-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | auth-chall.c | 110 | ||||
-rw-r--r-- | auth.h | 27 | ||||
-rw-r--r-- | auth1.c | 9 | ||||
-rw-r--r-- | auth2-chall.c | 279 | ||||
-rw-r--r-- | auth2.c | 14 | ||||
-rw-r--r-- | readconf.c | 10 | ||||
-rw-r--r-- | readconf.h | 4 | ||||
-rw-r--r-- | servconf.c | 10 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | sshconnect1.c | 8 | ||||
-rw-r--r-- | sshconnect2.c | 5 | ||||
-rw-r--r-- | sshd.c | 4 |
13 files changed, 347 insertions, 146 deletions
@@ -3,7 +3,12 @@ | |||
3 | - markus@cvs.openbsd.org 2001/05/17 21:34:15 | 3 | - markus@cvs.openbsd.org 2001/05/17 21:34:15 |
4 | [ssh.1] | 4 | [ssh.1] |
5 | no spaces in PreferredAuthentications; | 5 | no spaces in PreferredAuthentications; |
6 | meixner@rbg.informatik.tu-darmstadt.de | 6 | meixner@rbg.informatik.tu-darmstadt.de |
7 | - markus@cvs.openbsd.org 2001/05/18 14:13:29 | ||
8 | [auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c | ||
9 | readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c] | ||
10 | improved kbd-interactive support. work by per@appgate.com and me | ||
11 | |||
7 | 20010528 | 12 | 20010528 |
8 | - (tim) [conifgure.in] add setvbuf test needed for sftp-int.c | 13 | - (tim) [conifgure.in] add setvbuf test needed for sftp-int.c |
9 | Patch by Corinna Vinschen <vinschen@redhat.com> | 14 | Patch by Corinna Vinschen <vinschen@redhat.com> |
@@ -5433,4 +5438,4 @@ | |||
5433 | - Wrote replacements for strlcpy and mkdtemp | 5438 | - Wrote replacements for strlcpy and mkdtemp |
5434 | - Released 1.0pre1 | 5439 | - Released 1.0pre1 |
5435 | 5440 | ||
5436 | $Id: ChangeLog,v 1.1227 2001/06/05 18:39:10 mouring Exp $ | 5441 | $Id: ChangeLog,v 1.1228 2001/06/05 18:56:16 mouring Exp $ |
diff --git a/auth-chall.c b/auth-chall.c index f3502f4ee..45e0c3452 100644 --- a/auth-chall.c +++ b/auth-chall.c | |||
@@ -23,82 +23,60 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth-chall.c,v 1.7 2001/04/05 10:42:47 markus Exp $"); | 26 | RCSID("$OpenBSD: auth-chall.c,v 1.8 2001/05/18 14:13:28 markus Exp $"); |
27 | 27 | ||
28 | #include "auth.h" | 28 | #include "auth.h" |
29 | #include "log.h" | 29 | #include "log.h" |
30 | #include "xmalloc.h" | ||
30 | 31 | ||
31 | #ifdef BSD_AUTH | 32 | /* limited protocol v1 interface to kbd-interactive authentication */ |
32 | char * | ||
33 | get_challenge(Authctxt *authctxt, char *devs) | ||
34 | { | ||
35 | char *challenge; | ||
36 | 33 | ||
37 | if (authctxt->as != NULL) { | 34 | extern KbdintDevice *devices[]; |
38 | debug2("try reuse session"); | 35 | static KbdintDevice *device; |
39 | challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE); | ||
40 | if (challenge != NULL) { | ||
41 | debug2("reuse bsd auth session"); | ||
42 | return challenge; | ||
43 | } | ||
44 | auth_close(authctxt->as); | ||
45 | authctxt->as = NULL; | ||
46 | } | ||
47 | debug2("new bsd auth session"); | ||
48 | if (devs == NULL || strlen(devs) == 0) | ||
49 | devs = authctxt->style; | ||
50 | debug3("bsd auth: devs %s", devs ? devs : "<default>"); | ||
51 | authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh", | ||
52 | &challenge); | ||
53 | if (authctxt->as == NULL) | ||
54 | return NULL; | ||
55 | debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY"); | ||
56 | return challenge; | ||
57 | } | ||
58 | int | ||
59 | verify_response(Authctxt *authctxt, char *response) | ||
60 | { | ||
61 | int authok; | ||
62 | |||
63 | if (authctxt->as == 0) | ||
64 | error("verify_response: no bsd auth session"); | ||
65 | authok = auth_userresponse(authctxt->as, response, 0); | ||
66 | authctxt->as = NULL; | ||
67 | debug("verify_response: <%s> = <%d>", response, authok); | ||
68 | return authok != 0; | ||
69 | } | ||
70 | #else | ||
71 | #ifdef SKEY | ||
72 | #include <skey.h> | ||
73 | 36 | ||
74 | char * | 37 | char * |
75 | get_challenge(Authctxt *authctxt, char *devs) | 38 | get_challenge(Authctxt *authctxt) |
76 | { | 39 | { |
77 | static char challenge[1024]; | 40 | char *challenge, *name, *info, **prompts; |
78 | struct skey skey; | 41 | u_int i, numprompts; |
79 | if (skeychallenge(&skey, authctxt->user, challenge) == -1) | 42 | u_int *echo_on; |
43 | |||
44 | device = devices[0]; /* we always use the 1st device for protocol 1 */ | ||
45 | if (device == NULL) | ||
80 | return NULL; | 46 | return NULL; |
81 | strlcat(challenge, "\nS/Key Password: ", sizeof challenge); | 47 | if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL) |
82 | return challenge; | 48 | return NULL; |
83 | } | 49 | if (device->query(authctxt->kbdintctxt, &name, &info, |
84 | int | 50 | &numprompts, &prompts, &echo_on)) { |
85 | verify_response(Authctxt *authctxt, char *response) | 51 | device->free_ctx(authctxt->kbdintctxt); |
86 | { | 52 | authctxt->kbdintctxt = NULL; |
87 | return (authctxt->valid && | 53 | return NULL; |
88 | skey_haskey(authctxt->pw->pw_name) == 0 && | 54 | } |
89 | skey_passcheck(authctxt->pw->pw_name, response) != -1); | 55 | if (numprompts < 1) |
90 | } | 56 | fatal("get_challenge: numprompts < 1"); |
91 | #else | 57 | challenge = xstrdup(prompts[0]); |
92 | /* not available */ | 58 | for (i = 0; i < numprompts; i++) |
93 | char * | 59 | xfree(prompts[i]); |
94 | get_challenge(Authctxt *authctxt, char *devs) | 60 | xfree(prompts); |
95 | { | 61 | xfree(name); |
96 | return NULL; | 62 | xfree(echo_on); |
63 | xfree(info); | ||
64 | |||
65 | return (challenge); | ||
97 | } | 66 | } |
98 | int | 67 | int |
99 | verify_response(Authctxt *authctxt, char *response) | 68 | verify_response(Authctxt *authctxt, const char *response) |
100 | { | 69 | { |
101 | return 0; | 70 | char *resp[1]; |
71 | int res; | ||
72 | |||
73 | if (device == NULL) | ||
74 | return 0; | ||
75 | if (authctxt->kbdintctxt == NULL) | ||
76 | return 0; | ||
77 | resp[0] = (char *)response; | ||
78 | res = device->respond(authctxt->kbdintctxt, 1, resp); | ||
79 | device->free_ctx(authctxt->kbdintctxt); | ||
80 | authctxt->kbdintctxt = NULL; | ||
81 | return res ? 0 : 1; | ||
102 | } | 82 | } |
103 | #endif | ||
104 | #endif | ||
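Review bot: The new `get_challenge` at new line 47 stores `device->init_ctx(authctxt)` straight into `authctxt->kbdintctxt` without checking whether a context from an earlier, still-unanswered challenge is already there, so if the client sends another SSH_CMSG_AUTH_TIS before an SSH_CMSG_AUTH_TIS_RESPONSE the previous device context is leaked (the removed BSD_AUTH code explicitly closed the old session first). Releasing it before re-initialising, `if (authctxt->kbdintctxt != NULL) device->free_ctx(authctxt->kbdintctxt);`, restores that behaviour. `verify_response` also casts away `const` with `resp[0] = (char *)response;` to fit the `char **responses` shape of `respond`; a comment there stating that devices must treat the response strings as read-only would make that contract explicit, since auth.h does not say so.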
@@ -21,7 +21,7 @@ | |||
21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
23 | * | 23 | * |
24 | * $OpenBSD: auth.h,v 1.15 2001/04/12 19:15:24 markus Exp $ | 24 | * $OpenBSD: auth.h,v 1.16 2001/05/18 14:13:28 markus Exp $ |
25 | */ | 25 | */ |
26 | #ifndef AUTH_H | 26 | #ifndef AUTH_H |
27 | #define AUTH_H | 27 | #define AUTH_H |
@@ -36,6 +36,8 @@ | |||
36 | #endif | 36 | #endif |
37 | 37 | ||
38 | typedef struct Authctxt Authctxt; | 38 | typedef struct Authctxt Authctxt; |
39 | typedef struct KbdintDevice KbdintDevice; | ||
40 | |||
39 | struct Authctxt { | 41 | struct Authctxt { |
40 | int success; | 42 | int success; |
41 | int postponed; | 43 | int postponed; |
@@ -46,12 +48,31 @@ struct Authctxt { | |||
46 | char *service; | 48 | char *service; |
47 | struct passwd *pw; | 49 | struct passwd *pw; |
48 | char *style; | 50 | char *style; |
51 | void *kbdintctxt; | ||
49 | #ifdef BSD_AUTH | 52 | #ifdef BSD_AUTH |
50 | auth_session_t *as; | 53 | auth_session_t *as; |
51 | #endif | 54 | #endif |
52 | }; | 55 | }; |
53 | 56 | ||
54 | /* | 57 | /* |
58 | * Keyboard interactive device: | ||
59 | * init_ctx returns: non NULL upon success | ||
60 | * query returns: 0 - success, otherwise failure | ||
61 | * respond returns: 0 - success, 1 - need further interaction, | ||
62 | * otherwise - failure | ||
63 | */ | ||
64 | struct KbdintDevice | ||
65 | { | ||
66 | const char *name; | ||
67 | void* (*init_ctx) __P((Authctxt*)); | ||
68 | int (*query) __P((void *ctx, char **name, char **infotxt, | ||
69 | u_int *numprompts, char ***prompts, | ||
70 | u_int **echo_on)); | ||
71 | int (*respond) __P((void *ctx, u_int numresp, char **responses)); | ||
72 | void (*free_ctx) __P((void *ctx)); | ||
73 | }; | ||
74 | |||
75 | /* | ||
55 | * Tries to authenticate the user using the .rhosts file. Returns true if | 76 | * Tries to authenticate the user using the .rhosts file. Returns true if |
56 | * authentication succeeds. If ignore_rhosts is non-zero, this will not | 77 | * authentication succeeds. If ignore_rhosts is non-zero, this will not |
57 | * consider .rhosts and .shosts (/etc/hosts.equiv will still be used). | 78 | * consider .rhosts and .shosts (/etc/hosts.equiv will still be used). |
@@ -133,8 +154,8 @@ int auth2_challenge(Authctxt *authctxt, char *devs); | |||
133 | 154 | ||
134 | int allowed_user(struct passwd * pw); | 155 | int allowed_user(struct passwd * pw); |
135 | 156 | ||
136 | char *get_challenge(Authctxt *authctxt, char *devs); | 157 | char *get_challenge(Authctxt *authctxt); |
137 | int verify_response(Authctxt *authctxt, char *response); | 158 | int verify_response(Authctxt *authctxt, const char *response); |
138 | 159 | ||
139 | struct passwd * auth_get_user(void); | 160 | struct passwd * auth_get_user(void); |
140 | 161 | ||
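Review bot: The KbdintDevice comment at new lines 57-63 documents return codes but not who owns the buffers `query` hands back, and the `get_challenge` prototype at new line 157 does not say the returned string is now heap-allocated, even though auth-chall.c and auth1.c in this same commit xfree everything they receive. Extend the struct comment with `query: caller frees name, infotxt, each prompts[i], prompts and echo_on with xfree` and add above the prototype `/* returns an xstrdup'd challenge the caller must xfree, or NULL on failure */`. It would also help to note that `respond` may be called with a `numresp` that differs from the number of prompts issued, since the protocol 2 handler passes whatever count the client sent.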
@@ -10,7 +10,7 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include "includes.h" | 12 | #include "includes.h" |
13 | RCSID("$OpenBSD: auth1.c,v 1.22 2001/03/23 12:02:49 markus Exp $"); | 13 | RCSID("$OpenBSD: auth1.c,v 1.23 2001/05/18 14:13:28 markus Exp $"); |
14 | 14 | ||
15 | #include "xmalloc.h" | 15 | #include "xmalloc.h" |
16 | #include "rsa.h" | 16 | #include "rsa.h" |
@@ -271,12 +271,13 @@ do_authloop(Authctxt *authctxt) | |||
271 | 271 | ||
272 | case SSH_CMSG_AUTH_TIS: | 272 | case SSH_CMSG_AUTH_TIS: |
273 | debug("rcvd SSH_CMSG_AUTH_TIS"); | 273 | debug("rcvd SSH_CMSG_AUTH_TIS"); |
274 | if (options.challenge_reponse_authentication == 1) { | 274 | if (options.challenge_response_authentication == 1) { |
275 | char *challenge = get_challenge(authctxt, authctxt->style); | 275 | char *challenge = get_challenge(authctxt); |
276 | if (challenge != NULL) { | 276 | if (challenge != NULL) { |
277 | debug("sending challenge '%s'", challenge); | 277 | debug("sending challenge '%s'", challenge); |
278 | packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); | 278 | packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); |
279 | packet_put_cstring(challenge); | 279 | packet_put_cstring(challenge); |
280 | xfree(challenge); | ||
280 | packet_send(); | 281 | packet_send(); |
281 | packet_write_wait(); | 282 | packet_write_wait(); |
282 | continue; | 283 | continue; |
@@ -285,7 +286,7 @@ do_authloop(Authctxt *authctxt) | |||
285 | break; | 286 | break; |
286 | case SSH_CMSG_AUTH_TIS_RESPONSE: | 287 | case SSH_CMSG_AUTH_TIS_RESPONSE: |
287 | debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); | 288 | debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); |
288 | if (options.challenge_reponse_authentication == 1) { | 289 | if (options.challenge_response_authentication == 1) { |
289 | char *response = packet_get_string(&dlen); | 290 | char *response = packet_get_string(&dlen); |
290 | debug("got response '%s'", response); | 291 | debug("got response '%s'", response); |
291 | packet_integrity_check(plen, 4 + dlen, type); | 292 | packet_integrity_check(plen, 4 + dlen, type); |
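Review bot: The SSH_CMSG_AUTH_TIS_RESPONSE branch still logs the client's answer verbatim with `debug("got response '%s'", response);` at new line 291, while the protocol 2 path added in this same commit (auth2-chall.c) overwrites each response with 'r' before freeing it, i.e. treats it as a credential. That line predates this change but sits in the modified hunk; reducing it to `debug("got response");` keeps the trace without writing a one-time password to the log. The enclosing `do_authloop` starts and ends outside the hunk.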
diff --git a/auth2-chall.c b/auth2-chall.c index 5af60e42f..ad4f7ac42 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
@@ -1,5 +1,6 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 2 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
3 | * Copyright (c) 2001 Per Allansson. All rights reserved. | ||
3 | * | 4 | * |
4 | * Redistribution and use in source and binary forms, with or without | 5 | * Redistribution and use in source and binary forms, with or without |
5 | * modification, are permitted provided that the following conditions | 6 | * modification, are permitted provided that the following conditions |
@@ -22,91 +23,285 @@ | |||
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
23 | */ | 24 | */ |
24 | #include "includes.h" | 25 | #include "includes.h" |
25 | RCSID("$OpenBSD: auth2-chall.c,v 1.4 2001/03/28 22:43:31 markus Exp $"); | 26 | RCSID("$OpenBSD: auth2-chall.c,v 1.5 2001/05/18 14:13:28 markus Exp $"); |
26 | 27 | ||
27 | #include "ssh2.h" | 28 | #include "ssh2.h" |
28 | #include "auth.h" | 29 | #include "auth.h" |
29 | #include "packet.h" | 30 | #include "packet.h" |
30 | #include "xmalloc.h" | 31 | #include "xmalloc.h" |
31 | #include "dispatch.h" | 32 | #include "dispatch.h" |
33 | #include "auth.h" | ||
32 | #include "log.h" | 34 | #include "log.h" |
33 | 35 | ||
34 | void send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo); | 36 | static int auth2_challenge_start(Authctxt *authctxt); |
35 | void input_userauth_info_response(int type, int plen, void *ctxt); | 37 | static int send_userauth_info_request(Authctxt *authctxt); |
38 | static void input_userauth_info_response(int type, int plen, void *ctxt); | ||
39 | |||
40 | #ifdef BSD_AUTH | ||
41 | extern KbdintDevice bsdauth_device; | ||
42 | #else | ||
43 | #ifdef SKEY | ||
44 | extern KbdintDevice skey_device; | ||
45 | #endif | ||
46 | #endif | ||
47 | |||
48 | KbdintDevice *devices[] = { | ||
49 | #ifdef BSD_AUTH | ||
50 | &bsdauth_device, | ||
51 | #else | ||
52 | #ifdef SKEY | ||
53 | &skey_device, | ||
54 | #endif | ||
55 | #endif | ||
56 | NULL | ||
57 | }; | ||
58 | |||
59 | typedef struct KbdintAuthctxt KbdintAuthctxt; | ||
60 | struct KbdintAuthctxt | ||
61 | { | ||
62 | char *devices; | ||
63 | void *ctxt; | ||
64 | KbdintDevice *device; | ||
65 | }; | ||
66 | |||
67 | KbdintAuthctxt * | ||
68 | kbdint_alloc(const char *devs) | ||
69 | { | ||
70 | KbdintAuthctxt *kbdintctxt; | ||
71 | int i; | ||
72 | char buf[1024]; | ||
73 | |||
74 | kbdintctxt = xmalloc(sizeof(KbdintAuthctxt)); | ||
75 | if (strcmp(devs, "") == 0) { | ||
76 | buf[0] = '\0'; | ||
77 | for (i = 0; devices[i]; i++) { | ||
78 | if (i != 0) | ||
79 | strlcat(buf, ",", sizeof(buf)); | ||
80 | strlcat(buf, devices[i]->name, sizeof(buf)); | ||
81 | } | ||
82 | debug("kbdint_alloc: devices '%s'", buf); | ||
83 | kbdintctxt->devices = xstrdup(buf); | ||
84 | } else { | ||
85 | kbdintctxt->devices = xstrdup(devs); | ||
86 | } | ||
87 | kbdintctxt->ctxt = NULL; | ||
88 | kbdintctxt->device = NULL; | ||
89 | |||
90 | return kbdintctxt; | ||
91 | } | ||
92 | void | ||
93 | kbdint_reset_device(KbdintAuthctxt *kbdintctxt) | ||
94 | { | ||
95 | if (kbdintctxt->ctxt) { | ||
96 | kbdintctxt->device->free_ctx(kbdintctxt->ctxt); | ||
97 | kbdintctxt->ctxt = NULL; | ||
98 | } | ||
99 | kbdintctxt->device = NULL; | ||
100 | } | ||
101 | void | ||
102 | kbdint_free(KbdintAuthctxt *kbdintctxt) | ||
103 | { | ||
104 | if (kbdintctxt->device) | ||
105 | kbdint_reset_device(kbdintctxt); | ||
106 | if (kbdintctxt->devices) { | ||
107 | xfree(kbdintctxt->devices); | ||
108 | kbdintctxt->devices = NULL; | ||
109 | } | ||
110 | xfree(kbdintctxt); | ||
111 | } | ||
112 | /* get next device */ | ||
113 | int | ||
114 | kbdint_next_device(KbdintAuthctxt *kbdintctxt) | ||
115 | { | ||
116 | size_t len; | ||
117 | char *t; | ||
118 | int i; | ||
119 | |||
120 | if (kbdintctxt->device) | ||
121 | kbdint_reset_device(kbdintctxt); | ||
122 | do { | ||
123 | len = kbdintctxt->devices ? | ||
124 | strcspn(kbdintctxt->devices, ",") : 0; | ||
125 | |||
126 | if (len == 0) | ||
127 | break; | ||
128 | for (i = 0; devices[i]; i++) | ||
129 | if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) | ||
130 | kbdintctxt->device = devices[i]; | ||
131 | t = kbdintctxt->devices; | ||
132 | kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; | ||
133 | xfree(t); | ||
134 | debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? | ||
135 | kbdintctxt->devices : "<empty>"); | ||
136 | } while (kbdintctxt->devices && !kbdintctxt->device); | ||
137 | |||
138 | return kbdintctxt->device ? 1 : 0; | ||
139 | } | ||
36 | 140 | ||
37 | /* | 141 | /* |
38 | * try challenge-reponse, return -1 (= postponed) if we have to | 142 | * try challenge-reponse, set authctxt->postponed if we have to |
39 | * wait for the response. | 143 | * wait for the response. |
40 | */ | 144 | */ |
41 | int | 145 | int |
42 | auth2_challenge(Authctxt *authctxt, char *devs) | 146 | auth2_challenge(Authctxt *authctxt, char *devs) |
43 | { | 147 | { |
44 | char *challenge; | 148 | debug("auth2_challenge: user=%s devs=%s", |
149 | authctxt->user ? authctxt->user : "<nouser>", | ||
150 | devs ? devs : "<no devs>"); | ||
151 | |||
152 | if (!authctxt->valid || authctxt->user == NULL || !devs) | ||
153 | return 0; | ||
154 | if (authctxt->kbdintctxt == NULL) | ||
155 | authctxt->kbdintctxt = kbdint_alloc(devs); | ||
156 | return auth2_challenge_start(authctxt); | ||
157 | } | ||
158 | |||
159 | /* side effect: sets authctxt->postponed if a reply was sent*/ | ||
160 | static int | ||
161 | auth2_challenge_start(Authctxt *authctxt) | ||
162 | { | ||
163 | KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt; | ||
164 | |||
165 | debug2("auth2_challenge_start: devices %s", | ||
166 | kbdintctxt->devices ? kbdintctxt->devices : "<empty>"); | ||
167 | |||
168 | if (kbdint_next_device(kbdintctxt) == 0) { | ||
169 | kbdint_free(kbdintctxt); | ||
170 | authctxt->kbdintctxt = NULL; | ||
171 | return 0; | ||
172 | } | ||
173 | debug("auth2_challenge_start: trying authentication method '%s'", | ||
174 | kbdintctxt->device->name); | ||
45 | 175 | ||
46 | if (!authctxt->valid || authctxt->user == NULL) | 176 | if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) { |
177 | kbdint_free(kbdintctxt); | ||
178 | authctxt->kbdintctxt = NULL; | ||
47 | return 0; | 179 | return 0; |
48 | if ((challenge = get_challenge(authctxt, devs)) == NULL) | 180 | } |
181 | if (send_userauth_info_request(authctxt) == 0) { | ||
182 | kbdint_free(kbdintctxt); | ||
183 | authctxt->kbdintctxt = NULL; | ||
49 | return 0; | 184 | return 0; |
50 | send_userauth_into_request(authctxt, challenge, 0); | 185 | } |
51 | dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, | 186 | dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, |
52 | &input_userauth_info_response); | 187 | &input_userauth_info_response); |
188 | |||
53 | authctxt->postponed = 1; | 189 | authctxt->postponed = 1; |
54 | return 0; | 190 | return 0; |
55 | } | 191 | } |
56 | 192 | ||
57 | void | 193 | static int |
58 | send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo) | 194 | send_userauth_info_request(Authctxt *authctxt) |
59 | { | 195 | { |
60 | int nprompts = 1; | 196 | KbdintAuthctxt *kbdintctxt; |
197 | char *name, *instr, **prompts; | ||
198 | int i; | ||
199 | u_int numprompts, *echo_on; | ||
200 | |||
201 | kbdintctxt = authctxt->kbdintctxt; | ||
202 | if (kbdintctxt->device->query(kbdintctxt->ctxt, | ||
203 | &name, &instr, &numprompts, &prompts, &echo_on)) | ||
204 | return 0; | ||
61 | 205 | ||
62 | packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); | 206 | packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); |
63 | /* name, instruction and language are unused */ | 207 | packet_put_cstring(name); |
64 | packet_put_cstring(""); | 208 | packet_put_cstring(instr); |
65 | packet_put_cstring(""); | 209 | packet_put_cstring(""); /* language not used */ |
66 | packet_put_cstring(""); | 210 | packet_put_int(numprompts); |
67 | packet_put_int(nprompts); | 211 | for (i = 0; i < numprompts; i++) { |
68 | packet_put_cstring(challenge); | 212 | packet_put_cstring(prompts[i]); |
69 | packet_put_char(echo); | 213 | packet_put_char(echo_on[i]); |
214 | } | ||
70 | packet_send(); | 215 | packet_send(); |
71 | packet_write_wait(); | 216 | packet_write_wait(); |
217 | |||
218 | for (i = 0; i < numprompts; i++) | ||
219 | xfree(prompts[i]); | ||
220 | xfree(prompts); | ||
221 | xfree(echo_on); | ||
222 | xfree(name); | ||
223 | xfree(instr); | ||
224 | return 1; | ||
72 | } | 225 | } |
73 | 226 | ||
74 | void | 227 | static void |
75 | input_userauth_info_response(int type, int plen, void *ctxt) | 228 | input_userauth_info_response(int type, int plen, void *ctxt) |
76 | { | 229 | { |
77 | Authctxt *authctxt = ctxt; | 230 | Authctxt *authctxt = ctxt; |
78 | int authenticated = 0; | 231 | KbdintAuthctxt *kbdintctxt; |
79 | u_int nresp, rlen; | 232 | int i, authenticated = 0, res, len; |
80 | char *response, *method = "challenge-reponse"; | 233 | u_int nresp; |
234 | char **response = NULL, *method; | ||
81 | 235 | ||
82 | if (authctxt == NULL) | 236 | if (authctxt == NULL) |
83 | fatal("input_userauth_info_response: no authctxt"); | 237 | fatal("input_userauth_info_response: no authctxt"); |
238 | kbdintctxt = authctxt->kbdintctxt; | ||
239 | if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL) | ||
240 | fatal("input_userauth_info_response: no kbdintctxt"); | ||
241 | if (kbdintctxt->device == NULL) | ||
242 | fatal("input_userauth_info_response: no device"); | ||
84 | 243 | ||
85 | authctxt->postponed = 0; /* reset */ | 244 | authctxt->postponed = 0; /* reset */ |
86 | nresp = packet_get_int(); | 245 | nresp = packet_get_int(); |
87 | if (nresp == 1) { | 246 | if (nresp > 0) { |
88 | response = packet_get_string(&rlen); | 247 | response = xmalloc(nresp * sizeof(char*)); |
89 | packet_done(); | 248 | for (i = 0; i < nresp; i++) |
90 | if (strlen(response) == 0) { | 249 | response[i] = packet_get_string(NULL); |
91 | /* | 250 | } |
92 | * if we received an empty response, resend challenge | 251 | packet_done(); |
93 | * with echo enabled | 252 | |
94 | */ | 253 | if (authctxt->valid) { |
95 | char *challenge = get_challenge(authctxt, NULL); | 254 | res = kbdintctxt->device->respond(kbdintctxt->ctxt, |
96 | if (challenge != NULL) { | 255 | nresp, response); |
97 | send_userauth_into_request(authctxt, | 256 | } else { |
98 | challenge, 1); | 257 | res = -1; |
99 | authctxt->postponed = 1; | 258 | } |
100 | } | 259 | |
101 | } else if (authctxt->valid) { | 260 | for (i = 0; i < nresp; i++) { |
102 | authenticated = verify_response(authctxt, response); | 261 | memset(response[i], 'r', strlen(response[i])); |
103 | memset(response, 'r', rlen); | 262 | xfree(response[i]); |
104 | } | 263 | } |
264 | if (response) | ||
105 | xfree(response); | 265 | xfree(response); |
266 | |||
267 | switch (res) { | ||
268 | case 0: | ||
269 | /* Success! */ | ||
270 | authenticated = 1; | ||
271 | break; | ||
272 | case 1: | ||
273 | /* Authentication needs further interaction */ | ||
274 | authctxt->postponed = 1; | ||
275 | if (send_userauth_info_request(authctxt) == 0) { | ||
276 | authctxt->postponed = 0; | ||
277 | } | ||
278 | break; | ||
279 | default: | ||
280 | /* Failure! */ | ||
281 | break; | ||
106 | } | 282 | } |
107 | /* unregister callback */ | 283 | |
108 | if (!authctxt->postponed) | 284 | len = strlen("keyboard-interactive") + 2 + |
285 | strlen(kbdintctxt->device->name); | ||
286 | method = xmalloc(len); | ||
287 | method[0] = '\0'; | ||
288 | strlcat(method, "keyboard-interactive", len); | ||
289 | strlcat(method, "/", len); | ||
290 | strlcat(method, kbdintctxt->device->name, len); | ||
291 | |||
292 | if (!authctxt->postponed) { | ||
293 | /* unregister callback */ | ||
109 | dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); | 294 | dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); |
110 | 295 | ||
296 | if (authenticated) { | ||
297 | kbdint_free(kbdintctxt); | ||
298 | authctxt->kbdintctxt = NULL; | ||
299 | } else { | ||
300 | /* start next device */ | ||
301 | /* may set authctxt->postponed */ | ||
302 | auth2_challenge_start(authctxt); | ||
303 | } | ||
304 | } | ||
111 | userauth_finish(authctxt, authenticated, method); | 305 | userauth_finish(authctxt, authenticated, method); |
306 | xfree(method); | ||
112 | } | 307 | } |
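Review bot: In `input_userauth_info_response` the reply count `nresp` read from the packet at new line 245 is used unchecked at new line 247 in `xmalloc(nresp * sizeof(char*))` and as the bound of the loop at new line 248; `nresp` is a u_int taken from the wire, so on a 32-bit target the multiplication can wrap and the allocation no longer matches the loop bound, and even without wrapping the loop is a peer-driven unbounded allocation. Bound it before allocating, e.g. `if (nresp > 100) fatal("input_userauth_info_response: too many replies");`, and since `i` is an `int` compared against the u_int, declare the loop index `u_int` as well. Separately, `kbdint_next_device` at new line 129 selects a device when `strncmp(kbdintctxt->devices, devices[i]->name, len) == 0`, which also accepts a requested name that is a proper prefix of a registered device name; adding `&& devices[i]->name[len] == '\0'` makes the match exact.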
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $"); | 26 | RCSID("$OpenBSD: auth2.c,v 1.57 2001/05/18 14:13:28 markus Exp $"); |
27 | 27 | ||
28 | #include <openssl/evp.h> | 28 | #include <openssl/evp.h> |
29 | 29 | ||
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $"); | |||
51 | #include "hostfile.h" | 51 | #include "hostfile.h" |
52 | #include "canohost.h" | 52 | #include "canohost.h" |
53 | #include "tildexpand.h" | 53 | #include "tildexpand.h" |
54 | #include "match.h" | ||
54 | 55 | ||
55 | /* import */ | 56 | /* import */ |
56 | extern ServerOptions options; | 57 | extern ServerOptions options; |
@@ -125,7 +126,7 @@ do_authentication2() | |||
125 | x_authctxt = authctxt; /*XXX*/ | 126 | x_authctxt = authctxt; /*XXX*/ |
126 | 127 | ||
127 | /* challenge-reponse is implemented via keyboard interactive */ | 128 | /* challenge-reponse is implemented via keyboard interactive */ |
128 | if (options.challenge_reponse_authentication) | 129 | if (options.challenge_response_authentication) |
129 | options.kbd_interactive_authentication = 1; | 130 | options.kbd_interactive_authentication = 1; |
130 | if (options.pam_authentication_via_kbd_int) | 131 | if (options.pam_authentication_via_kbd_int) |
131 | options.kbd_interactive_authentication = 1; | 132 | options.kbd_interactive_authentication = 1; |
@@ -400,24 +401,23 @@ int | |||
400 | userauth_kbdint(Authctxt *authctxt) | 401 | userauth_kbdint(Authctxt *authctxt) |
401 | { | 402 | { |
402 | int authenticated = 0; | 403 | int authenticated = 0; |
403 | char *lang = NULL; | 404 | char *lang, *devs; |
404 | char *devs = NULL; | ||
405 | 405 | ||
406 | lang = packet_get_string(NULL); | 406 | lang = packet_get_string(NULL); |
407 | devs = packet_get_string(NULL); | 407 | devs = packet_get_string(NULL); |
408 | packet_done(); | 408 | packet_done(); |
409 | 409 | ||
410 | debug("keyboard-interactive language %s devs %s", lang, devs); | 410 | debug("keyboard-interactive devs %s", devs); |
411 | 411 | ||
412 | if (options.challenge_reponse_authentication) | 412 | if (options.challenge_response_authentication) |
413 | authenticated = auth2_challenge(authctxt, devs); | 413 | authenticated = auth2_challenge(authctxt, devs); |
414 | 414 | ||
415 | #ifdef USE_PAM | 415 | #ifdef USE_PAM |
416 | if (authenticated == 0 && options.pam_authentication_via_kbd_int) | 416 | if (authenticated == 0 && options.pam_authentication_via_kbd_int) |
417 | authenticated = auth2_pam(authctxt); | 417 | authenticated = auth2_pam(authctxt); |
418 | #endif | 418 | #endif |
419 | xfree(lang); | ||
420 | xfree(devs); | 419 | xfree(devs); |
420 | xfree(lang); | ||
421 | #ifdef HAVE_CYGWIN | 421 | #ifdef HAVE_CYGWIN |
422 | if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) | 422 | if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) |
423 | return(0); | 423 | return(0); |
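Review bot: `userauth_kbdint` still falls through to `auth2_pam` at new lines 416-417 whenever `auth2_challenge` returns 0, but with this commit `auth2_challenge` returns 0 both on failure and when it has sent an INFO_REQUEST and set `authctxt->postponed` (see the updated comment in auth2-chall.c). If `auth2_pam` also exchanges messages with the client, a postponed challenge and a PAM exchange would then be in flight at the same time; guarding with `if (authenticated == 0 && !authctxt->postponed && options.pam_authentication_via_kbd_int)` avoids that. `auth2_pam` is not visible here, so this is inferred from the return convention rather than its body; the function ends outside the hunk.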
diff --git a/readconf.c b/readconf.c index 75005b3fe..542c76f33 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -12,7 +12,7 @@ | |||
12 | */ | 12 | */ |
13 | 13 | ||
14 | #include "includes.h" | 14 | #include "includes.h" |
15 | RCSID("$OpenBSD: readconf.c,v 1.77 2001/04/30 11:18:51 markus Exp $"); | 15 | RCSID("$OpenBSD: readconf.c,v 1.78 2001/05/18 14:13:28 markus Exp $"); |
16 | 16 | ||
17 | #include "ssh.h" | 17 | #include "ssh.h" |
18 | #include "xmalloc.h" | 18 | #include "xmalloc.h" |
@@ -333,7 +333,7 @@ parse_flag: | |||
333 | goto parse_flag; | 333 | goto parse_flag; |
334 | 334 | ||
335 | case oChallengeResponseAuthentication: | 335 | case oChallengeResponseAuthentication: |
336 | intptr = &options->challenge_reponse_authentication; | 336 | intptr = &options->challenge_response_authentication; |
337 | goto parse_flag; | 337 | goto parse_flag; |
338 | 338 | ||
339 | #ifdef KRB4 | 339 | #ifdef KRB4 |
@@ -723,7 +723,7 @@ initialize_options(Options * options) | |||
723 | options->rhosts_authentication = -1; | 723 | options->rhosts_authentication = -1; |
724 | options->rsa_authentication = -1; | 724 | options->rsa_authentication = -1; |
725 | options->pubkey_authentication = -1; | 725 | options->pubkey_authentication = -1; |
726 | options->challenge_reponse_authentication = -1; | 726 | options->challenge_response_authentication = -1; |
727 | #ifdef KRB4 | 727 | #ifdef KRB4 |
728 | options->kerberos_authentication = -1; | 728 | options->kerberos_authentication = -1; |
729 | #endif | 729 | #endif |
@@ -797,8 +797,8 @@ fill_default_options(Options * options) | |||
797 | options->rsa_authentication = 1; | 797 | options->rsa_authentication = 1; |
798 | if (options->pubkey_authentication == -1) | 798 | if (options->pubkey_authentication == -1) |
799 | options->pubkey_authentication = 1; | 799 | options->pubkey_authentication = 1; |
800 | if (options->challenge_reponse_authentication == -1) | 800 | if (options->challenge_response_authentication == -1) |
801 | options->challenge_reponse_authentication = 0; | 801 | options->challenge_response_authentication = 0; |
802 | #ifdef KRB4 | 802 | #ifdef KRB4 |
803 | if (options->kerberos_authentication == -1) | 803 | if (options->kerberos_authentication == -1) |
804 | options->kerberos_authentication = 1; | 804 | options->kerberos_authentication = 1; |
diff --git a/readconf.h b/readconf.h index 4b20c93bf..489ffc8c1 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -11,7 +11,7 @@ | |||
11 | * called by a name other than "ssh" or "Secure Shell". | 11 | * called by a name other than "ssh" or "Secure Shell". |
12 | */ | 12 | */ |
13 | 13 | ||
14 | /* RCSID("$OpenBSD: readconf.h,v 1.31 2001/04/30 11:18:52 markus Exp $"); */ | 14 | /* RCSID("$OpenBSD: readconf.h,v 1.32 2001/05/18 14:13:29 markus Exp $"); */ |
15 | 15 | ||
16 | #ifndef READCONF_H | 16 | #ifndef READCONF_H |
17 | #define READCONF_H | 17 | #define READCONF_H |
@@ -39,7 +39,7 @@ typedef struct { | |||
39 | int rsa_authentication; /* Try RSA authentication. */ | 39 | int rsa_authentication; /* Try RSA authentication. */ |
40 | int pubkey_authentication; /* Try ssh2 pubkey authentication. */ | 40 | int pubkey_authentication; /* Try ssh2 pubkey authentication. */ |
41 | int hostbased_authentication; /* ssh2's rhosts_rsa */ | 41 | int hostbased_authentication; /* ssh2's rhosts_rsa */ |
42 | int challenge_reponse_authentication; | 42 | int challenge_response_authentication; |
43 | /* Try S/Key or TIS, authentication. */ | 43 | /* Try S/Key or TIS, authentication. */ |
44 | #ifdef KRB4 | 44 | #ifdef KRB4 |
45 | int kerberos_authentication; /* Try Kerberos | 45 | int kerberos_authentication; /* Try Kerberos |
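--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.79 2001/05/03 21:43:01 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.80 2001/05/18 14:13:29 markus Exp $");
 
 #ifdef KRB4
 #include <krb.h>
@@ -81,7 +81,7 @@ initialize_server_options(ServerOptions *options)
 #endif
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
-options->challenge_reponse_authentication = -1;
+options->challenge_response_authentication = -1;
 options->permit_empty_passwd = -1;
 options->use_login = -1;
 options->allow_tcp_forwarding = -1;
@@ -186,8 +186,8 @@ fill_default_server_options(ServerOptions *options)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
 options->kbd_interactive_authentication = 0;
-if (options->challenge_reponse_authentication == -1)
-options->challenge_reponse_authentication = 1;
+if (options->challenge_response_authentication == -1)
+options->challenge_response_authentication = 1;
 if (options->permit_empty_passwd == -1)
 options->permit_empty_passwd = 0;
 if (options->use_login == -1)
@@ -603,7 +603,7 @@ parse_flag:
 goto parse_flag;
 
 case sChallengeResponseAuthentication:
-intptr = &options->challenge_reponse_authentication;
+intptr = &options->challenge_response_authentication;
 goto parse_flag;
 
 case sPrintMotd: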
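--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
 * called by a name other than "ssh" or "Secure Shell".
 */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.41 2001/04/13 22:46:53 beck Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.42 2001/05/18 14:13:29 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -92,7 +92,7 @@ typedef struct {
 int password_authentication; /* If true, permit password
 * authentication. */
 int kbd_interactive_authentication; /* If true, permit */
-int challenge_reponse_authentication;
+int challenge_response_authentication;
 int permit_empty_passwd; /* If false, do not permit empty
 * passwords. */
 int use_login; /* If true, login(1) is used */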
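--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.31 2001/04/17 08:14:01 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.32 2001/05/18 14:13:29 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -616,7 +616,7 @@ send_afs_tokens(void)
 * Note that the client code is not tied to s/key or TIS.
 */
 int
-try_challenge_reponse_authentication(void)
+try_challenge_response_authentication(void)
 {
 int type, i;
 int payload_len;
@@ -1024,8 +1024,8 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 }
 /* Try challenge response authentication if the server supports it. */
 if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-options.challenge_reponse_authentication && !options.batch_mode) {
-if (try_challenge_reponse_authentication())
+options.challenge_response_authentication && !options.batch_mode) {
+if (try_challenge_response_authentication())
 return;
 }
 /* Try password authentication if the server supports it. */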
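--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.72 2001/04/18 23:43:26 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.73 2001/05/18 14:13:29 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -229,7 +229,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 int type;
 int plen;
 
-if (options.challenge_reponse_authentication)
+if (options.challenge_response_authentication)
 options.kbd_interactive_authentication = 1;
 
 debug("send SSH2_MSG_SERVICE_REQUEST");
@@ -787,6 +787,7 @@ input_userauth_info_req(int type, int plen, void *ctxt)
 packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
 packet_put_int(num_prompts);
 
+debug2("input_userauth_info_req: num_prompts %d", num_prompts);
 for (i = 0; i < num_prompts; i++) {
 prompt = packet_get_string(NULL);
 echo = packet_get_char();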
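Review bot: The loop following the new debug2 line runs num_prompts times, calling packet_get_string() and packet_get_char() on each pass, yet nothing in the hunk bounds num_prompts, and the preceding packet_put_int(num_prompts) already echoes that count to the server before any prompt has been inspected. If num_prompts is taken from the incoming SSH2_MSG_USERAUTH_INFO_REQUEST above this hunk, as the function name suggests, the peer chooses how many string allocations and, presumably, user prompts the client performs; a sanity cap ahead of packet_start, such as `if (num_prompts > 100 /* constructed example */) fatal("input_userauth_info_req: too many prompts %d", num_prompts);`, would bound that. The `%d` in the debug2 call also assumes num_prompts is a signed int; if it holds an unsigned value from packet_get_int, `%u` is the matching specifier. input_userauth_info_req starts and ends outside the hunk, so where num_prompts is read and what the loop body does with each prompt is not visible here.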
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: sshd.c,v 1.195 2001/04/15 16:58:03 markus Exp $"); | 43 | RCSID("$OpenBSD: sshd.c,v 1.196 2001/05/18 14:13:29 markus Exp $"); |
44 | 44 | ||
45 | #include <openssl/dh.h> | 45 | #include <openssl/dh.h> |
46 | #include <openssl/bn.h> | 46 | #include <openssl/bn.h> |
@@ -1265,7 +1265,7 @@ do_ssh1_kex(void) | |||
1265 | if (options.afs_token_passing) | 1265 | if (options.afs_token_passing) |
1266 | auth_mask |= 1 << SSH_PASS_AFS_TOKEN; | 1266 | auth_mask |= 1 << SSH_PASS_AFS_TOKEN; |
1267 | #endif | 1267 | #endif |
1268 | if (options.challenge_reponse_authentication == 1) | 1268 | if (options.challenge_response_authentication == 1) |
1269 | auth_mask |= 1 << SSH_AUTH_TIS; | 1269 | auth_mask |= 1 << SSH_AUTH_TIS; |
1270 | if (options.password_authentication) | 1270 | if (options.password_authentication) |
1271 | auth_mask |= 1 << SSH_AUTH_PASSWORD; | 1271 | auth_mask |= 1 << SSH_AUTH_PASSWORD; |