+ gotit = FALSE;
+
+ /*
+ * OK, we're now sitting on a USERAUTH_FAILURE message, so
+ * we can look at the string in it and know what we can
+ * helpfully try next.
+ */
+ {
+ char *methods;
+ int methlen;
+ ssh2_pkt_getstring(&methods, &methlen);
+ if (!ssh2_pkt_getbool()) {
+ /*
+ * We have received an unequivocal Access
+ * Denied. This can translate to a variety of
+ * messages:
+ *
+ * - if we'd just tried "none" authentication,
+ * it's not worth printing anything at all
+ *
+ * - if we'd just tried a public key _offer_,
+ * the message should be "Server refused our
+ * key" (or no message at all if the key
+ * came from Pageant)
+ *
+ * - if we'd just tried anything else, the
+ * message really should be "Access denied".
+ *
+ * Additionally, if we'd just tried password
+ * authentication, we should break out of this
+ * whole loop so as to go back to the username
+ * prompt.
+ */
+ if (type == AUTH_TYPE_NONE) {
+ /* do nothing */
+ } else if (type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
+ type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
+ if (type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
+ c_write_str("Server refused our key\r\n");
+ logevent("Server refused public key");
+ } else {
+ c_write_str("Access denied\r\n");
+ logevent("Access denied");
+ if (type == AUTH_TYPE_PASSWORD) {
+ we_are_in = FALSE;
+ break;
+ }
+ }
+ } else {
+ c_write_str("Further authentication required\r\n");
+ logevent("Further authentication required");
+ }
+
+ can_pubkey = in_commasep_string("publickey", methods, methlen);
+ can_passwd = in_commasep_string("password", methods, methlen);
+ }
+
+ method = 0;
+
+ if (!method && can_pubkey && agent_exists && !tried_agent) {
+ /*
+ * Attempt public-key authentication using Pageant.
+ */
+ static unsigned char request[5], *response, *p;
+ static int responselen;
+ static int i, nkeys;
+ static int authed = FALSE;
+ void *r;
+
+ tried_agent = TRUE;
+
+ logevent("Pageant is running. Requesting keys.");
+
+ /* Request the keys held by the agent. */
+ PUT_32BIT(request, 1);
+ request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
+ agent_query(request, 5, &r, &responselen);
+ response = (unsigned char *)r;
+ if (response && responselen >= 5 &&
+ response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
+ p = response + 5;
+ nkeys = GET_32BIT(p); p += 4;
+ { char buf[64]; sprintf(buf, "Pageant has %d SSH2 keys", nkeys);
+ logevent(buf); }
+ for (i = 0; i < nkeys; i++) {
+ static char *pkblob, *alg, *commentp;
+ static int pklen, alglen, commentlen;
+ static int siglen, retlen, len;
+ static char *q, *agentreq, *ret;
+
+ { char buf[64]; sprintf(buf, "Trying Pageant key #%d", i);
+ logevent(buf); }
+ pklen = GET_32BIT(p); p += 4;
+ pkblob = p; p += pklen;
+ alglen = GET_32BIT(pkblob);
+ alg = pkblob + 4;
+ commentlen = GET_32BIT(p); p += 4;
+ commentp = p; p += commentlen;
+ ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
+ ssh2_pkt_addstring(username);
+ ssh2_pkt_addstring("ssh-connection");/* service requested */
+ ssh2_pkt_addstring("publickey");/* method */
+ ssh2_pkt_addbool(FALSE); /* no signature included */
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(alg, alglen);
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(pkblob, pklen);
+ ssh2_pkt_send();
+
+ crWaitUntilV(ispkt);
+ if (pktin.type != SSH2_MSG_USERAUTH_PK_OK) {
+ logevent("Key refused");
+ continue;
+ }
+
+ if (flags & FLAG_VERBOSE) {
+ c_write_str("Authenticating with public key \"");
+ c_write(commentp, commentlen);
+ c_write_str("\" from agent\r\n");
+ }
+
+ /*
+ * Server is willing to accept the key.
+ * Construct a SIGN_REQUEST.
+ */
+ ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
+ ssh2_pkt_addstring(username);
+ ssh2_pkt_addstring("ssh-connection"); /* service requested */
+ ssh2_pkt_addstring("publickey"); /* method */
+ ssh2_pkt_addbool(TRUE);
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(alg, alglen);
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(pkblob, pklen);
+
+ siglen = pktout.length - 5 + 4 + 20;
+ len = 1; /* message type */
+ len += 4 + pklen; /* key blob */
+ len += 4 + siglen; /* data to sign */
+ len += 4; /* flags */
+ agentreq = smalloc(4 + len);
+ PUT_32BIT(agentreq, len);
+ q = agentreq + 4;
+ *q++ = SSH2_AGENTC_SIGN_REQUEST;
+ PUT_32BIT(q, pklen); q += 4;
+ memcpy(q, pkblob, pklen); q += pklen;
+ PUT_32BIT(q, siglen); q += 4;
+ /* Now the data to be signed... */
+ PUT_32BIT(q, 20); q += 4;
+ memcpy(q, ssh2_session_id, 20); q += 20;
+ memcpy(q, pktout.data+5, pktout.length-5);
+ q += pktout.length-5;
+ /* And finally the (zero) flags word. */
+ PUT_32BIT(q, 0);
+ agent_query(agentreq, len+4, &ret, &retlen);
+ sfree(agentreq);
+ if (ret) {
+ if (ret[4] == SSH2_AGENT_SIGN_RESPONSE) {
+ logevent("Sending Pageant's response");
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(ret+9, GET_32BIT(ret+5));
+ ssh2_pkt_send();
+ authed = TRUE;
+ break;
+ } else {
+ logevent("Pageant failed to answer challenge");
+ sfree(ret);
+ }
+ }
+ }
+ if (authed)
+ continue;
+ }
+ }
+
+ if (!method && can_pubkey && *cfg.keyfile && !tried_pubkey_config) {
+ unsigned char *pub_blob;
+ char *algorithm, *comment;
+ int pub_blob_len;
+
+ tried_pubkey_config = TRUE;
+
+ /*
+ * Try the public key supplied in the configuration.
+ *
+ * First, offer the public blob to see if the server is
+ * willing to accept it.
+ */
+ pub_blob = ssh2_userkey_loadpub(cfg.keyfile, &algorithm,
+ &pub_blob_len);
+ if (pub_blob) {
+ ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
+ ssh2_pkt_addstring(username);
+ ssh2_pkt_addstring("ssh-connection"); /* service requested */
+ ssh2_pkt_addstring("publickey");/* method */
+ ssh2_pkt_addbool(FALSE); /* no signature included */
+ ssh2_pkt_addstring(algorithm);
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(pub_blob, pub_blob_len);
+ ssh2_pkt_send();
+ logevent("Offered public key"); /* FIXME */
+
+ crWaitUntilV(ispkt);
+ if (pktin.type != SSH2_MSG_USERAUTH_PK_OK) {
+ gotit = TRUE;
+ type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
+ continue; /* key refused; give up on it */
+ }
+
+ logevent("Offer of public key accepted");
+ /*
+ * Actually attempt a serious authentication using
+ * the key.
+ */
+ if (ssh2_userkey_encrypted(cfg.keyfile, &comment)) {
+ sprintf(pwprompt, "Passphrase for key \"%.100s\": ", comment);
+ need_pw = TRUE;
+ } else {
+ need_pw = FALSE;
+ }
+ c_write_str("Authenticating with public key \"");
+ c_write_str(comment);
+ c_write_str("\"\r\n");
+ method = AUTH_PUBLICKEY_FILE;
+ }
+ }
+
+ if (!method && can_passwd) {
+ method = AUTH_PASSWORD;
+ sprintf(pwprompt, "%.90s@%.90s's password: ", username, savedhost);
+ need_pw = TRUE;
+ }
+
+ if (need_pw) {
+ if (ssh_get_line) {
+ if (!ssh_get_line(pwprompt, password,
+ sizeof(password), TRUE)) {
+ /*
+ * get_line failed to get a password (for
+ * example because one was supplied on the
+ * command line which has already failed to
+ * work). Terminate.
+ */
+ logevent("No more passwords to try");
+ ssh_state = SSH_STATE_CLOSED;
+ crReturnV;
+ }
+ } else {
+ static int pos = 0;
+ static char c;
+
+ c_write_str(pwprompt);
+ ssh_send_ok = 1;
+
+ pos = 0;
+ while (pos >= 0) {
+ crWaitUntilV(!ispkt);
+ while (inlen--) switch (c = *in++) {
+ case 10: case 13:
+ password[pos] = 0;
+ pos = -1;
+ break;
+ case 8: case 127:
+ if (pos > 0)
+ pos--;
+ break;
+ case 21: case 27:
+ pos = 0;
+ break;
+ case 3: case 4:
+ random_save_seed();
+ exit(0);
+ break;
+ default:
+ if (((c >= ' ' && c <= '~') ||
+ ((unsigned char)c >= 160)) && pos < 40)
+ password[pos++] = c;
+ break;
+ }
+ }
+ c_write_str("\r\n");
+ }
+ }
+
+ if (method == AUTH_PUBLICKEY_FILE) {
+ /*
+ * We have our passphrase. Now try the actual authentication.
+ */
+ struct ssh2_userkey *key;
+
+ key = ssh2_load_userkey(cfg.keyfile, password);
+ if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
+ if (key == SSH2_WRONG_PASSPHRASE) {
+ c_write_str("Wrong passphrase\r\n");
+ tried_pubkey_config = FALSE;
+ } else {
+ c_write_str("Unable to load private key\r\n");
+ tried_pubkey_config = TRUE;
+ }
+ /* Send a spurious AUTH_NONE to return to the top. */
+ ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
+ ssh2_pkt_addstring(username);
+ ssh2_pkt_addstring("ssh-connection"); /* service requested */
+ ssh2_pkt_addstring("none"); /* method */
+ ssh2_pkt_send();
+ type = AUTH_TYPE_NONE;
+ } else {
+ unsigned char *blob, *sigdata;
+ int blob_len, sigdata_len;
+
+ /*
+ * We have loaded the private key and the server
+ * has announced that it's willing to accept it.
+ * Hallelujah. Generate a signature and send it.
+ */
+ ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
+ ssh2_pkt_addstring(username);
+ ssh2_pkt_addstring("ssh-connection"); /* service requested */
+ ssh2_pkt_addstring("publickey"); /* method */
+ ssh2_pkt_addbool(TRUE);
+ ssh2_pkt_addstring(key->alg->name);
+ blob = key->alg->public_blob(key->data, &blob_len);
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(blob, blob_len);
+ sfree(blob);
+
+ /*
+ * The data to be signed is:
+ *
+ * string session-id
+ *
+ * followed by everything so far placed in the
+ * outgoing packet.
+ */
+ sigdata_len = pktout.length - 5 + 4 + 20;
+ sigdata = smalloc(sigdata_len);
+ PUT_32BIT(sigdata, 20);
+ memcpy(sigdata+4, ssh2_session_id, 20);
+ memcpy(sigdata+24, pktout.data+5, pktout.length-5);
+ blob = key->alg->sign(key->data, sigdata, sigdata_len, &blob_len);
+ ssh2_pkt_addstring_start();
+ ssh2_pkt_addstring_data(blob, blob_len);
+ sfree(blob);
+ sfree(sigdata);
+
+ ssh2_pkt_send();
+ type = AUTH_TYPE_PUBLICKEY;
+ }
+ } else if (method == AUTH_PASSWORD) {
+ /*
+ * We send the password packet lumped tightly together with
+ * an SSH_MSG_IGNORE packet. The IGNORE packet contains a
+ * string long enough to make the total length of the two
+ * packets constant. This should ensure that a passive
+ * listener doing traffic analyis can't work out the length
+ * of the password.
+ *
+ * For this to work, we need an assumption about the
+ * maximum length of the password packet. I think 256 is
+ * pretty conservative. Anyone using a password longer than
+ * that probably doesn't have much to worry about from
+ * people who find out how long their password is!
+ */
+ ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
+ ssh2_pkt_addstring(username);
+ ssh2_pkt_addstring("ssh-connection"); /* service requested */
+ ssh2_pkt_addstring("password");
+ ssh2_pkt_addbool(FALSE);
+ ssh2_pkt_addstring(password);
+ ssh2_pkt_defer();
+ /*
+ * We'll include a string that's an exact multiple of the
+ * cipher block size. If the cipher is NULL for some
+ * reason, we don't do this trick at all because we gain
+ * nothing by it.
+ */
+ if (cscipher) {
+ int stringlen, i;
+
+ stringlen = (256 - deferred_len);
+ stringlen += cscipher->blksize - 1;
+ stringlen -= (stringlen % cscipher->blksize);
+ if (cscomp) {
+ /*
+ * Temporarily disable actual compression,
+ * so we can guarantee to get this string
+ * exactly the length we want it. The
+ * compression-disabling routine should
+ * return an integer indicating how many
+ * bytes we should adjust our string length
+ * by.
+ */
+ stringlen -= cscomp->disable_compression();
+ }
+ ssh2_pkt_init(SSH2_MSG_IGNORE);
+ ssh2_pkt_addstring_start();
+ for (i = 0; i < stringlen; i++) {
+ char c = (char)random_byte();
+ ssh2_pkt_addstring_data(&c, 1);
+ }
+ ssh2_pkt_defer();
+ }
+ ssh_pkt_defersend();
+ logevent("Sent password");
+ type = AUTH_TYPE_PASSWORD;
+ } else {
+ c_write_str("No supported authentication methods left to try!\r\n");
+ logevent("No supported authentications offered. Disconnecting");
+ ssh2_pkt_init(SSH2_MSG_DISCONNECT);
+ ssh2_pkt_adduint32(SSH2_DISCONNECT_BY_APPLICATION);
+ ssh2_pkt_addstring("No supported authentication methods available");
+ ssh2_pkt_addstring("en"); /* language tag */
+ ssh2_pkt_send();
+ ssh_state = SSH_STATE_CLOSED;
+ crReturnV;
+ }
+ }
+ } while (!we_are_in);