diff options
author | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 11:05:34 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2005-01-20 11:05:34 +1100 |
commit | 611649ebf093bf030f2dde18103dde8c1af9226c (patch) | |
tree | 123d4895161d5a2b0fe9b07b295ac310d3000bc6 | |
parent | ea7c8127ce64879f81d6267897162a2fbf173124 (diff) |
- dtucker@cvs.openbsd.org 2005/01/19 13:11:47
[auth-bsdauth.c auth2-chall.c]
Have keyboard-interactive code call the drivers even for responses for
invalid logins. This allows the drivers themselves to decide how to
handle them and prevent leaking information where possible. Existing
behaviour for bsdauth is maintained by checking authctxt->valid in the
bsdauth driver. Note that any third-party kbdint drivers will now need
to be able to handle responses for invalid logins. ok markus@
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | auth-bsdauth.c | 5 | ||||
-rw-r--r-- | auth2-chall.c | 11 |
3 files changed, 16 insertions, 10 deletions
@@ -22,6 +22,14 @@ | |||
22 | - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 | 22 | - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 |
23 | [sshd.c] | 23 | [sshd.c] |
24 | Make debugging output continue after reexec; ok djm@ | 24 | Make debugging output continue after reexec; ok djm@ |
25 | - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 | ||
26 | [auth-bsdauth.c auth2-chall.c] | ||
27 | Have keyboard-interactive code call the drivers even for responses for | ||
28 | invalid logins. This allows the drivers themselves to decide how to | ||
29 | handle them and prevent leaking information where possible. Existing | ||
30 | behaviour for bsdauth is maintained by checking authctxt->valid in the | ||
31 | bsdauth driver. Note that any third-party kbdint drivers will now need | ||
32 | to be able to handle responses for invalid logins. ok markus@ | ||
25 | 33 | ||
26 | 20050118 | 34 | 20050118 |
27 | - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement | 35 | - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement |
@@ -1994,4 +2002,4 @@ | |||
1994 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 2002 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
1995 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 2003 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
1996 | 2004 | ||
1997 | $Id: ChangeLog,v 1.3615 2005/01/20 00:03:08 dtucker Exp $ | 2005 | $Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $ |
diff --git a/auth-bsdauth.c b/auth-bsdauth.c index 2ac27a7a2..920c977d8 100644 --- a/auth-bsdauth.c +++ b/auth-bsdauth.c | |||
@@ -22,7 +22,7 @@ | |||
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
23 | */ | 23 | */ |
24 | #include "includes.h" | 24 | #include "includes.h" |
25 | RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $"); | 25 | RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $"); |
26 | 26 | ||
27 | #ifdef BSD_AUTH | 27 | #ifdef BSD_AUTH |
28 | #include "xmalloc.h" | 28 | #include "xmalloc.h" |
@@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses) | |||
83 | Authctxt *authctxt = ctx; | 83 | Authctxt *authctxt = ctx; |
84 | int authok; | 84 | int authok; |
85 | 85 | ||
86 | if (!authctxt->valid) | ||
87 | return -1; | ||
88 | |||
86 | if (authctxt->as == 0) | 89 | if (authctxt->as == 0) |
87 | error("bsdauth_respond: no bsd auth session"); | 90 | error("bsdauth_respond: no bsd auth session"); |
88 | 91 | ||
diff --git a/auth2-chall.c b/auth2-chall.c index 486baaaa3..29234439c 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
@@ -23,7 +23,7 @@ | |||
23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | */ | 24 | */ |
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $"); | 26 | RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $"); |
27 | 27 | ||
28 | #include "ssh2.h" | 28 | #include "ssh2.h" |
29 | #include "auth.h" | 29 | #include "auth.h" |
@@ -274,12 +274,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
274 | } | 274 | } |
275 | packet_check_eom(); | 275 | packet_check_eom(); |
276 | 276 | ||
277 | if (authctxt->valid) { | 277 | res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); |
278 | res = kbdintctxt->device->respond(kbdintctxt->ctxt, | ||
279 | nresp, response); | ||
280 | } else { | ||
281 | res = -1; | ||
282 | } | ||
283 | 278 | ||
284 | for (i = 0; i < nresp; i++) { | 279 | for (i = 0; i < nresp; i++) { |
285 | memset(response[i], 'r', strlen(response[i])); | 280 | memset(response[i], 'r', strlen(response[i])); |
@@ -291,7 +286,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
291 | switch (res) { | 286 | switch (res) { |
292 | case 0: | 287 | case 0: |
293 | /* Success! */ | 288 | /* Success! */ |
294 | authenticated = 1; | 289 | authenticated = authctxt->valid ? 1 : 0; |
295 | break; | 290 | break; |
296 | case 1: | 291 | case 1: |
297 | /* Authentication needs further interaction */ | 292 | /* Authentication needs further interaction */ |