ssh: Implement keyboard_interactive on server side

author: Hans <[email protected]> 2015-05-27 16:46:24 +0200
committer: Hans <[email protected]> 2015-05-29 15:00:21 +0200
commit: 2d9a5afcd801837be7637048977982bd9e1330f5 (patch)
tree: 3b52ed8dbedcd2f33d249c0dc5d7dab553249704
parent: 59b5884dfef313c09d79f3c18063297c81fb67d5 (diff)
download: otp-2d9a5afcd801837be7637048977982bd9e1330f5.tar.gz
otp-2d9a5afcd801837be7637048977982bd9e1330f5.tar.bz2
otp-2d9a5afcd801837be7637048977982bd9e1330f5.zip
3 files changed, 104 insertions, 4 deletions
diff --git a/lib/ssh/src/ssh.erl b/lib/ssh/src/ssh.erl
index 71e7d77475..7ed17618e7 100644
--- a/lib/ssh/src/ssh.erl
+++ b/lib/ssh/src/ssh.erl
@@ -331,6 +331,8 @@ handle_option([{exec, _} = Opt | Rest], SocketOptions, SshOptions) ->
     handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);
 handle_option([{auth_methods, _} = Opt | Rest], SocketOptions, SshOptions) ->
     handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);
+handle_option([{auth_method_kb_interactive_data, _} = Opt | Rest], SocketOptions, SshOptions) ->
+    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);
 handle_option([{pref_public_key_algs, _} = Opt | Rest], SocketOptions, SshOptions) ->
     handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);
 handle_option([{quiet_mode, _} = Opt|Rest], SocketOptions, SshOptions) ->
@@ -411,6 +413,13 @@ handle_ssh_option({exec, Function} = Opt) when is_function(Function) ->
     Opt;
 handle_ssh_option({auth_methods, Value} = Opt)  when is_list(Value) ->
     Opt;
+handle_ssh_option({auth_method_kb_interactive_data, {Name,Instruction,Prompt,Echo}} = Opt) when is_list(Name),
+												is_list(Instruction),
+												is_list(Prompt),
+												is_boolean(Echo) ->
+    Opt;
+handle_ssh_option({auth_method_kb_interactive_data, F} = Opt) when is_function(F,3) ->
+    Opt;
 handle_ssh_option({infofun, Value} = Opt)  when is_function(Value) ->
     Opt;
 handle_ssh_option({connectfun, Value} = Opt) when is_function(Value) ->
diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl
index 45c4d52d7e..9d1ab14ce9 100644
--- a/lib/ssh/src/ssh_auth.erl
+++ b/lib/ssh/src/ssh_auth.erl
@@ -259,6 +259,54 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,
 
 handle_userauth_request(#ssh_msg_userauth_request{user = User,
 						  service = "ssh-connection",
+						  method = "keyboard-interactive",
+						  data = _},
+			_, #ssh{opts = Opts} = Ssh) ->
+    %% RFC4256
+    %% The data field contains:
+    %%   - language tag (deprecated). If =/=[] SHOULD use it however. We skip
+    %%                                it for simplicity.
+    %%   - submethods. "... the user can give a hint of which actual methods
+    %%                  he wants to use. ...".  It's a "MAY use" so we skip
+    %%                  it. It also needs an understanding between the client
+    %%                  and the server.
+    %%                  
+    %% "The server MUST reply with an SSH_MSG_USERAUTH_SUCCESS,
+    %%  SSH_MSG_USERAUTH_FAILURE, or SSH_MSG_USERAUTH_INFO_REQUEST message."
+    Default = {"SSH server",
+	       "Enter password for \""++User++"\"",
+	       "pwd: ",
+	       false},
+
+    {Name, Instruction, Prompt, Echo} =
+	case proplists:get_value(auth_method_kb_interactive_data, Opts) of
+	    undefined -> 
+		Default;
+	    {_,_,_,_}=V -> 
+		V;
+	    F when is_function(F) ->
+		{_,PeerName} = Ssh#ssh.peer,
+		F(PeerName, User, "ssh-connection")
+	end,
+    EchoEnc = case Echo of
+		  true -> <<?TRUE>>;
+		  false -> <<?FALSE>>
+	      end,
+    Msg = #ssh_msg_userauth_info_request{name = unicode:characters_to_list(Name),
+					 instruction = unicode:characters_to_list(Instruction),
+					 language_tag = "",
+					 num_prompts = 1,
+					 data = <<?STRING(unicode:characters_to_binary(Prompt)),
+						  EchoEnc/binary
+						>>
+					},
+    {not_authorized, {User, undefined}, 
+     ssh_transport:ssh_packet(Msg, Ssh#ssh{user = User,
+					   opts = [{max_kb_tries,3},{kb_userauth_info_msg,Msg}|Opts]
+					  })};
+
+handle_userauth_request(#ssh_msg_userauth_request{user = User,
+						  service = "ssh-connection",
 						  method = Other}, _,
 			#ssh{userauth_supported_methods = Methods} = Ssh) ->
     {not_authorized, {User, {authmethod, Other}}, 
@@ -280,6 +328,38 @@ handle_userauth_info_request(
        #ssh_msg_userauth_info_response{num_responses = NumPrompts,
 				       data = Responses}, Ssh)}.
 
+handle_userauth_info_response(#ssh_msg_userauth_info_response{num_responses = 1,
+							      data = <<?UINT32(Sz), Password:Sz/binary>>},
+			      #ssh{opts = Opts0,
+				   user = User} = Ssh) ->
+    NumTriesLeft = proplists:get_value(max_kb_tries, Opts0, 0) - 1,
+    Opts = lists:keydelete(max_kb_tries,1,Opts0),
+    case check_password(User, unicode:characters_to_list(Password), Opts) of
+	true ->
+	    {authorized, User,
+	     ssh_transport:ssh_packet(#ssh_msg_userauth_success{}, Ssh)};
+	false when NumTriesLeft > 0 ->
+	    UserAuthInfoMsg = 
+		(proplists:get_value(kb_userauth_info_msg,Opts))
+		#ssh_msg_userauth_info_request{name = "",
+					       instruction = 
+						   lists:concat(
+						     ["Bad user or password, try again. ",
+						      integer_to_list(NumTriesLeft),
+						      " tries left."])},
+	    {not_authorized, {User, undefined}, 
+	     ssh_transport:ssh_packet(UserAuthInfoMsg,
+				      Ssh#ssh{opts = [{max_kb_tries,NumTriesLeft}|Opts]})};
+	     
+	false ->
+	    {not_authorized, {User, {error,"Bad user or password"}}, 
+	     ssh_transport:ssh_packet(#ssh_msg_userauth_failure{
+					 authentications = "",
+					 partial_success = false}, 
+				      Ssh#ssh{opts = lists:keydelete(kb_userauth_info_msg,1,Opts)}
+				     )}
+    end;
+
 handle_userauth_info_response(#ssh_msg_userauth_info_response{},
 			      _Auth) ->
     throw(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_SERVICE_NOT_AVAILABLE,
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 0f6162db60..3161c1f291 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -496,10 +496,21 @@ userauth(#ssh_msg_userauth_info_request{} = Msg,
     {next_state, userauth, next_packet(State#state{ssh_params = Ssh})};
 
 userauth(#ssh_msg_userauth_info_response{} = Msg, 
-	 #state{ssh_params = #ssh{role = server} = Ssh0} = State) ->
-    {ok, {Reply, Ssh}} = ssh_auth:handle_userauth_info_response(Msg, Ssh0),
-    send_msg(Reply, State),
-    {next_state, userauth, next_packet(State#state{ssh_params = Ssh})};
+	 #state{ssh_params = #ssh{role = server,
+				  peer = {_, Address}} = Ssh0,
+		opts = Opts, starter = Pid} = State) ->
+    case ssh_auth:handle_userauth_info_response(Msg, Ssh0) of
+	{authorized, User, {Reply, Ssh}} ->
+	    send_msg(Reply, State),
+	    Pid ! ssh_connected,
+	    connected_fun(User, Address, "keyboard-interactive", Opts),
+	    {next_state, connected, 
+	     next_packet(State#state{auth_user = User, ssh_params = Ssh})};
+	{not_authorized, {User, Reason}, {Reply, Ssh}} ->
+	    retry_fun(User, Address, Reason, Opts),
+	    send_msg(Reply, State),
+	    {next_state, userauth, next_packet(State#state{ssh_params = Ssh})} 
+    end;
 			
 userauth(#ssh_msg_userauth_success{}, #state{ssh_params = #ssh{role = client} = Ssh,
 					     starter = Pid} = State) ->
author	Hans <[email protected]>	2015-05-27 16:46:24 +0200
committer	Hans <[email protected]>	2015-05-29 15:00:21 +0200
commit	2d9a5afcd801837be7637048977982bd9e1330f5 (patch)
tree	3b52ed8dbedcd2f33d249c0dc5d7dab553249704
parent	59b5884dfef313c09d79f3c18063297c81fb67d5 (diff)
download	otp-2d9a5afcd801837be7637048977982bd9e1330f5.tar.gz otp-2d9a5afcd801837be7637048977982bd9e1330f5.tar.bz2 otp-2d9a5afcd801837be7637048977982bd9e1330f5.zip