summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2001-06-23 22:37:47 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2001-06-23 22:37:47 +0000
commit01672c3384db5b63dc5148f295f0c0381ffa0387 (patch)
tree1761c70f5782dae02d80238424bb16b2ec910c03
parent5c5ccbb4415b224ce1a1bfcaac7245f363f7678c (diff)
consistent with ssh2: skip key if empty passphrase is entered,
retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
-rw-r--r--usr.bin/ssh/sshconnect1.c73
1 files changed, 36 insertions, 37 deletions
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index a03233f28e4..ec0a5c96c10 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.35 2001/06/23 15:12:21 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.36 2001/06/23 22:37:46 markus Exp $");
#include <openssl/bn.h>
#include <openssl/evp.h>
@@ -204,11 +204,9 @@ static int
try_rsa_authentication(const char *authfile)
{
BIGNUM *challenge;
- Key *public;
- Key *private;
- char *passphrase, *comment;
- int type, i;
- int plen, clen;
+ Key *public, *private;
+ char buf[300], *passphrase, *comment;
+ int i, type, quit, plen, clen;
/* Try to load identification for the authentication key. */
/* XXKEYLOAD */
@@ -257,45 +255,46 @@ try_rsa_authentication(const char *authfile)
* fails, ask for a passphrase.
*/
private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
- if (private == NULL) {
- char buf[300];
- snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
- comment);
- if (!options.batch_mode)
+ if (private == NULL && !options.batch_mode) {
+ snprintf(buf, sizeof(buf),
+ "Enter passphrase for RSA key '%.100s': ", comment);
+ for (i = 0; i < options.number_of_password_prompts; i++) {
passphrase = read_passphrase(buf, 0);
- else {
- debug("Will not query passphrase for %.100s in batch mode.",
- comment);
- passphrase = xstrdup("");
- }
-
- /* Load the authentication file using the pasphrase. */
- private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL);
- if (private == NULL) {
+ if (strcmp(passphrase, "") != 0) {
+ private = key_load_private_type(KEY_RSA1,
+ authfile, passphrase, NULL);
+ quit = 0;
+ } else {
+ debug2("no passphrase given, try next key");
+ quit = 1;
+ }
memset(passphrase, 0, strlen(passphrase));
xfree(passphrase);
- error("Bad passphrase.");
-
- /* Send a dummy response packet to avoid protocol error. */
- packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
- for (i = 0; i < 16; i++)
- packet_put_char(0);
- packet_send();
- packet_write_wait();
-
- /* Expect the server to reject it... */
- packet_read_expect(&plen, SSH_SMSG_FAILURE);
- xfree(comment);
- BN_clear_free(challenge);
- return 0;
+ if (private != NULL || quit)
+ break;
+ debug2("bad passphrase given, try again...");
}
- /* Destroy the passphrase. */
- memset(passphrase, 0, strlen(passphrase));
- xfree(passphrase);
}
/* We no longer need the comment. */
xfree(comment);
+ if (private == NULL) {
+ if (!options.batch_mode)
+ error("Bad passphrase.");
+
+ /* Send a dummy response packet to avoid protocol error. */
+ packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+ for (i = 0; i < 16; i++)
+ packet_put_char(0);
+ packet_send();
+ packet_write_wait();
+
+ /* Expect the server to reject it... */
+ packet_read_expect(&plen, SSH_SMSG_FAILURE);
+ BN_clear_free(challenge);
+ return 0;
+ }
+
/* Compute and send a response to the challenge. */
respond_to_rsa_challenge(challenge, private->rsa);