authorMarkus Friedl <markus@cvs.openbsd.org>1999-11-22 21:52:43 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>1999-11-22 21:52:43 +0000
commit5b2767279ec547fef43cb37fe3a504031abef9ba (patch)
tree43c8fd23ea469150ab3b029bb517d039976c889f /usr.bin/ssh
parente635c41f03fe35686ec48598b5ff248c2485d8bb (diff)
transfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE
messages. allows use of s/key in windows (ttssh, securecrt) and ssh-1.2.27 clients without 'ssh -v', ok: niels@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/readconf.c22
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/ssh.112
-rw-r--r--usr.bin/ssh/ssh.h11
-rw-r--r--usr.bin/ssh/sshconnect.c49
-rw-r--r--usr.bin/ssh/sshd.c45
6 files changed, 121 insertions, 21 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 219035d5c65..675bf7ef1dd 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -14,7 +14,7 @@ Functions for reading the configuration files.
*/
#include "includes.h"
-RCSID("$Id: readconf.c,v 1.15 1999/11/19 16:04:17 markus Exp $");
+RCSID("$Id: readconf.c,v 1.16 1999/11/22 21:52:41 markus Exp $");
#include "ssh.h"
#include "cipher.h"
@@ -91,6 +91,7 @@ typedef enum
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
+ oSkeyAuthentication,
#ifdef KRB4
oKerberosAuthentication,
#endif /* KRB4 */
@@ -120,6 +121,7 @@ static struct
{ "rhostsauthentication", oRhostsAuthentication },
{ "passwordauthentication", oPasswordAuthentication },
{ "rsaauthentication", oRSAAuthentication },
+ { "skeyauthentication", oSkeyAuthentication },
#ifdef KRB4
{ "kerberosauthentication", oKerberosAuthentication },
#endif /* KRB4 */
@@ -288,6 +290,12 @@ process_config_line(Options *options, const char *host,
intptr = &options->rhosts_rsa_authentication;
goto parse_flag;
+ case oTISAuthentication:
+ /* fallthrough, there is no difference on the client side */
+ case oSkeyAuthentication:
+ intptr = &options->skey_authentication;
+ goto parse_flag;
+
#ifdef KRB4
case oKerberosAuthentication:
intptr = &options->kerberos_authentication;
@@ -350,15 +358,6 @@ process_config_line(Options *options, const char *host,
case oNumberOfPasswordPrompts:
intptr = &options->number_of_password_prompts;
goto parse_int;
-
- case oTISAuthentication:
- cp = strtok(NULL, WHITESPACE);
- if (cp != 0 && (strcmp(cp, "yes") == 0 || strcmp(cp, "true") == 0))
- fprintf(stderr,
- "%.99s line %d: Warning, TIS is not supported.\n",
- filename,
- linenum);
- break;
case oCompressionLevel:
intptr = &options->compression_level;
@@ -598,6 +597,7 @@ void initialize_options(Options *options)
options->use_privileged_port = -1;
options->rhosts_authentication = -1;
options->rsa_authentication = -1;
+ options->skey_authentication = -1;
#ifdef KRB4
options->kerberos_authentication = -1;
#endif
@@ -648,6 +648,8 @@ void fill_default_options(Options *options)
options->rhosts_authentication = 1;
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
+ if (options->skey_authentication == -1)
+ options->skey_authentication = 0;
#ifdef KRB4
if (options->kerberos_authentication == -1)
options->kerberos_authentication = 1;
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 24e7e7c5374..91eb23dc133 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -13,7 +13,7 @@ Functions for reading the configuration file.
*/
-/* RCSID("$Id: readconf.h,v 1.9 1999/11/14 21:45:07 markus Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.10 1999/11/22 21:52:41 markus Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -38,6 +38,7 @@ typedef struct
int rhosts_authentication; /* Try rhosts authentication. */
int rhosts_rsa_authentication;/* Try rhosts with RSA authentication. */
int rsa_authentication; /* Try RSA authentication. */
+ int skey_authentication; /* Try S/Key or TIS authentication. */
#ifdef KRB4
int kerberos_authentication; /* Try Kerberos authentication. */
#endif
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 33de9fa92c0..a793b8c8308 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: ssh.1,v 1.26 1999/11/17 21:08:07 aaron Exp $
+.\" $Id: ssh.1,v 1.27 1999/11/22 21:52:41 markus Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
@@ -662,6 +662,16 @@ or
RSA authentication will only be
attempted if the identity file exists, or an authentication agent is
running.
+.It Cm SkeyAuthentication
+Specifies whether to use
+.Xr skey 1
+authentication. The argument to
+this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm CheckHostIP
If this flag is set to
.Dq yes ,
diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h
index 85923137bbc..5cd7eb92f55 100644
--- a/usr.bin/ssh/ssh.h
+++ b/usr.bin/ssh/ssh.h
@@ -13,7 +13,7 @@ Generic header file for ssh.
*/
-/* RCSID("$Id: ssh.h,v 1.23 1999/11/22 21:02:38 markus Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.24 1999/11/22 21:52:42 markus Exp $"); */
#ifndef SSH_H
#define SSH_H
@@ -141,7 +141,7 @@ only by root, whereas ssh_config should be world-readable. */
#define SSH_AUTH_RSA 2
#define SSH_AUTH_PASSWORD 3
#define SSH_AUTH_RHOSTS_RSA 4
- /* 5 is TIS */
+#define SSH_AUTH_TIS 5
#define SSH_AUTH_KERBEROS 6
#define SSH_PASS_KERBEROS_TGT 7
/* 8 to 15 are reserved */
@@ -195,10 +195,9 @@ only by root, whereas ssh_config should be world-readable. */
#define SSH_MSG_DEBUG 36 /* string */
#define SSH_CMSG_REQUEST_COMPRESSION 37 /* level 1-9 (int) */
#define SSH_CMSG_MAX_PACKET_SIZE 38 /* size 4k-1024k (int) */
-#define SSH_CMSG_AUTH_TIS 39 /* this is proto-1.5, but we ignore TIS */
-#define SSH_SMSG_AUTH_TIS_CHALLENGE 40
-#define SSH_CMSG_AUTH_TIS_RESPONSE 41
-
+#define SSH_CMSG_AUTH_TIS 39 /* we use this for s/key */
+#define SSH_SMSG_AUTH_TIS_CHALLENGE 40 /* challenge (string) */
+#define SSH_CMSG_AUTH_TIS_RESPONSE 41 /* response (string) */
#define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */
#define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */
#define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 2a2a43189cc..80bf17c7f43 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -15,7 +15,7 @@ login (authentication) dialog.
*/
#include "includes.h"
-RCSID("$Id: sshconnect.c,v 1.36 1999/11/19 19:58:18 markus Exp $");
+RCSID("$Id: sshconnect.c,v 1.37 1999/11/22 21:52:42 markus Exp $");
#include <ssl/bn.h>
#include "xmalloc.h"
@@ -1495,6 +1495,53 @@ void ssh_login(int host_key_valid,
if (try_rsa_authentication(pw, options.identity_files[i]))
return; /* Successful connection. */
}
+
+ /* Try skey authentication if the server supports it. */
+ if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
+ options.skey_authentication && !options.batch_mode)
+ {
+ debug("Doing skey authentication.");
+
+ /* request a challenge */
+ packet_start(SSH_CMSG_AUTH_TIS);
+ packet_send();
+ packet_write_wait();
+
+ type = packet_read(&payload_len);
+ if (type != SSH_SMSG_FAILURE &&
+ type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+ packet_disconnect("Protocol error: got %d in response "
+ "to skey auth", type);
+ }
+ if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+ debug("No challenge for skey authentication.");
+ } else {
+ char *challenge, *response;
+ challenge = packet_get_string(&payload_len);
+ if (options.cipher == SSH_CIPHER_NONE)
+ log("WARNING: Encryption is disabled! "
+ "Reponse will be transmitted in clear text.");
+ fprintf(stderr, "%s\n", challenge);
+ fflush(stderr);
+ for (i = 0; i < options.number_of_password_prompts; i++) {
+ if (i != 0)
+ error("Permission denied, please try again.");
+ response = read_passphrase("Response: ", 0);
+ packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
+ packet_put_string(response, strlen(response));
+ memset(response, 0, strlen(response));
+ xfree(response);
+ packet_send();
+ packet_write_wait();
+ type = packet_read(&payload_len);
+ if (type == SSH_SMSG_SUCCESS)
+ return;
+ if (type != SSH_SMSG_FAILURE)
+ packet_disconnect("Protocol error: got %d in response "
+ "to skey auth", type);
+ }
+ }
+ }
/* Try password authentication if the server supports it. */
if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
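Review bot: The challenge buffer obtained at `challenge = packet_get_string(&payload_len);` is never released: the `response` buffer is zeroed and freed on every iteration of the prompt loop, but `challenge` leaks both on the early `return` after SSH_SMSG_SUCCESS and when the loop runs out of attempts, so an `xfree(challenge);` is needed at the end of the `else` branch (and before the success `return`, or the loop should break out to one cleanup point). The challenge is also server-controlled and is written verbatim to the terminal by `fprintf(stderr, "%s\n", challenge);`; a hostile or compromised server can place control characters and terminal escape sequences in it, so the string should be passed through a filter that drops non-printable bytes before it is displayed, as is already the practice for other server-supplied text shown to the user. The warning literal `"Reponse will be transmitted in clear text."` has a typo ("Response"). ssh_login begins before this hunk and continues after it.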
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index eda984b4788..55a981737ca 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -18,7 +18,7 @@ agent connections.
*/
#include "includes.h"
-RCSID("$Id: sshd.c,v 1.62 1999/11/22 21:02:39 markus Exp $");
+RCSID("$Id: sshd.c,v 1.63 1999/11/22 21:52:42 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -210,6 +210,10 @@ get_authname(int type)
case SSH_CMSG_AUTH_KERBEROS:
return "kerberos";
#endif
+#ifdef SKEY
+ case SSH_CMSG_AUTH_TIS_RESPONSE:
+ return "s/key";
+#endif
}
fatal("get_authname: unknown auth %d: internal error", type);
return NULL;
@@ -835,6 +839,10 @@ do_connection()
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif
+#ifdef SKEY
+ if (options.skey_authentication == 1)
+ auth_mask |= 1 << SSH_AUTH_TIS;
+#endif
if (options.password_authentication)
auth_mask |= 1 << SSH_AUTH_PASSWORD;
packet_put_int(auth_mask);
@@ -1303,10 +1311,43 @@ do_authloop(struct passwd *pw)
xfree(password);
break;
+#ifdef SKEY
+ case SSH_CMSG_AUTH_TIS:
+ debug("rcvd SSH_CMSG_AUTH_TIS");
+ if (options.skey_authentication == 1) {
+ char *skeyinfo = skey_keyinfo(pw->pw_name);
+ if (skeyinfo == NULL) {
+ debug("generating fake skeyinfo for %.100s.", pw->pw_name);
+ skeyinfo = skey_fake_keyinfo(pw->pw_name);
+ }
+ if (skeyinfo != NULL) {
+ /* we send our s/key- in tis-challenge messages */
+ debug("sending challenge '%s'", skeyinfo);
+ packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+ packet_put_string(skeyinfo, strlen(skeyinfo));
+ packet_send();
+ packet_write_wait();
+ continue;
+ }
+ }
+ break;
+ case SSH_CMSG_AUTH_TIS_RESPONSE:
+ debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
+ if (options.skey_authentication == 1) {
+ char *response = packet_get_string(&dlen);
+ debug("skey response == '%s'", response);
+ packet_integrity_check(plen, 4 + dlen, type);
+ authenticated = (skey_haskey(pw->pw_name) == 0 &&
+ skey_passcheck(pw->pw_name, response) != -1);
+ xfree(response);
+ }
+ break;
+#else
case SSH_CMSG_AUTH_TIS:
/* TIS Authentication is unsupported */
- log("TIS authentication disabled.");
+ log("TIS authentication unsupported.");
break;
+#endif
default:
/* Any unknown messages will be ignored (and failure returned)