-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | auth-bsdauth.c | 5 | ||||
-rw-r--r-- | auth2-chall.c | 11 |
3 files changed, 16 insertions, 10 deletions
@@ -22,6 +22,14 @@ | |||
22 | - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 | 22 | - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 |
23 | [sshd.c] | 23 | [sshd.c] |
24 | Make debugging output continue after reexec; ok djm@ | 24 | Make debugging output continue after reexec; ok djm@ |
25 | - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 | ||
26 | [auth-bsdauth.c auth2-chall.c] | ||
27 | Have keyboard-interactive code call the drivers even for responses for | ||
28 | invalid logins. This allows the drivers themselves to decide how to | ||
29 | handle them and prevent leaking information where possible. Existing | ||
30 | behaviour for bsdauth is maintained by checking authctxt->valid in the | ||
31 | bsdauth driver. Note that any third-party kbdint drivers will now need | ||
32 | to be able to handle responses for invalid logins. ok markus@ | ||
25 | 33 | ||
26 | 20050118 | 34 | 20050118 |
27 | - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement | 35 | - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement |
@@ -1994,4 +2002,4 @@ | |||
1994 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 2002 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
1995 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 2003 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
1996 | 2004 | ||
1997 | $Id: ChangeLog,v 1.3615 2005/01/20 00:03:08 dtucker Exp $ | 2005 | $Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $ |
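--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $");
 
 #ifdef BSD_AUTH
 #include "xmalloc.h"
@@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 Authctxt *authctxt = ctx;
 int authok;
 
+if (!authctxt->valid)
+return -1;
+
 if (authctxt->as == 0)
 error("bsdauth_respond: no bsd auth session");
 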
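Review bot: The new `if (!authctxt->valid) return -1;` guard at the top of bsdauth_respond has no comment, yet with the caller-side filter removed from auth2-chall.c it is now what keeps an invalid login away from the BSD auth session. I would add `/* kbdint now calls drivers for invalid logins too; reject here to keep the previous bsdauth behaviour */` above it. Because the guard returns before any of the driver's verification work, a rejected invalid account probably answers faster than a rejected valid one, which can reveal which account names exist. Whether that difference is observable depends on code outside this hunk, so it deserves a mention in the comment. The function body continues past the end of the hunk.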
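--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -274,12 +274,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 }
 packet_check_eom();
 
-if (authctxt->valid) {
-res = kbdintctxt->device->respond(kbdintctxt->ctxt,
-nresp, response);
-} else {
-res = -1;
-}
+res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
 
 for (i = 0; i < nresp; i++) {
 memset(response[i], 'r', strlen(response[i]));
@@ -291,7 +286,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 switch (res) {
 case 0:
 /* Success! */
-authenticated = 1;
+authenticated = authctxt->valid ? 1 : 0;
 break;
 case 1:
 /* Authentication needs further interaction */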
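Review bot: The line `authenticated = authctxt->valid ? 1 : 0;` under `case 0` is now the only place in input_userauth_info_response that stops an invalid login from succeeding, because the `respond` call above it is no longer guarded, and the existing `/* Success! */` comment does not say so. I would replace that comment with `/* Driver accepted; succeed only for a valid user, since drivers are now called for invalid logins too */`. It would also help to log the case where a driver returns 0 for an invalid user, e.g. `if (!authctxt->valid) debug("kbdint driver accepted response for invalid user");`, since that points to a driver that does not check validity itself. The function starts before and continues after the hunks shown.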