authorMarkus Friedl <markus@cvs.openbsd.org>2001-01-22 23:06:41 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2001-01-22 23:06:41 +0000
commit8e4f404512c799cf8ac277683c702f775aafe0a2 (patch)
treec7f0c48a16136d3cfde5842577f7a5e3ee2b5782 /usr.bin/ssh
parentfeddccaed728d7faf57681f6df4133432574282c (diff)
rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/auth1.c6
-rw-r--r--usr.bin/ssh/auth2.c9
-rw-r--r--usr.bin/ssh/readconf.c27
-rw-r--r--usr.bin/ssh/readconf.h5
-rw-r--r--usr.bin/ssh/servconf.c17
-rw-r--r--usr.bin/ssh/servconf.h5
-rw-r--r--usr.bin/ssh/sshconnect1.c18
-rw-r--r--usr.bin/ssh/sshconnect2.c5
-rw-r--r--usr.bin/ssh/sshd.c4
9 files changed, 52 insertions, 44 deletions
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index cba6085afc3..b19901d0578 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.13 2001/01/21 19:05:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.14 2001/01/22 23:06:39 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -252,7 +252,7 @@ do_authloop(Authctxt *authctxt)
case SSH_CMSG_AUTH_TIS:
debug("rcvd SSH_CMSG_AUTH_TIS");
- if (options.skey_authentication == 1) {
+ if (options.challenge_reponse_authentication == 1) {
char *challenge = get_challenge(authctxt, authctxt->style);
if (challenge != NULL) {
debug("sending challenge '%s'", challenge);
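Review bot: The new option field `challenge_reponse_authentication` is misspelled (it drops the first "s" of "response"), here and in every later hunk that uses it (auth2.c, readconf.c/.h, servconf.c/.h, sshconnect1.c, sshconnect2.c, sshd.c), along with `try_challenge_reponse_authentication()` and the string `"Doing challenge reponse authentication."`. The configuration keyword is spelled correctly (`challengeresponseauthentication`), so searching the tree for the keyword will not find the field that gates this authentication path. Renaming to `challenge_response_authentication` in this commit is cheaper than after more call sites accumulate. do_authloop's body starts and ends outside the hunk.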
@@ -266,7 +266,7 @@ do_authloop(Authctxt *authctxt)
break;
case SSH_CMSG_AUTH_TIS_RESPONSE:
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
- if (options.skey_authentication == 1) {
+ if (options.challenge_reponse_authentication == 1) {
char *response = packet_get_string(&dlen);
debug("got response '%s'", response);
packet_integrity_check(plen, 4 + dlen, type);
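Review bot: The context line `debug("got response '%s'", response);` writes the client's authentication response into the debug log, and it does so before `packet_integrity_check` on the following line has validated the packet length. With the option renamed from S/Key to generic challenge-response, the response can no longer be assumed to be a one-time value; that depends on the backing device, which is not visible here. I would log the event without the value, `debug("got challenge response");`. The case body continues outside the hunk.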
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 8bfb1b66407..441d08f7737 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.34 2001/01/22 23:06:39 markus Exp $");
#include <openssl/evp.h>
@@ -110,6 +110,10 @@ do_authentication2()
x_authctxt = authctxt; /*XXX*/
+ /* challenge-reponse is implemented via keyboard interactive */
+ if (options.challenge_reponse_authentication)
+ options.kbd_interactive_authentication = 1;
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
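Review bot: The added assignment silently overrides an explicit `KbdInteractiveAuthentication no`: by the time do_authentication2() runs, the option has presumably already been resolved from -1 to 0 or 1, so an administrator's "no" and the unset default cannot be told apart. Because servconf.c defaults `challenge_reponse_authentication` to 1, keyboard-interactive ends up enabled for ssh2 on a default server regardless of that keyword; the same override is added on the client in ssh_userauth2() (sshconnect2.c). Consider deriving the default while -1 is still visible, in fill_default_server_options() after the challenge-response default is set: `if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = options->challenge_reponse_authentication;`. Failing that, extend the comment to state the precedence, e.g. `/* overrides KbdInteractiveAuthentication no */`. The function body continues outside the hunk.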
@@ -344,7 +348,8 @@ userauth_kbdint(Authctxt *authctxt)
debug("keyboard-interactive language %s devs %s", lang, devs);
- authenticated = auth2_challenge(authctxt, devs);
+ if (options.challenge_reponse_authentication)
+ authenticated = auth2_challenge(authctxt, devs);
xfree(lang);
xfree(devs);
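Review bot: `authenticated` is now assigned only when the option is set, so the function's return value depends on an initializer that lies outside this hunk; before the change it was always assigned here. Please confirm it is declared as `int authenticated = 0;`, since otherwise the disabled path reads an indeterminate value in an authentication decision. The disabled path is also silent, so an `else debug("keyboard-interactive: challenge-response disabled");` would make the refusal visible when diagnosing login failures. This check uses truthiness while auth1.c and sshd.c compare `== 1`; picking one form keeps the gates consistent.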
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index b2b3f10d5f5..2a55cedfb56 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.58 2001/01/21 19:05:53 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -93,7 +93,7 @@ typedef enum {
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
- oSkeyAuthentication, oXAuthLocation,
+ oChallengeResponseAuthentication, oXAuthLocation,
#ifdef KRB4
oKerberosAuthentication,
#endif /* KRB4 */
@@ -104,7 +104,7 @@ typedef enum {
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
- oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+ oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias
@@ -127,8 +127,10 @@ static struct {
{ "kbdinteractivedevices", oKbdInteractiveDevices },
{ "rsaauthentication", oRSAAuthentication },
{ "pubkeyauthentication", oPubkeyAuthentication },
- { "dsaauthentication", oPubkeyAuthentication }, /* alias */
- { "skeyauthentication", oSkeyAuthentication },
+ { "dsaauthentication", oPubkeyAuthentication }, /* alias */
+ { "challengeresponseauthentication", oChallengeResponseAuthentication },
+ { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
#ifdef KRB4
{ "kerberosauthentication", oKerberosAuthentication },
#endif /* KRB4 */
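Review bot: The new keyword `challengeresponseauthentication` and the `skeyauthentication`/`tisauthentication` aliases are not documented by this commit: the diffstat lists only .c and .h files, no manual page. Users reading the old documentation will still find only the old names and will not learn that both now set the same flag. A short comment above the three entries would also help, e.g. `/* skey/tis kept as aliases for backward compatibility with existing config files */`. The table starts and ends outside the hunk.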
@@ -165,7 +167,6 @@ static struct {
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
- { "tisauthentication", oTISAuthentication },
{ "loglevel", oLogLevel },
{ NULL, 0 }
};
@@ -316,10 +317,8 @@ parse_flag:
intptr = &options->rhosts_rsa_authentication;
goto parse_flag;
- case oTISAuthentication:
- /* fallthrough, there is no difference on the client side */
- case oSkeyAuthentication:
- intptr = &options->skey_authentication;
+ case oChallengeResponseAuthentication:
+ intptr = &options->challenge_reponse_authentication;
goto parse_flag;
#ifdef KRB4
@@ -667,7 +666,7 @@ initialize_options(Options * options)
options->rhosts_authentication = -1;
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
- options->skey_authentication = -1;
+ options->challenge_reponse_authentication = -1;
#ifdef KRB4
options->kerberos_authentication = -1;
#endif
@@ -734,8 +733,8 @@ fill_default_options(Options * options)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
- if (options->skey_authentication == -1)
- options->skey_authentication = 0;
+ if (options->challenge_reponse_authentication == -1)
+ options->challenge_reponse_authentication = 0;
#ifdef KRB4
if (options->kerberos_authentication == -1)
options->kerberos_authentication = 1;
@@ -749,7 +748,7 @@ fill_default_options(Options * options)
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
- options->kbd_interactive_authentication = 0;
+ options->kbd_interactive_authentication = 1;
if (options->rhosts_rsa_authentication == -1)
options->rhosts_rsa_authentication = 1;
if (options->fallback_to_rsh == -1)
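Review bot: Flipping the client default for `kbd_interactive_authentication` to 1 leaves the two options out of step: `challenge_reponse_authentication` still defaults to 0 in the previous hunk, so `ChallengeResponseAuthentication no` turns off the ssh1 TIS path but not the ssh2 keyboard-interactive one. A comment here should state that relationship, e.g. `/* on by default; ChallengeResponseAuthentication can only force it on, see ssh_userauth2() */`. The ssh1 path in sshconnect1.c is skipped under `options.batch_mode`; whether the ssh2 keyboard-interactive path has an equivalent guard is not visible in this commit and is worth checking now that the method is tried by default. fill_default_options continues outside the hunk.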
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 08ff70839e8..241b7165c0a 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -36,7 +36,8 @@ typedef struct {
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
- int skey_authentication; /* Try S/Key or TIS authentication. */
+ int challenge_reponse_authentication;
+ /* Try S/Key or TIS, authentication. */
#ifdef KRB4
int kerberos_authentication; /* Try Kerberos
* authentication. */
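Review bot: The comment on the renamed field, `/* Try S/Key or TIS, authentication. */`, has a stray comma and still describes the option by its two old backends; I would write `/* Try challenge-response (S/Key, TIS) authentication. */`. In servconf.h the corresponding field lost its comment entirely in this commit, leaving `int challenge_reponse_authentication;` as the only undocumented member in that hunk; something like `/* If true, permit challenge-response authentication. */` would restore it. The struct definition starts and ends outside the hunk.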
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 67a82b8e867..9f292b6a549 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.62 2001/01/21 19:05:55 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.63 2001/01/22 23:06:39 markus Exp $");
#ifdef KRB4
#include <krb.h>
@@ -76,7 +76,7 @@ initialize_server_options(ServerOptions *options)
#endif
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
- options->skey_authentication = -1;
+ options->challenge_reponse_authentication = -1;
options->permit_empty_passwd = -1;
options->use_login = -1;
options->allow_tcp_forwarding = -1;
@@ -170,8 +170,8 @@ fill_default_server_options(ServerOptions *options)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
- if (options->skey_authentication == -1)
- options->skey_authentication = 1;
+ if (options->challenge_reponse_authentication == -1)
+ options->challenge_reponse_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->use_login == -1)
@@ -200,7 +200,7 @@ typedef enum {
#ifdef AFS
sKerberosTgtPassing, sAFSTokenPassing,
#endif
- sSkeyAuthentication,
+ sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
@@ -242,7 +242,8 @@ static struct {
#endif
{ "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
- { "skeyauthentication", sSkeyAuthentication },
+ { "challengeresponseauthentication", sChallengeResponseAuthentication },
+ { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
{ "checkmail", sCheckMail },
{ "listenaddress", sListenAddress },
{ "printmotd", sPrintMotd },
@@ -536,8 +537,8 @@ parse_flag:
intptr = &options->check_mail;
goto parse_flag;
- case sSkeyAuthentication:
- intptr = &options->skey_authentication;
+ case sChallengeResponseAuthentication:
+ intptr = &options->challenge_reponse_authentication;
goto parse_flag;
case sPrintMotd:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index ea0694905f2..e31636701fb 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.34 2001/01/19 12:45:27 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.35 2001/01/22 23:06:40 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -80,8 +80,7 @@ typedef struct {
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
- int skey_authentication; /* If true, permit s/key
- * authentication. */
+ int challenge_reponse_authentication;
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 2c097256a4f..5a5a2222752 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.19 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.20 2001/01/22 23:06:40 markus Exp $");
#include <openssl/bn.h>
#include <openssl/evp.h>
@@ -613,7 +613,7 @@ send_afs_tokens(void)
* Note that the client code is not tied to s/key or TIS.
*/
int
-try_skey_authentication()
+try_challenge_reponse_authentication()
{
int type, i;
int payload_len;
@@ -621,7 +621,7 @@ try_skey_authentication()
char prompt[1024];
char *challenge, *response;
- debug("Doing skey authentication.");
+ debug("Doing challenge reponse authentication.");
for (i = 0; i < options.number_of_password_prompts; i++) {
/* request a challenge */
@@ -633,10 +633,10 @@ try_skey_authentication()
if (type != SSH_SMSG_FAILURE &&
type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
packet_disconnect("Protocol error: got %d in response "
- "to skey-auth", type);
+ "to SSH_CMSG_AUTH_TIS", type);
}
if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
- debug("No challenge for skey authentication.");
+ debug("No challenge.");
return 0;
}
challenge = packet_get_string(&clen);
@@ -665,7 +665,7 @@ try_skey_authentication()
return 1;
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response "
- "to skey-auth-reponse", type);
+ "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
}
/* failure */
return 0;
@@ -1018,10 +1018,10 @@ ssh_userauth(
try_rsa_authentication(options.identity_files[i]))
return;
}
- /* Try skey authentication if the server supports it. */
+ /* Try challenge response authentication if the server supports it. */
if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
- options.skey_authentication && !options.batch_mode) {
- if (try_skey_authentication())
+ options.challenge_reponse_authentication && !options.batch_mode) {
+ if (try_challenge_reponse_authentication())
return;
}
/* Try password authentication if the server supports it. */
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 1b442287660..1d911b9bbde 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.38 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.39 2001/01/22 23:06:40 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -513,6 +513,9 @@ ssh_userauth2(const char *server_user, char *host)
int type;
int plen;
+ if (options.challenge_reponse_authentication)
+ options.kbd_interactive_authentication = 1;
+
debug("send SSH2_MSG_SERVICE_REQUEST");
packet_start(SSH2_MSG_SERVICE_REQUEST);
packet_put_cstring("ssh-userauth");
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 3790acb0161..12729eeb37a 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.156 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.157 2001/01/22 23:06:40 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -1230,7 +1230,7 @@ do_ssh1_kex(void)
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif
- if (options.skey_authentication == 1)
+ if (options.challenge_reponse_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
if (options.password_authentication)
auth_mask |= 1 << SSH_AUTH_PASSWORD;