Merge branch 'devel' of https://github.com/bhart3/libnetconf2 into devel

michalvasko · michalvasko · commit 85744b2a126d · 2018-07-03T13:02:24.000+02:00
diff --git a/src/session_p.h b/src/session_p.h
@@ -169,6 +169,14 @@ struct nc_server_opts {
     int (*passwd_auth_clb)(const struct nc_session *session, const char *password, void *user_data);
     void *passwd_auth_data;
     void (*passwd_auth_data_free)(void *data);
+
+    int (*pubkey_auth_clb)(const struct nc_session *session, ssh_key key, void *user_data);
+    void *pubkey_auth_data;
+    void (*pubkey_auth_data_free)(void *data);
+
+    int (*interactive_auth_clb)(const struct nc_session *session, ssh_message msg, void *user_data);
+    void *interactive_auth_data;
+    void (*interactive_auth_data_free)(void *data);
 #endif
 #ifdef NC_ENABLED_TLS
     int (*user_verify_clb)(const struct nc_session *session);
diff --git a/src/session_server.h b/src/session_server.h
@@ -22,6 +22,12 @@
 #   include <openssl/x509.h>
 #endif
 
+#ifdef NC_ENABLED_SSH
+#   include <libssh/libssh.h>
+#   include <libssh/callbacks.h>
+#   include <libssh/server.h>
+#endif
+
 #include "session.h"
 #include "netconf.h"
 
@@ -507,6 +513,29 @@ void nc_server_ssh_set_passwd_auth_clb(int (*passwd_auth_clb)(const struct nc_se
                                                               void *user_data),
                                        void *user_data, void (*free_user_data)(void *user_data));
 
+/**
+ * @brief Set the callback for SSH interactive authentication. If none is set, local system users are used.
+ *
+ * @param[in] interactive_auth_clb Callback that should authenticate the user.
+ *                            Zero return indicates success, non-zero an error.
+ * @param[in] user_data Optional arbitrary user data that will be passed to \p passwd_auth_clb.
+ * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
+ */
+void ncserver_ssh_set_interactive_auth_clb(int (*interactive_auth_clb)(const struct nc_session *session, const struct ssh_message msg,
+                                                              void *user_data),
+                                           void *user_data, void (*free_user_data)(void *user_data));
+
+/**
+ * @brief Set the callback for SSH public key authentication. If none is set, local system users are used.
+ *
+ * @param[in] pubkey_auth_clb Callback that should authenticate the user.
+ *                            Zero return indicates success, non-zero an error.
+ * @param[in] user_data Optional arbitrary user data that will be passed to \p passwd_auth_clb.
+ * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
+ */
+ void ncserver_ssh_set_pubkey_auth_clb(int (*pubkey_auth_clb)(const struct nc_session *session, ssh_key key, void *user_data),
+                                       void *user_data, void (*free_user_data)(void *user_data));
+
 /**
  * @brief Set the callback for retrieving host keys. Any RSA, DSA, and ECDSA keys can be added. However,
  *        a maximum of one key of each type will be used during SSH authentication, later keys replacing
diff --git a/src/session_server_ssh.c b/src/session_server_ssh.c
@@ -142,6 +142,25 @@ nc_server_ssh_set_passwd_auth_clb(int (*passwd_auth_clb)(const struct nc_session
     server_opts.passwd_auth_data_free = free_user_data;
 }
 
+API void
+nc_server_ssh_set_interactive_auth_clb(int (*interactive_auth_clb)(const struct nc_session *session, ssh_message msg, void *user_data),
+                                  void *user_data, void (*free_user_data)(void *user_data))
+{
+    server_opts.interactive_auth_clb = interactive_auth_clb;
+    server_opts.interactive_auth_data = user_data;
+    server_opts.interactive_auth_data_free = free_user_data;
+}
+ 
+API void
+nc_server_ssh_set_pubkey_auth_clb(int (*pubkey_auth_clb)(const struct nc_session *session, ssh_key key, void *user_data),
+                                  void *user_data, void (*free_user_data)(void *user_data))
+{
+    server_opts.pubkey_auth_clb = pubkey_auth_clb;
+    server_opts.pubkey_auth_data = user_data;
+    server_opts.pubkey_auth_data_free = free_user_data;
+}
+
+
 API int
 nc_server_ssh_ch_client_add_hostkey(const char *client_name, const char *name, int16_t idx)
 {
@@ -825,33 +844,39 @@ nc_sshcb_auth_password(struct nc_session *session, ssh_message msg)
 static void
 nc_sshcb_auth_kbdint(struct nc_session *session, ssh_message msg)
 {
+    int auth_ret = 1;
     char *pass_hash;
 
-    if (!ssh_message_auth_kbdint_is_response(msg)) {
-        const char *prompts[] = {"Password: "};
-        char echo[] = {0};
-
-        ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo);
+    if (server_opts.interactive_auth_clb) {
+        auth_ret = server_opts.interactive_auth_clb(session, msg, server_opts.interactive_auth_data);  
     } else {
-        if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {
-            ssh_message_reply_default(msg);
-            return;
-        }
-        pass_hash = auth_password_get_pwd_hash(session->username);
-        if (!pass_hash) {
-            ssh_message_reply_default(msg);
-            return;
-        }
-        if (!auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0))) {
-            VRB("User \"%s\" authenticated.", session->username);
-            session->flags |= NC_SESSION_SSH_AUTHENTICATED;
-            ssh_message_auth_reply_success(msg, 0);
+        if (!ssh_message_auth_kbdint_is_response(msg)) {
+            const char *prompts[] = {"Password: "};
+            char echo[] = {0};
+
+            ssh_message_auth_interactive_request(msg, "Interactive SSH Authentication", "Type your password:", 1, prompts, echo);
         } else {
-            ++session->opts.server.ssh_auth_attempts;
-            VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->opts.server.ssh_auth_attempts);
-            ssh_message_reply_default(msg);
+            if (ssh_userauth_kbdint_getnanswers(session->ti.libssh.session) != 1) {// failed session
+                ssh_message_reply_default(msg);
+                return;
+            }
+            pass_hash = auth_password_get_pwd_hash(session->username);// get hashed password
+            if (pass_hash) {
+                auth_ret = auth_password_compare_pwd(pass_hash, ssh_userauth_kbdint_getanswer(session->ti.libssh.session, 0));
+                free(pass_hash);// free hashed password
+            }
         }
-        free(pass_hash);
+    }
+
+    /* Authenticate message based on outcome */
+    if (!auth_ret) {
+        session->flags |= NC_SESSION_SSH_AUTHENTICATED;
+        VRB("User \"%s\" authenticated.", session->username);
+        ssh_message_auth_reply_success(msg, 0);
+    } else {
+        ++session->opts.server.ssh_auth_attempts;
+        VRB("Failed user \"%s\" authentication attempt (#%d).", session->username, session->opts.server.ssh_auth_attempts);
+        ssh_message_reply_default(msg);
     }
 }
 
@@ -914,12 +939,19 @@ nc_sshcb_auth_pubkey(struct nc_session *session, ssh_message msg)
     const char *username;
     int signature_state;
 
-    if ((username = auth_pubkey_compare_key(ssh_message_auth_pubkey(msg))) == NULL) {
-        VRB("User \"%s\" tried to use an unknown (unauthorized) public key.", session->username);
-        goto fail;
-    } else if (strcmp(session->username, username)) {
-        VRB("User \"%s\" is not the username identified with the presented public key.", session->username);
-        goto fail;
+    if(server_opts.pubkey_auth_clb){
+        if(server_opts.pubkey_auth_clb(session, ssh_message_auth_pubkey(msg), server_opts.pubkey_auth_data)){
+            goto fail;
+        }
+    }
+    else{
+        if ((username = auth_pubkey_compare_key(ssh_message_auth_pubkey(msg))) == NULL) {
+            VRB("User \"%s\" tried to use an unknown (unauthorized) public key.", session->username);
+            goto fail;
+        } else if (strcmp(session->username, username)) {
+            VRB("User \"%s\" is not the username identified with the presented public key.", session->username);
+            goto fail;
+        }
     }
 
     signature_state = ssh_message_auth_publickey_state(msg);
