diff --git a/ctrl/sbbs.ini b/ctrl/sbbs.ini index 60836fa62a4db4bfa679cf9f89987bbadecbfaee..d50ae0de75c1ece0b3a6bfd86d3436c2c007c011 100644 --- a/ctrl/sbbs.ini +++ b/ctrl/sbbs.ini @@ -173,6 +173,7 @@ ; MUTE ; HAPROXY_PROTO ; ALLOW_SFTP + ; SSH_ANYAUTH Options = XTRN_MINIMIZED | ALLOW_RLOGIN | ALLOW_SSH [Mail] SMTP(S)/POP3(S) Mail Server diff --git a/src/sbbs3/answer.cpp b/src/sbbs3/answer.cpp index c08cd997ab015744d9ecded8e0879d11e733d3cc..c47aa5aa832ed33930d5968c7b02bf4a23591403 100644 --- a/src/sbbs3/answer.cpp +++ b/src/sbbs3/answer.cpp 
@@ -254,88 +254,111 @@ bool sbbs_t::answer() tmp[0]=0; pthread_mutex_lock(&ssh_mutex); - for(ssh_failed=0; ssh_failed < 3; ssh_failed++) { + + if (startup->options & BBS_OPT_SSH_ANYAUTH) { lprintf(LOG_DEBUG, "%04d SSH Setting attribute: SESSINFO_ACTIVE", client_socket); if(cryptStatusError(i=cryptSetAttribute(ssh_session, CRYPT_SESSINFO_ACTIVE, 1))) { log_crypt_error_status_sock(i, "setting session active"); activate_ssh = false; // TODO: Add private key here... - if(i != CRYPT_ENVELOPE_RESOURCE) { - break; + if(i == CRYPT_ENVELOPE_RESOURCE) { + activate_ssh = set_authresponse(true); + lprintf(LOG_DEBUG, "%04d SSH Setting attribute: SESSINFO_ACTIVE", client_socket); + i = cryptSetAttribute(ssh_session, CRYPT_SESSINFO_ACTIVE, 1); + if (cryptStatusError(i)) { + log_crypt_error_status_sock(i, "setting session active"); + activate_ssh = false; + } + else { + SetEvent(ssh_active); + } } } - else { - SetEvent(ssh_active); - break; - } - free_crypt_attrstr(pubkey); - pubkey = nullptr; - pubkeysz = 0; - ctmp = get_crypt_attribute(ssh_session, CRYPT_SESSINFO_USERNAME); - if (ctmp) { - SAFECOPY(rlogin_name, parse_login(ctmp)); - free_crypt_attrstr(ctmp); - ctmp = get_crypt_attribute(ssh_session, CRYPT_SESSINFO_PASSWORD); + } + else { + for(ssh_failed=0; ssh_failed < 3; ssh_failed++) { + lprintf(LOG_DEBUG, "%04d SSH Setting attribute: SESSINFO_ACTIVE", client_socket); + if(cryptStatusError(i=cryptSetAttribute(ssh_session, CRYPT_SESSINFO_ACTIVE, 1))) { + log_crypt_error_status_sock(i, "setting session active"); + activate_ssh = false; + // TODO: Add private key here... 
+ if(i != CRYPT_ENVELOPE_RESOURCE) { + break; + } + } + else { + SetEvent(ssh_active); + break; + } + free_crypt_attrstr(pubkey); + pubkey = nullptr; + pubkeysz = 0; + ctmp = get_crypt_attribute(ssh_session, CRYPT_SESSINFO_USERNAME); if (ctmp) { - SAFECOPY(tmp, ctmp); + SAFECOPY(rlogin_name, parse_login(ctmp)); free_crypt_attrstr(ctmp); + ctmp = get_crypt_attribute(ssh_session, CRYPT_SESSINFO_PASSWORD); + if (ctmp) { + SAFECOPY(tmp, ctmp); + free_crypt_attrstr(ctmp); + } + else { + free_crypt_attrstr(pubkey); + pubkey = get_binary_crypt_attribute(ssh_session, CRYPT_SESSINFO_PUBLICKEY, &pubkeysz); + } + lprintf(LOG_DEBUG,"SSH login: '%s'", rlogin_name); } else { - free_crypt_attrstr(pubkey); - pubkey = get_binary_crypt_attribute(ssh_session, CRYPT_SESSINFO_PUBLICKEY, &pubkeysz); + rlogin_name[0] = 0; + continue; } - lprintf(LOG_DEBUG,"SSH login: '%s'", rlogin_name); - } - else { - rlogin_name[0] = 0; - continue; - } - useron.number = find_login_id(&cfg, rlogin_name); - if(useron.number) { - if (getuserdat(&cfg,&useron) == 0) { - if (pubkey) { - if (check_pubkey(&cfg, useron.number, pubkey, pubkeysz)) { - SAFECOPY(rlogin_pass, tmp); - activate_ssh = set_authresponse(true); + useron.number = find_login_id(&cfg, rlogin_name); + if(useron.number) { + if (getuserdat(&cfg,&useron) == 0) { + if (pubkey) { + if (check_pubkey(&cfg, useron.number, pubkey, pubkeysz)) { + SAFECOPY(rlogin_pass, tmp); + activate_ssh = set_authresponse(true); + } + } + else { + if (stricmp(tmp, useron.pass) == 0) { + SAFECOPY(rlogin_pass, tmp); + activate_ssh = set_authresponse(true); + } + else if(ssh_failed) { + if(cfg.sys_misc&SM_ECHO_PW) + safe_snprintf(str,sizeof(str),"(%04u) %-25s FAILED Password attempt: '%s'" + ,useron.number,useron.alias,tmp); + else + safe_snprintf(str,sizeof(str),"(%04u) %-25s FAILED Password attempt" + ,useron.number,useron.alias); + logline(LOG_NOTICE,"+!",str); + badlogin(useron.alias, tmp); + useron.number=0; + } } } else { - if (stricmp(tmp, useron.pass) == 0) { - 
SAFECOPY(rlogin_pass, tmp); - activate_ssh = set_authresponse(true); - } - else if(ssh_failed) { - if(cfg.sys_misc&SM_ECHO_PW) - safe_snprintf(str,sizeof(str),"(%04u) %-25s FAILED Password attempt: '%s'" - ,useron.number,useron.alias,tmp); - else - safe_snprintf(str,sizeof(str),"(%04u) %-25s FAILED Password attempt" - ,useron.number,useron.alias); - logline(LOG_NOTICE,"+!",str); - badlogin(useron.alias, tmp); - useron.number=0; - } + lprintf(LOG_NOTICE, "SSH failed to read user data for %s", rlogin_name); } } else { - lprintf(LOG_NOTICE, "SSH failed to read user data for %s", rlogin_name); + if(cfg.sys_misc&SM_ECHO_PW) + lprintf(LOG_NOTICE, "SSH !UNKNOWN USER: '%s' (password: %s)", rlogin_name, truncsp(tmp)); + else + lprintf(LOG_NOTICE, "SSH !UNKNOWN USER: '%s'", rlogin_name); + badlogin(rlogin_name, tmp); + // Enable SSH so we can create a new user... + activate_ssh = set_authresponse(true); } + if (pubkey) { + free_crypt_attrstr(pubkey); + pubkey = nullptr; + } + if (!activate_ssh) + set_authresponse(false); } - else { - if(cfg.sys_misc&SM_ECHO_PW) - lprintf(LOG_NOTICE, "SSH !UNKNOWN USER: '%s' (password: %s)", rlogin_name, truncsp(tmp)); - else - lprintf(LOG_NOTICE, "SSH !UNKNOWN USER: '%s'", rlogin_name); - badlogin(rlogin_name, tmp); - // Enable SSH so we can create a new user... - activate_ssh = set_authresponse(true); - } - if (pubkey) { - free_crypt_attrstr(pubkey); - pubkey = nullptr; - } - if (!activate_ssh) - set_authresponse(false); } if (activate_ssh) { int cid; 
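Review bot: The new BBS_OPT_SSH_ANYAUTH branch calls `set_authresponse(true)` without writing anything to the log, whereas the loop branch records `SSH login: '%s'` and the FAILED / !UNKNOWN USER notices, so an operator reading the log cannot tell that cryptlib authentication was bypassed for a session. Add a notice before the accept, e.g. `lprintf(LOG_NOTICE, "%04d SSH accepting credentials unconditionally (SSH_ANYAUTH)", client_socket);`, and consider fetching CRYPT_SESSINFO_USERNAME into a local for that line so the presented name is at least recorded. When `set_authresponse(true)` returns false the branch still goes on to set SESSINFO_ACTIVE; wrapping that in `if (activate_ssh)` keeps it consistent with the loop branch, which answers with `set_authresponse(false)` on failure. The branch leaves `rlogin_name` and `useron.number` untouched, so whatever they hold before this hunk presumably drives the later login; that is outside the hunk and worth confirming. answer() continues beyond both ends of this hunk.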
@@ -388,7 +411,7 @@ bool sbbs_t::answer() } else if (tnamelen == 9 && strncmp(tname, "subsystem", 9) == 0) { i=cryptGetAttributeString(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ARG1, tname, &tnamelen); - if (startup->options&BBS_OPT_ALLOW_SFTP && tnamelen == 4 && strncmp(tname, "sftp", 4) == 0) { + if (((startup->options & (BBS_OPT_ALLOW_SFTP | BBS_OPT_SSH_ANYAUTH)) == BBS_OPT_ALLOW_SFTP) && tnamelen == 4 && strncmp(tname, "sftp", 4) == 0) { if (useron.number) { activate_ssh = init_sftp(cid); cols = 0; diff --git a/src/sbbs3/main.cpp b/src/sbbs3/main.cpp index 876055bc526146af4aa6edf8098bf82573c059fb..7fbc4b20299b484dde935ac185567423b65c47df 100644 --- a/src/sbbs3/main.cpp +++ b/src/sbbs3/main.cpp @@ -1972,7 +1972,7 @@ static int crypt_pop_channel_data(sbbs_t *sbbs, char *inbuf, int want, int *got) if (strcmp(cname, "subsystem") == 0) { ssname = get_crypt_attribute(sbbs->ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_ARG1); } - if (startup->options & BBS_OPT_ALLOW_SFTP && ssname && cname && sbbs->sftp_channel == -1 && strcmp(ssname, "sftp") == 0) { + if (((startup->options & (BBS_OPT_ALLOW_SFTP | BBS_OPT_SSH_ANYAUTH)) == BBS_OPT_ALLOW_SFTP) && ssname && cname && sbbs->sftp_channel == -1 && strcmp(ssname, "sftp") == 0) { if (sbbs->init_sftp(cid)) { if (tgot > 0) { if (!sftps_recv(sbbs->sftp_state, reinterpret_cast<uint8_t *>(inbuf), tgot)) diff --git a/src/sbbs3/startup.h b/src/sbbs3/startup.h index 56ecb0c3ed9ca998f537887c00b8919fd6f78cf3..973743da226a71eadae0d2f699ba9634c3347413 100644 --- a/src/sbbs3/startup.h +++ b/src/sbbs3/startup.h 
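Review bot: The gate `((startup->options & (BBS_OPT_ALLOW_SFTP | BBS_OPT_SSH_ANYAUTH)) == BBS_OPT_ALLOW_SFTP)` is correct but reads as a mask puzzle, and the identical expression is duplicated in the main.cpp hunk (crypt_pop_channel_data), where the two sites can drift apart. Define it once next to the option bits, e.g. `#define BBS_OPT_SFTP_ENABLED(o) (((o) & (BBS_OPT_ALLOW_SFTP | BBS_OPT_SSH_ANYAUTH)) == BBS_OPT_ALLOW_SFTP)`, with a comment giving the reason, which appears to be that SSH_ANYAUTH establishes no SSH-level user identity for an SFTP session to run under. A LOG_INFO line when an "sftp" subsystem request is refused for this reason would also help, since the client otherwise only sees an unexplained channel failure. Both enclosing functions continue outside their hunks.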
@@ -205,6 +205,7 @@ static struct init_field { #define BBS_OPT_NO_NEWDAY_EVENTS (1<<14) /* Don't check for a new day in event thread */ #define BBS_OPT_NO_TELNET (1<<15) /* Don't accept incoming telnet connections */ #define BBS_OPT_ALLOW_SFTP (1<<16) /* Allow logins via BSD SFTP */ +#define BBS_OPT_SSH_ANYAUTH (1<<17) /* Blindly accept any SSH credentials */ #define BBS_OPT_HAPROXY_PROTO (1<<26) /* Incoming requests are via HAproxy */ #define BBS_OPT_NO_RECYCLE (1<<27) /* Disable recycling of server */ #define BBS_OPT_GET_IDENT (1<<28) /* Get Identity (RFC 1413) */ @@ -233,6 +234,7 @@ static ini_bitdesc_t bbs_options[] = { { BBS_OPT_NO_NEWDAY_EVENTS ,"NO_NEWDAY_EVENTS" }, { BBS_OPT_NO_TELNET ,"NO_TELNET" }, { BBS_OPT_ALLOW_SFTP ,"ALLOW_SFTP" }, + { BBS_OPT_SSH_ANYAUTH ,"SSH_ANYAUTH" }, { BBS_OPT_NO_RECYCLE ,"NO_RECYCLE" }, { BBS_OPT_GET_IDENT ,"GET_IDENT" }, { BBS_OPT_NO_JAVASCRIPT ,"NO_JAVASCRIPT" },
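Review bot: The comment `/* Blindly accept any SSH credentials */` on BBS_OPT_SSH_ANYAUTH does not tell an operator what the bit actually changes: per the answer.cpp hunk the SSH password and public-key check is skipped entirely, presumably leaving the BBS's own login prompt as the only gate, and the sftp subsystem is refused even when ALLOW_SFTP is set. Expand it to something like `/* Accept any SSH credentials unchecked; BBS login still applies, SFTP is disabled */` so the header matches the behaviour the other hunks implement. The bbs_options table entry in the second hunk is fine as is.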