From 611649ebf093bf030f2dde18103dde8c1af9226c Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Thu, 20 Jan 2005 11:05:34 +1100
Subject: - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 [auth-bsdauth.c auth2-chall.c] Have keyboard-interactive code call the drivers even for responses for invalid logins. This allows the drivers themselves to decide how to handle them and prevent leaking information where possible. Existing behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@
---
 auth2-chall.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
(limited to 'auth2-chall.c')
diff --git a/auth2-chall.c b/auth2-chall.c
index 486baaaa3..29234439c 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -274,12 +274,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 	}
 	packet_check_eom();
 
-	if (authctxt->valid) {
-		res = kbdintctxt->device->respond(kbdintctxt->ctxt,
-		    nresp, response);
-	} else {
-		res = -1;
-	}
+	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
 
 	for (i = 0; i < nresp; i++) {
 		memset(response[i], 'r', strlen(response[i]));
@@ -291,7 +286,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 	switch (res) {
 	case 0:
 		/* Success! */
-		authenticated = 1;
+		authenticated = authctxt->valid ? 1 : 0;
 		break;
 	case 1:
 		/* Authentication needs further interaction */
-- 
cgit v1.2.3
From 3c66080aa26e5121805c80728a9c801b08a7870e Mon Sep 17 00:00:00 2001
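Review bot: The now-unconditional `respond()` call in the `@@ -274,12 +274,7 @@` hunk hands responses for unknown users to whichever driver is active, but nothing at the call site records that every driver must now check `authctxt->valid` itself (the commit message says bsdauth does; a reader of this function cannot see that). A one-line comment above the call would make the contract visible: `/* Called even for invalid logins so that driver behaviour does not reveal whether the user exists; drivers must check authctxt->valid themselves. */`. The `authenticated = authctxt->valid ? 1 : 0;` line in the following `@@ -291,7 +286,7 @@` hunk is the backstop that keeps an invalid login from authenticating should a driver return 0 regardless, and deserves a short comment saying so, e.g. `/* never authenticate an invalid user, whatever the driver says */`. `input_userauth_info_response` starts and ends outside both hunks.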
From: Darren Tucker
Date: Thu, 20 Jan 2005 22:20:50 +1100
Subject: - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from the list of available kbdint devices if UsePAM=no. ok djm@
---
 ChangeLog | 4 +++-
 auth-chall.c | 7 +++++++
 auth.h | 2 ++
 auth2-chall.c | 24 ++++++++++++++++++++++++
 4 files changed, 36 insertions(+), 1 deletion(-)
(limited to 'auth2-chall.c')
diff --git a/ChangeLog b/ChangeLog
index ec830bbb7..8af4ea5f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@
 - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128 bytes to prevent errors from login_init_entry() when the username is exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
+ - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
+   the list of available kbdint devices if UsePAM=no. ok djm@
 
 20050118
 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
@@ -2013,4 +2015,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3619 2005/01/20 11:07:29 dtucker Exp $
+$Id: ChangeLog,v 1.3620 2005/01/20 11:20:50 dtucker Exp $
diff --git a/auth-chall.c b/auth-chall.c
index a9d314dd2..e4f783096 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -28,11 +28,13 @@ RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $");
 #include "auth.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "servconf.h"
 
 /* limited protocol v1 interface to kbd-interactive authentication */
 
 extern KbdintDevice *devices[];
 static KbdintDevice *device;
+extern ServerOptions options;
 
 char *
 get_challenge(Authctxt *authctxt)
@@ -41,6 +43,11 @@ get_challenge(Authctxt *authctxt)
 	u_int i, numprompts;
 	u_int *echo_on;
 
+#ifdef USE_PAM
+	if (!options.use_pam)
+		remove_kbdint_device("pam");
+#endif
+
 	device = devices[0]; /* we always use the 1st device for protocol 1 */
 	if (device == NULL)
 		return NULL;
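Review bot: `remove_kbdint_device("pam")` in the `get_challenge()` hunk is executed on every call, and the same pattern appears again in `kbdint_alloc()` in the auth2-chall.c `@@ -78,6 +97,11 @@` hunk of this commit, so the global `devices[]` table is rewritten lazily on the authentication path instead of once when the server configuration is known. The call is idempotent (after the first removal the name no longer matches and the loop only scans), so repeated invocation is harmless, but any code that inspects `devices[]` before the first challenge is built would still see "pam" listed; doing the removal once after option parsing would avoid that, assuming `options` is final by then — worth confirming. If the lazy placement is deliberate, a comment at both call sites would save the next reader the question, e.g. `/* UsePAM=no: drop the pam device before any device is selected (idempotent) */`. `get_challenge` continues past the end of the hunk.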
diff --git a/auth.h b/auth.h
index 760337bea..6c0089dc7 100644
--- a/auth.h
+++ b/auth.h
@@ -130,6 +130,8 @@ int auth_shadow_pwexpired(Authctxt *);
 #endif
 
 #include "auth-pam.h"
+void remove_kbdint_device(const char *);
+
 void disable_forwarding(void);
 
 void do_authentication(Authctxt *);
diff --git a/auth2-chall.c b/auth2-chall.c
index 29234439c..384a543ee 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -32,6 +32,10 @@ RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
 #include "xmalloc.h"
 #include "dispatch.h"
 #include "log.h"
+#include "servconf.h"
+
+/* import */
+extern ServerOptions options;
 
 static int auth2_challenge_start(Authctxt *);
 static int send_userauth_info_request(Authctxt *);
@@ -71,6 +75,21 @@ struct KbdintAuthctxt
 	u_int nreq;
 };
 
+#ifdef USE_PAM
+void
+remove_kbdint_device(const char *devname)
+{
+	int i, j;
+
+	for (i = 0; devices[i] != NULL; i++)
+		if (strcmp(devices[i]->name, devname) == 0) {
+			for (j = i; devices[j] != NULL; j++)
+				devices[j] = devices[j+1];
+			i--;
+		}
+}
+#endif
+
 static KbdintAuthctxt *
 kbdint_alloc(const char *devs)
 {
@@ -78,6 +97,11 @@ kbdint_alloc(const char *devs)
 	Buffer b;
 	int i;
 
+#ifdef USE_PAM
+	if (!options.use_pam)
+		remove_kbdint_device("pam");
+#endif
+
 	kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
 	if (strcmp(devs, "") == 0) {
 		buffer_init(&b);
-- 
cgit v1.2.3
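Review bot: `remove_kbdint_device()` in the `@@ -71,6 +75,21 @@` hunk is defined only under `#ifdef USE_PAM`, while the prototype added to auth.h earlier in this commit is unconditional and nothing in the function body is PAM-specific; either guard the prototype the same way or drop the guard from the definition so the helper can be linked by non-PAM callers without an undefined-symbol surprise. The shifting loop is correct — it copies the terminating NULL down as well and the `i--` re-examines the slot that just received the next entry, so consecutive matches are not skipped — but neither property is obvious, and the function has no comment; I would add `/* Remove every entry named devname from the NULL-terminated devices[] table, shifting later entries (and the terminator) down one slot. */` above it. The inner loop reads `devices[j+1]` only while `devices[j]` is non-NULL, so its last read is the terminator itself and stays in bounds; a brief comment on the `devices[j] = devices[j+1];` line saying so would stop a future reader from "fixing" it.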