diff options
| author | Damien Miller <djm@mindrot.org> | 2008-11-05 16:20:46 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2008-11-05 16:20:46 +1100 |
| commit | 01ed2272a1545336173bf3aef66fbccc3494c8d8 (patch) | |
| tree | a77f115d3b8964f0b6fcc604f9dea87d15143d7e /auth2.c | |
| parent | 6f66d34308af787613d5525729953665f26367ee (diff) | |
- djm@cvs.openbsd.org 2008/11/04 08:22:13
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
[readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
[sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
[Makefile.in]
Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 12 |
1 files changed, 11 insertions, 1 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */ | 1 | /* $OpenBSD: auth2.c,v 1.120 2008/11/04 08:22:12 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -71,6 +71,9 @@ extern Authmethod method_hostbased; | |||
| 71 | #ifdef GSSAPI | 71 | #ifdef GSSAPI |
| 72 | extern Authmethod method_gssapi; | 72 | extern Authmethod method_gssapi; |
| 73 | #endif | 73 | #endif |
| 74 | #ifdef JPAKE | ||
| 75 | extern Authmethod method_jpake; | ||
| 76 | #endif | ||
| 74 | 77 | ||
| 75 | Authmethod *authmethods[] = { | 78 | Authmethod *authmethods[] = { |
| 76 | &method_none, | 79 | &method_none, |
| @@ -78,6 +81,9 @@ Authmethod *authmethods[] = { | |||
| 78 | #ifdef GSSAPI | 81 | #ifdef GSSAPI |
| 79 | &method_gssapi, | 82 | &method_gssapi, |
| 80 | #endif | 83 | #endif |
| 84 | #ifdef JPAKE | ||
| 85 | &method_jpake, | ||
| 86 | #endif | ||
| 81 | &method_passwd, | 87 | &method_passwd, |
| 82 | &method_kbdint, | 88 | &method_kbdint, |
| 83 | &method_hostbased, | 89 | &method_hostbased, |
| @@ -257,8 +263,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 257 | } | 263 | } |
| 258 | /* reset state */ | 264 | /* reset state */ |
| 259 | auth2_challenge_stop(authctxt); | 265 | auth2_challenge_stop(authctxt); |
| 266 | #ifdef JPAKE | ||
| 267 | auth2_jpake_stop(authctxt); | ||
| 268 | #endif | ||
| 260 | 269 | ||
| 261 | #ifdef GSSAPI | 270 | #ifdef GSSAPI |
| 271 | /* XXX move to auth2_gssapi_stop() */ | ||
| 262 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 272 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| 263 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | 273 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
| 264 | #endif | 274 | #endif |