• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * Code to connect to a remote host, and to perform the client side of the
7  * login (authentication) dialog.
8  *
9  * As far as I am concerned, the code I have written for this software
10  * can be used freely for any purpose.  Any derived versions of this
11  * software must be clearly marked as such, and if the derived work is
12  * incompatible with the protocol description in the RFC file, it must be
13  * called by a name other than "ssh" or "Secure Shell".
14  */
15 
16 #include "includes.h"
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 
21 #include <openssl/bn.h>
22 #include <openssl/md5.h>
23 
24 #include <stdarg.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <signal.h>
29 #include <pwd.h>
30 
31 #include "xmalloc.h"
32 #include "ssh.h"
33 #include "ssh1.h"
34 #include "rsa.h"
35 #include "buffer.h"
36 #include "packet.h"
37 #include "key.h"
38 #include "cipher.h"
39 #include "kex.h"
40 #include "uidswap.h"
41 #include "log.h"
42 #include "readconf.h"
43 #include "authfd.h"
44 #include "sshconnect.h"
45 #include "authfile.h"
46 #include "misc.h"
47 #include "canohost.h"
48 #include "hostfile.h"
49 #include "auth.h"
50 
51 /* Session id for the current session. */
52 u_char session_id[16];
53 u_int supported_authentications = 0;
54 
55 extern Options options;
56 extern char *__progname;
57 
58 /*
59  * Checks if the user has an authentication agent, and if so, tries to
60  * authenticate using the agent.
61  */
62 static int
try_agent_authentication(void)63 try_agent_authentication(void)
64 {
65 	int type;
66 	char *comment;
67 	AuthenticationConnection *auth;
68 	u_char response[16];
69 	u_int i;
70 	Key *key;
71 	BIGNUM *challenge;
72 
73 	/* Get connection to the agent. */
74 	auth = ssh_get_authentication_connection();
75 	if (!auth)
76 		return 0;
77 
78 	if ((challenge = BN_new()) == NULL)
79 		fatal("try_agent_authentication: BN_new failed");
80 	/* Loop through identities served by the agent. */
81 	for (key = ssh_get_first_identity(auth, &comment, 1);
82 	    key != NULL;
83 	    key = ssh_get_next_identity(auth, &comment, 1)) {
84 
85 		/* Try this identity. */
86 		debug("Trying RSA authentication via agent with '%.100s'", comment);
87 		xfree(comment);
88 
89 		/* Tell the server that we are willing to authenticate using this key. */
90 		packet_start(SSH_CMSG_AUTH_RSA);
91 		packet_put_bignum(key->rsa->n);
92 		packet_send();
93 		packet_write_wait();
94 
95 		/* Wait for server's response. */
96 		type = packet_read();
97 
98 		/* The server sends failure if it doesn't like our key or
99 		   does not support RSA authentication. */
100 		if (type == SSH_SMSG_FAILURE) {
101 			debug("Server refused our key.");
102 			key_free(key);
103 			continue;
104 		}
105 		/* Otherwise it should have sent a challenge. */
106 		if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
107 			packet_disconnect("Protocol error during RSA authentication: %d",
108 					  type);
109 
110 		packet_get_bignum(challenge);
111 		packet_check_eom();
112 
113 		debug("Received RSA challenge from server.");
114 
115 		/* Ask the agent to decrypt the challenge. */
116 		if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
117 			/*
118 			 * The agent failed to authenticate this identifier
119 			 * although it advertised it supports this.  Just
120 			 * return a wrong value.
121 			 */
122 			logit("Authentication agent failed to decrypt challenge.");
123 			memset(response, 0, sizeof(response));
124 		}
125 		key_free(key);
126 		debug("Sending response to RSA challenge.");
127 
128 		/* Send the decrypted challenge back to the server. */
129 		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
130 		for (i = 0; i < 16; i++)
131 			packet_put_char(response[i]);
132 		packet_send();
133 		packet_write_wait();
134 
135 		/* Wait for response from the server. */
136 		type = packet_read();
137 
138 		/* The server returns success if it accepted the authentication. */
139 		if (type == SSH_SMSG_SUCCESS) {
140 			ssh_close_authentication_connection(auth);
141 			BN_clear_free(challenge);
142 			debug("RSA authentication accepted by server.");
143 			return 1;
144 		}
145 		/* Otherwise it should return failure. */
146 		if (type != SSH_SMSG_FAILURE)
147 			packet_disconnect("Protocol error waiting RSA auth response: %d",
148 					  type);
149 	}
150 	ssh_close_authentication_connection(auth);
151 	BN_clear_free(challenge);
152 	debug("RSA authentication using agent refused.");
153 	return 0;
154 }
155 
156 /*
157  * Computes the proper response to a RSA challenge, and sends the response to
158  * the server.
159  */
160 static void
respond_to_rsa_challenge(BIGNUM * challenge,RSA * prv)161 respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
162 {
163 	u_char buf[32], response[16];
164 	MD5_CTX md;
165 	int i, len;
166 
167 	/* Decrypt the challenge using the private key. */
168 	/* XXX think about Bleichenbacher, too */
169 	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
170 		packet_disconnect(
171 		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
172 
173 	/* Compute the response. */
174 	/* The response is MD5 of decrypted challenge plus session id. */
175 	len = BN_num_bytes(challenge);
176 	if (len <= 0 || (u_int)len > sizeof(buf))
177 		packet_disconnect(
178 		    "respond_to_rsa_challenge: bad challenge length %d", len);
179 
180 	memset(buf, 0, sizeof(buf));
181 	BN_bn2bin(challenge, buf + sizeof(buf) - len);
182 	MD5_Init(&md);
183 	MD5_Update(&md, buf, 32);
184 	MD5_Update(&md, session_id, 16);
185 	MD5_Final(response, &md);
186 
187 	debug("Sending response to host key RSA challenge.");
188 
189 	/* Send the response back to the server. */
190 	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
191 	for (i = 0; i < 16; i++)
192 		packet_put_char(response[i]);
193 	packet_send();
194 	packet_write_wait();
195 
196 	memset(buf, 0, sizeof(buf));
197 	memset(response, 0, sizeof(response));
198 	memset(&md, 0, sizeof(md));
199 }
200 
201 /*
202  * Checks if the user has authentication file, and if so, tries to authenticate
203  * the user using it.
204  */
205 static int
try_rsa_authentication(int idx)206 try_rsa_authentication(int idx)
207 {
208 	BIGNUM *challenge;
209 	Key *public, *private;
210 	char buf[300], *passphrase, *comment, *authfile;
211 	int i, perm_ok = 1, type, quit;
212 
213 	public = options.identity_keys[idx];
214 	authfile = options.identity_files[idx];
215 	comment = xstrdup(authfile);
216 
217 	debug("Trying RSA authentication with key '%.100s'", comment);
218 
219 	/* Tell the server that we are willing to authenticate using this key. */
220 	packet_start(SSH_CMSG_AUTH_RSA);
221 	packet_put_bignum(public->rsa->n);
222 	packet_send();
223 	packet_write_wait();
224 
225 	/* Wait for server's response. */
226 	type = packet_read();
227 
228 	/*
229 	 * The server responds with failure if it doesn't like our key or
230 	 * doesn't support RSA authentication.
231 	 */
232 	if (type == SSH_SMSG_FAILURE) {
233 		debug("Server refused our key.");
234 		xfree(comment);
235 		return 0;
236 	}
237 	/* Otherwise, the server should respond with a challenge. */
238 	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
239 		packet_disconnect("Protocol error during RSA authentication: %d", type);
240 
241 	/* Get the challenge from the packet. */
242 	if ((challenge = BN_new()) == NULL)
243 		fatal("try_rsa_authentication: BN_new failed");
244 	packet_get_bignum(challenge);
245 	packet_check_eom();
246 
247 	debug("Received RSA challenge from server.");
248 
249 	/*
250 	 * If the key is not stored in external hardware, we have to
251 	 * load the private key.  Try first with empty passphrase; if it
252 	 * fails, ask for a passphrase.
253 	 */
254 	if (public->flags & KEY_FLAG_EXT)
255 		private = public;
256 	else
257 		private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
258 		    &perm_ok);
259 	if (private == NULL && !options.batch_mode && perm_ok) {
260 		snprintf(buf, sizeof(buf),
261 		    "Enter passphrase for RSA key '%.100s': ", comment);
262 		for (i = 0; i < options.number_of_password_prompts; i++) {
263 			passphrase = read_passphrase(buf, 0);
264 			if (strcmp(passphrase, "") != 0) {
265 				private = key_load_private_type(KEY_RSA1,
266 				    authfile, passphrase, NULL, NULL);
267 				quit = 0;
268 			} else {
269 				debug2("no passphrase given, try next key");
270 				quit = 1;
271 			}
272 			memset(passphrase, 0, strlen(passphrase));
273 			xfree(passphrase);
274 			if (private != NULL || quit)
275 				break;
276 			debug2("bad passphrase given, try again...");
277 		}
278 	}
279 	/* We no longer need the comment. */
280 	xfree(comment);
281 
282 	if (private == NULL) {
283 		if (!options.batch_mode && perm_ok)
284 			error("Bad passphrase.");
285 
286 		/* Send a dummy response packet to avoid protocol error. */
287 		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
288 		for (i = 0; i < 16; i++)
289 			packet_put_char(0);
290 		packet_send();
291 		packet_write_wait();
292 
293 		/* Expect the server to reject it... */
294 		packet_read_expect(SSH_SMSG_FAILURE);
295 		BN_clear_free(challenge);
296 		return 0;
297 	}
298 
299 	/* Compute and send a response to the challenge. */
300 	respond_to_rsa_challenge(challenge, private->rsa);
301 
302 	/* Destroy the private key unless it in external hardware. */
303 	if (!(private->flags & KEY_FLAG_EXT))
304 		key_free(private);
305 
306 	/* We no longer need the challenge. */
307 	BN_clear_free(challenge);
308 
309 	/* Wait for response from the server. */
310 	type = packet_read();
311 	if (type == SSH_SMSG_SUCCESS) {
312 		debug("RSA authentication accepted by server.");
313 		return 1;
314 	}
315 	if (type != SSH_SMSG_FAILURE)
316 		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
317 	debug("RSA authentication refused.");
318 	return 0;
319 }
320 
321 /*
322  * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
323  * authentication and RSA host authentication.
324  */
325 static int
try_rhosts_rsa_authentication(const char * local_user,Key * host_key)326 try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
327 {
328 	int type;
329 	BIGNUM *challenge;
330 
331 	debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
332 
333 	/* Tell the server that we are willing to authenticate using this key. */
334 	packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
335 	packet_put_cstring(local_user);
336 	packet_put_int(BN_num_bits(host_key->rsa->n));
337 	packet_put_bignum(host_key->rsa->e);
338 	packet_put_bignum(host_key->rsa->n);
339 	packet_send();
340 	packet_write_wait();
341 
342 	/* Wait for server's response. */
343 	type = packet_read();
344 
345 	/* The server responds with failure if it doesn't admit our
346 	   .rhosts authentication or doesn't know our host key. */
347 	if (type == SSH_SMSG_FAILURE) {
348 		debug("Server refused our rhosts authentication or host key.");
349 		return 0;
350 	}
351 	/* Otherwise, the server should respond with a challenge. */
352 	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
353 		packet_disconnect("Protocol error during RSA authentication: %d", type);
354 
355 	/* Get the challenge from the packet. */
356 	if ((challenge = BN_new()) == NULL)
357 		fatal("try_rhosts_rsa_authentication: BN_new failed");
358 	packet_get_bignum(challenge);
359 	packet_check_eom();
360 
361 	debug("Received RSA challenge for host key from server.");
362 
363 	/* Compute a response to the challenge. */
364 	respond_to_rsa_challenge(challenge, host_key->rsa);
365 
366 	/* We no longer need the challenge. */
367 	BN_clear_free(challenge);
368 
369 	/* Wait for response from the server. */
370 	type = packet_read();
371 	if (type == SSH_SMSG_SUCCESS) {
372 		debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
373 		return 1;
374 	}
375 	if (type != SSH_SMSG_FAILURE)
376 		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
377 	debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
378 	return 0;
379 }
380 
381 /*
382  * Tries to authenticate with any string-based challenge/response system.
383  * Note that the client code is not tied to s/key or TIS.
384  */
385 static int
try_challenge_response_authentication(void)386 try_challenge_response_authentication(void)
387 {
388 	int type, i;
389 	u_int clen;
390 	char prompt[1024];
391 	char *challenge, *response;
392 
393 	debug("Doing challenge response authentication.");
394 
395 	for (i = 0; i < options.number_of_password_prompts; i++) {
396 		/* request a challenge */
397 		packet_start(SSH_CMSG_AUTH_TIS);
398 		packet_send();
399 		packet_write_wait();
400 
401 		type = packet_read();
402 		if (type != SSH_SMSG_FAILURE &&
403 		    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
404 			packet_disconnect("Protocol error: got %d in response "
405 			    "to SSH_CMSG_AUTH_TIS", type);
406 		}
407 		if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
408 			debug("No challenge.");
409 			return 0;
410 		}
411 		challenge = packet_get_string(&clen);
412 		packet_check_eom();
413 		snprintf(prompt, sizeof prompt, "%s%s", challenge,
414 		    strchr(challenge, '\n') ? "" : "\nResponse: ");
415 		xfree(challenge);
416 		if (i != 0)
417 			error("Permission denied, please try again.");
418 		if (options.cipher == SSH_CIPHER_NONE)
419 			logit("WARNING: Encryption is disabled! "
420 			    "Response will be transmitted in clear text.");
421 		response = read_passphrase(prompt, 0);
422 		if (strcmp(response, "") == 0) {
423 			xfree(response);
424 			break;
425 		}
426 		packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
427 		ssh_put_password(response);
428 		memset(response, 0, strlen(response));
429 		xfree(response);
430 		packet_send();
431 		packet_write_wait();
432 		type = packet_read();
433 		if (type == SSH_SMSG_SUCCESS)
434 			return 1;
435 		if (type != SSH_SMSG_FAILURE)
436 			packet_disconnect("Protocol error: got %d in response "
437 			    "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
438 	}
439 	/* failure */
440 	return 0;
441 }
442 
443 /*
444  * Tries to authenticate with plain passwd authentication.
445  */
446 static int
try_password_authentication(char * prompt)447 try_password_authentication(char *prompt)
448 {
449 	int type, i;
450 	char *password;
451 
452 	debug("Doing password authentication.");
453 	if (options.cipher == SSH_CIPHER_NONE)
454 		logit("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
455 	for (i = 0; i < options.number_of_password_prompts; i++) {
456 		if (i != 0)
457 			error("Permission denied, please try again.");
458 		password = read_passphrase(prompt, 0);
459 		packet_start(SSH_CMSG_AUTH_PASSWORD);
460 		ssh_put_password(password);
461 		memset(password, 0, strlen(password));
462 		xfree(password);
463 		packet_send();
464 		packet_write_wait();
465 
466 		type = packet_read();
467 		if (type == SSH_SMSG_SUCCESS)
468 			return 1;
469 		if (type != SSH_SMSG_FAILURE)
470 			packet_disconnect("Protocol error: got %d in response to passwd auth", type);
471 	}
472 	/* failure */
473 	return 0;
474 }
475 
476 /*
477  * SSH1 key exchange
478  */
479 void
ssh_kex(char * host,struct sockaddr * hostaddr)480 ssh_kex(char *host, struct sockaddr *hostaddr)
481 {
482 	int i;
483 	BIGNUM *key;
484 	Key *host_key, *server_key;
485 	int bits, rbits;
486 	int ssh_cipher_default = SSH_CIPHER_3DES;
487 	u_char session_key[SSH_SESSION_KEY_LENGTH];
488 	u_char cookie[8];
489 	u_int supported_ciphers;
490 	u_int server_flags, client_flags;
491 	u_int32_t rnd = 0;
492 
493 	debug("Waiting for server public key.");
494 
495 	/* Wait for a public key packet from the server. */
496 	packet_read_expect(SSH_SMSG_PUBLIC_KEY);
497 
498 	/* Get cookie from the packet. */
499 	for (i = 0; i < 8; i++)
500 		cookie[i] = packet_get_char();
501 
502 	/* Get the public key. */
503 	server_key = key_new(KEY_RSA1);
504 	bits = packet_get_int();
505 	packet_get_bignum(server_key->rsa->e);
506 	packet_get_bignum(server_key->rsa->n);
507 
508 	rbits = BN_num_bits(server_key->rsa->n);
509 	if (bits != rbits) {
510 		logit("Warning: Server lies about size of server public key: "
511 		    "actual size is %d bits vs. announced %d.", rbits, bits);
512 		logit("Warning: This may be due to an old implementation of ssh.");
513 	}
514 	/* Get the host key. */
515 	host_key = key_new(KEY_RSA1);
516 	bits = packet_get_int();
517 	packet_get_bignum(host_key->rsa->e);
518 	packet_get_bignum(host_key->rsa->n);
519 
520 	rbits = BN_num_bits(host_key->rsa->n);
521 	if (bits != rbits) {
522 		logit("Warning: Server lies about size of server host key: "
523 		    "actual size is %d bits vs. announced %d.", rbits, bits);
524 		logit("Warning: This may be due to an old implementation of ssh.");
525 	}
526 
527 	/* Get protocol flags. */
528 	server_flags = packet_get_int();
529 	packet_set_protocol_flags(server_flags);
530 
531 	supported_ciphers = packet_get_int();
532 	supported_authentications = packet_get_int();
533 	packet_check_eom();
534 
535 	debug("Received server public key (%d bits) and host key (%d bits).",
536 	    BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
537 
538 	if (verify_host_key(host, hostaddr, host_key) == -1)
539 		fatal("Host key verification failed.");
540 
541 	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
542 
543 	derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id);
544 
545 	/* Generate a session key. */
546 	arc4random_stir();
547 
548 	/*
549 	 * Generate an encryption key for the session.   The key is a 256 bit
550 	 * random number, interpreted as a 32-byte key, with the least
551 	 * significant 8 bits being the first byte of the key.
552 	 */
553 	for (i = 0; i < 32; i++) {
554 		if (i % 4 == 0)
555 			rnd = arc4random();
556 		session_key[i] = rnd & 0xff;
557 		rnd >>= 8;
558 	}
559 
560 	/*
561 	 * According to the protocol spec, the first byte of the session key
562 	 * is the highest byte of the integer.  The session key is xored with
563 	 * the first 16 bytes of the session id.
564 	 */
565 	if ((key = BN_new()) == NULL)
566 		fatal("ssh_kex: BN_new failed");
567 	if (BN_set_word(key, 0) == 0)
568 		fatal("ssh_kex: BN_set_word failed");
569 	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
570 		if (BN_lshift(key, key, 8) == 0)
571 			fatal("ssh_kex: BN_lshift failed");
572 		if (i < 16) {
573 			if (BN_add_word(key, session_key[i] ^ session_id[i])
574 			    == 0)
575 				fatal("ssh_kex: BN_add_word failed");
576 		} else {
577 			if (BN_add_word(key, session_key[i]) == 0)
578 				fatal("ssh_kex: BN_add_word failed");
579 		}
580 	}
581 
582 	/*
583 	 * Encrypt the integer using the public key and host key of the
584 	 * server (key with smaller modulus first).
585 	 */
586 	if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) {
587 		/* Public key has smaller modulus. */
588 		if (BN_num_bits(host_key->rsa->n) <
589 		    BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
590 			fatal("respond_to_rsa_challenge: host_key %d < server_key %d + "
591 			    "SSH_KEY_BITS_RESERVED %d",
592 			    BN_num_bits(host_key->rsa->n),
593 			    BN_num_bits(server_key->rsa->n),
594 			    SSH_KEY_BITS_RESERVED);
595 		}
596 		rsa_public_encrypt(key, key, server_key->rsa);
597 		rsa_public_encrypt(key, key, host_key->rsa);
598 	} else {
599 		/* Host key has smaller modulus (or they are equal). */
600 		if (BN_num_bits(server_key->rsa->n) <
601 		    BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
602 			fatal("respond_to_rsa_challenge: server_key %d < host_key %d + "
603 			    "SSH_KEY_BITS_RESERVED %d",
604 			    BN_num_bits(server_key->rsa->n),
605 			    BN_num_bits(host_key->rsa->n),
606 			    SSH_KEY_BITS_RESERVED);
607 		}
608 		rsa_public_encrypt(key, key, host_key->rsa);
609 		rsa_public_encrypt(key, key, server_key->rsa);
610 	}
611 
612 	/* Destroy the public keys since we no longer need them. */
613 	key_free(server_key);
614 	key_free(host_key);
615 
616 	if (options.cipher == SSH_CIPHER_NOT_SET) {
617 		if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
618 			options.cipher = ssh_cipher_default;
619 	} else if (options.cipher == SSH_CIPHER_INVALID ||
620 	    !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
621 		logit("No valid SSH1 cipher, using %.100s instead.",
622 		    cipher_name(ssh_cipher_default));
623 		options.cipher = ssh_cipher_default;
624 	}
625 	/* Check that the selected cipher is supported. */
626 	if (!(supported_ciphers & (1 << options.cipher)))
627 		fatal("Selected cipher type %.100s not supported by server.",
628 		    cipher_name(options.cipher));
629 
630 	debug("Encryption type: %.100s", cipher_name(options.cipher));
631 
632 	/* Send the encrypted session key to the server. */
633 	packet_start(SSH_CMSG_SESSION_KEY);
634 	packet_put_char(options.cipher);
635 
636 	/* Send the cookie back to the server. */
637 	for (i = 0; i < 8; i++)
638 		packet_put_char(cookie[i]);
639 
640 	/* Send and destroy the encrypted encryption key integer. */
641 	packet_put_bignum(key);
642 	BN_clear_free(key);
643 
644 	/* Send protocol flags. */
645 	packet_put_int(client_flags);
646 
647 	/* Send the packet now. */
648 	packet_send();
649 	packet_write_wait();
650 
651 	debug("Sent encrypted session key.");
652 
653 	/* Set the encryption key. */
654 	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
655 
656 	/* We will no longer need the session key here.  Destroy any extra copies. */
657 	memset(session_key, 0, sizeof(session_key));
658 
659 	/*
660 	 * Expect a success message from the server.  Note that this message
661 	 * will be received in encrypted form.
662 	 */
663 	packet_read_expect(SSH_SMSG_SUCCESS);
664 
665 	debug("Received encrypted confirmation.");
666 }
667 
668 /*
669  * Authenticate user
670  */
671 void
ssh_userauth1(const char * local_user,const char * server_user,char * host,Sensitive * sensitive)672 ssh_userauth1(const char *local_user, const char *server_user, char *host,
673     Sensitive *sensitive)
674 {
675 	int i, type;
676 
677 	if (supported_authentications == 0)
678 		fatal("ssh_userauth1: server supports no auth methods");
679 
680 	/* Send the name of the user to log in as on the server. */
681 	packet_start(SSH_CMSG_USER);
682 	packet_put_cstring(server_user);
683 	packet_send();
684 	packet_write_wait();
685 
686 	/*
687 	 * The server should respond with success if no authentication is
688 	 * needed (the user has no password).  Otherwise the server responds
689 	 * with failure.
690 	 */
691 	type = packet_read();
692 
693 	/* check whether the connection was accepted without authentication. */
694 	if (type == SSH_SMSG_SUCCESS)
695 		goto success;
696 	if (type != SSH_SMSG_FAILURE)
697 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
698 
699 	/*
700 	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
701 	 * authentication.
702 	 */
703 	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
704 	    options.rhosts_rsa_authentication) {
705 		for (i = 0; i < sensitive->nkeys; i++) {
706 			if (sensitive->keys[i] != NULL &&
707 			    sensitive->keys[i]->type == KEY_RSA1 &&
708 			    try_rhosts_rsa_authentication(local_user,
709 			    sensitive->keys[i]))
710 				goto success;
711 		}
712 	}
713 	/* Try RSA authentication if the server supports it. */
714 	if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
715 	    options.rsa_authentication) {
716 		/*
717 		 * Try RSA authentication using the authentication agent. The
718 		 * agent is tried first because no passphrase is needed for
719 		 * it, whereas identity files may require passphrases.
720 		 */
721 		if (try_agent_authentication())
722 			goto success;
723 
724 		/* Try RSA authentication for each identity. */
725 		for (i = 0; i < options.num_identity_files; i++)
726 			if (options.identity_keys[i] != NULL &&
727 			    options.identity_keys[i]->type == KEY_RSA1 &&
728 			    try_rsa_authentication(i))
729 				goto success;
730 	}
731 	/* Try challenge response authentication if the server supports it. */
732 	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
733 	    options.challenge_response_authentication && !options.batch_mode) {
734 		if (try_challenge_response_authentication())
735 			goto success;
736 	}
737 	/* Try password authentication if the server supports it. */
738 	if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
739 	    options.password_authentication && !options.batch_mode) {
740 		char prompt[80];
741 
742 		snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
743 		    server_user, host);
744 		if (try_password_authentication(prompt))
745 			goto success;
746 	}
747 	/* All authentication methods have failed.  Exit with an error message. */
748 	fatal("Permission denied.");
749 	/* NOTREACHED */
750 
751  success:
752 	return;	/* need statement after label */
753 }
754