From 8ee58010252e6899333cf4fac6a9c1eab90fa9cf Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 20 Jan 2005 14:27:39 +1100 Subject: - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 [auth-bsdauth.c auth2-chall.c] Have keyboard-interactive code call the drivers even for responses for invalid logins. This allows the drivers themselves to decide how to handle them and prevent leaking information where possible. Existing behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@ --- ChangeLog | 13 ++++++++++++- auth-bsdauth.c | 5 ++++- auth2-chall.c | 11 +++-------- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index d3fd43c2..d6761159 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +20050120 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 + [auth-bsdauth.c auth2-chall.c] + Have keyboard-interactive code call the drivers even for responses for + invalid logins. This allows the drivers themselves to decide how to + handle them and prevent leaking information where possible. Existing + behaviour for bsdauth is maintained by checking authctxt->valid in the + bsdauth driver. Note that any third-party kbdint drivers will now need + to be able to handle responses for invalid logins. ok markus@ + 20041102 - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX 10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__ @@ -1663,4 +1674,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3517.2.2 2004/11/02 09:29:53 dtucker Exp $ +$Id: ChangeLog,v 1.3517.2.3 2005/01/20 03:27:39 dtucker Exp $ diff --git a/auth-bsdauth.c b/auth-bsdauth.c index 2ac27a7a..920c977d 100644 --- a/auth-bsdauth.c +++ b/auth-bsdauth.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $"); +RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $"); #ifdef BSD_AUTH #include "xmalloc.h" @@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses) Authctxt *authctxt = ctx; int authok; + if (!authctxt->valid) + return -1; + if (authctxt->as == 0) error("bsdauth_respond: no bsd auth session"); diff --git a/auth2-chall.c b/auth2-chall.c index 486baaaa..29234439 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -23,7 +23,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $"); #include "ssh2.h" #include "auth.h" @@ -274,12 +274,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) } packet_check_eom(); - if (authctxt->valid) { - res = kbdintctxt->device->respond(kbdintctxt->ctxt, - nresp, response); - } else { - res = -1; - } + res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); for (i = 0; i < nresp; i++) { memset(response[i], 'r', strlen(response[i])); @@ -291,7 +286,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) switch (res) { case 0: /* Success! */ - authenticated = 1; + authenticated = authctxt->valid ? 1 : 0; break; case 1: /* Authentication needs further interaction */ -- cgit v1.2.3