 * If our options do not allow this key to be used,
236 * do not send challenge.
237 */
238 if (!auth_parse_options(pw, options, linenum))
239 continue;
Damien Miller95def091999-11-25 00:26:21 +1100240
241 /* Parse the key from the line. */
Damien Miller450a7a12000-03-26 13:04:51 +1000242 if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
Damien Miller95def091999-11-25 00:26:21 +1100243 debug("%.100s, line %lu: bad key syntax",
244 SSH_USER_PERMITTED_KEYS, linenum);
245 packet_send_debug("%.100s, line %lu: bad key syntax",
Damien Miller4af51302000-04-16 11:18:38 +1000246 SSH_USER_PERMITTED_KEYS, linenum);
Damien Miller95def091999-11-25 00:26:21 +1100247 continue;
248 }
249 /* cp now points to the comment part. */
250
Damien Miller95def091999-11-25 00:26:21 +1100251 /* Check if the we have found the desired key (identified by its modulus). */
Damien Miller450a7a12000-03-26 13:04:51 +1000252 if (BN_cmp(pk->n, client_n) != 0)
Damien Miller5428f641999-11-25 11:54:57 +1100253 continue;
Damien Miller95def091999-11-25 00:26:21 +1100254
Damien Milleraae6c611999-12-06 11:47:28 +1100255 /* check the real bits */
Damien Miller450a7a12000-03-26 13:04:51 +1000256 if (bits != BN_num_bits(pk->n))
Damien Milleraae6c611999-12-06 11:47:28 +1100257 log("Warning: %s, line %ld: keysize mismatch: "
258 "actual %d vs. announced %d.",
Damien Miller450a7a12000-03-26 13:04:51 +1000259 file, linenum, BN_num_bits(pk->n), bits);
Damien Milleraae6c611999-12-06 11:47:28 +1100260
Damien Miller95def091999-11-25 00:26:21 +1100261 /* We have found the desired key. */
262
263 /* Perform the challenge-response dialog for this key. */
Damien Miller450a7a12000-03-26 13:04:51 +1000264 if (!auth_rsa_challenge_dialog(pk)) {
Damien Miller95def091999-11-25 00:26:21 +1100265 /* Wrong response. */
266 verbose("Wrong response to RSA authentication challenge.");
267 packet_send_debug("Wrong response to RSA authentication challenge.");
268 continue;
269 }
Damien Miller5428f641999-11-25 11:54:57 +1100270 /*
271 * Correct response. The client has been successfully
272 * authenticated. Note that we have not yet processed the
273 * options; this will be reset if the options cause the
274 * authentication to be rejected.
Damien Miller5428f641999-11-25 11:54:57 +1100275 * Break out of the loop if authentication was successful;
276 * otherwise continue searching.
277 */
Damien Miller50a41ed2000-10-16 12:14:42 +1100278 authenticated = 1;
279 break;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000280 }
281
Damien Miller95def091999-11-25 00:26:21 +1100282 /* Restore the privileged uid. */
283 restore_uid();
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000284
Damien Miller95def091999-11-25 00:26:21 +1100285 /* Close the file. */
286 fclose(f);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000287
Damien Miller450a7a12000-03-26 13:04:51 +1000288 RSA_free(pk);
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000289
Damien Miller95def091999-11-25 00:26:21 +1100290 if (authenticated)
291 packet_send_debug("RSA authentication accepted.");
Damien Miller874d77b2000-10-14 16:23:11 +1100292 else
293 auth_clear_options();
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000294
Damien Miller95def091999-11-25 00:26:21 +1100295 /* Return authentication result. */
296 return authenticated;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000297}