From 235c7c4e3bf046982c2d8242f30aacffa01073d1 Mon Sep 17 00:00:00 2001
From: "markus@openbsd.org"
Date: Mon, 9 Jul 2018 21:53:45 +0000
Subject: upstream: sshd: switch monitor to sshbuf API; lots of help & ok djm@
OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
---
 monitor.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'monitor.h')
diff --git a/monitor.h b/monitor.h
index d68f67458..0c7635000 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.20 2016/09/28 16:33:07 djm Exp $ */
+/* $OpenBSD: monitor.h,v 1.21 2018/07/09 21:53:45 markus Exp $ */
 
 /*
  * Copyright 2002 Niels Provos
@@ -87,8 +87,8 @@ struct mon_table;
 int monitor_read(struct monitor*, struct mon_table *, struct mon_table **);
 
 /* Prototypes for request sending and receiving */
-void mm_request_send(int, enum monitor_reqtype, Buffer *);
-void mm_request_receive(int, Buffer *);
-void mm_request_receive_expect(int, enum monitor_reqtype, Buffer *);
+void mm_request_send(int, enum monitor_reqtype, struct sshbuf *);
+void mm_request_receive(int, struct sshbuf *);
+void mm_request_receive_expect(int, enum monitor_reqtype, struct sshbuf *);
 
 #endif /* _MONITOR_H_ */
-- cgit v1.2.3
From 87f08be054b7eeadbb9cdeb3fb4872be79ccf218 Mon Sep 17 00:00:00 2001
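Review bot: The three prototypes now take `struct sshbuf *`, yet no `struct sshbuf;` forward declaration is visible in this hunk, whereas `struct mon_table;` in the hunk header shows the file does declare its other opaque types up front. If the tag is not declared earlier in monitor.h and a translation unit includes monitor.h before sshbuf.h, this first mention inside a parameter list gives `struct sshbuf` prototype scope, which the compiler warns about and which is incompatible with the later file-scope definition. Unless the declaration already exists above line 87, add `struct sshbuf;` beside `struct mon_table;`.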
From: Damien Miller Date: Fri, 20 Jul 2018 13:18:28 +1000 Subject: Remove support for S/Key Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth. --- INSTALL | 10 --------- Makefile.in | 2 +- TODO | 2 +- auth.h | 4 ---- auth2-chall.c | 14 +----------- configure.ac | 50 ------------------------------------------- defines.h | 6 ------ monitor.c | 66 --------------------------------------------------------- monitor.h | 2 -- monitor_wrap.c | 67 ---------------------------------------------------------- monitor_wrap.h | 4 ---- readconf.c | 2 +- servconf.c | 2 +- ssh_config.5 | 5 ++--- sshd_config.5 | 5 ++--- 15 files changed, 9 insertions(+), 232 deletions(-) (limited to 'monitor.h') diff --git a/INSTALL b/INSTALL index d5275113b..3fd265dbf 100644 --- a/INSTALL +++ b/INSTALL @@ -66,13 +66,6 @@ passphrase requester. This is maintained separately at: http://www.jmknoble.net/software/x11-ssh-askpass/ -S/Key Libraries: - -If you wish to use --with-skey then you will need the library below -installed. No other S/Key library is currently known to be supported. - -http://www.sparc.spb.su/solaris/skey/ - LibEdit: sftp supports command-line editing via NetBSD's libedit. If your platform @@ -184,9 +177,6 @@ it if lastlog is installed in a different place. --with-osfsia, --without-osfsia will enable or disable OSF1's Security Integration Architecture. The default for OSF1 machines is enable. ---with-skey=PATH will enable S/Key one time password support. You will -need the S/Key libraries and header files installed for this to work. - --with-md5-passwords will enable the use of MD5 passwords. Enable this if your operating system uses MD5 passwords and the system crypt() does not support them directly (see the crypt(3/3c) man page). If enabled, the diff --git a/Makefile.in b/Makefile.in index c3b67aa61..ac744cbd2 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -110,7 +110,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ auth.o auth2.o auth-options.o session.o \ auth2-chall.o groupaccess.o \ - auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ + auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor.o monitor_wrap.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ diff --git a/TODO b/TODO index 771162b30..b76529c96 100644 --- a/TODO +++ b/TODO @@ -35,7 +35,7 @@ Programming: - Use different PAM service name for kbdint vs regular auth (suggest from Solar Designer) - Ability to select which ChallengeResponseAuthentications may be used - and order to try them in e.g. "ChallengeResponseAuthentication skey, pam" + and order to try them in e.g. "ChallengeResponseAuthentication pam" - Complete Tru64 SIA support - It looks like we could merge it into the password auth code to cut down diff --git a/auth.h b/auth.h index 29491df98..977562f0a 100644 --- a/auth.h +++ b/auth.h @@ -187,8 +187,6 @@ int auth2_challenge(struct ssh *, char *); void auth2_challenge_stop(struct ssh *); int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **); int bsdauth_respond(void *, u_int, char **); -int skey_query(void *, char **, char **, u_int *, char ***, u_int **); -int skey_respond(void *, u_int, char **); int allowed_user(struct passwd *); struct passwd * getpwnamallow(const char *user); @@ -239,8 +237,6 @@ pid_t subprocess(const char *, struct passwd *, int sys_auth_passwd(struct ssh *, const char *); -#define SKEY_PROMPT "\nS/Key Password: " - #if defined(KRB5) && !defined(HEIMDAL) #include krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); diff --git a/auth2-chall.c b/auth2-chall.c index 4fd18f467..2d5cff448 100644 --- a/auth2-chall.c +++ b/auth2-chall.c 
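Review bot: Dropping `auth-skey.o` from SSHDOBJS orphans auth-skey.c: the diffstat lists fifteen files and auth-skey.c is not among them, so the source stays in the tree with nothing building it. The same commit removes `SKEY_PROMPT` from auth.h and the `skey_query`/`skey_respond` prototypes that the file presumably defines, so it will likely no longer compile if anyone reinstates it, and it keeps the dead name in tarballs and grep results. Delete auth-skey.c in this commit or a follow-up; the SSHDOBJS assignment continues beyond the hunk on both sides.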
@@ -58,9 +58,6 @@ extern KbdintDevice bsdauth_device;
 #ifdef USE_PAM
 extern KbdintDevice sshpam_device;
 #endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
 #endif
 
 KbdintDevice *devices[] = {
@@ -70,9 +67,6 @@ KbdintDevice *devices[] = {
 #ifdef USE_PAM
 &sshpam_device,
 #endif
-#ifdef SKEY
- &skey_device,
-#endif
 #endif
 NULL
 };
@@ -369,7 +363,7 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 void
 privsep_challenge_enable(void)
 {
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+#if defined(BSD_AUTH) || defined(USE_PAM)
 int n = 0;
 #endif
 #ifdef BSD_AUTH
@@ -378,9 +372,6 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
 extern KbdintDevice mm_sshpam_device;
 #endif
-#ifdef SKEY
- extern KbdintDevice mm_skey_device;
-#endif
 
 #ifdef BSD_AUTH
 devices[n++] = &mm_bsdauth_device;
@@ -388,8 +379,5 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
 devices[n++] = &mm_sshpam_device;
 #endif
-#ifdef SKEY
- devices[n++] = &mm_skey_device;
-#endif
 #endif
 }
diff --git a/configure.ac b/configure.ac
index 8c6827a7b..c4c759d4e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1495,55 +1495,6 @@ else
 AC_MSG_RESULT([no])
 fi
 
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH([skey],
- [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)],
- [
- if test "x$withval" != "xno" ; then
-
- if test "x$withval" != "xyes" ; then
- CPPFLAGS="$CPPFLAGS -I${withval}/include"
- LDFLAGS="$LDFLAGS -L${withval}/lib"
- fi
-
- AC_DEFINE([SKEY], [1], [Define if you want S/Key support])
- LIBS="-lskey $LIBS"
- SKEY_MSG="yes"
-
- AC_MSG_CHECKING([for s/key support])
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
-#include
-#include
- ]], [[
- char *ff = skey_keyinfo(""); ff="";
- exit(0);
- ]])],
- [AC_MSG_RESULT([yes])],
- [
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
- ])
- AC_MSG_CHECKING([if skeychallenge takes 4 arguments])
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include
-#include
- ]], [[
- (void)skeychallenge(NULL,"name","",0);
- ]])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE([SKEYCHALLENGE_4ARG], [1],
- [Define if your skeychallenge()
- function takes 4 arguments (NetBSD)])],
- [
- AC_MSG_RESULT([no])
- ])
- fi
- ]
-)
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5219,7 +5170,6 @@ echo " PAM support: $PAM_MSG"
 echo " OSF SIA support: $SIA_MSG"
 echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
-echo " S/KEY support: $SKEY_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " libldns support: $LDNS_MSG"
diff --git a/defines.h b/defines.h
index 3fa5ec5a9..8f4213062 100644
--- a/defines.h
+++ b/defines.h
@@ -660,12 +660,6 @@ struct winsize {
 # define krb5_get_err_text(context,code) error_message(code)
 #endif
 
-#if defined(SKEYCHALLENGE_4ARG)
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
-#else
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
-#endif
-
 /* Maximum number of file descriptors available */
 #ifdef HAVE_SYSCONF
 # define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
diff --git a/monitor.c b/monitor.c
index 78f9c5038..d4b4b0471 100644
--- a/monitor.c
+++ b/monitor.c
@@ -56,10 +56,6 @@
 # endif
 #endif
 
-#ifdef SKEY
-#include
-#endif
-
 #ifdef WITH_OPENSSL
 #include
 #endif
@@ -122,8 +118,6 @@ int mm_answer_authserv(int, struct sshbuf *);
 int mm_answer_authpassword(int, struct sshbuf *);
 int mm_answer_bsdauthquery(int, struct sshbuf *);
 int mm_answer_bsdauthrespond(int, struct sshbuf *);
-int mm_answer_skeyquery(int, struct sshbuf *);
-int mm_answer_skeyrespond(int, struct sshbuf *);
 int mm_answer_keyallowed(int, struct sshbuf *);
 int mm_answer_keyverify(int, struct sshbuf *);
 int mm_answer_pty(int, struct sshbuf *);
@@ -211,10 +205,6 @@ struct mon_table mon_dispatch_proto20[] = {
 #ifdef BSD_AUTH
 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
-#endif
-#ifdef SKEY
- {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
- {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
 #endif
 {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
 {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@@ -960,62 +950,6 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
 }
 #endif
 
-#ifdef SKEY
-int
-mm_answer_skeyquery(int sock, struct sshbuf *m)
-{
- struct skey skey;
- char challenge[1024];
- u_int success;
- int r;
-
- success = _compat_skeychallenge(&skey, authctxt->user, challenge,
- sizeof(challenge)) < 0 ? 0 : 1;
-
- sshbuf_reset(m);
- if ((r = sshbuf_put_u32(m, success)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (success) {
- if ((r = sshbuf_put_cstring(m, challenge)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- }
- debug3("%s: sending challenge success: %u", __func__, success);
- mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
-
- return (0);
-}
-
-int
-mm_answer_skeyrespond(int sock, struct sshbuf *m)
-{
- char *response;
- size_t rlen;
- int authok, r;
-
- if ((r = sshbuf_get_cstring(m, &response, &rlen)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- authok = (options.challenge_response_authentication &&
- authctxt->valid &&
- skey_haskey(authctxt->pw->pw_name) == 0 &&
- skey_passcheck(authctxt->pw->pw_name, response) != -1);
-
- freezero(response, rlen);
-
- sshbuf_reset(m);
- if ((r = sshbuf_put_u32(m, authok)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- debug3("%s: sending authenticated: %d", __func__, authok);
- mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
-
- auth_method = "keyboard-interactive";
- auth_submethod = "skey";
-
- return (authok != 0);
-}
-#endif
-
 #ifdef USE_PAM
 int
 mm_answer_pam_start(int sock, struct sshbuf *m)
diff --git a/monitor.h b/monitor.h
index 0c7635000..16047299f 100644
--- a/monitor.h
+++ b/monitor.h
@@ -39,8 +39,6 @@ enum monitor_reqtype {
 MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
 MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
 MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
- MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
- MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
 MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
 MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
 MONITOR_REQ_KEYEXPORT = 26,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 3cb26c2ac..732fb3476 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
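Review bot: Removing the four SKEY enumerators leaves 18 through 21 unassigned in an explicitly numbered enum with nothing marking the gap, so a later reader cannot tell whether the skip is a typo, a merge accident, or a retired range. A short comment in their place, `/* 18-21: former MONITOR_{REQ,ANS}_SKEY{QUERY,RESPOND}, retired */`, documents the hole and discourages handing those values to a new request type that external tooling reading monitor debug output may still label as S/Key. The enumeration continues outside the hunk.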
@@ -867,73 +867,6 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 return ((authok == 0) ? -1 : 0);
 }
 
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
- u_int *numprompts, char ***prompts, u_int **echo_on)
-{
- struct sshbuf *m;
- u_int success;
- char *challenge;
- int r;
-
- debug3("%s: entering", __func__);
-
- if ((m = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, m);
-
- mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, m);
- if ((r = sshbuf_get_u32(m, &success)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (success == 0) {
- debug3("%s: no challenge", __func__);
- sshbuf_free(m);
- return (-1);
- }
-
- /* Get the challenge, and format the response */
- if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- sshbuf_free(m);
-
- debug3("%s: received challenge: %s", __func__, challenge);
-
- mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
- xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
- free(challenge);
-
- return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
- struct sshbuf *m;
- int authok, r;
-
- debug3("%s: entering", __func__);
- if (numresponses != 1)
- return (-1);
-
- if ((m = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, m);
-
- mm_request_receive_expect(pmonitor->m_recvfd,
- MONITOR_ANS_SKEYRESPOND, m);
-
- if ((r = sshbuf_get_u32(m, &authok)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- sshbuf_free(m);
-
- return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
 #ifdef SSH_AUDIT_EVENTS
 void
 mm_audit_event(ssh_audit_event_t event)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index a3ac17d1d..644da081d 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -97,8 +97,4 @@ void mm_send_keystate(struct monitor*);
 int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_bsdauth_respond(void *, u_int, char **);
 
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
 #endif /* _MM_WRAP_H_ */
diff --git a/readconf.c b/readconf.c
index 4ab312fff..4b11bab5e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -230,7 +230,7 @@ static struct {
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
 { "hostbasedauthentication", oHostbasedAuthentication },
 { "challengeresponseauthentication", oChallengeResponseAuthentication },
- { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+ { "skeyauthentication", oUnsupported },
 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
 { "identityfile", oIdentityFile },
 { "identityfile2", oIdentityFile }, /* obsolete */
diff --git a/servconf.c b/servconf.c
index aafefde93..f1010b3b9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -564,7 +564,7 @@ static struct {
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
- { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
diff --git a/ssh_config.5 b/ssh_config.5
index fe52578f4..f499396a3 100644
--- a/ssh_config.5
+++ b/ssh_config.5
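Review bot: The client and server keyword tables now disagree on what `skeyauthentication` means: readconf.c maps it to `oUnsupported` while servconf.c maps it to `sDeprecated`, and both drop the `/* alias */` marker. The keyword was an alias for ChallengeResponseAuthentication, which remains a supported option on both sides, so a configuration that used the old spelling no longer sets it, and if the two enums are reported at different severities, as their names suggest, the same stale line is an error on one side and a mild notice on the other. Either choose one classification for both files or keep the alias and retire only the S/Key device. Both tables continue outside the hunks.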
@@ -997,10 +997,9 @@ The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: -.Cm bsdauth , -.Cm pam , +.Cm bsdauth and -.Cm skey . +.Cm pam . .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. diff --git a/sshd_config.5 b/sshd_config.5 index 02d8e436b..e1b54ba20 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -205,10 +205,9 @@ keyboard-interactive authentication before public key. For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier -.Cm bsdauth , -.Cm pam , +.Cm bsdauth or -.Cm skey , +.Cm pam . depending on the server configuration. For example, .Qq keyboard-interactive:bsdauth -- cgit v1.2.3