Source snapshot from Powershell/openssh-portable:latestw_all

auth-passwd.c

@@ -54,6 +54,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
+#include "authfd.h"
 
 extern Buffer loginmsg;
 extern ServerOptions options;
@@ -225,38 +226,36 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 
 #elif defined(WINDOWS)
 /*
-* Authenticate on Windows - Pass creds to ssh-agent and retrieve token
+* Authenticate on Windows - Pass credentials to ssh-agent and retrieve token
 * upon succesful authentication
 */
 extern int auth_sock;
 int sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
-	u_char *blob = NULL;
 	size_t blen = 0;
 	DWORD token = 0;
 	struct sshbuf *msg = NULL;
+	int r;
 
 	msg = sshbuf_new();
 	if (!msg)
-		return 0;
-	if (sshbuf_put_u8(msg, 100) != 0 ||
-		sshbuf_put_cstring(msg, "password") != 0 ||
-		sshbuf_put_cstring(msg, authctxt->user) != 0 ||
-		sshbuf_put_cstring(msg, password) != 0 ||
-		ssh_request_reply(auth_sock, msg, msg) != 0 ||
-		sshbuf_get_u32(msg, &token) != 0) {
-		debug("auth agent did not authorize client %s", authctxt->pw->pw_name);
-		return 0;
-	}
+		fatal("%s: out of memory", __func__);
 
-
-	if (blob)
-		free(blob);
+	if (sshbuf_put_u8(msg, SSH_AGENT_AUTHENTICATE) != 0 ||
+	    sshbuf_put_cstring(msg, PASSWD_AUTH_REQUEST) != 0 ||
+	    sshbuf_put_cstring(msg, authctxt->pw->pw_name) != 0 ||
+	    sshbuf_put_cstring(msg, password) != 0 ||
+	    ssh_request_reply(auth_sock, msg, msg) != 0 ||
+	    sshbuf_get_u32(msg, &token) != 0) {
+		debug("auth agent did not authorize client %s", authctxt->user);
+		r = 0;
+		goto done;
+	}
+	authctxt->methoddata = (void*)(INT_PTR)token;
+	r = 1;
+done:
 	if (msg)
 		sshbuf_free(msg);
-
-	authctxt->methoddata = (void*)(INT_PTR)token;
-
-	return 1;
+	return r;
 }
 #endif   /* WINDOWS */

auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.62 2017/01/30 01:03:00 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -68,6 +68,7 @@
 #include "ssherr.h"
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
+#include "authfd.h"
 
 /* import */
 extern ServerOptions options;
@@ -189,21 +190,21 @@ userauth_pubkey(Authctxt *authctxt)
 			while (1) {
 				msg = sshbuf_new();
 				if (!msg)
-					break;
-				if ((r = sshbuf_put_u8(msg, 100)) != 0 ||
-					(r = sshbuf_put_cstring(msg, "pubkey")) != 0 ||
-					(r = sshkey_to_blob(key, &blob, &blen)) != 0 ||
-					(r = sshbuf_put_string(msg, blob, blen)) != 0 ||
-					(r = sshbuf_put_cstring(msg, authctxt->pw->pw_name)) != 0 ||
-					(r = sshbuf_put_string(msg, sig, slen)) != 0 ||
-					(r = sshbuf_put_string(msg, buffer_ptr(&b), buffer_len(&b))) != 0 ||
-					(r = ssh_request_reply(auth_sock, msg, msg)) != 0 ||
-					(r = sshbuf_get_u32(msg, &token)) != 0) {
-					debug("auth agent did not authorize client %s", authctxt->pw->pw_name);
+					fatal("%s: out of memory", __func__);
+				if ((r = sshbuf_put_u8(msg, SSH_AGENT_AUTHENTICATE)) != 0 ||
+				    (r = sshbuf_put_cstring(msg, PUBKEY_AUTH_REQUEST)) != 0 ||
+				    (r = sshkey_to_blob(key, &blob, &blen)) != 0 ||
+				    (r = sshbuf_put_string(msg, blob, blen)) != 0 ||
+				    (r = sshbuf_put_cstring(msg, authctxt->pw->pw_name)) != 0 ||
+				    (r = sshbuf_put_string(msg, sig, slen)) != 0 ||
+				    (r = sshbuf_put_string(msg, buffer_ptr(&b), buffer_len(&b))) != 0 ||
+				    (r = ssh_request_reply(auth_sock, msg, msg)) != 0 ||
+				    (r = sshbuf_get_u32(msg, &token)) != 0) {
+					debug("auth agent did not authorize client %s", authctxt->user);
 					break;
 				}
 
-				debug3("auth agent authenticated %s", authctxt->pw->pw_name);
+				debug3("auth agent authenticated %s", authctxt->user);
 				break;
 
 			}
@@ -620,9 +621,12 @@ process_principals(FILE *f, char *file, struct passwd *pw,
 {
 	char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
 	u_long linenum = 0;
-	u_int i;
+	u_int i, found_principal = 0;
 
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+		/* Always consume entire input */
+		if (found_principal)
+			continue;
 		/* Skip leading whitespace. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
@@ -655,11 +659,12 @@ process_principals(FILE *f, char *file, struct passwd *pw,
 				if (auth_parse_options(pw, line_opts,
 				    file, linenum) != 1)
 					continue;
-				return 1;
+				found_principal = 1;
+				continue;
 			}
 		}
 	}
-	return 0;
+	return found_principal;
 }
 
 static int
@@ -827,6 +832,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 		char *cp, *key_options = NULL, *fp = NULL;
 		const char *reason = NULL;
 
+		/* Always consume entrire file */
+		if (found_key)
+			continue;
 		if (found != NULL)
 			key_free(found);
 		found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -913,7 +921,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 			    file, linenum, key_type(found), fp);
 			free(fp);
 			found_key = 1;
-			break;
+			continue;
 		}
 	}
 	if (found != NULL)

auth2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.136 2016/05/02 08:49:03 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.137 2017/02/03 23:05:57 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -212,6 +212,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 static int
 input_userauth_request(int type, u_int32_t seq, void *ctxt)
 {
+	struct ssh *ssh = active_state;	/* XXX */
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
@@ -235,9 +236,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		authctxt->user = xstrdup(user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
-			debug2("input_userauth_request: setting up authctxt for %s", user);
+			debug2("%s: setting up authctxt for %s",
+			    __func__, user);
 		} else {
-			logit("input_userauth_request: invalid user %s", user);
+			/* Invalid user, fake password information */
 			authctxt->pw = fakepw();
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_INVALID_USER));
@@ -247,6 +249,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		if (options.use_pam)
 			PRIVSEP(start_pam(authctxt));
 #endif
+		ssh_packet_set_log_preamble(ssh, "%suser %s",
+		    authctxt->valid ? "authenticating " : "invalid ", user);
 		setproctitle("%s%s", authctxt->valid ? user : "unknown",
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
@@ -292,6 +296,7 @@ void
 userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
     const char *submethod)
 {
+	struct ssh *ssh = active_state;	/* XXX */
 	char *methods;
 	int partial = 0;
 
@@ -353,6 +358,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
 		packet_write_wait();
 		/* now we can break out */
 		authctxt->success = 1;
+		ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
 	} else {
 
 		/* Allow initial try of "none" auth without failure penalty */

authfd.c

@@ -97,35 +97,39 @@ ssh_get_authentication_socket(int *fdp)
 #ifdef WINDOWS
 	/* Auth socket in Windows is a static-named pipe listener in ssh-agent */
 	{
-#define SSH_AGENT_REG_ROOT L"SOFTWARE\\SSH\\Agent"
-#define SSH_AGENT_PIPE_NAME L"\\\\.\\pipe\\ssh-agent"
 		HKEY agent_root = 0;
 		DWORD agent_pid = 0, tmp_size = 4, pipe_server_pid = 0xff;
+		DWORD connection_attempts = 0;
 		HANDLE h;
-		RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_AGENT_REG_ROOT, 0, KEY_QUERY_VALUE, &agent_root);
+		RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_AGENT_REG_ROOT, 
+			0, KEY_QUERY_VALUE, &agent_root);
 		if (agent_root) {
-			RegQueryValueEx(agent_root, "ProcessId", 0, NULL, (LPBYTE)&agent_pid, &tmp_size);
+			RegQueryValueEx(agent_root, "ProcessId", 0, 
+				NULL, (LPBYTE)&agent_pid, &tmp_size);
 			RegCloseKey(agent_root);
 		}
 
 		do {
 			h = CreateFileW(SSH_AGENT_PIPE_NAME, GENERIC_READ | GENERIC_WRITE, 0,
-			    NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL); 
-			if (h != INVALID_HANDLE_VALUE || GetLastError() != ERROR_PIPE_BUSY)
+				NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL); 
+			if (h != INVALID_HANDLE_VALUE || GetLastError() != ERROR_PIPE_BUSY || 
+			    ++connection_attempts > 10)
 				break;
 			Sleep(100);
 		} while(1);
 
 		if (h == INVALID_HANDLE_VALUE) {
-			debug("ssh_get_authentication_socket - CreateFileW failed error %d", GetLastError());
+			debug("ssh_get_authentication_socket - CreateFileW failed error %d", 
+			    GetLastError());
 			return SSH_ERR_AGENT_NOT_PRESENT;
 		}
 
 		/*
-		 * ensure that connected server pid matches published pid. this provides service side
-		 * auth and prevents mitm
+		 * ensure that connected server pid matches published pid. 
+		 * this provides service side auth and prevents mitm
 		 */
-		if (!GetNamedPipeServerProcessId(h, &pipe_server_pid) || (agent_pid != pipe_server_pid)) {
+		if (!GetNamedPipeServerProcessId(h, &pipe_server_pid) || 
+		    (agent_pid != pipe_server_pid)) {
 			debug("agent pid mismatch");
 			CloseHandle(h);
 			return SSH_ERR_AGENT_COMMUNICATION;

authfd.h

@@ -89,4 +89,14 @@ int	ssh_agent_sign(int sock, struct sshkey *key,
 #define	SSH_AGENT_RSA_SHA2_256			0x02
 #define	SSH_AGENT_RSA_SHA2_512			0x04
 
+/* 
+* Following are used in Windows implementation
+* ssh-agent in Windows also serves user authentication
+*/
+#define SSH_AGENT_AUTHENTICATE			200
+#define PUBKEY_AUTH_REQUEST			"pubkey"
+#define PASSWD_AUTH_REQUEST			"password"
+#define SSH_AGENT_REG_ROOT			L"SOFTWARE\\SSH\\Agent"
+#define SSH_AGENT_PIPE_NAME			L"\\\\.\\pipe\\ssh-agent"
+
 #endif				/* AUTHFD_H */

channels.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.356 2016/10/18 17:32:54 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.357 2017/02/01 02:59:09 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3067,7 +3067,7 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
 	}
 	packet_check_eom();
 	c = channel_connect_to_port(host, host_port,
-	    "connected socket", originator_string);
+	    "connected socket", originator_string, NULL, NULL);
 	free(originator_string);
 	free(host);
 	if (c == NULL) {
@@ -4028,9 +4028,13 @@ channel_connect_ctx_free(struct channel_connect *cctx)
 	memset(cctx, 0, sizeof(*cctx));
 }
 
-/* Return CONNECTING channel to remote host:port or local socket path */
+/*
+ * Return CONNECTING channel to remote host:port or local socket path,
+ * passing back the failure reason if appropriate.
+ */
 static Channel *
-connect_to(const char *name, int port, char *ctype, char *rname)
+connect_to_reason(const char *name, int port, char *ctype, char *rname,
+     int *reason, const char **errmsg)
 {
 	struct addrinfo hints;
 	int gaierr;
@@ -4071,7 +4075,12 @@ connect_to(const char *name, int port, char *ctype, char *rname)
 		hints.ai_family = IPv4or6;
 		hints.ai_socktype = SOCK_STREAM;
 		snprintf(strport, sizeof strport, "%d", port);
-		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
+		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop))
+		    != 0) {
+			if (errmsg != NULL)
+				*errmsg = ssh_gai_strerror(gaierr);
+			if (reason != NULL)
+				*reason = SSH2_OPEN_CONNECT_FAILED;
 			error("connect_to %.100s: unknown host (%s)", name,
 			    ssh_gai_strerror(gaierr));
 			return NULL;
@@ -4094,6 +4103,13 @@ connect_to(const char *name, int port, char *ctype, char *rname)
 	return c;
 }
 
+/* Return CONNECTING channel to remote host:port or local socket path */
+static Channel *
+connect_to(const char *name, int port, char *ctype, char *rname)
+{
+	return connect_to_reason(name, port, ctype, rname, NULL, NULL);
+}
+
 /*
  * returns either the newly connected channel or the downstream channel
  * that needs to deal with this connection.
@@ -4138,7 +4154,8 @@ channel_connect_by_listen_path(const char *path, char *ctype, char *rname)
 
 /* Check if connecting to that port is permitted and connect. */
 Channel *
-channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname)
+channel_connect_to_port(const char *host, u_short port, char *ctype,
+    char *rname, int *reason, const char **errmsg)
 {
 	int i, permit, permit_adm = 1;
 
@@ -4163,9 +4180,11 @@ channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname
 	if (!permit || !permit_adm) {
 		logit("Received request to connect to host %.100s port %d, "
 		    "but the request was denied.", host, port);
+		if (reason != NULL)
+			*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
 		return NULL;
 	}
-	return connect_to(host, port, ctype, rname);
+	return connect_to_reason(host, port, ctype, rname, reason, errmsg);
 }
 
 /* Check if connecting to that path is permitted and connect. */

channels.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.120 2016/10/18 17:32:54 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.121 2017/02/01 02:59:09 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -275,7 +275,8 @@ void	 channel_update_permitted_opens(int, int);
 void	 channel_clear_permitted_opens(void);
 void	 channel_clear_adm_permitted_opens(void);
 void 	 channel_print_adm_permitted_opens(void);
-Channel	*channel_connect_to_port(const char *, u_short, char *, char *);
+Channel	*channel_connect_to_port(const char *, u_short, char *, char *, int *,
+	     const char **);
 Channel *channel_connect_to_path(const char *, char *, char *);
 Channel	*channel_connect_stdio_fwd(const char*, u_short, int, int);
 Channel	*channel_connect_by_listen_address(const char *, u_short,

clientloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.289 2016/09/30 09:19:13 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.290 2017/01/29 21:35:23 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -991,7 +991,7 @@ process_cmdline(void)
 			    CHANNEL_CANCEL_PORT_STATIC,
 			    &options.fwd_opts) > 0;
 		if (!ok) {
-			logit("Unkown port forwarding.");
+			logit("Unknown port forwarding.");
 			goto out;
 		}
 		logit("Canceled forwarding.");