authorDarren Tucker <dtucker@cvs.openbsd.org>2005-01-19 13:11:48 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2005-01-19 13:11:48 +0000
commit33b3db42e399e40816dc09c27ca2c1135e03864f (patch)
tree463a79cae95e31e53edc2fe9950501e9e3032699
parent426022726f7517d9f29850bd17ef2022337c86ab (diff)
Have keyboard-interactive code call the drivers even for responses for
invalid logins. This allows the drivers themselves to decide how to handle them and prevent leaking information where possible. Existing behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@
-rw-r--r--usr.bin/ssh/auth-bsdauth.c5
-rw-r--r--usr.bin/ssh/auth2-chall.c11
2 files changed, 7 insertions, 9 deletions
diff --git a/usr.bin/ssh/auth-bsdauth.c b/usr.bin/ssh/auth-bsdauth.c
index 2ac27a7a20e..920c977d85a 100644
--- a/usr.bin/ssh/auth-bsdauth.c
+++ b/usr.bin/ssh/auth-bsdauth.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $");
#ifdef BSD_AUTH
#include "xmalloc.h"
@@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
Authctxt *authctxt = ctx;
int authok;
+ if (!authctxt->valid)
+ return -1;
+
if (authctxt->as == 0)
error("bsdauth_respond: no bsd auth session");
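Review bot: The early return added at the top of bsdauth_respond gives an invalid login a shorter path than a valid one, because the session check shown here and the rest of the body (which lies outside the hunk) are skipped. If that remainder does measurable work, response timing may distinguish existing accounts from nonexistent ones. The commit message states this matches the previous behaviour, so it is not a regression, but the trade-off should be recorded at the guard, for example `/* Invalid login: fail before touching the auth session; auth2-chall.c no longer filters these. */`.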
diff --git a/usr.bin/ssh/auth2-chall.c b/usr.bin/ssh/auth2-chall.c
index 5901ed81ec9..2dfc139f768 100644
--- a/usr.bin/ssh/auth2-chall.c
+++ b/usr.bin/ssh/auth2-chall.c
@@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
#include "ssh2.h"
#include "auth.h"
@@ -268,12 +268,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
}
packet_check_eom();
- if (authctxt->valid) {
- res = kbdintctxt->device->respond(kbdintctxt->ctxt,
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
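Review bot: The now-unconditional `respond()` call changes the contract for every keyboard-interactive driver, but nothing in the code records it. A driver can now be handed client-supplied responses while `authctxt->valid` is 0, and any per-user state it expects may never have been set up. A comment above the call would make the requirement explicit, for example `/* Called for invalid logins too; drivers must cope and must not reveal validity. */`. The same note belongs wherever the device interface is declared, which is not visible on this page. input_userauth_info_response starts and ends outside the hunk.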
@@ -285,7 +280,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
switch (res) {
case 0:
/* Success! */
- authenticated = 1;
+ authenticated = authctxt->valid ? 1 : 0;
break;
case 1:
/* Authentication needs further interaction */
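Review bot: The `/* Success! */` comment above the changed assignment is no longer accurate, because `res == 0` for an invalid login now leaves `authenticated` at 0. This line is the fail-closed backstop for any driver that reports success without checking validity, and the comment should say so, for example `/* Driver accepted the response; never authenticate an invalid login. */`. A driver returning 0 for an invalid login probably points at a driver bug, so a debug-level log in that case would help operators notice it. The switch continues past the end of the hunk.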