- djm@cvs.openbsd.org 2008/11/04 08:22:13

[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
author: Damien Miller <djm@mindrot.org> 2008-11-05 16:20:46 +1100
committer: Damien Miller <djm@mindrot.org> 2008-11-05 16:20:46 +1100
commit: 01ed2272a1545336173bf3aef66fbccc3494c8d8 (patch)
tree: a77f115d3b8964f0b6fcc604f9dea87d15143d7e /readconf.c
parent: 6f66d34308af787613d5525729953665f26367ee (diff)
1 files changed, 16 insertions, 2 deletions
diff --git a/readconf.c b/readconf.c
index 7f7bbfee2..ba70d9da0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.170 2008/11/03 02:44:41 stevesk Exp $ */
+/* $OpenBSD: readconf.c,v 1.171 2008/11/04 08:22:13 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -130,7 +130,7 @@ typedef enum {
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-        oVisualHostKey,
+        oVisualHostKey, oZeroKnowledgePasswordAuthentication,
        oDeprecated, oUnsupported
 } OpCodes;
@@ -228,6 +228,13 @@ static struct {
        { "localcommand", oLocalCommand },
        { "permitlocalcommand", oPermitLocalCommand },
        { "visualhostkey", oVisualHostKey },
+#ifdef JPAKE
+        { "zeroknowledgepasswordauthentication",
+            oZeroKnowledgePasswordAuthentication },
+#else
+        { "zeroknowledgepasswordauthentication", oUnsupported },
+#endif
        { NULL, oBadOption }
 };
@@ -412,6 +419,10 @@ parse_flag:
                intptr = &options->password_authentication;
                goto parse_flag;
+        case oZeroKnowledgePasswordAuthentication:
+                intptr = &options->zero_knowledge_password_authentication;
+                goto parse_flag;
        case oKbdInteractiveAuthentication:
                intptr = &options->kbd_interactive_authentication;
                goto parse_flag;
@@ -1054,6 +1065,7 @@ initialize_options(Options * options)
        options->local_command = NULL;
        options->permit_local_command = -1;
        options->visual_host_key = -1;
+        options->zero_knowledge_password_authentication = -1;
 }
 /*
@@ -1190,6 +1202,8 @@ fill_default_options(Options * options)
                options->permit_local_command = 0;
        if (options->visual_host_key == -1)
                options->visual_host_key = 0;
+        if (options->zero_knowledge_password_authentication == -1)
+                options->zero_knowledge_password_authentication = 0;
        /* options->local_command should not be set by default */
        /* options->proxy_command should not be set by default */
        /* options->user will be set in the main program if appropriate */
author	Damien Miller <djm@mindrot.org>	2008-11-05 16:20:46 +1100
committer	Damien Miller <djm@mindrot.org>	2008-11-05 16:20:46 +1100
commit	01ed2272a1545336173bf3aef66fbccc3494c8d8 (patch)
tree	a77f115d3b8964f0b6fcc604f9dea87d15143d7e /readconf.c
parent	6f66d34308af787613d5525729953665f26367ee (diff)