diff options
| author | Damien Miller <djm@mindrot.org> | 2001-02-18 17:01:00 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2001-02-18 17:01:00 +1100 |
| commit | 60396b060b803fd2d20aa151dc0432a344f798b0 (patch) | |
| tree | 6027eced4465cbb8ab7146ba6cd3f9a89c38bd03 | |
| parent | 75da9a9e721bf0f73aab8a28505a62224c327d18 (diff) | |
- (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie
enable with --with-bsd-auth.
| -rw-r--r-- | acconfig.h | 5 | ||||
| -rw-r--r-- | auth-chall.c | 42 | ||||
| -rw-r--r-- | auth-passwd.c | 14 | ||||
| -rw-r--r-- | auth.h | 12 | ||||
| -rw-r--r-- | auth1.c | 10 | ||||
| -rw-r--r-- | auth2.c | 10 | ||||
| -rw-r--r-- | configure.in | 18 | ||||
| -rw-r--r-- | session.c | 11 |
8 files changed, 109 insertions, 13 deletions
@@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.101 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: acconfig.h,v 1.102 2001/02/18 06:01:00 djm Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -290,6 +290,9 @@ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 +/* Define if you have BSD auth support */ +#undef BSD_AUTH + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff --git a/auth-chall.c b/auth-chall.c index b6ec02a3..926c07ed 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -26,7 +26,48 @@ RCSID("$OpenBSD: auth-chall.c,v 1.4 2001/02/04 15:32:22 stevesk Exp $"); #include "auth.h" +#include "log.h" +#ifdef BSD_AUTH +char * +get_challenge(Authctxt *authctxt, char *devs) +{ + char *challenge; + + if (authctxt->as != NULL) { + debug2("try reuse session"); + challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE); + if (challenge != NULL) { + debug2("reuse bsd auth session"); + return challenge; + } + auth_close(authctxt->as); + authctxt->as = NULL; + } + debug2("new bsd auth session"); + if (devs == NULL || strlen(devs) == 0) + devs = authctxt->style; + debug3("bsd auth: devs %s", devs ? devs : "<default>"); + authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh", + &challenge); + if (authctxt->as == NULL) + return NULL; + debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY"); + return challenge; +} +int +verify_response(Authctxt *authctxt, char *response) +{ + int authok; + + if (authctxt->as == 0) + error("verify_response: no bsd auth session"); + authok = auth_userresponse(authctxt->as, response, 0); + authctxt->as = NULL; + debug("verify_response: <%s> = <%d>", response, authok); + return authok != 0; +} +#else #ifdef SKEY #include <skey.h> @@ -60,3 +101,4 @@ verify_response(Authctxt *authctxt, char *response) return 0; } #endif +#endif diff --git a/auth-passwd.c b/auth-passwd.c index c849abdc..5a91e558 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -77,14 +77,17 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $"); #define is_winnt (GetVersion() < 0x80000000) #endif + +extern ServerOptions options; + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ int -auth_password(struct passwd * pw, const char *password) +auth_password(Authctxt *authctxt, const char *password) { - extern ServerOptions options; + struct passwd * pw = authctxt->pw; char *encrypted_password; char *pw_password; char *salt; @@ -122,6 +125,13 @@ auth_password(struct passwd * pw, const char *password) #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; +#ifdef BSD_AUTH + if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", + (char *)password) == 0) + return 0; + else + return 1; +#endif #ifdef HAVE_CYGWIN if (is_winnt) { @@ -28,6 +28,13 @@ #include <openssl/rsa.h> +#ifdef HAVE_LOGIN_CAP +#include <login_cap.h> +#endif +#ifdef BSD_AUTH +#include <bsd_auth.h> +#endif + typedef struct Authctxt Authctxt; struct Authctxt { int success; @@ -39,6 +46,9 @@ struct Authctxt { char *service; struct passwd *pw; char *style; +#ifdef BSD_AUTH + auth_session_t *as; +#endif }; /* @@ -59,7 +69,7 @@ auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_ke * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ -int auth_password(struct passwd * pw, const char *password); +int auth_password(Authctxt *authctxt, const char *password); /* * Performs the RSA authentication dialog with the client. This returns 0 if @@ -92,7 +92,7 @@ do_authloop(Authctxt *authctxt) #elif defined(HAVE_OSF_SIA) 0) { #else - auth_password(pw, "")) { + auth_password(authctxt, "")) { #endif auth_log(authctxt, 1, "without authentication", ""); return; @@ -262,7 +262,7 @@ do_authloop(Authctxt *authctxt) password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ - authenticated = auth_password(pw, password); + authenticated = auth_password(authctxt, password); #endif /* USE_PAM */ memset(password, 0, strlen(password)); @@ -303,6 +303,12 @@ do_authloop(Authctxt *authctxt) log("Unknown message during authentication: type %d", type); break; } +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); @@ -218,6 +218,12 @@ input_userauth_request(int type, int plen, void *ctxt) /* reset state */ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error); authctxt->postponed = 0; +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif /* try to authenticate user */ m = authmethod_lookup(method); @@ -341,7 +347,7 @@ userauth_none(Authctxt *authctxt) #elif defined(HAVE_OSF_SIA) return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ - return auth_password(authctxt->pw, ""); + return auth_password(authctxt, ""); #endif /* USE_PAM */ } @@ -366,7 +372,7 @@ userauth_passwd(Authctxt *authctxt) #elif defined(HAVE_OSF_SIA) auth_sia_password(authctxt->user, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ - auth_password(authctxt->pw, password) == 1) + auth_password(authctxt, password) == 1) #endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); diff --git a/configure.in b/configure.in index cbc866ad..a5870f33 100644 --- a/configure.in +++ b/configure.in @@ -1,4 +1,4 @@ -# $Id: configure.in,v 1.246 2001/02/18 04:29:29 djm Exp $ +# $Id: configure.in,v 1.247 2001/02/18 06:01:00 djm Exp $ AC_INIT(ssh.c) @@ -1411,6 +1411,17 @@ AC_ARG_WITH(4in6, ] ) +# Whether to enable BSD auth support +AC_ARG_WITH(bsd-auth, + [ --with-bsd-auth Enable BSD auth support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(BSD_AUTH) + bsd_auth=yes + fi + ] +) + AC_MSG_CHECKING(whether to install ssh as suid root) AC_ARG_ENABLE(suid-ssh, [ --enable-suid-ssh Install ssh as suid root (default) @@ -1739,6 +1750,10 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +if test ! -z "$bsd_auth"; then + echo " BSD Auth support: yes" +fi + echo "" echo " Host: ${host}" @@ -1769,3 +1784,4 @@ if test ! -z "$NO_SFTP"; then echo "64bit integers." echo "" fi + @@ -89,10 +89,6 @@ RCSID("$OpenBSD: session.c,v 1.56 2001/02/16 14:03:43 markus Exp $"); # define S_UNOFILE_HARD S_UNOFILE "_hard" #endif -#ifdef HAVE_LOGIN_CAP -#include <login_cap.h> -#endif - /* types */ #define TTYSZ 64 @@ -1071,6 +1067,13 @@ do_child(const char *command, struct passwd * pw, const char *term, perror("unable to set user context"); exit(1); } +#ifdef BSD_AUTH + if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) { + error("approval failure for %s", pw->pw_name); + fprintf(stderr, "Approval failure"); + exit(1); + } +#endif # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); |