diff options
| author | Hans <[email protected]> | 2015-05-27 16:46:24 +0200 | 
|---|---|---|
| committer | Hans <[email protected]> | 2015-05-29 15:00:21 +0200 | 
| commit | 2d9a5afcd801837be7637048977982bd9e1330f5 (patch) | |
| tree | 3b52ed8dbedcd2f33d249c0dc5d7dab553249704 /lib/ssh | |
| parent | 59b5884dfef313c09d79f3c18063297c81fb67d5 (diff) | |
| download | otp-2d9a5afcd801837be7637048977982bd9e1330f5.tar.gz otp-2d9a5afcd801837be7637048977982bd9e1330f5.tar.bz2 otp-2d9a5afcd801837be7637048977982bd9e1330f5.zip | |
ssh: Implement keyboard_interactive on server side
Diffstat (limited to 'lib/ssh')
| -rw-r--r-- | lib/ssh/src/ssh.erl | 9 | ||||
| -rw-r--r-- | lib/ssh/src/ssh_auth.erl | 80 | ||||
| -rw-r--r-- | lib/ssh/src/ssh_connection_handler.erl | 19 | 
3 files changed, 104 insertions, 4 deletions
| diff --git a/lib/ssh/src/ssh.erl b/lib/ssh/src/ssh.erl index 71e7d77475..7ed17618e7 100644 --- a/lib/ssh/src/ssh.erl +++ b/lib/ssh/src/ssh.erl @@ -331,6 +331,8 @@ handle_option([{exec, _} = Opt | Rest], SocketOptions, SshOptions) ->      handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);  handle_option([{auth_methods, _} = Opt | Rest], SocketOptions, SshOptions) ->      handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]); +handle_option([{auth_method_kb_interactive_data, _} = Opt | Rest], SocketOptions, SshOptions) -> +    handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);  handle_option([{pref_public_key_algs, _} = Opt | Rest], SocketOptions, SshOptions) ->      handle_option(Rest, SocketOptions, [handle_ssh_option(Opt) | SshOptions]);  handle_option([{quiet_mode, _} = Opt|Rest], SocketOptions, SshOptions) -> @@ -411,6 +413,13 @@ handle_ssh_option({exec, Function} = Opt) when is_function(Function) ->      Opt;  handle_ssh_option({auth_methods, Value} = Opt)  when is_list(Value) ->      Opt; +handle_ssh_option({auth_method_kb_interactive_data, {Name,Instruction,Prompt,Echo}} = Opt) when is_list(Name), +												is_list(Instruction), +												is_list(Prompt), +												is_boolean(Echo) -> +    Opt; +handle_ssh_option({auth_method_kb_interactive_data, F} = Opt) when is_function(F,3) -> +    Opt;  handle_ssh_option({infofun, Value} = Opt)  when is_function(Value) ->      Opt;  handle_ssh_option({connectfun, Value} = Opt) when is_function(Value) -> diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl index 45c4d52d7e..9d1ab14ce9 100644 --- a/lib/ssh/src/ssh_auth.erl +++ b/lib/ssh/src/ssh_auth.erl @@ -259,6 +259,54 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User,  handle_userauth_request(#ssh_msg_userauth_request{user = User,  						  service = "ssh-connection", +						  method = "keyboard-interactive", +						  data = _}, +			_, #ssh{opts = Opts} = Ssh) -> +    %% RFC4256 +    %% The data field contains: +    %%   - language tag (deprecated). If =/=[] SHOULD use it however. We skip +    %%                                it for simplicity. +    %%   - submethods. "... the user can give a hint of which actual methods +    %%                  he wants to use. ...".  It's a "MAY use" so we skip +    %%                  it. It also needs an understanding between the client +    %%                  and the server. +    %%                   +    %% "The server MUST reply with an SSH_MSG_USERAUTH_SUCCESS, +    %%  SSH_MSG_USERAUTH_FAILURE, or SSH_MSG_USERAUTH_INFO_REQUEST message." +    Default = {"SSH server", +	       "Enter password for \""++User++"\"", +	       "pwd: ", +	       false}, + +    {Name, Instruction, Prompt, Echo} = +	case proplists:get_value(auth_method_kb_interactive_data, Opts) of +	    undefined ->  +		Default; +	    {_,_,_,_}=V ->  +		V; +	    F when is_function(F) -> +		{_,PeerName} = Ssh#ssh.peer, +		F(PeerName, User, "ssh-connection") +	end, +    EchoEnc = case Echo of +		  true -> <<?TRUE>>; +		  false -> <<?FALSE>> +	      end, +    Msg = #ssh_msg_userauth_info_request{name = unicode:characters_to_list(Name), +					 instruction = unicode:characters_to_list(Instruction), +					 language_tag = "", +					 num_prompts = 1, +					 data = <<?STRING(unicode:characters_to_binary(Prompt)), +						  EchoEnc/binary +						>> +					}, +    {not_authorized, {User, undefined},  +     ssh_transport:ssh_packet(Msg, Ssh#ssh{user = User, +					   opts = [{max_kb_tries,3},{kb_userauth_info_msg,Msg}|Opts] +					  })}; + +handle_userauth_request(#ssh_msg_userauth_request{user = User, +						  service = "ssh-connection",  						  method = Other}, _,  			#ssh{userauth_supported_methods = Methods} = Ssh) ->      {not_authorized, {User, {authmethod, Other}},  @@ -280,6 +328,38 @@ handle_userauth_info_request(         #ssh_msg_userauth_info_response{num_responses = NumPrompts,  				       data = Responses}, Ssh)}. +handle_userauth_info_response(#ssh_msg_userauth_info_response{num_responses = 1, +							      data = <<?UINT32(Sz), Password:Sz/binary>>}, +			      #ssh{opts = Opts0, +				   user = User} = Ssh) -> +    NumTriesLeft = proplists:get_value(max_kb_tries, Opts0, 0) - 1, +    Opts = lists:keydelete(max_kb_tries,1,Opts0), +    case check_password(User, unicode:characters_to_list(Password), Opts) of +	true -> +	    {authorized, User, +	     ssh_transport:ssh_packet(#ssh_msg_userauth_success{}, Ssh)}; +	false when NumTriesLeft > 0 -> +	    UserAuthInfoMsg =  +		(proplists:get_value(kb_userauth_info_msg,Opts)) +		#ssh_msg_userauth_info_request{name = "", +					       instruction =  +						   lists:concat( +						     ["Bad user or password, try again. ", +						      integer_to_list(NumTriesLeft), +						      " tries left."])}, +	    {not_authorized, {User, undefined},  +	     ssh_transport:ssh_packet(UserAuthInfoMsg, +				      Ssh#ssh{opts = [{max_kb_tries,NumTriesLeft}|Opts]})}; +	      +	false -> +	    {not_authorized, {User, {error,"Bad user or password"}},  +	     ssh_transport:ssh_packet(#ssh_msg_userauth_failure{ +					 authentications = "", +					 partial_success = false},  +				      Ssh#ssh{opts = lists:keydelete(kb_userauth_info_msg,1,Opts)} +				     )} +    end; +  handle_userauth_info_response(#ssh_msg_userauth_info_response{},  			      _Auth) ->      throw(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_SERVICE_NOT_AVAILABLE, diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl index 0f6162db60..3161c1f291 100644 --- a/lib/ssh/src/ssh_connection_handler.erl +++ b/lib/ssh/src/ssh_connection_handler.erl @@ -496,10 +496,21 @@ userauth(#ssh_msg_userauth_info_request{} = Msg,      {next_state, userauth, next_packet(State#state{ssh_params = Ssh})};  userauth(#ssh_msg_userauth_info_response{} = Msg,  -	 #state{ssh_params = #ssh{role = server} = Ssh0} = State) -> -    {ok, {Reply, Ssh}} = ssh_auth:handle_userauth_info_response(Msg, Ssh0), -    send_msg(Reply, State), -    {next_state, userauth, next_packet(State#state{ssh_params = Ssh})}; +	 #state{ssh_params = #ssh{role = server, +				  peer = {_, Address}} = Ssh0, +		opts = Opts, starter = Pid} = State) -> +    case ssh_auth:handle_userauth_info_response(Msg, Ssh0) of +	{authorized, User, {Reply, Ssh}} -> +	    send_msg(Reply, State), +	    Pid ! ssh_connected, +	    connected_fun(User, Address, "keyboard-interactive", Opts), +	    {next_state, connected,  +	     next_packet(State#state{auth_user = User, ssh_params = Ssh})}; +	{not_authorized, {User, Reason}, {Reply, Ssh}} -> +	    retry_fun(User, Address, Reason, Opts), +	    send_msg(Reply, State), +	    {next_state, userauth, next_packet(State#state{ssh_params = Ssh})}  +    end;  userauth(#ssh_msg_userauth_success{}, #state{ssh_params = #ssh{role = client} = Ssh,  					     starter = Pid} = State) -> | 
