mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Implement `bypass-ssh2-userauth', since from correspondence it sounds like

there are servers which could in principle operate in this mode, although I
don't know if any do in practice. (Hence, I haven't been able to test it.)

[originally from svn r5748]
[this svn revision also touched putty-wishlist]
Jacob Nevins 2005-05-05 22:37:54 +00:00
parent df913d0036
commit b099456c87
6 changed files with 57 additions and 15 deletions


@ -1817,6 +1817,12 @@ void setup_config_box(struct controlbox *b, int midsession,
ctrl_settitle(b, "Connection/SSH/Auth", ctrl_settitle(b, "Connection/SSH/Auth",
"Options controlling SSH authentication"); "Options controlling SSH authentication");
s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL);
ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
HELPCTX(ssh_auth_bypass),
dlg_stdcheckbox_handler,
I(offsetof(Config,ssh_no_userauth)));
s = ctrl_getset(b, "Connection/SSH/Auth", "methods", s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
"Authentication methods"); "Authentication methods");
ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm', ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm',


@ -2278,6 +2278,22 @@ protection than SSH-2 without rekeys.
The Auth panel allows you to configure \i{authentication} options for The Auth panel allows you to configure \i{authentication} options for
SSH sessions. SSH sessions.
\S{config-ssh-noauth} \q{Bypass authentication entirely}
\cfg{winhelp-topic}{ssh.auth.bypass}
In SSH-2, it is possible to establish a connection without using SSH's
mechanisms to identify or authenticate oneself to the server. Some
servers may prefer to handle authentication in the data channel, for
instance, or may simply require no authentication whatsoever.
By default, PuTTY assumes the server requires authentication (most
do), and thus must provide a username. If you find you are getting
unwanted username prompts, you could try checking this option.
This option only affects SSH-2 connections. SSH-1 connections always
require an authentication step.
\S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or
\i{CryptoCard authentication}} \i{CryptoCard authentication}}


@ -432,6 +432,7 @@ struct config_tag {
Filename keyfile; Filename keyfile;
int sshprot; /* use v1 or v2 when both available */ int sshprot; /* use v1 or v2 when both available */
int ssh2_des_cbc; /* "des-cbc" unrecommended SSH-2 cipher */ int ssh2_des_cbc; /* "des-cbc" unrecommended SSH-2 cipher */
int ssh_no_userauth; /* bypass "ssh-userauth" (SSH-2 only) */
int try_tis_auth; int try_tis_auth;
int try_ki_auth; int try_ki_auth;
int ssh_subsys; /* run a subsystem rather than a command */ int ssh_subsys; /* run a subsystem rather than a command */


@ -300,6 +300,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg)
wprefs(sesskey, "KEX", kexnames, KEX_MAX, cfg->ssh_kexlist); wprefs(sesskey, "KEX", kexnames, KEX_MAX, cfg->ssh_kexlist);
write_setting_i(sesskey, "RekeyTime", cfg->ssh_rekey_time); write_setting_i(sesskey, "RekeyTime", cfg->ssh_rekey_time);
write_setting_s(sesskey, "RekeyBytes", cfg->ssh_rekey_data); write_setting_s(sesskey, "RekeyBytes", cfg->ssh_rekey_data);
write_setting_i(sesskey, "SshNoAuth", cfg->ssh_no_userauth);
write_setting_i(sesskey, "AuthTIS", cfg->try_tis_auth); write_setting_i(sesskey, "AuthTIS", cfg->try_tis_auth);
write_setting_i(sesskey, "AuthKI", cfg->try_ki_auth); write_setting_i(sesskey, "AuthKI", cfg->try_ki_auth);
write_setting_i(sesskey, "SshNoShell", cfg->ssh_no_shell); write_setting_i(sesskey, "SshNoShell", cfg->ssh_no_shell);
@ -572,6 +573,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg)
sizeof(cfg->ssh_rekey_data)); sizeof(cfg->ssh_rekey_data));
gppi(sesskey, "SshProt", 2, &cfg->sshprot); gppi(sesskey, "SshProt", 2, &cfg->sshprot);
gppi(sesskey, "SSH2DES", 0, &cfg->ssh2_des_cbc); gppi(sesskey, "SSH2DES", 0, &cfg->ssh2_des_cbc);
gppi(sesskey, "SshNoAuth", 0, &cfg->ssh_no_userauth);
gppi(sesskey, "AuthTIS", 0, &cfg->try_tis_auth); gppi(sesskey, "AuthTIS", 0, &cfg->try_tis_auth);
gppi(sesskey, "AuthKI", 1, &cfg->try_ki_auth); gppi(sesskey, "AuthKI", 1, &cfg->try_ki_auth);
gppi(sesskey, "SshNoShell", 0, &cfg->ssh_no_shell); gppi(sesskey, "SshNoShell", 0, &cfg->ssh_no_shell);

46
ssh.c

@ -6428,6 +6428,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
AUTH_TYPE_KEYBOARD_INTERACTIVE, AUTH_TYPE_KEYBOARD_INTERACTIVE,
AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
} type; } type;
int done_service_req;
int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter; int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
int tried_pubkey_config, tried_agent; int tried_pubkey_config, tried_agent;
int kbd_inter_running, kbd_inter_refused; int kbd_inter_running, kbd_inter_refused;
@ -6455,16 +6456,33 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
crBegin(ssh->do_ssh2_authconn_crstate); crBegin(ssh->do_ssh2_authconn_crstate);
/* s->done_service_req = FALSE;
* Request userauth protocol, and await a response to it. s->we_are_in = FALSE;
*/ if (!ssh->cfg.ssh_no_userauth) {
s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST); /*
ssh2_pkt_addstring(s->pktout, "ssh-userauth"); * Request userauth protocol, and await a response to it.
ssh2_pkt_send(ssh, s->pktout); */
crWaitUntilV(pktin); s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) { ssh2_pkt_addstring(s->pktout, "ssh-userauth");
bombout(("Server refused user authentication protocol")); ssh2_pkt_send(ssh, s->pktout);
crStopV; crWaitUntilV(pktin);
if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
s->done_service_req = TRUE;
}
if (!s->done_service_req) {
/*
* Request connection protocol directly, without authentication.
*/
s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
ssh2_pkt_addstring(s->pktout, "ssh-connection");
ssh2_pkt_send(ssh, s->pktout);
crWaitUntilV(pktin);
if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
s->we_are_in = TRUE; /* no auth required */
} else {
bombout(("Server refused service request"));
crStopV;
}
} }
/* /*
@ -6493,7 +6511,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
*/ */
s->username[0] = '\0'; s->username[0] = '\0';
s->got_username = FALSE; s->got_username = FALSE;
do { while (!s->we_are_in) {
/* /*
* Get a username. * Get a username.
*/ */
@ -7234,12 +7252,10 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
crStopV; crStopV;
} }
} }
} while (!s->we_are_in); }
/* /*
* Now we're authenticated for the connection protocol. The * Now the connection protocol has started, one way or another.
* connection protocol will automatically have started at this
* point; there's no need to send SERVICE_REQUEST.
*/ */
ssh->channels = newtree234(ssh_channelcmp); ssh->channels = newtree234(ssh_channelcmp);
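Review bot: With the new option left off, a server that answers the "ssh-userauth" request with anything other than SSH2_MSG_SERVICE_ACCEPT no longer reaches the old `bombout(("Server refused user authentication protocol"))`. As far as this rendered hunk shows, `done_service_req` stays FALSE, so the client goes on to request "ssh-connection" and sets `we_are_in` even though the user never asked for an unauthenticated session. That conflicts with the documented default that authentication is assumed, so the direct request should run only under `if (ssh->cfg.ssh_no_userauth) {`, with the refusal handled by `else if (!s->done_service_req) { bombout(("Server refused user authentication protocol")); crStopV; }`. The no-auth path should also leave a trace in the Event Log, for instance `logevent("Server accepted connection without user authentication");` next to `s->we_are_in = TRUE;`, so a session opened this way can be identified afterwards. do_ssh2_authconn begins and ends outside these hunks, so the rest of the function was not reviewed.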


@ -95,6 +95,7 @@
#define WINHELP_CTX_ssh_compress "ssh.compress" #define WINHELP_CTX_ssh_compress "ssh.compress"
#define WINHELP_CTX_ssh_kexlist "ssh.kex.order" #define WINHELP_CTX_ssh_kexlist "ssh.kex.order"
#define WINHELP_CTX_ssh_kex_repeat "ssh.kex.repeat" #define WINHELP_CTX_ssh_kex_repeat "ssh.kex.repeat"
#define WINHELP_CTX_ssh_auth_bypass "ssh.auth.bypass"
#define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey" #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
#define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd" #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
#define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser" #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"