ssh: do not try authentication methods that we know are not possible

This commit is contained in:
cinap_lenrek 2017-04-20 23:45:56 +02:00
parent 2e714ffe7c
commit 9c50712d64


@ -617,6 +617,31 @@ Next2: switch(recvpkt()){
setupChachastate(&recv.cs2, k12+0*ChachaKeylen, ChachaKeylen, nil, 64/8, 20); setupChachastate(&recv.cs2, k12+0*ChachaKeylen, ChachaKeylen, nil, 64/8, 20);
} }
static char *authnext;
int
authok(char *meth)
{
if(authnext == nil || strstr(authnext, meth) != nil)
return 1;
return 0;
}
int
authfailure(char *meth)
{
char *s;
int n, partial;
if(unpack(recv.r, recv.w-recv.r, "_sb", &s, &n, &partial) < 0)
sysfatal("bad auth failure response");
free(authnext);
authnext = smprint("%.*s", n, s);
if(debug)
fprint(2, "userauth %s failed: partial=%d, next=%s\n", meth, partial, authnext);
return partial != 0 || !authok(meth);
}
int int
pubkeyauth(void) pubkeyauth(void)
{ {
@ -631,6 +656,9 @@ pubkeyauth(void)
AuthRpc *rpc; AuthRpc *rpc;
RSApub *pub; RSApub *pub;
if(!authok(authmeth))
return -1;
if(debug) if(debug)
fprint(2, "%s...\n", authmeth); fprint(2, "%s...\n", authmeth);
@ -674,6 +702,8 @@ Next1: switch(recvpkt()){
dispatch(); dispatch();
goto Next1; goto Next1;
case MSG_USERAUTH_FAILURE: case MSG_USERAUTH_FAILURE:
if(authfailure(authmeth))
goto Failed;
continue; continue;
case MSG_USERAUTH_SUCCESS: case MSG_USERAUTH_SUCCESS:
case MSG_USERAUTH_PK_OK: case MSG_USERAUTH_PK_OK:
@ -717,6 +747,8 @@ Next2: switch(recvpkt()){
dispatch(); dispatch();
goto Next2; goto Next2;
case MSG_USERAUTH_FAILURE: case MSG_USERAUTH_FAILURE:
if(authfailure(authmeth))
goto Failed;
continue; continue;
case MSG_USERAUTH_SUCCESS: case MSG_USERAUTH_SUCCESS:
break; break;
@ -726,6 +758,7 @@ Next2: switch(recvpkt()){
close(afd); close(afd);
return 0; return 0;
} }
Failed:
rsapubfree(pub); rsapubfree(pub);
auth_freerpc(rpc); auth_freerpc(rpc);
close(afd); close(afd);
@ -738,6 +771,9 @@ passauth(void)
static char authmeth[] = "password"; static char authmeth[] = "password";
UserPasswd *up; UserPasswd *up;
if(!authok(authmeth))
return -1;
if(debug) if(debug)
fprint(2, "%s...\n", authmeth); fprint(2, "%s...\n", authmeth);
@ -761,7 +797,8 @@ Next0: switch(recvpkt()){
dispatch(); dispatch();
goto Next0; goto Next0;
case MSG_USERAUTH_FAILURE: case MSG_USERAUTH_FAILURE:
werrstr("%s authentication failed", authmeth); werrstr("wrong password");
authfailure(authmeth);
return -1; return -1;
case MSG_USERAUTH_SUCCESS: case MSG_USERAUTH_SUCCESS:
return 0; return 0;
@ -778,6 +815,9 @@ kbintauth(void)
int nquest, echo; int nquest, echo;
uchar *ans, *answ; uchar *ans, *answ;
if(!authok(authmeth))
return -1;
if(debug) if(debug)
fprint(2, "%s...\n", authmeth); fprint(2, "%s...\n", authmeth);
@ -793,14 +833,14 @@ Next0: switch(recvpkt()){
dispatch(); dispatch();
goto Next0; goto Next0;
case MSG_USERAUTH_FAILURE: case MSG_USERAUTH_FAILURE:
werrstr("%s authentication failed", authmeth); authfailure(authmeth);
return -1; return -1;
case MSG_USERAUTH_SUCCESS: case MSG_USERAUTH_SUCCESS:
return 0; return 0;
case MSG_USERAUTH_INFO_REQUEST: case MSG_USERAUTH_INFO_REQUEST:
break; break;
} }
Retry:
if((fd = open("/dev/cons", OWRITE)) < 0) if((fd = open("/dev/cons", OWRITE)) < 0)
return -1; return -1;
@ -850,8 +890,10 @@ Next1: switch(recvpkt()){
default: default:
dispatch(); dispatch();
goto Next1; goto Next1;
case MSG_USERAUTH_INFO_REQUEST:
goto Retry;
case MSG_USERAUTH_FAILURE: case MSG_USERAUTH_FAILURE:
werrstr("%s authentication failed", authmeth); authfailure(authmeth);
return -1; return -1;
case MSG_USERAUTH_SUCCESS: case MSG_USERAUTH_SUCCESS:
return 0; return 0;
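Review bot: authok in the first hunk tests the method name with `strstr(authnext, meth)`, which is a substring match against the server-supplied name-list stored by authfailure, not a token match: an advertised name that merely contains "password" or "publickey" keeps that method enabled, and the list is untrusted text unpacked straight from the MSG_USERAUTH_FAILURE packet. RFC 4252 defines that field as a comma-separated name-list, so splitting on ',' and comparing whole tokens removes the ambiguity; the registered method names today do not contain one another, so this is a robustness issue rather than a live bypass. The same raw list is also echoed with `%s` in the debug fprint of authfailure, which lets the server put arbitrary bytes, including terminal control sequences, on fd 2 when debug is on, so a comment noting that the string is server-controlled would be appropriate there. The `Retry` label added in kbintauth lets a server issue an unbounded number of MSG_USERAUTH_INFO_REQUEST rounds, each re-opening /dev/cons; the body between the two kbintauth hunks is outside the diff, so I cannot confirm whether fd is closed before the jump or whether any round cap exists. Proposed token-wise authok:

```c
int
authok(char *meth)
{
	char *p, *e;
	int n;

	/* no failure seen yet: every method is still worth trying */
	if(authnext == nil)
		return 1;
	/* authnext is the server's comma-separated name-list; match whole tokens only */
	n = strlen(meth);
	for(p = authnext; *p != '\0'; p = e){
		e = strchr(p, ',');
		if(e == nil)
			e = p + strlen(p);
		if(e - p == n && memcmp(p, meth, n) == 0)
			return 1;
		if(*e == ',')
			e++;
	}
	return 0;
}
```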