%% %% %CopyrightBegin% %% %% Copyright Ericsson AB 2008-2018. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. %% You may obtain a copy of the License at %% %% http://www.apache.org/licenses/LICENSE-2.0 %% %% Unless required by applicable law or agreed to in writing, software %% distributed under the License is distributed on an "AS IS" BASIS, %% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. %% See the License for the specific language governing permissions and %% limitations under the License. %% %% %CopyrightEnd% %% %% -module(ssh_auth). -include_lib("public_key/include/public_key.hrl"). -include("ssh.hrl"). -include("ssh_auth.hrl"). -include("ssh_transport.hrl"). -export([get_public_key/2, publickey_msg/1, password_msg/1, keyboard_interactive_msg/1, service_request_msg/1, init_userauth_request_msg/1, userauth_request_msg/1, handle_userauth_request/3, handle_userauth_info_request/2, handle_userauth_info_response/2 ]). %%-------------------------------------------------------------------- %%% Internal application API %%-------------------------------------------------------------------- %%%---------------------------------------------------------------- userauth_request_msg(#ssh{userauth_methods = ServerMethods, userauth_supported_methods = UserPrefMethods, userauth_preference = ClientMethods0 } = Ssh0) -> case sort_select_mthds(ClientMethods0, UserPrefMethods, ServerMethods) of [] -> {send_disconnect, ?SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE, Ssh0}; [{Pref,Module,Function,Args} | Prefs] -> Ssh = case Pref of "keyboard-interactive" -> Ssh0; _ -> Ssh0#ssh{userauth_preference = Prefs} end, case Module:Function(Args ++ [Ssh]) of {not_ok, Ssh1} -> userauth_request_msg(Ssh1#ssh{userauth_preference = Prefs}); Result -> {Pref,Result} end end. sort_select_mthds(Clients, undefined, Servers) -> %% User has not expressed an opinion via option "auth_methods", use the server's prefs sort_select_mthds1(Clients, Servers, string:tokens(?SUPPORTED_AUTH_METHODS,",")); sort_select_mthds(Clients, Users0, Servers0) -> %% The User has an opinion, use the intersection of that and the Servers whishes but %% in the Users order sort_select_mthds1(Clients, string:tokens(Users0,","), Servers0). sort_select_mthds1(Clients, Users0, Servers0) -> Servers = unique(Servers0), Users = unique(Users0), [C || Key <- Users, lists:member(Key, Servers), C <- Clients, element(1,C) == Key]. unique(L) -> lists:reverse( lists:foldl(fun(E,Acc) -> case lists:member(E,Acc) of true -> Acc; false -> [E|Acc] end end, [], L)). %%%---- userauth_request_msg "callbacks" password_msg([#ssh{opts = Opts, user = User, service = Service} = Ssh0]) -> IoCb = ?GET_INTERNAL_OPT(io_cb, Opts), {Password,Ssh} = case ?GET_OPT(password, Opts) of undefined when IoCb == ssh_no_io -> {not_ok, Ssh0}; undefined -> {IoCb:read_password("ssh password: ",Opts), Ssh0}; PW -> %% If "password" option is given it should not be tried again {PW, Ssh0#ssh{opts = ?PUT_OPT({password,not_ok}, Opts)}} end, case Password of not_ok -> {not_ok, Ssh}; _ -> ssh_transport:ssh_packet( #ssh_msg_userauth_request{user = User, service = Service, method = "password", data = <>}, Ssh) end. %% See RFC 4256 for info on keyboard-interactive keyboard_interactive_msg([#ssh{user = User, opts = Opts, service = Service} = Ssh]) -> case ?GET_OPT(password, Opts) of not_ok -> {not_ok,Ssh}; % No need to use a failed pwd once more _ -> ssh_transport:ssh_packet( #ssh_msg_userauth_request{user = User, service = Service, method = "keyboard-interactive", data = << ?STRING(<<"">>), ?STRING(<<>>) >> }, Ssh) end. get_public_key(SigAlg, #ssh{opts = Opts}) -> KeyAlg = key_alg(SigAlg), case ssh_transport:call_KeyCb(user_key, [KeyAlg], Opts) of {ok, PrivKey} -> try %% Check the key - the KeyCb may be a buggy plugin true = ssh_transport:valid_key_sha_alg(PrivKey, KeyAlg), Key = ssh_transport:extract_public_key(PrivKey), public_key:ssh_encode(Key, ssh2_pubkey) of PubKeyBlob -> {ok,{PrivKey,PubKeyBlob}} catch _:_ -> not_ok end; _Error -> not_ok end. publickey_msg([SigAlg, #ssh{user = User, session_id = SessionId, service = Service} = Ssh]) -> case get_public_key(SigAlg, Ssh) of {ok, {PrivKey,PubKeyBlob}} -> SigAlgStr = atom_to_list(SigAlg), SigData = build_sig_data(SessionId, User, Service, PubKeyBlob, SigAlgStr), Hash = ssh_transport:sha(SigAlg), Sig = ssh_transport:sign(SigData, Hash, PrivKey), SigBlob = list_to_binary([?string(SigAlgStr), ?binary(Sig)]), ssh_transport:ssh_packet( #ssh_msg_userauth_request{user = User, service = Service, method = "publickey", data = [?TRUE, ?string(SigAlgStr), ?binary(PubKeyBlob), ?binary(SigBlob)]}, Ssh); _ -> {not_ok, Ssh} end. %%%---------------------------------------------------------------- service_request_msg(Ssh) -> ssh_transport:ssh_packet(#ssh_msg_service_request{name = "ssh-userauth"}, Ssh#ssh{service = "ssh-userauth"}). %%%---------------------------------------------------------------- init_userauth_request_msg(#ssh{opts = Opts} = Ssh) -> %% Client side case ?GET_OPT(user, Opts) of undefined -> ?DISCONNECT(?SSH_DISCONNECT_ILLEGAL_USER_NAME, "Could not determine the users name"); User -> ssh_transport:ssh_packet( #ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "none", data = <<>>}, Ssh#ssh{user = User, userauth_preference = method_preference(Ssh#ssh.userauth_pubkeys), userauth_methods = none, service = "ssh-connection"} ) end. %%%---------------------------------------------------------------- %%% called by server handle_userauth_request(#ssh_msg_service_request{name = Name = "ssh-userauth"}, _, Ssh) -> {ok, ssh_transport:ssh_packet(#ssh_msg_service_accept{name = Name}, Ssh#ssh{service = "ssh-connection"})}; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "password", data = <>}, _, #ssh{opts = Opts, userauth_supported_methods = Methods} = Ssh) -> Password = unicode:characters_to_list(BinPwd), case check_password(User, Password, Opts, Ssh) of {true,Ssh1} -> {authorized, User, ssh_transport:ssh_packet(#ssh_msg_userauth_success{}, Ssh1)}; {false,Ssh1} -> {not_authorized, {User, {error,"Bad user or password"}}, ssh_transport:ssh_packet(#ssh_msg_userauth_failure{ authentications = Methods, partial_success = false}, Ssh1)} end; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "password", data = <> }, _, #ssh{userauth_supported_methods = Methods} = Ssh) -> %% Password change without us having sent SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (because we never do) %% RFC 4252 says: %% SSH_MSG_USERAUTH_FAILURE without partial success - The password %% has not been changed. Either password changing was not supported, %% or the old password was bad. {not_authorized, {User, {error,"Password change not supported"}}, ssh_transport:ssh_packet(#ssh_msg_userauth_failure{ authentications = Methods, partial_success = false}, Ssh)}; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "none"}, _, #ssh{userauth_supported_methods = Methods} = Ssh) -> {not_authorized, {User, undefined}, ssh_transport:ssh_packet( #ssh_msg_userauth_failure{authentications = Methods, partial_success = false}, Ssh)}; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "publickey", data = <> }, _SessionId, #ssh{opts = Opts, userauth_supported_methods = Methods} = Ssh) -> case pre_verify_sig(User, KeyBlob, Opts) of true -> {not_authorized, {User, undefined}, ssh_transport:ssh_packet( #ssh_msg_userauth_pk_ok{algorithm_name = binary_to_list(BAlg), key_blob = KeyBlob}, Ssh)}; false -> {not_authorized, {User, undefined}, ssh_transport:ssh_packet(#ssh_msg_userauth_failure{ authentications = Methods, partial_success = false}, Ssh)} end; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "publickey", data = <> }, SessionId, #ssh{userauth_supported_methods = Methods} = Ssh) -> case verify_sig(SessionId, User, "ssh-connection", BAlg, KeyBlob, SigWLen, Ssh) of true -> {authorized, User, ssh_transport:ssh_packet( #ssh_msg_userauth_success{}, Ssh)}; false -> {not_authorized, {User, undefined}, ssh_transport:ssh_packet(#ssh_msg_userauth_failure{ authentications = Methods, partial_success = false}, Ssh)} end; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = "keyboard-interactive", data = _}, _, #ssh{opts = Opts, kb_tries_left = KbTriesLeft, userauth_supported_methods = Methods} = Ssh) -> case KbTriesLeft of N when N<1 -> {not_authorized, {User, {authmethod, "keyboard-interactive"}}, ssh_transport:ssh_packet( #ssh_msg_userauth_failure{authentications = Methods, partial_success = false}, Ssh)}; _ -> %% RFC4256 %% The data field contains: %% - language tag (deprecated). If =/=[] SHOULD use it however. We skip %% it for simplicity. %% - submethods. "... the user can give a hint of which actual methods %% he wants to use. ...". It's a "MAY use" so we skip %% it. It also needs an understanding between the client %% and the server. %% %% "The server MUST reply with an SSH_MSG_USERAUTH_SUCCESS, %% SSH_MSG_USERAUTH_FAILURE, or SSH_MSG_USERAUTH_INFO_REQUEST message." Default = {"SSH server", "Enter password for \""++User++"\"", "password: ", false}, {Name, Instruction, Prompt, Echo} = case ?GET_OPT(auth_method_kb_interactive_data, Opts) of undefined -> Default; {_,_,_,_}=V -> V; F when is_function(F) -> {_,PeerName} = Ssh#ssh.peer, F(PeerName, User, "ssh-connection") end, EchoEnc = case Echo of true -> <>; false -> <> end, Msg = #ssh_msg_userauth_info_request{name = unicode:characters_to_list(Name), instruction = unicode:characters_to_list(Instruction), language_tag = "", num_prompts = 1, data = <> }, {not_authorized, {User, undefined}, ssh_transport:ssh_packet(Msg, Ssh#ssh{user = User })} end; handle_userauth_request(#ssh_msg_userauth_request{user = User, service = "ssh-connection", method = Other}, _, #ssh{userauth_supported_methods = Methods} = Ssh) -> {not_authorized, {User, {authmethod, Other}}, ssh_transport:ssh_packet( #ssh_msg_userauth_failure{authentications = Methods, partial_success = false}, Ssh)}. %%%---------------------------------------------------------------- %%% keyboard-interactive client handle_userauth_info_request(#ssh_msg_userauth_info_request{name = Name, instruction = Instr, num_prompts = NumPrompts, data = Data}, #ssh{opts=Opts} = Ssh) -> PromptInfos = decode_keyboard_interactive_prompts(NumPrompts,Data), case keyboard_interact_get_responses(Opts, Name, Instr, PromptInfos) of not_ok -> not_ok; Responses -> {ok, ssh_transport:ssh_packet( #ssh_msg_userauth_info_response{num_responses = NumPrompts, data = Responses}, Ssh)} end. %%%---------------------------------------------------------------- %%% keyboard-interactive server handle_userauth_info_response(#ssh_msg_userauth_info_response{num_responses = 1, data = <>}, #ssh{opts = Opts, kb_tries_left = KbTriesLeft, user = User, userauth_supported_methods = Methods} = Ssh) -> SendOneEmpty = (?GET_OPT(tstflg,Opts) == one_empty) orelse proplists:get_value(one_empty, ?GET_OPT(tstflg,Opts), false), case check_password(User, unicode:characters_to_list(Password), Opts, Ssh) of {true,Ssh1} when SendOneEmpty==true -> Msg = #ssh_msg_userauth_info_request{name = "", instruction = "", language_tag = "", num_prompts = 0, data = <> }, {authorized_but_one_more, User, ssh_transport:ssh_packet(Msg, Ssh1)}; {true,Ssh1} -> {authorized, User, ssh_transport:ssh_packet(#ssh_msg_userauth_success{}, Ssh1)}; {false,Ssh1} -> {not_authorized, {User, {error,"Bad user or password"}}, ssh_transport:ssh_packet(#ssh_msg_userauth_failure{ authentications = Methods, partial_success = false}, Ssh1#ssh{kb_tries_left = max(KbTriesLeft-1, 0)} )} end; handle_userauth_info_response({extra,#ssh_msg_userauth_info_response{}}, #ssh{user = User} = Ssh) -> {authorized, User, ssh_transport:ssh_packet(#ssh_msg_userauth_success{}, Ssh)}; handle_userauth_info_response(#ssh_msg_userauth_info_response{}, _Auth) -> ?DISCONNECT(?SSH_DISCONNECT_SERVICE_NOT_AVAILABLE, "Server does not support keyboard-interactive"). %%-------------------------------------------------------------------- %%% Internal functions %%-------------------------------------------------------------------- method_preference(SigKeyAlgs) -> %% PubKeyAlgs: List of user (client) public key algorithms to try to use. %% All of the acceptable algorithms is the default values. PubKeyDefs = [{"publickey", ?MODULE, publickey_msg, [A]} || A <- SigKeyAlgs], NonPKmethods = [{"password", ?MODULE, password_msg, []}, {"keyboard-interactive", ?MODULE, keyboard_interactive_msg, []} ], PubKeyDefs ++ NonPKmethods. check_password(User, Password, Opts, Ssh) -> case ?GET_OPT(pwdfun, Opts) of undefined -> Static = get_password_option(Opts, User), {Password == Static, Ssh}; Checker when is_function(Checker,2) -> {Checker(User, Password), Ssh}; Checker when is_function(Checker,4) -> #ssh{pwdfun_user_state = PrivateState, peer = {_,PeerAddr={_,_}} } = Ssh, case Checker(User, Password, PeerAddr, PrivateState) of true -> {true,Ssh}; false -> {false,Ssh}; {true,NewState} -> {true, Ssh#ssh{pwdfun_user_state=NewState}}; {false,NewState} -> {false, Ssh#ssh{pwdfun_user_state=NewState}}; disconnect -> ?DISCONNECT(?SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE, "") end end. get_password_option(Opts, User) -> Passwords = ?GET_OPT(user_passwords, Opts), case lists:keysearch(User, 1, Passwords) of {value, {User, Pw}} -> Pw; false -> ?GET_OPT(password, Opts) end. pre_verify_sig(User, KeyBlob, Opts) -> try Key = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception ssh_transport:call_KeyCb(is_auth_key, [Key, User], Opts) catch _:_ -> false end. verify_sig(SessionId, User, Service, AlgBin, KeyBlob, SigWLen, #ssh{opts = Opts} = Ssh) -> try Alg = binary_to_list(AlgBin), Key = public_key:ssh_decode(KeyBlob, ssh2_pubkey), % or exception true = ssh_transport:call_KeyCb(is_auth_key, [Key, User], Opts), PlainText = build_sig_data(SessionId, User, Service, KeyBlob, Alg), <> = SigWLen, <> = AlgSig, ssh_transport:verify(PlainText, ssh_transport:sha(Alg), Sig, Key, Ssh) catch _:_ -> false end. build_sig_data(SessionId, User, Service, KeyBlob, Alg) -> Sig = [?binary(SessionId), ?SSH_MSG_USERAUTH_REQUEST, ?string_utf8(User), ?string(Service), ?binary(<<"publickey">>), ?TRUE, ?string(Alg), ?binary(KeyBlob)], list_to_binary(Sig). key_alg('rsa-sha2-256') -> 'ssh-rsa'; key_alg('rsa-sha2-512') -> 'ssh-rsa'; key_alg(Alg) -> Alg. %%%================================================================ %%% %%% Keyboard-interactive %%% decode_keyboard_interactive_prompts(_NumPrompts, Data) -> ssh_message:decode_keyboard_interactive_prompts(Data, []). keyboard_interact_get_responses(Opts, Name, Instr, PromptInfos) -> keyboard_interact_get_responses(?GET_OPT(user_interaction, Opts), ?GET_OPT(keyboard_interact_fun, Opts), ?GET_OPT(password, Opts), Name, Instr, PromptInfos, Opts). %% Don't re-try an already rejected password. This could happen if both keyboard-interactive %% and password methods are tried: keyboard_interact_get_responses(_, _, not_ok, _, _, _, _) -> not_ok; %% Only one password requestedm and we have got one via the 'password' option for the daemon: keyboard_interact_get_responses(_, undefined, Pwd, _, _, [_], _) when Pwd =/= undefined -> [Pwd]; %% Password auth implemented with keyboard-interaction and passwd is known %% No password requested (keyboard-interactive): keyboard_interact_get_responses(_, _, _, _, _, [], _) -> []; %% user_interaction is forbidden (by option user_interaction) and we have to ask %% the user for one or more. %% Throw an error: keyboard_interact_get_responses(false, undefined, undefined, _, _, [Prompt|_], Opts) -> ssh_no_io:read_line(Prompt, Opts); %% One or more passwords are requested, we may prompt the user and no fun is used %% to get the responses: keyboard_interact_get_responses(true, undefined, _, Name, Instr, PromptInfos, Opts) -> prompt_user_for_passwords(Name, Instr, PromptInfos, Opts); %% The passwords are provided with a fun. Use that one! keyboard_interact_get_responses(true, Fun, _Pwd, Name, Instr, PromptInfos, _Opts) -> keyboard_interact_fun(Fun, Name, Instr, PromptInfos). prompt_user_for_passwords(Name, Instr, PromptInfos, Opts) -> IoCb = ?GET_INTERNAL_OPT(io_cb, Opts), write_if_nonempty(IoCb, Name), write_if_nonempty(IoCb, Instr), lists:map(fun({Prompt, true}) -> IoCb:read_line(Prompt, Opts); ({Prompt, false}) -> IoCb:read_password(Prompt, Opts) end, PromptInfos). keyboard_interact_fun(KbdInteractFun, Name, Instr, PromptInfos) -> case KbdInteractFun(Name, Instr, PromptInfos) of Responses when is_list(Responses), length(Responses) == length(PromptInfos) -> Responses; _ -> nok end. write_if_nonempty(_, "") -> ok; write_if_nonempty(_, <<>>) -> ok; write_if_nonempty(IoCb, Text) -> IoCb:format("~s~n",[Text]).