authordjm@openbsd.org <djm@openbsd.org>2021-12-19 23:08:48 +0100
committerDamien Miller <djm@mindrot.org>2021-12-19 23:24:42 +0100
commite9497ecf73f3c16667288bce48d4e3d7e746fea1 (patch)
treea066c9cb60add52ff97fe31bdc8d631716e0c248 /sshconnect2.c
parentupstream: Record session ID, host key and sig at intital KEX (diff)
upstream: ssh client side of binding
send session ID, hostkey, signature and a flag indicating whether the agent connection is being forwarded to ssh agent each time a connection is opened via a new "session-bind@openssh.com" agent extension. ok markus@ OpenBSD-Commit-ID: 2f154844fe13167d3ab063f830d7455fcaa99135
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c47
1 files changed, 35 insertions, 12 deletions
diff --git a/sshconnect2.c b/sshconnect2.c
index fea50fab6..672938a31 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.351 2021/07/23 05:24:02 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.352 2021/12/19 22:08:48 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -391,7 +391,7 @@ void userauth(struct ssh *, char *);
static void pubkey_cleanup(struct ssh *);
static int sign_and_send_pubkey(struct ssh *ssh, Identity *);
-static void pubkey_prepare(Authctxt *);
+static void pubkey_prepare(struct ssh *, Authctxt *);
static void pubkey_reset(Authctxt *);
static struct sshkey *load_identity_file(Identity *);
@@ -465,7 +465,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
authctxt.mech_tried = 0;
#endif
authctxt.agent_fd = -1;
- pubkey_prepare(&authctxt);
+ pubkey_prepare(ssh, &authctxt);
if (authctxt.method == NULL) {
fatal_f("internal error: cannot send userauth none request");
}
@@ -1631,6 +1631,36 @@ key_type_allowed_by_config(struct sshkey *key)
return 0;
}
+/* obtain a list of keys from the agent */
+static int
+get_agent_identities(struct ssh *ssh, int *agent_fdp,
+ struct ssh_identitylist **idlistp)
+{
+ int r, agent_fd;
+ struct ssh_identitylist *idlist;
+
+ if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
+ if (r != SSH_ERR_AGENT_NOT_PRESENT)
+ debug_fr(r, "ssh_get_authentication_socket");
+ return r;
+ }
+ if ((r = ssh_agent_bind_hostkey(agent_fd, ssh->kex->initial_hostkey,
+ ssh->kex->session_id, ssh->kex->initial_sig, 0)) == 0)
+ debug_f("bound agent to hostkey");
+ else
+ debug2_fr(r, "ssh_agent_bind_hostkey");
+
+ if ((r = ssh_fetch_identitylist(agent_fd, &idlist)) != 0) {
+ debug_fr(r, "ssh_fetch_identitylist");
+ close(agent_fd);
+ return r;
+ }
+ /* success */
+ *agent_fdp = agent_fd;
+ *idlistp = idlist;
+ debug_f("agent returned %zu keys", idlist->nkeys);
+ return 0;
+}
/*
* try keys in the following order:
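Review bot: A failing `ssh_agent_bind_hostkey` in the middle of `get_agent_identities` is only logged at debug2 level and the agent's keys are still fetched and used, so an agent that rejects or does not understand the session-bind extension is accepted as unbound; that is presumably deliberate so agents predating the extension keep working, but nothing in the code says so, and a comment such as `/* bind is advisory: agents without session-bind@openssh.com will fail it, so do not treat failure as fatal */` above the call would make the intent explicit. The trailing literal `0` in that call reads as a magic number; the commit message describes it as the forwarding flag, so `0 /* not a forwarded agent connection */` would document the choice at the only call site in this file. The removed block in the last hunk of this file suppressed the debug message for `SSH_ERR_AGENT_NO_IDENTITIES`, whereas the new helper logs every `ssh_fetch_identitylist` failure before `close(agent_fd)`; if an agent holding no keys returns that code, each connection now emits a debug line, which is a logging change rather than a defect but worth confirming is intended.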
@@ -1641,7 +1671,7 @@ key_type_allowed_by_config(struct sshkey *key)
* 5. keys that are only listed in the config file
*/
static void
-pubkey_prepare(Authctxt *authctxt)
+pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
{
struct identity *id, *id2, *tmp;
struct idlist agent, files, *preferred;
@@ -1703,14 +1733,7 @@ pubkey_prepare(Authctxt *authctxt)
TAILQ_INSERT_TAIL(preferred, id, next);
}
/* list of keys supported by the agent */
- if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
- if (r != SSH_ERR_AGENT_NOT_PRESENT)
- debug_fr(r, "ssh_get_authentication_socket");
- } else if ((r = ssh_fetch_identitylist(agent_fd, &idlist)) != 0) {
- if (r != SSH_ERR_AGENT_NO_IDENTITIES)
- debug_fr(r, "ssh_fetch_identitylist");
- close(agent_fd);
- } else {
+ if ((r = get_agent_identities(ssh, &agent_fd, &idlist)) == 0) {
for (j = 0; j < idlist->nkeys; j++) {
found = 0;
TAILQ_FOREACH(id, &files, next) {