xref: /openbsd-src/usr.bin/ssh/sshconnect2.c (revision b46d8ef224b95de1dddcd1f01c1ab482f0ab3778)
1 /* $OpenBSD: sshconnect2.c,v 1.314 2019/11/15 02:37:24 djm Exp $ */
2 /*
3  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4  * Copyright (c) 2008 Damien Miller.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <sys/wait.h>
30 #include <sys/queue.h>
31 #include <sys/stat.h>
32 
33 #include <errno.h>
34 #include <fcntl.h>
35 #include <netdb.h>
36 #include <stdio.h>
37 #include <string.h>
38 #include <stdarg.h>
39 #include <signal.h>
40 #include <pwd.h>
41 #include <unistd.h>
42 #include <vis.h>
43 
44 #include "xmalloc.h"
45 #include "ssh.h"
46 #include "ssh2.h"
47 #include "sshbuf.h"
48 #include "packet.h"
49 #include "compat.h"
50 #include "cipher.h"
51 #include "sshkey.h"
52 #include "kex.h"
53 #include "myproposal.h"
54 #include "sshconnect.h"
55 #include "authfile.h"
56 #include "dh.h"
57 #include "authfd.h"
58 #include "log.h"
59 #include "misc.h"
60 #include "readconf.h"
61 #include "match.h"
62 #include "dispatch.h"
63 #include "canohost.h"
64 #include "msg.h"
65 #include "pathnames.h"
66 #include "uidswap.h"
67 #include "hostfile.h"
68 #include "ssherr.h"
69 #include "utf8.h"
70 #include "ssh-sk.h"
71 #include "sk-api.h"
72 
73 #ifdef GSSAPI
74 #include "ssh-gss.h"
75 #endif
76 
77 /* import */
78 extern char *client_version_string;
79 extern char *server_version_string;
80 extern Options options;
81 
82 /*
83  * SSH2 key exchange
84  */
85 
86 u_char *session_id2 = NULL;
87 u_int session_id2_len = 0;
88 
89 char *xxx_host;
90 struct sockaddr *xxx_hostaddr;
91 
92 static int
93 verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
94 {
95 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
96 		fatal("Host key verification failed.");
97 	return 0;
98 }
99 
100 static char *
101 order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
102 {
103 	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
104 	size_t maxlen;
105 	struct hostkeys *hostkeys;
106 	int ktype;
107 	u_int i;
108 
109 	/* Find all hostkeys for this hostname */
110 	get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL);
111 	hostkeys = init_hostkeys();
112 	for (i = 0; i < options.num_user_hostfiles; i++)
113 		load_hostkeys(hostkeys, hostname, options.user_hostfiles[i]);
114 	for (i = 0; i < options.num_system_hostfiles; i++)
115 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
116 
117 	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
118 	maxlen = strlen(avail) + 1;
119 	first = xmalloc(maxlen);
120 	last = xmalloc(maxlen);
121 	*first = *last = '\0';
122 
123 #define ALG_APPEND(to, from) \
124 	do { \
125 		if (*to != '\0') \
126 			strlcat(to, ",", maxlen); \
127 		strlcat(to, from, maxlen); \
128 	} while (0)
129 
130 	while ((alg = strsep(&avail, ",")) && *alg != '\0') {
131 		if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
132 			fatal("%s: unknown alg %s", __func__, alg);
133 		if (lookup_key_in_hostkeys_by_type(hostkeys,
134 		    sshkey_type_plain(ktype), NULL))
135 			ALG_APPEND(first, alg);
136 		else
137 			ALG_APPEND(last, alg);
138 	}
139 #undef ALG_APPEND
140 	xasprintf(&ret, "%s%s%s", first,
141 	    (*first == '\0' || *last == '\0') ? "" : ",", last);
142 	if (*first != '\0')
143 		debug3("%s: prefer hostkeyalgs: %s", __func__, first);
144 
145 	free(first);
146 	free(last);
147 	free(hostname);
148 	free(oavail);
149 	free_hostkeys(hostkeys);
150 
151 	return ret;
152 }
153 
154 void
155 ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
156 {
157 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
158 	char *s, *all_key;
159 	int r;
160 
161 	xxx_host = host;
162 	xxx_hostaddr = hostaddr;
163 
164 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
165 		fatal("%s: kex_names_cat", __func__);
166 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
167 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
168 	    compat_cipher_proposal(options.ciphers);
169 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
170 	    compat_cipher_proposal(options.ciphers);
171 	myproposal[PROPOSAL_COMP_ALGS_CTOS] =
172 	    myproposal[PROPOSAL_COMP_ALGS_STOC] = options.compression ?
173 	    "zlib@openssh.com,zlib,none" : "none,zlib@openssh.com,zlib";
174 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
175 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
176 	if (options.hostkeyalgorithms != NULL) {
177 		all_key = sshkey_alg_list(0, 0, 1, ',');
178 		if (kex_assemble_names(&options.hostkeyalgorithms,
179 		    KEX_DEFAULT_PK_ALG, all_key) != 0)
180 			fatal("%s: kex_assemble_namelist", __func__);
181 		free(all_key);
182 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
183 		    compat_pkalg_proposal(options.hostkeyalgorithms);
184 	} else {
185 		/* Enforce default */
186 		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
187 		/* Prefer algorithms that we already have keys for */
188 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
189 		    compat_pkalg_proposal(
190 		    order_hostkeyalgs(host, hostaddr, port));
191 	}
192 
193 	if (options.rekey_limit || options.rekey_interval)
194 		ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
195 		    options.rekey_interval);
196 
197 	/* start key exchange */
198 	if ((r = kex_setup(ssh, myproposal)) != 0)
199 		fatal("kex_setup: %s", ssh_err(r));
200 #ifdef WITH_OPENSSL
201 	ssh->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_client;
202 	ssh->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_client;
203 	ssh->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_client;
204 	ssh->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_client;
205 	ssh->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_client;
206 	ssh->kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
207 	ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
208 	ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
209 #endif
210 	ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
211 	ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
212 	ssh->kex->verify_host_key=&verify_host_key_callback;
213 
214 	ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
215 
216 	/* remove ext-info from the KEX proposals for rekeying */
217 	myproposal[PROPOSAL_KEX_ALGS] =
218 	    compat_kex_proposal(options.kex_algorithms);
219 	if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
220 		fatal("kex_prop2buf: %s", ssh_err(r));
221 
222 	session_id2 = ssh->kex->session_id;
223 	session_id2_len = ssh->kex->session_id_len;
224 
225 #ifdef DEBUG_KEXDH
226 	/* send 1st encrypted/maced/compressed message */
227 	if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 ||
228 	    (r = sshpkt_put_cstring(ssh, "markus")) != 0 ||
229 	    (r = sshpkt_send(ssh)) != 0 ||
230 	    (r = ssh_packet_write_wait(ssh)) != 0)
231 		fatal("%s: %s", __func__, ssh_err(r));
232 #endif
233 }
234 
235 /*
236  * Authenticate user
237  */
238 
239 typedef struct cauthctxt Authctxt;
240 typedef struct cauthmethod Authmethod;
241 typedef struct identity Identity;
242 typedef struct idlist Idlist;
243 
244 struct identity {
245 	TAILQ_ENTRY(identity) next;
246 	int	agent_fd;		/* >=0 if agent supports key */
247 	struct sshkey	*key;		/* public/private key */
248 	char	*filename;		/* comment for agent-only keys */
249 	int	tried;
250 	int	isprivate;		/* key points to the private key */
251 	int	userprovided;
252 };
253 TAILQ_HEAD(idlist, identity);
254 
255 struct cauthctxt {
256 	const char *server_user;
257 	const char *local_user;
258 	const char *host;
259 	const char *service;
260 	struct cauthmethod *method;
261 	sig_atomic_t success;
262 	char *authlist;
263 #ifdef GSSAPI
264 	/* gssapi */
265 	gss_OID_set gss_supported_mechs;
266 	u_int mech_tried;
267 #endif
268 	/* pubkey */
269 	struct idlist keys;
270 	int agent_fd;
271 	/* hostbased */
272 	Sensitive *sensitive;
273 	char *oktypes, *ktypes;
274 	const char *active_ktype;
275 	/* kbd-interactive */
276 	int info_req_seen;
277 	int attempt_kbdint;
278 	/* password */
279 	int attempt_passwd;
280 	/* generic */
281 	void *methoddata;
282 };
283 
284 struct cauthmethod {
285 	char	*name;		/* string to compare against server's list */
286 	int	(*userauth)(struct ssh *ssh);
287 	void	(*cleanup)(struct ssh *ssh);
288 	int	*enabled;	/* flag in option struct that enables method */
289 	int	*batch_flag;	/* flag in option struct that disables method */
290 };
291 
292 static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
293 static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
294 static int input_userauth_success(int, u_int32_t, struct ssh *);
295 static int input_userauth_failure(int, u_int32_t, struct ssh *);
296 static int input_userauth_banner(int, u_int32_t, struct ssh *);
297 static int input_userauth_error(int, u_int32_t, struct ssh *);
298 static int input_userauth_info_req(int, u_int32_t, struct ssh *);
299 static int input_userauth_pk_ok(int, u_int32_t, struct ssh *);
300 static int input_userauth_passwd_changereq(int, u_int32_t, struct ssh *);
301 
302 static int userauth_none(struct ssh *);
303 static int userauth_pubkey(struct ssh *);
304 static int userauth_passwd(struct ssh *);
305 static int userauth_kbdint(struct ssh *);
306 static int userauth_hostbased(struct ssh *);
307 
308 #ifdef GSSAPI
309 static int userauth_gssapi(struct ssh *);
310 static void userauth_gssapi_cleanup(struct ssh *);
311 static int input_gssapi_response(int type, u_int32_t, struct ssh *);
312 static int input_gssapi_token(int type, u_int32_t, struct ssh *);
313 static int input_gssapi_error(int, u_int32_t, struct ssh *);
314 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
315 #endif
316 
317 void	userauth(struct ssh *, char *);
318 
319 static void pubkey_cleanup(struct ssh *);
320 static int sign_and_send_pubkey(struct ssh *ssh, Identity *);
321 static void pubkey_prepare(Authctxt *);
322 static void pubkey_reset(Authctxt *);
323 static struct sshkey *load_identity_file(Identity *);
324 
325 static Authmethod *authmethod_get(char *authlist);
326 static Authmethod *authmethod_lookup(const char *name);
327 static char *authmethods_get(void);
328 
329 Authmethod authmethods[] = {
330 #ifdef GSSAPI
331 	{"gssapi-with-mic",
332 		userauth_gssapi,
333 		userauth_gssapi_cleanup,
334 		&options.gss_authentication,
335 		NULL},
336 #endif
337 	{"hostbased",
338 		userauth_hostbased,
339 		NULL,
340 		&options.hostbased_authentication,
341 		NULL},
342 	{"publickey",
343 		userauth_pubkey,
344 		NULL,
345 		&options.pubkey_authentication,
346 		NULL},
347 	{"keyboard-interactive",
348 		userauth_kbdint,
349 		NULL,
350 		&options.kbd_interactive_authentication,
351 		&options.batch_mode},
352 	{"password",
353 		userauth_passwd,
354 		NULL,
355 		&options.password_authentication,
356 		&options.batch_mode},
357 	{"none",
358 		userauth_none,
359 		NULL,
360 		NULL,
361 		NULL},
362 	{NULL, NULL, NULL, NULL, NULL}
363 };
364 
365 void
366 ssh_userauth2(struct ssh *ssh, const char *local_user,
367     const char *server_user, char *host, Sensitive *sensitive)
368 {
369 	Authctxt authctxt;
370 	int r;
371 
372 	if (options.challenge_response_authentication)
373 		options.kbd_interactive_authentication = 1;
374 	if (options.preferred_authentications == NULL)
375 		options.preferred_authentications = authmethods_get();
376 
377 	/* setup authentication context */
378 	memset(&authctxt, 0, sizeof(authctxt));
379 	authctxt.server_user = server_user;
380 	authctxt.local_user = local_user;
381 	authctxt.host = host;
382 	authctxt.service = "ssh-connection";		/* service name */
383 	authctxt.success = 0;
384 	authctxt.method = authmethod_lookup("none");
385 	authctxt.authlist = NULL;
386 	authctxt.methoddata = NULL;
387 	authctxt.sensitive = sensitive;
388 	authctxt.active_ktype = authctxt.oktypes = authctxt.ktypes = NULL;
389 	authctxt.info_req_seen = 0;
390 	authctxt.attempt_kbdint = 0;
391 	authctxt.attempt_passwd = 0;
392 #if GSSAPI
393 	authctxt.gss_supported_mechs = NULL;
394 	authctxt.mech_tried = 0;
395 #endif
396 	authctxt.agent_fd = -1;
397 	pubkey_prepare(&authctxt);
398 	if (authctxt.method == NULL) {
399 		fatal("%s: internal error: cannot send userauth none request",
400 		    __func__);
401 	}
402 
403 	if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_REQUEST)) != 0 ||
404 	    (r = sshpkt_put_cstring(ssh, "ssh-userauth")) != 0 ||
405 	    (r = sshpkt_send(ssh)) != 0)
406 		fatal("%s: %s", __func__, ssh_err(r));
407 
408 	ssh->authctxt = &authctxt;
409 	ssh_dispatch_init(ssh, &input_userauth_error);
410 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
411 	ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
412 	ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success);	/* loop until success */
413 	pubkey_cleanup(ssh);
414 	ssh->authctxt = NULL;
415 
416 	ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
417 
418 	if (!authctxt.success)
419 		fatal("Authentication failed.");
420 	debug("Authentication succeeded (%s).", authctxt.method->name);
421 }
422 
423 /* ARGSUSED */
424 static int
425 input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
426 {
427 	int r;
428 
429 	if (ssh_packet_remaining(ssh) > 0) {
430 		char *reply;
431 
432 		if ((r = sshpkt_get_cstring(ssh, &reply, NULL)) != 0)
433 			goto out;
434 		debug2("service_accept: %s", reply);
435 		free(reply);
436 	} else {
437 		debug2("buggy server: service_accept w/o service");
438 	}
439 	if ((r = sshpkt_get_end(ssh)) != 0)
440 		goto out;
441 	debug("SSH2_MSG_SERVICE_ACCEPT received");
442 
443 	/* initial userauth request */
444 	userauth_none(ssh);
445 
446 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_error);
447 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
448 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
449 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
450 	r = 0;
451  out:
452 	return r;
453 }
454 
455 /* ARGSUSED */
456 static int
457 input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
458 {
459 	return kex_input_ext_info(type, seqnr, ssh);
460 }
461 
462 void
463 userauth(struct ssh *ssh, char *authlist)
464 {
465 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
466 
467 	if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
468 		authctxt->method->cleanup(ssh);
469 
470 	free(authctxt->methoddata);
471 	authctxt->methoddata = NULL;
472 	if (authlist == NULL) {
473 		authlist = authctxt->authlist;
474 	} else {
475 		free(authctxt->authlist);
476 		authctxt->authlist = authlist;
477 	}
478 	for (;;) {
479 		Authmethod *method = authmethod_get(authlist);
480 		if (method == NULL)
481 			fatal("%s@%s: Permission denied (%s).",
482 			    authctxt->server_user, authctxt->host, authlist);
483 		authctxt->method = method;
484 
485 		/* reset the per method handler */
486 		ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_PER_METHOD_MIN,
487 		    SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
488 
489 		/* and try new method */
490 		if (method->userauth(ssh) != 0) {
491 			debug2("we sent a %s packet, wait for reply", method->name);
492 			break;
493 		} else {
494 			debug2("we did not send a packet, disable method");
495 			method->enabled = NULL;
496 		}
497 	}
498 }
499 
500 /* ARGSUSED */
501 static int
502 input_userauth_error(int type, u_int32_t seq, struct ssh *ssh)
503 {
504 	fatal("%s: bad message during authentication: type %d", __func__, type);
505 	return 0;
506 }
507 
508 /* ARGSUSED */
509 static int
510 input_userauth_banner(int type, u_int32_t seq, struct ssh *ssh)
511 {
512 	char *msg = NULL;
513 	size_t len;
514 	int r;
515 
516 	debug3("%s", __func__);
517 	if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 ||
518 	    (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0)
519 		goto out;
520 	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO)
521 		fmprintf(stderr, "%s", msg);
522 	r = 0;
523  out:
524 	free(msg);
525 	return r;
526 }
527 
528 /* ARGSUSED */
529 static int
530 input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
531 {
532 	Authctxt *authctxt = ssh->authctxt;
533 
534 	if (authctxt == NULL)
535 		fatal("%s: no authentication context", __func__);
536 	free(authctxt->authlist);
537 	authctxt->authlist = NULL;
538 	if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
539 		authctxt->method->cleanup(ssh);
540 	free(authctxt->methoddata);
541 	authctxt->methoddata = NULL;
542 	authctxt->success = 1;			/* break out */
543 	return 0;
544 }
545 
546 #if 0
547 static int
548 input_userauth_success_unexpected(int type, u_int32_t seq, struct ssh *ssh)
549 {
550 	Authctxt *authctxt = ssh->authctxt;
551 
552 	if (authctxt == NULL)
553 		fatal("%s: no authentication context", __func__);
554 
555 	fatal("Unexpected authentication success during %s.",
556 	    authctxt->method->name);
557 	return 0;
558 }
559 #endif
560 
561 /* ARGSUSED */
562 static int
563 input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh)
564 {
565 	Authctxt *authctxt = ssh->authctxt;
566 	char *authlist = NULL;
567 	u_char partial;
568 
569 	if (authctxt == NULL)
570 		fatal("input_userauth_failure: no authentication context");
571 
572 	if (sshpkt_get_cstring(ssh, &authlist, NULL) != 0 ||
573 	    sshpkt_get_u8(ssh, &partial) != 0 ||
574 	    sshpkt_get_end(ssh) != 0)
575 		goto out;
576 
577 	if (partial != 0) {
578 		verbose("Authenticated with partial success.");
579 		/* reset state */
580 		pubkey_reset(authctxt);
581 	}
582 	debug("Authentications that can continue: %s", authlist);
583 
584 	userauth(ssh, authlist);
585 	authlist = NULL;
586  out:
587 	free(authlist);
588 	return 0;
589 }
590 
591 /*
592  * Format an identity for logging including filename, key type, fingerprint
593  * and location (agent, etc.). Caller must free.
594  */
595 static char *
596 format_identity(Identity *id)
597 {
598 	char *fp = NULL, *ret = NULL;
599 	const char *note = "";
600 
601 	if (id->key != NULL) {
602 	     fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
603 		    SSH_FP_DEFAULT);
604 	}
605 	if (id->key) {
606 		if ((id->key->flags & SSHKEY_FLAG_EXT) != 0)
607 			note = " token";
608 		else if (sshkey_is_sk(id->key))
609 			note = " security-key";
610 	}
611 	xasprintf(&ret, "%s %s%s%s%s%s%s",
612 	    id->filename,
613 	    id->key ? sshkey_type(id->key) : "", id->key ? " " : "",
614 	    fp ? fp : "",
615 	    id->userprovided ? " explicit" : "", note,
616 	    id->agent_fd != -1 ? " agent" : "");
617 	free(fp);
618 	return ret;
619 }
620 
621 /* ARGSUSED */
622 static int
623 input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
624 {
625 	Authctxt *authctxt = ssh->authctxt;
626 	struct sshkey *key = NULL;
627 	Identity *id = NULL;
628 	int pktype, found = 0, sent = 0;
629 	size_t blen;
630 	char *pkalg = NULL, *fp = NULL, *ident = NULL;
631 	u_char *pkblob = NULL;
632 	int r;
633 
634 	if (authctxt == NULL)
635 		fatal("input_userauth_pk_ok: no authentication context");
636 
637 	if ((r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
638 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
639 	    (r = sshpkt_get_end(ssh)) != 0)
640 		goto done;
641 
642 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
643 		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
644 		goto done;
645 	}
646 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
647 		debug("no key from blob. pkalg %s: %s", pkalg, ssh_err(r));
648 		goto done;
649 	}
650 	if (key->type != pktype) {
651 		error("input_userauth_pk_ok: type mismatch "
652 		    "for decoded key (received %d, expected %d)",
653 		    key->type, pktype);
654 		goto done;
655 	}
656 
657 	/*
658 	 * search keys in the reverse order, because last candidate has been
659 	 * moved to the end of the queue.  this also avoids confusion by
660 	 * duplicate keys
661 	 */
662 	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
663 		if (sshkey_equal(key, id->key)) {
664 			found = 1;
665 			break;
666 		}
667 	}
668 	if (!found || id == NULL) {
669 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
670 		    SSH_FP_DEFAULT);
671 		error("%s: server replied with unknown key: %s %s", __func__,
672 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
673 		goto done;
674 	}
675 	ident = format_identity(id);
676 	debug("Server accepts key: %s", ident);
677 	sent = sign_and_send_pubkey(ssh, id);
678 	r = 0;
679  done:
680 	sshkey_free(key);
681 	free(ident);
682 	free(fp);
683 	free(pkalg);
684 	free(pkblob);
685 
686 	/* try another method if we did not send a packet */
687 	if (r == 0 && sent == 0)
688 		userauth(ssh, NULL);
689 	return r;
690 }
691 
692 #ifdef GSSAPI
693 static int
694 userauth_gssapi(struct ssh *ssh)
695 {
696 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
697 	Gssctxt *gssctxt = NULL;
698 	OM_uint32 min;
699 	int r, ok = 0;
700 	gss_OID mech = NULL;
701 
702 	/* Try one GSSAPI method at a time, rather than sending them all at
703 	 * once. */
704 
705 	if (authctxt->gss_supported_mechs == NULL)
706 		gss_indicate_mechs(&min, &authctxt->gss_supported_mechs);
707 
708 	/* Check to see whether the mechanism is usable before we offer it */
709 	while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
710 	    !ok) {
711 		mech = &authctxt->gss_supported_mechs->
712 		    elements[authctxt->mech_tried];
713 		/* My DER encoding requires length<128 */
714 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
715 		    mech, authctxt->host)) {
716 			ok = 1; /* Mechanism works */
717 		} else {
718 			authctxt->mech_tried++;
719 		}
720 	}
721 
722 	if (!ok || mech == NULL)
723 		return 0;
724 
725 	authctxt->methoddata=(void *)gssctxt;
726 
727 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
728 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
729 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
730 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
731 	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
732 	    (r = sshpkt_put_u32(ssh, (mech->length) + 2)) != 0 ||
733 	    (r = sshpkt_put_u8(ssh, SSH_GSS_OIDTYPE)) != 0 ||
734 	    (r = sshpkt_put_u8(ssh, mech->length)) != 0 ||
735 	    (r = sshpkt_put(ssh, mech->elements, mech->length)) != 0 ||
736 	    (r = sshpkt_send(ssh)) != 0)
737 		fatal("%s: %s", __func__, ssh_err(r));
738 
739 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
740 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
741 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
742 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
743 
744 	authctxt->mech_tried++; /* Move along to next candidate */
745 
746 	return 1;
747 }
748 
749 static void
750 userauth_gssapi_cleanup(struct ssh *ssh)
751 {
752 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
753 	Gssctxt *gssctxt = (Gssctxt *)authctxt->methoddata;
754 
755 	ssh_gssapi_delete_ctx(&gssctxt);
756 	authctxt->methoddata = NULL;
757 
758 	free(authctxt->gss_supported_mechs);
759 	authctxt->gss_supported_mechs = NULL;
760 }
761 
762 static OM_uint32
763 process_gssapi_token(struct ssh *ssh, gss_buffer_t recv_tok)
764 {
765 	Authctxt *authctxt = ssh->authctxt;
766 	Gssctxt *gssctxt = authctxt->methoddata;
767 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
768 	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
769 	gss_buffer_desc gssbuf;
770 	OM_uint32 status, ms, flags;
771 	int r;
772 
773 	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
774 	    recv_tok, &send_tok, &flags);
775 
776 	if (send_tok.length > 0) {
777 		u_char type = GSS_ERROR(status) ?
778 		    SSH2_MSG_USERAUTH_GSSAPI_ERRTOK :
779 		    SSH2_MSG_USERAUTH_GSSAPI_TOKEN;
780 
781 		if ((r = sshpkt_start(ssh, type)) != 0 ||
782 		    (r = sshpkt_put_string(ssh, send_tok.value,
783 		    send_tok.length)) != 0 ||
784 		    (r = sshpkt_send(ssh)) != 0)
785 			fatal("%s: %s", __func__, ssh_err(r));
786 
787 		gss_release_buffer(&ms, &send_tok);
788 	}
789 
790 	if (status == GSS_S_COMPLETE) {
791 		/* send either complete or MIC, depending on mechanism */
792 		if (!(flags & GSS_C_INTEG_FLAG)) {
793 			if ((r = sshpkt_start(ssh,
794 			    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE)) != 0 ||
795 			    (r = sshpkt_send(ssh)) != 0)
796 				fatal("%s: %s", __func__, ssh_err(r));
797 		} else {
798 			struct sshbuf *b;
799 
800 			if ((b = sshbuf_new()) == NULL)
801 				fatal("%s: sshbuf_new failed", __func__);
802 			ssh_gssapi_buildmic(b, authctxt->server_user,
803 			    authctxt->service, "gssapi-with-mic");
804 
805 			if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
806 				fatal("%s: sshbuf_mutable_ptr failed", __func__);
807 			gssbuf.length = sshbuf_len(b);
808 
809 			status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
810 
811 			if (!GSS_ERROR(status)) {
812 				if ((r = sshpkt_start(ssh,
813 				    SSH2_MSG_USERAUTH_GSSAPI_MIC)) != 0 ||
814 				    (r = sshpkt_put_string(ssh, mic.value,
815 				    mic.length)) != 0 ||
816 				    (r = sshpkt_send(ssh)) != 0)
817 					fatal("%s: %s", __func__, ssh_err(r));
818 			}
819 
820 			sshbuf_free(b);
821 			gss_release_buffer(&ms, &mic);
822 		}
823 	}
824 
825 	return status;
826 }
827 
828 /* ARGSUSED */
829 static int
830 input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh)
831 {
832 	Authctxt *authctxt = ssh->authctxt;
833 	Gssctxt *gssctxt;
834 	size_t oidlen;
835 	u_char *oidv = NULL;
836 	int r;
837 
838 	if (authctxt == NULL)
839 		fatal("input_gssapi_response: no authentication context");
840 	gssctxt = authctxt->methoddata;
841 
842 	/* Setup our OID */
843 	if ((r = sshpkt_get_string(ssh, &oidv, &oidlen)) != 0)
844 		goto done;
845 
846 	if (oidlen <= 2 ||
847 	    oidv[0] != SSH_GSS_OIDTYPE ||
848 	    oidv[1] != oidlen - 2) {
849 		debug("Badly encoded mechanism OID received");
850 		userauth(ssh, NULL);
851 		goto ok;
852 	}
853 
854 	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
855 		fatal("Server returned different OID than expected");
856 
857 	if ((r = sshpkt_get_end(ssh)) != 0)
858 		goto done;
859 
860 	if (GSS_ERROR(process_gssapi_token(ssh, GSS_C_NO_BUFFER))) {
861 		/* Start again with next method on list */
862 		debug("Trying to start again");
863 		userauth(ssh, NULL);
864 		goto ok;
865 	}
866  ok:
867 	r = 0;
868  done:
869 	free(oidv);
870 	return r;
871 }
872 
873 /* ARGSUSED */
874 static int
875 input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
876 {
877 	Authctxt *authctxt = ssh->authctxt;
878 	gss_buffer_desc recv_tok;
879 	u_char *p = NULL;
880 	size_t len;
881 	OM_uint32 status;
882 	int r;
883 
884 	if (authctxt == NULL)
885 		fatal("input_gssapi_response: no authentication context");
886 
887 	if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
888 	    (r = sshpkt_get_end(ssh)) != 0)
889 		goto out;
890 
891 	recv_tok.value = p;
892 	recv_tok.length = len;
893 	status = process_gssapi_token(ssh, &recv_tok);
894 
895 	/* Start again with the next method in the list */
896 	if (GSS_ERROR(status)) {
897 		userauth(ssh, NULL);
898 		/* ok */
899 	}
900 	r = 0;
901  out:
902 	free(p);
903 	return r;
904 }
905 
906 /* ARGSUSED */
907 static int
908 input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
909 {
910 	Authctxt *authctxt = ssh->authctxt;
911 	Gssctxt *gssctxt;
912 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
913 	gss_buffer_desc recv_tok;
914 	OM_uint32 ms;
915 	u_char *p = NULL;
916 	size_t len;
917 	int r;
918 
919 	if (authctxt == NULL)
920 		fatal("input_gssapi_response: no authentication context");
921 	gssctxt = authctxt->methoddata;
922 
923 	if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
924 	    (r = sshpkt_get_end(ssh)) != 0) {
925 		free(p);
926 		return r;
927 	}
928 
929 	/* Stick it into GSSAPI and see what it says */
930 	recv_tok.value = p;
931 	recv_tok.length = len;
932 	(void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
933 	    &recv_tok, &send_tok, NULL);
934 	free(p);
935 	gss_release_buffer(&ms, &send_tok);
936 
937 	/* Server will be returning a failed packet after this one */
938 	return 0;
939 }
940 
941 /* ARGSUSED */
942 static int
943 input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
944 {
945 	char *msg = NULL;
946 	char *lang = NULL;
947 	int r;
948 
949 	if ((r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* maj */
950 	    (r = sshpkt_get_u32(ssh, NULL)) != 0 ||	/* min */
951 	    (r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
952 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
953 		goto out;
954 	r = sshpkt_get_end(ssh);
955 	debug("Server GSSAPI Error:\n%s", msg);
956  out:
957 	free(msg);
958 	free(lang);
959 	return r;
960 }
961 #endif /* GSSAPI */
962 
963 static int
964 userauth_none(struct ssh *ssh)
965 {
966 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
967 	int r;
968 
969 	/* initial userauth request */
970 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
971 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
972 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
973 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
974 	    (r = sshpkt_send(ssh)) != 0)
975 		fatal("%s: %s", __func__, ssh_err(r));
976 	return 1;
977 }
978 
979 static int
980 userauth_passwd(struct ssh *ssh)
981 {
982 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
983 	char *password, *prompt = NULL;
984 	const char *host = options.host_key_alias ?  options.host_key_alias :
985 	    authctxt->host;
986 	int r;
987 
988 	if (authctxt->attempt_passwd++ >= options.number_of_password_prompts)
989 		return 0;
990 
991 	if (authctxt->attempt_passwd != 1)
992 		error("Permission denied, please try again.");
993 
994 	xasprintf(&prompt, "%s@%s's password: ", authctxt->server_user, host);
995 	password = read_passphrase(prompt, 0);
996 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
997 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
998 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
999 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
1000 	    (r = sshpkt_put_u8(ssh, 0)) != 0 ||
1001 	    (r = sshpkt_put_cstring(ssh, password)) != 0 ||
1002 	    (r = sshpkt_add_padding(ssh, 64)) != 0 ||
1003 	    (r = sshpkt_send(ssh)) != 0)
1004 		fatal("%s: %s", __func__, ssh_err(r));
1005 
1006 	free(prompt);
1007 	if (password != NULL)
1008 		freezero(password, strlen(password));
1009 
1010 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
1011 	    &input_userauth_passwd_changereq);
1012 
1013 	return 1;
1014 }
1015 
1016 /*
1017  * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
1018  */
1019 /* ARGSUSED */
1020 static int
1021 input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
1022 {
1023 	Authctxt *authctxt = ssh->authctxt;
1024 	char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
1025 	char prompt[256];
1026 	const char *host;
1027 	int r;
1028 
1029 	debug2("input_userauth_passwd_changereq");
1030 
1031 	if (authctxt == NULL)
1032 		fatal("input_userauth_passwd_changereq: "
1033 		    "no authentication context");
1034 	host = options.host_key_alias ? options.host_key_alias : authctxt->host;
1035 
1036 	if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
1037 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
1038 		goto out;
1039 	if (strlen(info) > 0)
1040 		logit("%s", info);
1041 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
1042 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
1043 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
1044 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
1045 	    (r = sshpkt_put_u8(ssh, 1)) != 0)	/* additional info */
1046 		goto out;
1047 
1048 	snprintf(prompt, sizeof(prompt),
1049 	    "Enter %.30s@%.128s's old password: ",
1050 	    authctxt->server_user, host);
1051 	password = read_passphrase(prompt, 0);
1052 	if ((r = sshpkt_put_cstring(ssh, password)) != 0)
1053 		goto out;
1054 
1055 	freezero(password, strlen(password));
1056 	password = NULL;
1057 	while (password == NULL) {
1058 		snprintf(prompt, sizeof(prompt),
1059 		    "Enter %.30s@%.128s's new password: ",
1060 		    authctxt->server_user, host);
1061 		password = read_passphrase(prompt, RP_ALLOW_EOF);
1062 		if (password == NULL) {
1063 			/* bail out */
1064 			r = 0;
1065 			goto out;
1066 		}
1067 		snprintf(prompt, sizeof(prompt),
1068 		    "Retype %.30s@%.128s's new password: ",
1069 		    authctxt->server_user, host);
1070 		retype = read_passphrase(prompt, 0);
1071 		if (strcmp(password, retype) != 0) {
1072 			freezero(password, strlen(password));
1073 			logit("Mismatch; try again, EOF to quit.");
1074 			password = NULL;
1075 		}
1076 		freezero(retype, strlen(retype));
1077 	}
1078 	if ((r = sshpkt_put_cstring(ssh, password)) != 0 ||
1079 	    (r = sshpkt_add_padding(ssh, 64)) != 0 ||
1080 	    (r = sshpkt_send(ssh)) != 0)
1081 		goto out;
1082 
1083 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
1084 	    &input_userauth_passwd_changereq);
1085 	r = 0;
1086  out:
1087 	if (password)
1088 		freezero(password, strlen(password));
1089 	free(info);
1090 	free(lang);
1091 	return r;
1092 }
1093 
1094 /*
1095  * Select an algorithm for publickey signatures.
1096  * Returns algorithm (caller must free) or NULL if no mutual algorithm found.
1097  *
1098  * Call with ssh==NULL to ignore server-sig-algs extension list and
1099  * only attempt with the key's base signature type.
1100  */
1101 static char *
1102 key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
1103 {
1104 	char *allowed, *oallowed, *cp, *tmp, *alg = NULL;
1105 
1106 	/*
1107 	 * The signature algorithm will only differ from the key algorithm
1108 	 * for RSA keys/certs and when the server advertises support for
1109 	 * newer (SHA2) algorithms.
1110 	 */
1111 	if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
1112 	    (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
1113 	    (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
1114 		/* Filter base key signature alg against our configuration */
1115 		return match_list(sshkey_ssh_name(key),
1116 		    options.pubkey_key_types, NULL);
1117 	}
1118 
1119 	/*
1120 	 * For RSA keys/certs, since these might have a different sig type:
1121 	 * find the first entry in PubkeyAcceptedKeyTypes of the right type
1122 	 * that also appears in the supported signature algorithms list from
1123 	 * the server.
1124 	 */
1125 	oallowed = allowed = xstrdup(options.pubkey_key_types);
1126 	while ((cp = strsep(&allowed, ",")) != NULL) {
1127 		if (sshkey_type_from_name(cp) != key->type)
1128 			continue;
1129 		tmp = match_list(sshkey_sigalg_by_name(cp), ssh->kex->server_sig_algs, NULL);
1130 		if (tmp != NULL)
1131 			alg = xstrdup(cp);
1132 		free(tmp);
1133 		if (alg != NULL)
1134 			break;
1135 	}
1136 	free(oallowed);
1137 	return alg;
1138 }
1139 
1140 static int
1141 identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
1142     const u_char *data, size_t datalen, u_int compat, const char *alg)
1143 {
1144 	struct sshkey *sign_key = NULL, *prv = NULL;
1145 	int r = SSH_ERR_INTERNAL_ERROR;
1146 	struct notifier_ctx *notifier = NULL;
1147 	char *fp = NULL;
1148 
1149 	*sigp = NULL;
1150 	*lenp = 0;
1151 
1152 	/* The agent supports this key. */
1153 	if (id->key != NULL && id->agent_fd != -1) {
1154 		return ssh_agent_sign(id->agent_fd, id->key, sigp, lenp,
1155 		    data, datalen, alg, compat);
1156 	}
1157 
1158 	/*
1159 	 * We have already loaded the private key or the private key is
1160 	 * stored in external hardware.
1161 	 */
1162 	if (id->key != NULL &&
1163 	    (id->isprivate || (id->key->flags & SSHKEY_FLAG_EXT))) {
1164 		sign_key = id->key;
1165 	} else {
1166 		/* Load the private key from the file. */
1167 		if ((prv = load_identity_file(id)) == NULL)
1168 			return SSH_ERR_KEY_NOT_FOUND;
1169 		if (id->key != NULL && !sshkey_equal_public(prv, id->key)) {
1170 			error("%s: private key %s contents do not match public",
1171 			   __func__, id->filename);
1172 			r = SSH_ERR_KEY_NOT_FOUND;
1173 			goto out;
1174 		}
1175 		sign_key = prv;
1176 		if (sshkey_is_sk(sign_key) &&
1177 		    (sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
1178 			/* XXX match batch mode should just skip these keys? */
1179 			if ((fp = sshkey_fingerprint(sign_key,
1180 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
1181 				fatal("%s: sshkey_fingerprint", __func__);
1182 			notifier = notify_start(options.batch_mode,
1183 			    "Confirm user presence for key %s %s",
1184 			    sshkey_type(sign_key), fp);
1185 			free(fp);
1186 		}
1187 	}
1188 	if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
1189 	    alg, options.sk_provider, compat)) != 0) {
1190 		debug("%s: sshkey_sign: %s", __func__, ssh_err(r));
1191 		goto out;
1192 	}
1193 	/*
1194 	 * PKCS#11 tokens may not support all signature algorithms,
1195 	 * so check what we get back.
1196 	 */
1197 	if ((r = sshkey_check_sigtype(*sigp, *lenp, alg)) != 0) {
1198 		debug("%s: sshkey_check_sigtype: %s", __func__, ssh_err(r));
1199 		goto out;
1200 	}
1201 	/* success */
1202 	r = 0;
1203  out:
1204 	notify_complete(notifier);
1205 	sshkey_free(prv);
1206 	return r;
1207 }
1208 
1209 static int
1210 id_filename_matches(Identity *id, Identity *private_id)
1211 {
1212 	const char *suffixes[] = { ".pub", "-cert.pub", NULL };
1213 	size_t len = strlen(id->filename), plen = strlen(private_id->filename);
1214 	size_t i, slen;
1215 
1216 	if (strcmp(id->filename, private_id->filename) == 0)
1217 		return 1;
1218 	for (i = 0; suffixes[i]; i++) {
1219 		slen = strlen(suffixes[i]);
1220 		if (len > slen && plen == len - slen &&
1221 		    strcmp(id->filename + (len - slen), suffixes[i]) == 0 &&
1222 		    memcmp(id->filename, private_id->filename, plen) == 0)
1223 			return 1;
1224 	}
1225 	return 0;
1226 }
1227 
1228 static int
1229 sign_and_send_pubkey(struct ssh *ssh, Identity *id)
1230 {
1231 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1232 	struct sshbuf *b = NULL;
1233 	Identity *private_id, *sign_id = NULL;
1234 	u_char *signature = NULL;
1235 	size_t slen = 0, skip = 0;
1236 	int r, fallback_sigtype, sent = 0;
1237 	char *alg = NULL, *fp = NULL;
1238 	const char *loc = "";
1239 
1240 	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1241 	    SSH_FP_DEFAULT)) == NULL)
1242 		return 0;
1243 
1244 	debug3("%s: %s %s", __func__, sshkey_type(id->key), fp);
1245 
1246 	/*
1247 	 * If the key is an certificate, try to find a matching private key
1248 	 * and use it to complete the signature.
1249 	 * If no such private key exists, fall back to trying the certificate
1250 	 * key itself in case it has a private half already loaded.
1251 	 * This will try to set sign_id to the private key that will perform
1252 	 * the signature.
1253 	 */
1254 	if (sshkey_is_cert(id->key)) {
1255 		TAILQ_FOREACH(private_id, &authctxt->keys, next) {
1256 			if (sshkey_equal_public(id->key, private_id->key) &&
1257 			    id->key->type != private_id->key->type) {
1258 				sign_id = private_id;
1259 				break;
1260 			}
1261 		}
1262 		/*
1263 		 * Exact key matches are preferred, but also allow
1264 		 * filename matches for non-PKCS#11/agent keys that
1265 		 * didn't load public keys. This supports the case
1266 		 * of keeping just a private key file and public
1267 		 * certificate on disk.
1268 		 */
1269 		if (sign_id == NULL &&
1270 		    !id->isprivate && id->agent_fd == -1 &&
1271 		    (id->key->flags & SSHKEY_FLAG_EXT) == 0) {
1272 			TAILQ_FOREACH(private_id, &authctxt->keys, next) {
1273 				if (private_id->key == NULL &&
1274 				    id_filename_matches(id, private_id)) {
1275 					sign_id = private_id;
1276 					break;
1277 				}
1278 			}
1279 		}
1280 		if (sign_id != NULL) {
1281 			debug2("%s: using private key \"%s\"%s for "
1282 			    "certificate", __func__, id->filename,
1283 			    id->agent_fd != -1 ? " from agent" : "");
1284 		} else {
1285 			debug("%s: no separate private key for certificate "
1286 			    "\"%s\"", __func__, id->filename);
1287 		}
1288 	}
1289 
1290 	/*
1291 	 * If the above didn't select another identity to do the signing
1292 	 * then default to the one we started with.
1293 	 */
1294 	if (sign_id == NULL)
1295 		sign_id = id;
1296 
1297 	/* assemble and sign data */
1298 	for (fallback_sigtype = 0; fallback_sigtype <= 1; fallback_sigtype++) {
1299 		free(alg);
1300 		slen = 0;
1301 		signature = NULL;
1302 		if ((alg = key_sig_algorithm(fallback_sigtype ? NULL : ssh,
1303 		    id->key)) == NULL) {
1304 			error("%s: no mutual signature supported", __func__);
1305 			goto out;
1306 		}
1307 		debug3("%s: signing using %s", __func__, alg);
1308 
1309 		sshbuf_free(b);
1310 		if ((b = sshbuf_new()) == NULL)
1311 			fatal("%s: sshbuf_new failed", __func__);
1312 		if (datafellows & SSH_OLD_SESSIONID) {
1313 			if ((r = sshbuf_put(b, session_id2,
1314 			    session_id2_len)) != 0) {
1315 				fatal("%s: sshbuf_put: %s",
1316 				    __func__, ssh_err(r));
1317 			}
1318 		} else {
1319 			if ((r = sshbuf_put_string(b, session_id2,
1320 			    session_id2_len)) != 0) {
1321 				fatal("%s: sshbuf_put_string: %s",
1322 				    __func__, ssh_err(r));
1323 			}
1324 		}
1325 		skip = sshbuf_len(b);
1326 		if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
1327 		    (r = sshbuf_put_cstring(b, authctxt->server_user)) != 0 ||
1328 		    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
1329 		    (r = sshbuf_put_cstring(b, authctxt->method->name)) != 0 ||
1330 		    (r = sshbuf_put_u8(b, 1)) != 0 ||
1331 		    (r = sshbuf_put_cstring(b, alg)) != 0 ||
1332 		    (r = sshkey_puts(id->key, b)) != 0) {
1333 			fatal("%s: assemble signed data: %s",
1334 			    __func__, ssh_err(r));
1335 		}
1336 
1337 		/* generate signature */
1338 		r = identity_sign(sign_id, &signature, &slen,
1339 		    sshbuf_ptr(b), sshbuf_len(b), datafellows, alg);
1340 		if (r == 0)
1341 			break;
1342 		else if (r == SSH_ERR_KEY_NOT_FOUND)
1343 			goto out; /* soft failure */
1344 		else if (r == SSH_ERR_SIGN_ALG_UNSUPPORTED &&
1345 		    !fallback_sigtype) {
1346 			if (sign_id->agent_fd != -1)
1347 				loc = "agent ";
1348 			else if ((sign_id->key->flags & SSHKEY_FLAG_EXT) != 0)
1349 				loc = "token ";
1350 			logit("%skey %s %s returned incorrect signature type",
1351 			    loc, sshkey_type(id->key), fp);
1352 			continue;
1353 		}
1354 		error("%s: signing failed: %s", __func__, ssh_err(r));
1355 		goto out;
1356 	}
1357 	if (slen == 0 || signature == NULL) /* shouldn't happen */
1358 		fatal("%s: no signature", __func__);
1359 
1360 	/* append signature */
1361 	if ((r = sshbuf_put_string(b, signature, slen)) != 0)
1362 		fatal("%s: append signature: %s", __func__, ssh_err(r));
1363 
1364 #ifdef DEBUG_PK
1365 	sshbuf_dump(b, stderr);
1366 #endif
1367 	/* skip session id and packet type */
1368 	if ((r = sshbuf_consume(b, skip + 1)) != 0)
1369 		fatal("%s: consume: %s", __func__, ssh_err(r));
1370 
1371 	/* put remaining data from buffer into packet */
1372 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
1373 	    (r = sshpkt_putb(ssh, b)) != 0 ||
1374 	    (r = sshpkt_send(ssh)) != 0)
1375 		fatal("%s: enqueue request: %s", __func__, ssh_err(r));
1376 
1377 	/* success */
1378 	sent = 1;
1379 
1380  out:
1381 	free(fp);
1382 	free(alg);
1383 	sshbuf_free(b);
1384 	freezero(signature, slen);
1385 	return sent;
1386 }
1387 
1388 static int
1389 send_pubkey_test(struct ssh *ssh, Identity *id)
1390 {
1391 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1392 	u_char *blob = NULL;
1393 	char *alg = NULL;
1394 	size_t bloblen;
1395 	u_int have_sig = 0;
1396 	int sent = 0, r;
1397 
1398 	if ((alg = key_sig_algorithm(ssh, id->key)) == NULL) {
1399 		debug("%s: no mutual signature algorithm", __func__);
1400 		goto out;
1401 	}
1402 
1403 	if ((r = sshkey_to_blob(id->key, &blob, &bloblen)) != 0) {
1404 		/* we cannot handle this key */
1405 		debug3("%s: cannot handle key", __func__);
1406 		goto out;
1407 	}
1408 	/* register callback for USERAUTH_PK_OK message */
1409 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
1410 
1411 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
1412 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
1413 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
1414 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
1415 	    (r = sshpkt_put_u8(ssh, have_sig)) != 0 ||
1416 	    (r = sshpkt_put_cstring(ssh, alg)) != 0 ||
1417 	    (r = sshpkt_put_string(ssh, blob, bloblen)) != 0 ||
1418 	    (r = sshpkt_send(ssh)) != 0)
1419 		fatal("%s: %s", __func__, ssh_err(r));
1420 	sent = 1;
1421 
1422  out:
1423 	free(alg);
1424 	free(blob);
1425 	return sent;
1426 }
1427 
1428 static struct sshkey *
1429 load_identity_file(Identity *id)
1430 {
1431 	struct sshkey *private = NULL;
1432 	char prompt[300], *passphrase, *comment;
1433 	int r, quit = 0, i;
1434 	struct stat st;
1435 
1436 	if (stat(id->filename, &st) == -1) {
1437 		(id->userprovided ? logit : debug3)("no such identity: %s: %s",
1438 		    id->filename, strerror(errno));
1439 		return NULL;
1440 	}
1441 	snprintf(prompt, sizeof prompt,
1442 	    "Enter passphrase for key '%.100s': ", id->filename);
1443 	for (i = 0; i <= options.number_of_password_prompts; i++) {
1444 		if (i == 0)
1445 			passphrase = "";
1446 		else {
1447 			passphrase = read_passphrase(prompt, 0);
1448 			if (*passphrase == '\0') {
1449 				debug2("no passphrase given, try next key");
1450 				free(passphrase);
1451 				break;
1452 			}
1453 		}
1454 		switch ((r = sshkey_load_private_type(KEY_UNSPEC, id->filename,
1455 		    passphrase, &private, &comment))) {
1456 		case 0:
1457 			break;
1458 		case SSH_ERR_KEY_WRONG_PASSPHRASE:
1459 			if (options.batch_mode) {
1460 				quit = 1;
1461 				break;
1462 			}
1463 			if (i != 0)
1464 				debug2("bad passphrase given, try again...");
1465 			break;
1466 		case SSH_ERR_SYSTEM_ERROR:
1467 			if (errno == ENOENT) {
1468 				debug2("Load key \"%s\": %s",
1469 				    id->filename, ssh_err(r));
1470 				quit = 1;
1471 				break;
1472 			}
1473 			/* FALLTHROUGH */
1474 		default:
1475 			error("Load key \"%s\": %s", id->filename, ssh_err(r));
1476 			quit = 1;
1477 			break;
1478 		}
1479 		if (private != NULL && sshkey_is_sk(private) &&
1480 		    options.sk_provider == NULL) {
1481 			debug("key \"%s\" is a security key, but no "
1482 			    "provider specified", id->filename);
1483 			sshkey_free(private);
1484 			private = NULL;
1485 			quit = 1;
1486 		}
1487 		if (!quit && private != NULL && id->agent_fd == -1 &&
1488 		    !(id->key && id->isprivate))
1489 			maybe_add_key_to_agent(id->filename, private, comment,
1490 			    passphrase);
1491 		if (i > 0)
1492 			freezero(passphrase, strlen(passphrase));
1493 		free(comment);
1494 		if (private != NULL || quit)
1495 			break;
1496 	}
1497 	return private;
1498 }
1499 
1500 static int
1501 key_type_allowed_by_config(struct sshkey *key)
1502 {
1503 	if (match_pattern_list(sshkey_ssh_name(key),
1504 	    options.pubkey_key_types, 0) == 1)
1505 		return 1;
1506 
1507 	/* RSA keys/certs might be allowed by alternate signature types */
1508 	switch (key->type) {
1509 	case KEY_RSA:
1510 		if (match_pattern_list("rsa-sha2-512",
1511 		    options.pubkey_key_types, 0) == 1)
1512 			return 1;
1513 		if (match_pattern_list("rsa-sha2-256",
1514 		    options.pubkey_key_types, 0) == 1)
1515 			return 1;
1516 		break;
1517 	case KEY_RSA_CERT:
1518 		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
1519 		    options.pubkey_key_types, 0) == 1)
1520 			return 1;
1521 		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
1522 		    options.pubkey_key_types, 0) == 1)
1523 			return 1;
1524 		break;
1525 	}
1526 	return 0;
1527 }
1528 
1529 
1530 /*
1531  * try keys in the following order:
1532  * 	1. certificates listed in the config file
1533  * 	2. other input certificates
1534  *	3. agent keys that are found in the config file
1535  *	4. other agent keys
1536  *	5. keys that are only listed in the config file
1537  */
1538 static void
1539 pubkey_prepare(Authctxt *authctxt)
1540 {
1541 	struct identity *id, *id2, *tmp;
1542 	struct idlist agent, files, *preferred;
1543 	struct sshkey *key;
1544 	int agent_fd = -1, i, r, found;
1545 	size_t j;
1546 	struct ssh_identitylist *idlist;
1547 	char *ident;
1548 
1549 	TAILQ_INIT(&agent);	/* keys from the agent */
1550 	TAILQ_INIT(&files);	/* keys from the config file */
1551 	preferred = &authctxt->keys;
1552 	TAILQ_INIT(preferred);	/* preferred order of keys */
1553 
1554 	/* list of keys stored in the filesystem and PKCS#11 */
1555 	for (i = 0; i < options.num_identity_files; i++) {
1556 		key = options.identity_keys[i];
1557 		if (key && key->cert &&
1558 		    key->cert->type != SSH2_CERT_TYPE_USER) {
1559 			debug("%s: ignoring certificate %s: not a user "
1560 			    "certificate",  __func__,
1561 			    options.identity_files[i]);
1562 			continue;
1563 		}
1564 		if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
1565 			debug("%s: ignoring security key %s as no "
1566 			    "SecurityKeyProvider has been specified",
1567 			    __func__, options.identity_files[i]);
1568 			continue;
1569 		}
1570 		options.identity_keys[i] = NULL;
1571 		id = xcalloc(1, sizeof(*id));
1572 		id->agent_fd = -1;
1573 		id->key = key;
1574 		id->filename = xstrdup(options.identity_files[i]);
1575 		id->userprovided = options.identity_file_userprovided[i];
1576 		TAILQ_INSERT_TAIL(&files, id, next);
1577 	}
1578 	/* list of certificates specified by user */
1579 	for (i = 0; i < options.num_certificate_files; i++) {
1580 		key = options.certificates[i];
1581 		if (!sshkey_is_cert(key) || key->cert == NULL ||
1582 		    key->cert->type != SSH2_CERT_TYPE_USER) {
1583 			debug("%s: ignoring certificate %s: not a user "
1584 			    "certificate",  __func__,
1585 			    options.identity_files[i]);
1586 			continue;
1587 		}
1588 		if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
1589 			debug("%s: ignoring security key certificate %s as no "
1590 			    "SecurityKeyProvider has been specified",
1591 			    __func__, options.identity_files[i]);
1592 			continue;
1593 		}
1594 		id = xcalloc(1, sizeof(*id));
1595 		id->agent_fd = -1;
1596 		id->key = key;
1597 		id->filename = xstrdup(options.certificate_files[i]);
1598 		id->userprovided = options.certificate_file_userprovided[i];
1599 		TAILQ_INSERT_TAIL(preferred, id, next);
1600 	}
1601 	/* list of keys supported by the agent */
1602 	if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
1603 		if (r != SSH_ERR_AGENT_NOT_PRESENT)
1604 			debug("%s: ssh_get_authentication_socket: %s",
1605 			    __func__, ssh_err(r));
1606 	} else if ((r = ssh_fetch_identitylist(agent_fd, &idlist)) != 0) {
1607 		if (r != SSH_ERR_AGENT_NO_IDENTITIES)
1608 			debug("%s: ssh_fetch_identitylist: %s",
1609 			    __func__, ssh_err(r));
1610 		close(agent_fd);
1611 	} else {
1612 		for (j = 0; j < idlist->nkeys; j++) {
1613 			found = 0;
1614 			TAILQ_FOREACH(id, &files, next) {
1615 				/*
1616 				 * agent keys from the config file are
1617 				 * preferred
1618 				 */
1619 				if (sshkey_equal(idlist->keys[j], id->key)) {
1620 					TAILQ_REMOVE(&files, id, next);
1621 					TAILQ_INSERT_TAIL(preferred, id, next);
1622 					id->agent_fd = agent_fd;
1623 					found = 1;
1624 					break;
1625 				}
1626 			}
1627 			if (!found && !options.identities_only) {
1628 				id = xcalloc(1, sizeof(*id));
1629 				/* XXX "steals" key/comment from idlist */
1630 				id->key = idlist->keys[j];
1631 				id->filename = idlist->comments[j];
1632 				idlist->keys[j] = NULL;
1633 				idlist->comments[j] = NULL;
1634 				id->agent_fd = agent_fd;
1635 				TAILQ_INSERT_TAIL(&agent, id, next);
1636 			}
1637 		}
1638 		ssh_free_identitylist(idlist);
1639 		/* append remaining agent keys */
1640 		for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
1641 			TAILQ_REMOVE(&agent, id, next);
1642 			TAILQ_INSERT_TAIL(preferred, id, next);
1643 		}
1644 		authctxt->agent_fd = agent_fd;
1645 	}
1646 	/* Prefer PKCS11 keys that are explicitly listed */
1647 	TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
1648 		if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0)
1649 			continue;
1650 		found = 0;
1651 		TAILQ_FOREACH(id2, &files, next) {
1652 			if (id2->key == NULL ||
1653 			    (id2->key->flags & SSHKEY_FLAG_EXT) == 0)
1654 				continue;
1655 			if (sshkey_equal(id->key, id2->key)) {
1656 				TAILQ_REMOVE(&files, id, next);
1657 				TAILQ_INSERT_TAIL(preferred, id, next);
1658 				found = 1;
1659 				break;
1660 			}
1661 		}
1662 		/* If IdentitiesOnly set and key not found then don't use it */
1663 		if (!found && options.identities_only) {
1664 			TAILQ_REMOVE(&files, id, next);
1665 			freezero(id, sizeof(*id));
1666 		}
1667 	}
1668 	/* append remaining keys from the config file */
1669 	for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
1670 		TAILQ_REMOVE(&files, id, next);
1671 		TAILQ_INSERT_TAIL(preferred, id, next);
1672 	}
1673 	/* finally, filter by PubkeyAcceptedKeyTypes */
1674 	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
1675 		if (id->key != NULL && !key_type_allowed_by_config(id->key)) {
1676 			debug("Skipping %s key %s - "
1677 			    "not in PubkeyAcceptedKeyTypes",
1678 			    sshkey_ssh_name(id->key), id->filename);
1679 			TAILQ_REMOVE(preferred, id, next);
1680 			sshkey_free(id->key);
1681 			free(id->filename);
1682 			memset(id, 0, sizeof(*id));
1683 			continue;
1684 		}
1685 	}
1686 	/* List the keys we plan on using */
1687 	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
1688 		ident = format_identity(id);
1689 		debug("Will attempt key: %s", ident);
1690 		free(ident);
1691 	}
1692 	debug2("%s: done", __func__);
1693 }
1694 
1695 static void
1696 pubkey_cleanup(struct ssh *ssh)
1697 {
1698 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1699 	Identity *id;
1700 
1701 	if (authctxt->agent_fd != -1) {
1702 		ssh_close_authentication_socket(authctxt->agent_fd);
1703 		authctxt->agent_fd = -1;
1704 	}
1705 	for (id = TAILQ_FIRST(&authctxt->keys); id;
1706 	    id = TAILQ_FIRST(&authctxt->keys)) {
1707 		TAILQ_REMOVE(&authctxt->keys, id, next);
1708 		sshkey_free(id->key);
1709 		free(id->filename);
1710 		free(id);
1711 	}
1712 }
1713 
1714 static void
1715 pubkey_reset(Authctxt *authctxt)
1716 {
1717 	Identity *id;
1718 
1719 	TAILQ_FOREACH(id, &authctxt->keys, next)
1720 		id->tried = 0;
1721 }
1722 
1723 static int
1724 try_identity(Identity *id)
1725 {
1726 	if (!id->key)
1727 		return (0);
1728 	if (sshkey_type_plain(id->key->type) == KEY_RSA &&
1729 	    (datafellows & SSH_BUG_RSASIGMD5) != 0) {
1730 		debug("Skipped %s key %s for RSA/MD5 server",
1731 		    sshkey_type(id->key), id->filename);
1732 		return (0);
1733 	}
1734 	return 1;
1735 }
1736 
1737 static int
1738 userauth_pubkey(struct ssh *ssh)
1739 {
1740 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1741 	Identity *id;
1742 	int sent = 0;
1743 	char *ident;
1744 
1745 	while ((id = TAILQ_FIRST(&authctxt->keys))) {
1746 		if (id->tried++)
1747 			return (0);
1748 		/* move key to the end of the queue */
1749 		TAILQ_REMOVE(&authctxt->keys, id, next);
1750 		TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
1751 		/*
1752 		 * send a test message if we have the public key. for
1753 		 * encrypted keys we cannot do this and have to load the
1754 		 * private key instead
1755 		 */
1756 		if (id->key != NULL) {
1757 			if (try_identity(id)) {
1758 				ident = format_identity(id);
1759 				debug("Offering public key: %s", ident);
1760 				free(ident);
1761 				sent = send_pubkey_test(ssh, id);
1762 			}
1763 		} else {
1764 			debug("Trying private key: %s", id->filename);
1765 			id->key = load_identity_file(id);
1766 			if (id->key != NULL) {
1767 				if (try_identity(id)) {
1768 					id->isprivate = 1;
1769 					sent = sign_and_send_pubkey(ssh, id);
1770 				}
1771 				sshkey_free(id->key);
1772 				id->key = NULL;
1773 				id->isprivate = 0;
1774 			}
1775 		}
1776 		if (sent)
1777 			return (sent);
1778 	}
1779 	return (0);
1780 }
1781 
1782 /*
1783  * Send userauth request message specifying keyboard-interactive method.
1784  */
1785 static int
1786 userauth_kbdint(struct ssh *ssh)
1787 {
1788 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1789 	int r;
1790 
1791 	if (authctxt->attempt_kbdint++ >= options.number_of_password_prompts)
1792 		return 0;
1793 	/* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1794 	if (authctxt->attempt_kbdint > 1 && !authctxt->info_req_seen) {
1795 		debug3("userauth_kbdint: disable: no info_req_seen");
1796 		ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
1797 		return 0;
1798 	}
1799 
1800 	debug2("userauth_kbdint");
1801 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
1802 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
1803 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
1804 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
1805 	    (r = sshpkt_put_cstring(ssh, "")) != 0 ||		/* lang */
1806 	    (r = sshpkt_put_cstring(ssh, options.kbd_interactive_devices ?
1807 	    options.kbd_interactive_devices : "")) != 0 ||
1808 	    (r = sshpkt_send(ssh)) != 0)
1809 		fatal("%s: %s", __func__, ssh_err(r));
1810 
1811 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
1812 	return 1;
1813 }
1814 
1815 /*
1816  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1817  */
1818 static int
1819 input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
1820 {
1821 	Authctxt *authctxt = ssh->authctxt;
1822 	char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
1823 	char *response = NULL;
1824 	u_char echo = 0;
1825 	u_int num_prompts, i;
1826 	int r;
1827 
1828 	debug2("input_userauth_info_req");
1829 
1830 	if (authctxt == NULL)
1831 		fatal("input_userauth_info_req: no authentication context");
1832 
1833 	authctxt->info_req_seen = 1;
1834 
1835 	if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
1836 	    (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
1837 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
1838 		goto out;
1839 	if (strlen(name) > 0)
1840 		logit("%s", name);
1841 	if (strlen(inst) > 0)
1842 		logit("%s", inst);
1843 
1844 	if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
1845 		goto out;
1846 	/*
1847 	 * Begin to build info response packet based on prompts requested.
1848 	 * We commit to providing the correct number of responses, so if
1849 	 * further on we run into a problem that prevents this, we have to
1850 	 * be sure and clean this up and send a correct error response.
1851 	 */
1852 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE)) != 0 ||
1853 	    (r = sshpkt_put_u32(ssh, num_prompts)) != 0)
1854 		goto out;
1855 
1856 	debug2("input_userauth_info_req: num_prompts %d", num_prompts);
1857 	for (i = 0; i < num_prompts; i++) {
1858 		if ((r = sshpkt_get_cstring(ssh, &prompt, NULL)) != 0 ||
1859 		    (r = sshpkt_get_u8(ssh, &echo)) != 0)
1860 			goto out;
1861 		response = read_passphrase(prompt, echo ? RP_ECHO : 0);
1862 		if ((r = sshpkt_put_cstring(ssh, response)) != 0)
1863 			goto out;
1864 		freezero(response, strlen(response));
1865 		free(prompt);
1866 		response = prompt = NULL;
1867 	}
1868 	/* done with parsing incoming message. */
1869 	if ((r = sshpkt_get_end(ssh)) != 0 ||
1870 	    (r = sshpkt_add_padding(ssh, 64)) != 0)
1871 		goto out;
1872 	r = sshpkt_send(ssh);
1873  out:
1874 	if (response)
1875 		freezero(response, strlen(response));
1876 	free(prompt);
1877 	free(name);
1878 	free(inst);
1879 	free(lang);
1880 	return r;
1881 }
1882 
1883 static int
1884 ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
1885     const u_char *data, size_t datalen)
1886 {
1887 	struct sshbuf *b;
1888 	struct stat st;
1889 	pid_t pid;
1890 	int r, to[2], from[2], status;
1891 	int sock = ssh_packet_get_connection_in(ssh);
1892 	u_char rversion = 0, version = 2;
1893 	void (*osigchld)(int);
1894 
1895 	*sigp = NULL;
1896 	*lenp = 0;
1897 
1898 	if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
1899 		error("%s: not installed: %s", __func__, strerror(errno));
1900 		return -1;
1901 	}
1902 	if (fflush(stdout) != 0) {
1903 		error("%s: fflush: %s", __func__, strerror(errno));
1904 		return -1;
1905 	}
1906 	if (pipe(to) == -1) {
1907 		error("%s: pipe: %s", __func__, strerror(errno));
1908 		return -1;
1909 	}
1910 	if (pipe(from) == -1) {
1911 		error("%s: pipe: %s", __func__, strerror(errno));
1912 		return -1;
1913 	}
1914 	if ((pid = fork()) == -1) {
1915 		error("%s: fork: %s", __func__, strerror(errno));
1916 		return -1;
1917 	}
1918 	osigchld = signal(SIGCHLD, SIG_DFL);
1919 	if (pid == 0) {
1920 		close(from[0]);
1921 		if (dup2(from[1], STDOUT_FILENO) == -1)
1922 			fatal("%s: dup2: %s", __func__, strerror(errno));
1923 		close(to[1]);
1924 		if (dup2(to[0], STDIN_FILENO) == -1)
1925 			fatal("%s: dup2: %s", __func__, strerror(errno));
1926 		close(from[1]);
1927 		close(to[0]);
1928 
1929 		if (dup2(sock, STDERR_FILENO + 1) == -1)
1930 			fatal("%s: dup2: %s", __func__, strerror(errno));
1931 		sock = STDERR_FILENO + 1;
1932 		fcntl(sock, F_SETFD, 0);	/* keep the socket on exec */
1933 		closefrom(sock + 1);
1934 
1935 		debug3("%s: [child] pid=%ld, exec %s",
1936 		    __func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
1937 		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
1938 		fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
1939 		    strerror(errno));
1940 	}
1941 	close(from[1]);
1942 	close(to[0]);
1943 	sock = STDERR_FILENO + 1;
1944 
1945 	if ((b = sshbuf_new()) == NULL)
1946 		fatal("%s: sshbuf_new failed", __func__);
1947 	/* send # of sock, data to be signed */
1948 	if ((r = sshbuf_put_u32(b, sock)) != 0 ||
1949 	    (r = sshbuf_put_string(b, data, datalen)) != 0)
1950 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
1951 	if (ssh_msg_send(to[1], version, b) == -1)
1952 		fatal("%s: couldn't send request", __func__);
1953 	sshbuf_reset(b);
1954 	r = ssh_msg_recv(from[0], b);
1955 	close(from[0]);
1956 	close(to[1]);
1957 	if (r < 0) {
1958 		error("%s: no reply", __func__);
1959 		goto fail;
1960 	}
1961 
1962 	errno = 0;
1963 	while (waitpid(pid, &status, 0) == -1) {
1964 		if (errno != EINTR) {
1965 			error("%s: waitpid %ld: %s",
1966 			    __func__, (long)pid, strerror(errno));
1967 			goto fail;
1968 		}
1969 	}
1970 	if (!WIFEXITED(status)) {
1971 		error("%s: exited abnormally", __func__);
1972 		goto fail;
1973 	}
1974 	if (WEXITSTATUS(status) != 0) {
1975 		error("%s: exited with status %d",
1976 		    __func__, WEXITSTATUS(status));
1977 		goto fail;
1978 	}
1979 	if ((r = sshbuf_get_u8(b, &rversion)) != 0) {
1980 		error("%s: buffer error: %s", __func__, ssh_err(r));
1981 		goto fail;
1982 	}
1983 	if (rversion != version) {
1984 		error("%s: bad version", __func__);
1985 		goto fail;
1986 	}
1987 	if ((r = sshbuf_get_string(b, sigp, lenp)) != 0) {
1988 		error("%s: buffer error: %s", __func__, ssh_err(r));
1989  fail:
1990 		signal(SIGCHLD, osigchld);
1991 		sshbuf_free(b);
1992 		return -1;
1993 	}
1994 	signal(SIGCHLD, osigchld);
1995 	sshbuf_free(b);
1996 
1997 	return 0;
1998 }
1999 
2000 static int
2001 userauth_hostbased(struct ssh *ssh)
2002 {
2003 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
2004 	struct sshkey *private = NULL;
2005 	struct sshbuf *b = NULL;
2006 	u_char *sig = NULL, *keyblob = NULL;
2007 	char *fp = NULL, *chost = NULL, *lname = NULL;
2008 	size_t siglen = 0, keylen = 0;
2009 	int i, r, success = 0;
2010 
2011 	if (authctxt->ktypes == NULL) {
2012 		authctxt->oktypes = xstrdup(options.hostbased_key_types);
2013 		authctxt->ktypes = authctxt->oktypes;
2014 	}
2015 
2016 	/*
2017 	 * Work through each listed type pattern in HostbasedKeyTypes,
2018 	 * trying each hostkey that matches the type in turn.
2019 	 */
2020 	for (;;) {
2021 		if (authctxt->active_ktype == NULL)
2022 			authctxt->active_ktype = strsep(&authctxt->ktypes, ",");
2023 		if (authctxt->active_ktype == NULL ||
2024 		    *authctxt->active_ktype == '\0')
2025 			break;
2026 		debug3("%s: trying key type %s", __func__,
2027 		    authctxt->active_ktype);
2028 
2029 		/* check for a useful key */
2030 		private = NULL;
2031 		for (i = 0; i < authctxt->sensitive->nkeys; i++) {
2032 			if (authctxt->sensitive->keys[i] == NULL ||
2033 			    authctxt->sensitive->keys[i]->type == KEY_UNSPEC)
2034 				continue;
2035 			if (match_pattern_list(
2036 			    sshkey_ssh_name(authctxt->sensitive->keys[i]),
2037 			    authctxt->active_ktype, 0) != 1)
2038 				continue;
2039 			/* we take and free the key */
2040 			private = authctxt->sensitive->keys[i];
2041 			authctxt->sensitive->keys[i] = NULL;
2042 			break;
2043 		}
2044 		/* Found one */
2045 		if (private != NULL)
2046 			break;
2047 		/* No more keys of this type; advance */
2048 		authctxt->active_ktype = NULL;
2049 	}
2050 	if (private == NULL) {
2051 		free(authctxt->oktypes);
2052 		authctxt->oktypes = authctxt->ktypes = NULL;
2053 		authctxt->active_ktype = NULL;
2054 		debug("No more client hostkeys for hostbased authentication.");
2055 		goto out;
2056 	}
2057 
2058 	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
2059 	    SSH_FP_DEFAULT)) == NULL) {
2060 		error("%s: sshkey_fingerprint failed", __func__);
2061 		goto out;
2062 	}
2063 	debug("%s: trying hostkey %s %s",
2064 	    __func__, sshkey_ssh_name(private), fp);
2065 
2066 	/* figure out a name for the client host */
2067 	lname = get_local_name(ssh_packet_get_connection_in(ssh));
2068 	if (lname == NULL) {
2069 		error("%s: cannot get local ipaddr/name", __func__);
2070 		goto out;
2071 	}
2072 
2073 	/* XXX sshbuf_put_stringf? */
2074 	xasprintf(&chost, "%s.", lname);
2075 	debug2("%s: chost %s", __func__, chost);
2076 
2077 	/* construct data */
2078 	if ((b = sshbuf_new()) == NULL) {
2079 		error("%s: sshbuf_new failed", __func__);
2080 		goto out;
2081 	}
2082 	if ((r = sshkey_to_blob(private, &keyblob, &keylen)) != 0) {
2083 		error("%s: sshkey_to_blob: %s", __func__, ssh_err(r));
2084 		goto out;
2085 	}
2086 	if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
2087 	    (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
2088 	    (r = sshbuf_put_cstring(b, authctxt->server_user)) != 0 ||
2089 	    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
2090 	    (r = sshbuf_put_cstring(b, authctxt->method->name)) != 0 ||
2091 	    (r = sshbuf_put_cstring(b, sshkey_ssh_name(private))) != 0 ||
2092 	    (r = sshbuf_put_string(b, keyblob, keylen)) != 0 ||
2093 	    (r = sshbuf_put_cstring(b, chost)) != 0 ||
2094 	    (r = sshbuf_put_cstring(b, authctxt->local_user)) != 0) {
2095 		error("%s: buffer error: %s", __func__, ssh_err(r));
2096 		goto out;
2097 	}
2098 
2099 #ifdef DEBUG_PK
2100 	sshbuf_dump(b, stderr);
2101 #endif
2102 	if ((r = ssh_keysign(ssh, private, &sig, &siglen,
2103 	    sshbuf_ptr(b), sshbuf_len(b))) != 0) {
2104 		error("sign using hostkey %s %s failed",
2105 		    sshkey_ssh_name(private), fp);
2106 		goto out;
2107 	}
2108 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
2109 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
2110 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
2111 	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
2112 	    (r = sshpkt_put_cstring(ssh, sshkey_ssh_name(private))) != 0 ||
2113 	    (r = sshpkt_put_string(ssh, keyblob, keylen)) != 0 ||
2114 	    (r = sshpkt_put_cstring(ssh, chost)) != 0 ||
2115 	    (r = sshpkt_put_cstring(ssh, authctxt->local_user)) != 0 ||
2116 	    (r = sshpkt_put_string(ssh, sig, siglen)) != 0 ||
2117 	    (r = sshpkt_send(ssh)) != 0) {
2118 		error("%s: packet error: %s", __func__, ssh_err(r));
2119 		goto out;
2120 	}
2121 	success = 1;
2122 
2123  out:
2124 	if (sig != NULL)
2125 		freezero(sig, siglen);
2126 	free(keyblob);
2127 	free(lname);
2128 	free(fp);
2129 	free(chost);
2130 	sshkey_free(private);
2131 	sshbuf_free(b);
2132 
2133 	return success;
2134 }
2135 
2136 /* find auth method */
2137 
2138 /*
2139  * given auth method name, if configurable options permit this method fill
2140  * in auth_ident field and return true, otherwise return false.
2141  */
2142 static int
2143 authmethod_is_enabled(Authmethod *method)
2144 {
2145 	if (method == NULL)
2146 		return 0;
2147 	/* return false if options indicate this method is disabled */
2148 	if  (method->enabled == NULL || *method->enabled == 0)
2149 		return 0;
2150 	/* return false if batch mode is enabled but method needs interactive mode */
2151 	if  (method->batch_flag != NULL && *method->batch_flag != 0)
2152 		return 0;
2153 	return 1;
2154 }
2155 
2156 static Authmethod *
2157 authmethod_lookup(const char *name)
2158 {
2159 	Authmethod *method = NULL;
2160 	if (name != NULL)
2161 		for (method = authmethods; method->name != NULL; method++)
2162 			if (strcmp(name, method->name) == 0)
2163 				return method;
2164 	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
2165 	return NULL;
2166 }
2167 
2168 /* XXX internal state */
2169 static Authmethod *current = NULL;
2170 static char *supported = NULL;
2171 static char *preferred = NULL;
2172 
2173 /*
2174  * Given the authentication method list sent by the server, return the
2175  * next method we should try.  If the server initially sends a nil list,
2176  * use a built-in default list.
2177  */
2178 static Authmethod *
2179 authmethod_get(char *authlist)
2180 {
2181 	char *name = NULL;
2182 	u_int next;
2183 
2184 	/* Use a suitable default if we're passed a nil list.  */
2185 	if (authlist == NULL || strlen(authlist) == 0)
2186 		authlist = options.preferred_authentications;
2187 
2188 	if (supported == NULL || strcmp(authlist, supported) != 0) {
2189 		debug3("start over, passed a different list %s", authlist);
2190 		free(supported);
2191 		supported = xstrdup(authlist);
2192 		preferred = options.preferred_authentications;
2193 		debug3("preferred %s", preferred);
2194 		current = NULL;
2195 	} else if (current != NULL && authmethod_is_enabled(current))
2196 		return current;
2197 
2198 	for (;;) {
2199 		if ((name = match_list(preferred, supported, &next)) == NULL) {
2200 			debug("No more authentication methods to try.");
2201 			current = NULL;
2202 			return NULL;
2203 		}
2204 		preferred += next;
2205 		debug3("authmethod_lookup %s", name);
2206 		debug3("remaining preferred: %s", preferred);
2207 		if ((current = authmethod_lookup(name)) != NULL &&
2208 		    authmethod_is_enabled(current)) {
2209 			debug3("authmethod_is_enabled %s", name);
2210 			debug("Next authentication method: %s", name);
2211 			free(name);
2212 			return current;
2213 		}
2214 		free(name);
2215 	}
2216 }
2217 
2218 static char *
2219 authmethods_get(void)
2220 {
2221 	Authmethod *method = NULL;
2222 	struct sshbuf *b;
2223 	char *list;
2224 	int r;
2225 
2226 	if ((b = sshbuf_new()) == NULL)
2227 		fatal("%s: sshbuf_new failed", __func__);
2228 	for (method = authmethods; method->name != NULL; method++) {
2229 		if (authmethod_is_enabled(method)) {
2230 			if ((r = sshbuf_putf(b, "%s%s",
2231 			    sshbuf_len(b) ? "," : "", method->name)) != 0)
2232 				fatal("%s: buffer error: %s",
2233 				    __func__, ssh_err(r));
2234 		}
2235 	}
2236 	if ((list = sshbuf_dup_string(b)) == NULL)
2237 		fatal("%s: sshbuf_dup_string failed", __func__);
2238 	sshbuf_free(b);
2239 	return list;
2240 }
2241