mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
Uppity: add stunt options for trivial authentication.
This allows the 'no trivial auth' option introduced by the previous commit to be tested. Uppity has grown three new options to make it accept "none" authentication, keyboard-interactive involving no prompts, and the perverse sending of USERAUTH_SUCCESS after a signatureless public-key offer. The first of those options also enables the analogue in SSH-1; the other two have no SSH-1 analogues in the first place. (SSH-1 public key authentication has a challenge-response structure that doesn't contain any way to terminate the exchange early with success. And the TIS and CryptoCard methods, which are its closest analogue of k-i, have a fixed number of prompts, which is not 0.)
This commit is contained in:
parent
5f5c710cf3
commit
ff941299cf
@ -39,7 +39,6 @@ struct ssh1_login_server_state {
|
||||
unsigned ap_methods, current_method;
|
||||
unsigned char auth_rsa_expected_response[16];
|
||||
RSAKey *authkey;
|
||||
bool auth_successful;
|
||||
|
||||
PacketProtocolLayer ppl;
|
||||
};
|
||||
@ -267,7 +266,9 @@ static void ssh1_login_server_process_queue(PacketProtocolLayer *ppl)
|
||||
s->username.ptr = s->username_str = mkstr(s->username);
|
||||
ppl_logevent("Received username '%.*s'", PTRLEN_PRINTF(s->username));
|
||||
|
||||
s->auth_successful = auth_none(s->authpolicy, s->username);
|
||||
if (auth_none(s->authpolicy, s->username))
|
||||
goto auth_success;
|
||||
|
||||
while (1) {
|
||||
/* Signal failed authentication */
|
||||
pktout = ssh_bpp_new_pktout(s->ppl.bpp, SSH1_SMSG_FAILURE);
|
||||
|
@ -21,6 +21,9 @@ struct SshServerConfig {
|
||||
|
||||
bool stunt_pretend_to_accept_any_pubkey;
|
||||
bool stunt_open_unconditional_agent_socket;
|
||||
bool stunt_allow_none_auth;
|
||||
bool stunt_allow_trivial_ki_auth;
|
||||
bool stunt_return_success_to_pubkey_offer;
|
||||
};
|
||||
|
||||
Plug *ssh_server_plug(
|
||||
|
@ -209,7 +209,8 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
|
||||
if (!(s->methods & s->this_method))
|
||||
goto failure;
|
||||
|
||||
has_signature = get_bool(pktin);
|
||||
has_signature = get_bool(pktin) ||
|
||||
s->ssc->stunt_return_success_to_pubkey_offer;
|
||||
algorithm = get_string(pktin);
|
||||
blob = get_string(pktin);
|
||||
|
||||
@ -251,7 +252,8 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
|
||||
|
||||
signature = get_string(pktin);
|
||||
success = ssh_key_verify(key, signature,
|
||||
ptrlen_from_strbuf(sigdata));
|
||||
ptrlen_from_strbuf(sigdata)) ||
|
||||
s->ssc->stunt_return_success_to_pubkey_offer;
|
||||
ssh_key_free(key);
|
||||
strbuf_free(sigdata);
|
||||
|
||||
|
@ -110,6 +110,8 @@ void make_unix_sftp_filehandle_key(void *data, size_t size)
|
||||
|
||||
static bool verbose;
|
||||
|
||||
struct server_config;
|
||||
|
||||
struct AuthPolicyShared {
|
||||
struct AuthPolicy_ssh1_pubkey *ssh1keys;
|
||||
struct AuthPolicy_ssh2_pubkey *ssh2keys;
|
||||
@ -124,6 +126,24 @@ struct server_instance {
|
||||
unsigned id;
|
||||
AuthPolicy ap;
|
||||
LogPolicy logpolicy;
|
||||
struct server_config *cfg;
|
||||
};
|
||||
|
||||
struct server_config {
|
||||
Conf *conf;
|
||||
const SshServerConfig *ssc;
|
||||
|
||||
ssh_key **hostkeys;
|
||||
int nhostkeys;
|
||||
|
||||
RSAKey *hostkey1;
|
||||
|
||||
struct AuthPolicyShared *ap_shared;
|
||||
|
||||
unsigned next_id;
|
||||
|
||||
Socket *listening_socket;
|
||||
Plug listening_plug;
|
||||
};
|
||||
|
||||
static void log_to_stderr(unsigned id, const char *msg)
|
||||
@ -175,11 +195,21 @@ struct AuthPolicy_ssh2_pubkey {
|
||||
|
||||
unsigned auth_methods(AuthPolicy *ap)
|
||||
{
|
||||
return (AUTHMETHOD_PUBLICKEY | AUTHMETHOD_PASSWORD | AUTHMETHOD_KBDINT |
|
||||
AUTHMETHOD_TIS | AUTHMETHOD_CRYPTOCARD);
|
||||
struct server_instance *inst = container_of(
|
||||
ap, struct server_instance, ap);
|
||||
unsigned methods = (AUTHMETHOD_PUBLICKEY | AUTHMETHOD_PASSWORD |
|
||||
AUTHMETHOD_KBDINT | AUTHMETHOD_TIS |
|
||||
AUTHMETHOD_CRYPTOCARD);
|
||||
if (inst->cfg->ssc->stunt_allow_none_auth)
|
||||
methods |= AUTHMETHOD_NONE;
|
||||
return methods;
|
||||
}
|
||||
bool auth_none(AuthPolicy *ap, ptrlen username)
|
||||
{
|
||||
struct server_instance *inst = container_of(
|
||||
ap, struct server_instance, ap);
|
||||
if (inst->cfg->ssc->stunt_allow_none_auth)
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
int auth_password(AuthPolicy *ap, ptrlen username, ptrlen password,
|
||||
@ -249,13 +279,21 @@ AuthKbdInt *auth_kbdint_prompts(AuthPolicy *ap, ptrlen username)
|
||||
aki->prompts[1].prompt = dupstr("Silent prompt: ");
|
||||
aki->prompts[1].echo = false;
|
||||
return aki;
|
||||
case 1:
|
||||
case 1: {
|
||||
struct server_instance *inst = container_of(
|
||||
ap, struct server_instance, ap);
|
||||
aki = snew(AuthKbdInt);
|
||||
if (inst->cfg->ssc->stunt_allow_trivial_ki_auth) {
|
||||
aki->title = dupstr("");
|
||||
aki->instruction = dupstr("");
|
||||
} else {
|
||||
aki->title = dupstr("Zero-prompt step");
|
||||
aki->instruction = dupstr("Shouldn't see any prompts this time");
|
||||
}
|
||||
aki->nprompts = 0;
|
||||
aki->prompts = NULL;
|
||||
return aki;
|
||||
}
|
||||
default:
|
||||
ap->kbdint_state = 0;
|
||||
return NULL;
|
||||
@ -416,23 +454,6 @@ static bool longoptnoarg(const char *arg, const char *expected)
|
||||
return false;
|
||||
}
|
||||
|
||||
struct server_config {
|
||||
Conf *conf;
|
||||
const SshServerConfig *ssc;
|
||||
|
||||
ssh_key **hostkeys;
|
||||
int nhostkeys;
|
||||
|
||||
RSAKey *hostkey1;
|
||||
|
||||
struct AuthPolicyShared *ap_shared;
|
||||
|
||||
unsigned next_id;
|
||||
|
||||
Socket *listening_socket;
|
||||
Plug listening_plug;
|
||||
};
|
||||
|
||||
static Plug *server_conn_plug(
|
||||
struct server_config *cfg, struct server_instance **inst_out)
|
||||
{
|
||||
@ -442,7 +463,10 @@ static Plug *server_conn_plug(
|
||||
|
||||
inst->id = cfg->next_id++;
|
||||
inst->ap.shared = cfg->ap_shared;
|
||||
if (cfg->ssc->stunt_allow_trivial_ki_auth)
|
||||
inst->ap.kbdint_state = 1;
|
||||
inst->logpolicy.vt = &server_logpolicy_vt;
|
||||
inst->cfg = cfg;
|
||||
|
||||
if (inst_out)
|
||||
*inst_out = inst;
|
||||
@ -785,6 +809,12 @@ int main(int argc, char **argv)
|
||||
ssc.stunt_pretend_to_accept_any_pubkey = true;
|
||||
} else if (!strcmp(arg, "--open-unconditional-agent-socket")) {
|
||||
ssc.stunt_open_unconditional_agent_socket = true;
|
||||
} else if (!strcmp(arg, "--allow-none-auth")) {
|
||||
ssc.stunt_allow_none_auth = true;
|
||||
} else if (!strcmp(arg, "--allow-trivial-ki-auth")) {
|
||||
ssc.stunt_allow_trivial_ki_auth = true;
|
||||
} else if (!strcmp(arg, "--return-success-to-pubkey-offer")) {
|
||||
ssc.stunt_return_success_to_pubkey_offer = true;
|
||||
} else {
|
||||
fprintf(stderr, "%s: unrecognised option '%s'\n", appname, arg);
|
||||
exit(1);
|
||||
|
Loading…
Reference in New Issue
Block a user