summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2001-01-18 17:00:01 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2001-01-18 17:00:01 +0000
commit7132bfd52ca0f18bb1e926d3b0da86f89f55a3f5 (patch)
treee91c1e967ce5807278de0fcc6c77e3d51784ef72 /usr.bin
parenta4691d42f749de19890823deb77459b3bd91c42a (diff)
1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/auth-passwd.c35
-rw-r--r--usr.bin/ssh/auth-skey.c198
-rw-r--r--usr.bin/ssh/auth.c94
-rw-r--r--usr.bin/ssh/auth.h15
-rw-r--r--usr.bin/ssh/auth1.c189
-rw-r--r--usr.bin/ssh/auth2-skey.c133
-rw-r--r--usr.bin/ssh/auth2.c112
-rw-r--r--usr.bin/ssh/serverloop.c4
-rw-r--r--usr.bin/ssh/session.c9
-rw-r--r--usr.bin/ssh/session.h2
-rw-r--r--usr.bin/ssh/sshconnect1.c5
-rw-r--r--usr.bin/ssh/sshd/Makefile6
12 files changed, 298 insertions, 504 deletions
diff --git a/usr.bin/ssh/auth-passwd.c b/usr.bin/ssh/auth-passwd.c
index f3bcee59023..409c3462521 100644
--- a/usr.bin/ssh/auth-passwd.c
+++ b/usr.bin/ssh/auth-passwd.c
@@ -11,30 +11,7 @@
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*
- *
* Copyright (c) 1999 Dug Song. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- *
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -59,13 +36,15 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.19 2001/01/18 16:59:59 markus Exp $");
#include "packet.h"
#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"
+#include "auth.h"
+
/*
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
@@ -84,14 +63,6 @@ auth_password(struct passwd * pw, const char *password)
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
-#ifdef SKEY_VIA_PASSWD_IS_DISABLED
- if (options.skey_authentication == 1) {
- int ret = auth_skey_password(pw, password);
- if (ret == 1 || ret == 0)
- return ret;
- /* Fall back to ordinary passwd authentication. */
- }
-#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
int ret = auth_krb4_password(pw, password);
diff --git a/usr.bin/ssh/auth-skey.c b/usr.bin/ssh/auth-skey.c
index 95ff6e4656b..156fee41ea3 100644
--- a/usr.bin/ssh/auth-skey.c
+++ b/usr.bin/ssh/auth-skey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -23,183 +23,39 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $");
+RCSID("$OpenBSD: auth-skey.c,v 1.10 2001/01/18 16:59:59 markus Exp $");
#include "ssh.h"
-#include "packet.h"
-#include <sha1.h>
+#include "auth.h"
-/*
- * try skey authentication,
- * return 1 on success, 0 on failure, -1 if skey is not available
- */
-
-int
-auth_skey_password(struct passwd * pw, const char *password)
+#ifdef SKEY
+char *
+get_challenge(Authctxt *authctxt, char *devs)
{
- if (strncasecmp(password, "s/key", 5) == 0) {
- char *skeyinfo = skey_keyinfo(pw->pw_name);
- if (skeyinfo == NULL) {
- debug("generating fake skeyinfo for %.100s.",
- pw->pw_name);
- skeyinfo = skey_fake_keyinfo(pw->pw_name);
- }
- if (skeyinfo != NULL)
- packet_send_debug("%s", skeyinfo);
- /* Try again. */
- return 0;
- } else if (skey_haskey(pw->pw_name) == 0 &&
- skey_passcheck(pw->pw_name, (char *) password) != -1) {
- /* Authentication succeeded. */
- return 1;
- }
- /* Fall back to ordinary passwd authentication. */
- return -1;
+ static char challenge[1024];
+ struct skey skey;
+ if (skeychallenge(&skey, authctxt->user, challenge) == -1)
+ return NULL;
+ strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
+ return challenge;
}
-
-/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */
-
-#define ROUND(x) (((x)[0] << 24) + (((x)[1]) << 16) + (((x)[2]) << 8) + \
- ((x)[3]))
-
-/*
- * hash_collapse()
- */
-static u_int32_t
-hash_collapse(s)
- u_char *s;
+int
+verify_response(Authctxt *authctxt, char *response)
{
- int len, target;
- u_int32_t i;
-
- if ((strlen(s) % sizeof(u_int32_t)) == 0)
- target = strlen(s); /* Multiple of 4 */
- else
- target = strlen(s) - (strlen(s) % sizeof(u_int32_t));
-
- for (i = 0, len = 0; len < target; len += 4)
- i ^= ROUND(s + len);
-
- return i;
+ return (authctxt->valid &&
+ skey_haskey(authctxt->pw->pw_name) == 0 &&
+ skey_passcheck(authctxt->pw->pw_name, response) != -1);
}
-
+#else
+/* not available */
char *
-skey_fake_keyinfo(char *username)
+get_challenge(Authctxt *authctxt, char *devs)
{
- int i;
- u_int ptr;
- u_char hseed[SKEY_MAX_SEED_LEN], flg = 1, *up;
- char pbuf[SKEY_MAX_PW_LEN+1];
- static char skeyprompt[SKEY_MAX_CHALLENGE+1];
- char *secret = NULL;
- size_t secretlen = 0;
- SHA1_CTX ctx;
- char *p, *u;
-
- /*
- * Base first 4 chars of seed on hostname.
- * Add some filler for short hostnames if necessary.
- */
- if (gethostname(pbuf, sizeof(pbuf)) == -1)
- *(p = pbuf) = '.';
- else
- for (p = pbuf; *p && isalnum(*p); p++)
- if (isalpha(*p) && isupper(*p))
- *p = tolower(*p);
- if (*p && pbuf - p < 4)
- (void)strncpy(p, "asjd", 4 - (pbuf - p));
- pbuf[4] = '\0';
-
- /* Hash the username if possible */
- if ((up = SHA1Data(username, strlen(username), NULL)) != NULL) {
- struct stat sb;
- time_t t;
- int fd;
-
- /* Collapse the hash */
- ptr = hash_collapse(up);
- memset(up, 0, strlen(up));
-
- /* See if the random file's there, else use ctime */
- if ((fd = open(_SKEY_RAND_FILE_PATH_, O_RDONLY)) != -1
- && fstat(fd, &sb) == 0 &&
- sb.st_size > (off_t)SKEY_MAX_SEED_LEN &&
- lseek(fd, ptr % (sb.st_size - SKEY_MAX_SEED_LEN),
- SEEK_SET) != -1 && read(fd, hseed,
- SKEY_MAX_SEED_LEN) == SKEY_MAX_SEED_LEN) {
- close(fd);
- fd = -1;
- secret = hseed;
- secretlen = SKEY_MAX_SEED_LEN;
- flg = 0;
- } else if (!stat(_PATH_MEM, &sb) || !stat("/", &sb)) {
- t = sb.st_ctime;
- secret = ctime(&t);
- secretlen = strlen(secret);
- flg = 0;
- }
- if (fd != -1)
- close(fd);
- }
-
- /* Put that in your pipe and smoke it */
- if (flg == 0) {
- /* Hash secret value with username */
- SHA1Init(&ctx);
- SHA1Update(&ctx, secret, secretlen);
- SHA1Update(&ctx, username, strlen(username));
- SHA1End(&ctx, up);
-
- /* Zero out */
- memset(secret, 0, secretlen);
-
- /* Now hash the hash */
- SHA1Init(&ctx);
- SHA1Update(&ctx, up, strlen(up));
- SHA1End(&ctx, up);
-
- ptr = hash_collapse(up + 4);
-
- for (i = 4; i < 9; i++) {
- pbuf[i] = (ptr % 10) + '0';
- ptr /= 10;
- }
- pbuf[i] = '\0';
-
- /* Sequence number */
- ptr = ((up[2] + up[3]) % 99) + 1;
-
- memset(up, 0, 20); /* SHA1 specific */
- free(up);
-
- (void)snprintf(skeyprompt, sizeof skeyprompt,
- "otp-%.*s %d %.*s",
- SKEY_MAX_HASHNAME_LEN,
- skey_get_algorithm(),
- ptr, SKEY_MAX_SEED_LEN,
- pbuf);
- } else {
- /* Base last 8 chars of seed on username */
- u = username;
- i = 8;
- p = &pbuf[4];
- do {
- if (*u == 0) {
- /* Pad remainder with zeros */
- while (--i >= 0)
- *p++ = '0';
- break;
- }
-
- *p++ = (*u++ % 10) + '0';
- } while (--i != 0);
- pbuf[12] = '\0';
-
- (void)snprintf(skeyprompt, sizeof skeyprompt,
- "otp-%.*s %d %.*s",
- SKEY_MAX_HASHNAME_LEN,
- skey_get_algorithm(),
- 99, SKEY_MAX_SEED_LEN, pbuf);
- }
- return skeyprompt;
+ return NULL;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+ return 0;
}
+#endif
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 957b93db4c1..34df2ff5364 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,14 +1,4 @@
/*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -33,25 +23,16 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.13 2001/01/18 16:59:59 markus Exp $");
#include "xmalloc.h"
-#include "rsa.h"
#include "ssh.h"
-#include "pty.h"
-#include "packet.h"
-#include "buffer.h"
-#include "mpaux.h"
-#include "servconf.h"
-#include "compat.h"
-#include "channels.h"
#include "match.h"
+#include "servconf.h"
#include "groupaccess.h"
-#include "bufaux.h"
-#include "ssh2.h"
#include "auth.h"
-#include "session.h"
+#include "auth-options.h"
/* import */
extern ServerOptions options;
@@ -130,3 +111,72 @@ allowed_user(struct passwd * pw)
/* We found no reason not to let this user try to log on... */
return 1;
}
+
+Authctxt *
+authctxt_new(void)
+{
+ Authctxt *authctxt = xmalloc(sizeof(*authctxt));
+ memset(authctxt, 0, sizeof(*authctxt));
+ return authctxt;
+}
+
+struct passwd *
+pwcopy(struct passwd *pw)
+{
+ struct passwd *copy = xmalloc(sizeof(*copy));
+ memset(copy, 0, sizeof(*copy));
+ copy->pw_name = xstrdup(pw->pw_name);
+ copy->pw_passwd = xstrdup(pw->pw_passwd);
+ copy->pw_uid = pw->pw_uid;
+ copy->pw_gid = pw->pw_gid;
+ copy->pw_class = xstrdup(pw->pw_class);
+ copy->pw_dir = xstrdup(pw->pw_dir);
+ copy->pw_shell = xstrdup(pw->pw_shell);
+ return copy;
+}
+
+void
+auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+{
+ void (*authlog) (const char *fmt,...) = verbose;
+ char *authmsg;
+
+ /* Raise logging level */
+ if (authenticated == 1 ||
+ !authctxt->valid ||
+ authctxt->failures >= AUTH_FAIL_LOG ||
+ strcmp(method, "password") == 0)
+ authlog = log;
+
+ if (authctxt->postponed)
+ authmsg = "Postponed";
+ else
+ authmsg = authenticated ? "Accepted" : "Failed";
+
+ authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authmsg,
+ method,
+ authctxt->valid ? "" : "illegal user ",
+ authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
+ get_remote_ipaddr(),
+ get_remote_port(),
+ info);
+}
+
+/*
+ * Check if the user is logging in as root and root logins are disallowed.
+ * Note that root login is _allways_ allowed for forced commands.
+ */
+int
+auth_root_allowed(void)
+{
+ if (options.permit_root_login)
+ return 1;
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ return 1;
+ } else {
+ log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
+ return 0;
+ }
+}
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index 3c2e00c0719..65ba95997f2 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -21,7 +21,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $OpenBSD: auth.h,v 1.8 2000/12/28 14:25:51 markus Exp $
+ * $OpenBSD: auth.h,v 1.9 2001/01/18 16:59:59 markus Exp $
*/
#ifndef AUTH_H
#define AUTH_H
@@ -29,24 +29,33 @@
typedef struct Authctxt Authctxt;
struct Authctxt {
int success;
+ int postponed;
int valid;
int attempt;
int failures;
char *user;
char *service;
struct passwd *pw;
+ char *style;
};
void do_authentication(void);
void do_authentication2(void);
-void userauth_log(Authctxt *authctxt, int authenticated, char *method);
+Authctxt *authctxt_new(void);
+void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info);
void userauth_reply(Authctxt *authctxt, int authenticated);
+int auth_root_allowed(void);
-int auth2_skey(Authctxt *authctxt);
+int auth2_challenge(Authctxt *authctxt, char *devs);
int allowed_user(struct passwd * pw);
+
+char *get_challenge(Authctxt *authctxt, char *devs);
+int verify_response(Authctxt *authctxt, char *response);
+
struct passwd * auth_get_user(void);
+struct passwd * pwcopy(struct passwd *pw);
#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index a0b072b73a1..eae86c408c8 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.10 2001/01/07 19:06:25 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.11 2001/01/18 16:59:59 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -43,52 +43,60 @@ get_authname(int type)
return "rhosts-rsa";
case SSH_CMSG_AUTH_RHOSTS:
return "rhosts";
+ case SSH_CMSG_AUTH_TIS:
+ case SSH_CMSG_AUTH_TIS_RESPONSE:
+ return "challenge-response";
#ifdef KRB4
case SSH_CMSG_AUTH_KERBEROS:
return "kerberos";
#endif
-#ifdef SKEY
- case SSH_CMSG_AUTH_TIS_RESPONSE:
- return "s/key";
-#endif
}
snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
return buf;
}
/*
- * read packets and try to authenticate local user 'luser'.
- * return if authentication is successful. not that pw == NULL
- * if the user does not exists or is not allowed to login.
- * each auth method has to 'fake' authentication for nonexisting
- * users.
+ * read packets, try to authenticate the user and
+ * return only if authentication is successful
*/
void
-do_authloop(struct passwd * pw, char *luser)
+do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
- int attempt = 0;
u_int bits;
RSA *client_host_key;
BIGNUM *n;
char *client_user, *password;
- char user[1024];
+ char info[1024];
u_int dlen;
int plen, nlen, elen;
u_int ulen;
int type = 0;
- void (*authlog) (const char *fmt,...) = verbose;
+ struct passwd *pw = authctxt->pw;
+
+ debug("Attempting authentication for %s%.100s.",
+ authctxt->valid ? "" : "illegal user ", authctxt->user);
+
+ /* If the user has no password, accept authentication immediately. */
+ if (options.password_authentication &&
+#ifdef KRB4
+ (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
+#endif
+ auth_password(pw, "")) {
+ auth_log(authctxt, 1, "without authentication", "");
+ return;
+ }
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
- for (attempt = 1;; attempt++) {
+ for (;;) {
/* default to fail */
authenticated = 0;
- strlcpy(user, "", sizeof user);
+ info[0] = '\0';
/* Get a packet from the client. */
type = packet_read(&plen);
@@ -105,7 +113,7 @@ do_authloop(struct passwd * pw, char *luser)
char *tgt = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);
if (!auth_kerberos_tgt(pw, tgt))
- verbose("Kerberos tgt REFUSED for %.100s", luser);
+ verbose("Kerberos tgt REFUSED for %.100s", authctxt->user);
xfree(tgt);
}
continue;
@@ -119,7 +127,7 @@ do_authloop(struct passwd * pw, char *luser)
char *token_string = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);
if (!auth_afs_token(pw, token_string))
- verbose("AFS token REFUSED for %.100s", luser);
+ verbose("AFS token REFUSED for %.100s", authctxt->user);
xfree(token_string);
}
continue;
@@ -127,7 +135,6 @@ do_authloop(struct passwd * pw, char *luser)
#ifdef KRB4
case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) {
- /* packet_get_all(); */
verbose("Kerberos authentication disabled.");
break;
} else {
@@ -137,17 +144,17 @@ do_authloop(struct passwd * pw, char *luser)
char *kdata = packet_get_string((u_int *) &auth.length);
packet_integrity_check(plen, 4 + auth.length, type);
- if (auth.length < MAX_KTXT_LEN)
- memcpy(auth.dat, kdata, auth.length);
- xfree(kdata);
-
- if (pw != NULL) {
+ if (authctxt->valid) {
+ if (auth.length < MAX_KTXT_LEN)
+ memcpy(auth.dat, kdata, auth.length);
authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
if (authenticated) {
- snprintf(user, sizeof user, " tktuser %s", tkt_user);
+ snprintf(info, sizeof info,
+ " tktuser %.100s", tkt_user);
xfree(tkt_user);
}
}
+ xfree(kdata);
}
break;
#endif /* KRB4 */
@@ -169,7 +176,7 @@ do_authloop(struct passwd * pw, char *luser)
/* Try to authenticate using /etc/hosts.equiv and .rhosts. */
authenticated = auth_rhosts(pw, client_user);
- snprintf(user, sizeof user, " ruser %s", client_user);
+ snprintf(info, sizeof info, " ruser %.100s", client_user);
xfree(client_user);
break;
@@ -205,7 +212,7 @@ do_authloop(struct passwd * pw, char *luser)
authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);
RSA_free(client_host_key);
- snprintf(user, sizeof user, " ruser %s", client_user);
+ snprintf(info, sizeof info, " ruser %.100s", client_user);
xfree(client_user);
break;
@@ -242,22 +249,14 @@ do_authloop(struct passwd * pw, char *luser)
xfree(password);
break;
-#ifdef SKEY
case SSH_CMSG_AUTH_TIS:
debug("rcvd SSH_CMSG_AUTH_TIS");
if (options.skey_authentication == 1) {
- char *skeyinfo = NULL;
- if (pw != NULL)
- skeyinfo = skey_keyinfo(pw->pw_name);
- if (skeyinfo == NULL) {
- debug("generating fake skeyinfo for %.100s.", luser);
- skeyinfo = skey_fake_keyinfo(luser);
- }
- if (skeyinfo != NULL) {
- /* we send our s/key- in tis-challenge messages */
- debug("sending challenge '%s'", skeyinfo);
+ char *challenge = get_challenge(authctxt, authctxt->style);
+ if (challenge != NULL) {
+ debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
- packet_put_cstring(skeyinfo);
+ packet_put_cstring(challenge);
packet_send();
packet_write_wait();
continue;
@@ -268,20 +267,13 @@ do_authloop(struct passwd * pw, char *luser)
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
if (options.skey_authentication == 1) {
char *response = packet_get_string(&dlen);
- debug("skey response == '%s'", response);
+ debug("got response '%s'", response);
packet_integrity_check(plen, 4 + dlen, type);
- authenticated = (pw != NULL &&
- skey_haskey(pw->pw_name) == 0 &&
- skey_passcheck(pw->pw_name, response) != -1);
+ authenticated = verify_response(authctxt, response);
+ memset(response, 'r', dlen);
xfree(response);
}
break;
-#else
- case SSH_CMSG_AUTH_TIS:
- /* TIS Authentication is unsupported */
- log("TIS authentication unsupported.");
- break;
-#endif
default:
/*
@@ -291,46 +283,23 @@ do_authloop(struct passwd * pw, char *luser)
log("Unknown message during authentication: type %d", type);
break;
}
- if (authenticated && pw == NULL)
- fatal("internal error: authenticated for pw == NULL");
-
- /*
- * Check if the user is logging in as root and root logins
- * are disallowed.
- * Note that root login is allowed for forced commands.
- */
- if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
- if (forced_command) {
- log("Root login accepted for forced command.");
- } else {
- authenticated = 0;
- log("ROOT LOGIN REFUSED FROM %.200s",
- get_canonical_hostname());
- }
- }
+ if (!authctxt->valid && authenticated)
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
- /* Raise logging level */
- if (authenticated ||
- attempt == AUTH_FAIL_LOG ||
- type == SSH_CMSG_AUTH_PASSWORD)
- authlog = log;
-
- authlog("%s %s for %s%.100s from %.200s port %d%s",
- authenticated ? "Accepted" : "Failed",
- get_authname(type),
- pw ? "" : "illegal user ",
- pw && pw->pw_uid == 0 ? "ROOT" : luser,
- get_remote_ipaddr(),
- get_remote_port(),
- user);
+ /* Special handling for root */
+ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed())
+ authenticated = 0;
+
+ /* Log before sending the reply */
+ auth_log(authctxt, authenticated, get_authname(type), info);
if (authenticated)
return;
- if (attempt > AUTH_FAIL_MAX)
- packet_disconnect(AUTH_FAIL_MSG, luser);
+ if (authctxt->failures++ > AUTH_FAIL_MAX)
+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
- /* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
@@ -344,10 +313,11 @@ do_authloop(struct passwd * pw, char *luser)
void
do_authentication()
{
- struct passwd *pw, pwcopy;
+ Authctxt *authctxt;
+ struct passwd *pw;
int plen;
u_int ulen;
- char *user;
+ char *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(&plen, SSH_CMSG_USER);
@@ -356,6 +326,13 @@ do_authentication()
user = packet_get_string(&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+
+ authctxt = authctxt_new();
+ authctxt->user = user;
+ authctxt->style = style;
+
setproctitle("%s", user);
#ifdef AFS
@@ -369,19 +346,13 @@ do_authentication()
/* Verify that the user is a valid user. */
pw = getpwnam(user);
if (pw && allowed_user(pw)) {
- /* Take a copy of the returned structure. */
- memset(&pwcopy, 0, sizeof(pwcopy));
- pwcopy.pw_name = xstrdup(pw->pw_name);
- pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
- pwcopy.pw_uid = pw->pw_uid;
- pwcopy.pw_gid = pw->pw_gid;
- pwcopy.pw_class = xstrdup(pw->pw_class);
- pwcopy.pw_dir = xstrdup(pw->pw_dir);
- pwcopy.pw_shell = xstrdup(pw->pw_shell);
- pw = &pwcopy;
+ authctxt->valid = 1;
+ pw = pwcopy(pw);
} else {
+ debug("do_authentication: illegal user %s", user);
pw = NULL;
}
+ authctxt->pw = pw;
/*
* If we are not running as root, the user must have the same uid as
@@ -390,31 +361,19 @@ do_authentication()
if (getuid() != 0 && pw && pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
- debug("Attempting authentication for %s%.100s.", pw ? "" : "illegal user ", user);
-
- /* If the user has no password, accept authentication immediately. */
- if (options.password_authentication &&
-#ifdef KRB4
- (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
-#endif /* KRB4 */
- auth_password(pw, "")) {
- /* Authentication with empty password succeeded. */
- log("Login for user %s from %.100s, accepted without authentication.",
- user, get_remote_ipaddr());
- } else {
- /* Loop until the user has been authenticated or the
- connection is closed, do_authloop() returns only if
- authentication is successful */
- do_authloop(pw, user);
- }
- if (pw == NULL)
- fatal("internal error, authentication successful for user '%.100s'", user);
+ /*
+ * Loop until the user has been authenticated or the connection is
+ * closed, do_authloop() returns only if authentication is successful
+ */
+ do_authloop(authctxt);
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
- xfree(user);
+
+ xfree(authctxt->user);
+ xfree(authctxt);
/* Perform session preparation. */
do_authenticated(pw);
diff --git a/usr.bin/ssh/auth2-skey.c b/usr.bin/ssh/auth2-skey.c
index 26a01f840c8..7339ff01b74 100644
--- a/usr.bin/ssh/auth2-skey.c
+++ b/usr.bin/ssh/auth2-skey.c
@@ -1,5 +1,28 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
#include "includes.h"
-RCSID("$OpenBSD: auth2-skey.c,v 1.2 2000/12/19 23:17:55 markus Exp $");
+RCSID("$OpenBSD: auth2-skey.c,v 1.3 2001/01/18 16:59:59 markus Exp $");
#include "ssh.h"
#include "ssh2.h"
@@ -8,52 +31,44 @@ RCSID("$OpenBSD: auth2-skey.c,v 1.2 2000/12/19 23:17:55 markus Exp $");
#include "xmalloc.h"
#include "dispatch.h"
-void send_userauth_into_request(Authctxt *authctxt, int echo);
-void input_userauth_info_response(int type, int plen, void *ctxt);
+void send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo);
+void input_userauth_info_response(int type, int plen, void *ctxt);
/*
- * try skey authentication, always return -1 (= postponed) since we have to
- * wait for the s/key response.
+ * try challenge-reponse, return -1 (= postponed) if we have to
+ * wait for the response.
*/
int
-auth2_skey(Authctxt *authctxt)
+auth2_challenge(Authctxt *authctxt, char *devs)
{
- send_userauth_into_request(authctxt, 0);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &input_userauth_info_response);
- return -1;
+ char *challenge;
+
+ if (!authctxt->valid || authctxt->user == NULL)
+ return 0;
+ if ((challenge = get_challenge(authctxt, devs)) == NULL)
+ return 0;
+ send_userauth_into_request(authctxt, challenge, 0);
+ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
+ &input_userauth_info_response);
+ authctxt->postponed = 1;
+ return 0;
}
void
-send_userauth_into_request(Authctxt *authctxt, int echo)
+send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo)
{
- int retval = -1;
- struct skey skey;
- char challenge[SKEY_MAX_CHALLENGE];
- char *fake;
-
- if (authctxt->user == NULL)
- fatal("send_userauth_into_request: internal error: no user");
+ int nprompts = 1;
- /* get skey challenge */
- if (authctxt->valid)
- retval = skeychallenge(&skey, authctxt->user, challenge);
-
- if (retval == -1) {
- fake = skey_fake_keyinfo(authctxt->user);
- strlcpy(challenge, fake, sizeof challenge);
- }
- /* send our info request */
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
- packet_put_cstring("S/Key Authentication"); /* Name */
- packet_put_cstring(challenge); /* Instruction */
- packet_put_cstring(""); /* Language */
- packet_put_int(1); /* Number of prompts */
- packet_put_cstring(echo ?
- "Response [Echo]: ": "Response: "); /* Prompt */
- packet_put_char(echo); /* Echo */
+ /* name, instruction and language are unused */
+ packet_put_cstring("");
+ packet_put_cstring("");
+ packet_put_cstring("");
+ packet_put_int(nprompts);
+ packet_put_cstring(challenge);
+ packet_put_char(echo);
packet_send();
packet_write_wait();
- memset(challenge, 'c', sizeof challenge);
}
void
@@ -62,43 +77,37 @@ input_userauth_info_response(int type, int plen, void *ctxt)
Authctxt *authctxt = ctxt;
int authenticated = 0;
u_int nresp, rlen;
- char *resp, *method;
+ char *response, *method = "challenge-reponse";
if (authctxt == NULL)
- fatal("input_userauth_info_response: no authentication context");
-
- if (authctxt->attempt++ >= AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
+ fatal("input_userauth_info_response: no authctxt");
+ authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
if (nresp == 1) {
- /* we only support s/key and assume s/key for nresp == 1 */
- method = "s/key";
- resp = packet_get_string(&rlen);
+ response = packet_get_string(&rlen);
packet_done();
- if (strlen(resp) == 0) {
+ if (strlen(response) == 0) {
/*
- * if we received a null response, resend prompt with
- * echo enabled
+ * if we received an empty response, resend challenge
+ * with echo enabled
*/
- authenticated = -1;
- userauth_log(authctxt, authenticated, method);
- send_userauth_into_request(authctxt, 1);
- } else {
- /* verify skey response */
- if (authctxt->valid &&
- skey_haskey(authctxt->pw->pw_name) == 0 &&
- skey_passcheck(authctxt->pw->pw_name, resp) != -1) {
- authenticated = 1;
- } else {
- authenticated = 0;
+ char *challenge = get_challenge(authctxt, NULL);
+ if (challenge != NULL) {
+ send_userauth_into_request(authctxt,
+ challenge, 1);
+ authctxt->postponed = 1;
}
- memset(resp, 'r', rlen);
- /* unregister callback */
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
- userauth_log(authctxt, authenticated, method);
- userauth_reply(authctxt, authenticated);
+ } else if (authctxt->valid) {
+ authenticated = verify_response(authctxt, response);
+ memset(response, 'r', rlen);
}
- xfree(resp);
+ xfree(response);
+ }
+ auth_log(authctxt, authenticated, method, " ssh2");
+ if (!authctxt->postponed) {
+ /* unregister callback and send reply */
+ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+ userauth_reply(authctxt, authenticated);
}
}
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 8ac9aa0868b..e3743c4d956 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.27 2001/01/13 18:56:48 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.28 2001/01/18 17:00:00 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
@@ -71,7 +71,6 @@ void input_service_request(int type, int plen, void *ctxt);
void input_userauth_request(int type, int plen, void *ctxt);
void protocol_error(int type, int plen, void *ctxt);
-
/* helper */
Authmethod *authmethod_lookup(const char *name);
struct passwd *pwcopy(struct passwd *pw);
@@ -108,12 +107,8 @@ Authmethod authmethods[] = {
void
do_authentication2()
{
- Authctxt *authctxt = xmalloc(sizeof(*authctxt));
- memset(authctxt, 'a', sizeof(*authctxt));
- authctxt->valid = 0;
- authctxt->attempt = 0;
- authctxt->failures = 0;
- authctxt->success = 0;
+ Authctxt *authctxt = authctxt_new();
+
x_authctxt = authctxt; /*XXX*/
#ifdef AFS
@@ -126,7 +121,7 @@ do_authentication2()
dispatch_init(&protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
- do_authenticated2();
+ do_authenticated2(authctxt);
}
void
@@ -177,7 +172,7 @@ input_userauth_request(int type, int plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
- char *user, *service, *method;
+ char *user, *service, *method, *style = NULL;
int authenticated = 0;
if (authctxt == NULL)
@@ -189,6 +184,9 @@ input_userauth_request(int type, int plen, void *ctxt)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+
if (authctxt->attempt++ == 0) {
/* setup auth context */
struct passwd *pw = NULL;
@@ -203,6 +201,7 @@ input_userauth_request(int type, int plen, void *ctxt)
}
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */
} else if (authctxt->valid) {
if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
@@ -211,29 +210,29 @@ input_userauth_request(int type, int plen, void *ctxt)
authctxt->valid = 0;
}
}
+ /* reset state */
+ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error);
+ authctxt->postponed = 0;
+ /* try to authenticate user */
m = authmethod_lookup(method);
if (m != NULL) {
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(authctxt);
- } else {
- debug2("input_userauth_request: unsupported method %s", method);
- }
- if (!authctxt->valid && authenticated == 1) {
- log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method);
- authenticated = 0;
}
+ if (!authctxt->valid && authenticated)
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
/* Special handling for root */
- if (authenticated == 1 &&
- authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) {
+ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed())
authenticated = 0;
- log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
- }
/* Log before sending the reply */
- userauth_log(authctxt, authenticated, method);
- userauth_reply(authctxt, authenticated);
+ auth_log(authctxt, authenticated, method, " ssh2");
+
+ if (!authctxt->postponed)
+ userauth_reply(authctxt, authenticated);
xfree(service);
xfree(user);
@@ -274,47 +273,13 @@ done:
return;
}
-void
-userauth_log(Authctxt *authctxt, int authenticated, char *method)
-{
- void (*authlog) (const char *fmt,...) = verbose;
- char *user = NULL, *authmsg = NULL;
-
- /* Raise logging level */
- if (authenticated == 1 ||
- !authctxt->valid ||
- authctxt->failures >= AUTH_FAIL_LOG ||
- strcmp(method, "password") == 0)
- authlog = log;
-
- if (authenticated == 1) {
- authmsg = "Accepted";
- } else if (authenticated == 0) {
- authmsg = "Failed";
- } else {
- authmsg = "Postponed";
- }
-
- if (authctxt->valid) {
- user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user;
- } else {
- user = authctxt->user ? authctxt->user : "NOUSER";
- }
-
- authlog("%s %s for %.200s from %.200s port %d ssh2",
- authmsg,
- method,
- user,
- get_remote_ipaddr(),
- get_remote_port());
-}
-
void
userauth_reply(Authctxt *authctxt, int authenticated)
{
char *methods;
+
/* XXX todo: check if multiple auth methods are needed */
- if (authenticated == 1) {
+ if (authenticated) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
@@ -322,9 +287,9 @@ userauth_reply(Authctxt *authctxt, int authenticated)
packet_write_wait();
/* now we can break out */
authctxt->success = 1;
- } else if (authenticated == 0) {
- if (authctxt->failures++ >= AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
+ } else {
+ if (authctxt->failures++ > AUTH_FAIL_MAX)
+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
@@ -332,8 +297,6 @@ userauth_reply(Authctxt *authctxt, int authenticated)
packet_send();
packet_write_wait();
xfree(methods);
- } else {
- /* do nothing, we did already send a reply */
}
}
@@ -381,11 +344,9 @@ userauth_kbdint(Authctxt *authctxt)
packet_done();
debug("keyboard-interactive language %s devs %s", lang, devs);
-#ifdef SKEY
- /* XXX hardcoded, we should look at devs */
- if (options.skey_authentication != 0)
- authenticated = auth2_skey(authctxt);
-#endif
+
+ authenticated = auth2_challenge(authctxt, devs);
+
xfree(lang);
xfree(devs);
return authenticated;
@@ -668,18 +629,3 @@ user_key_allowed(struct passwd *pw, Key *key)
key_free(found);
return found_key;
}
-
-struct passwd *
-pwcopy(struct passwd *pw)
-{
- struct passwd *copy = xmalloc(sizeof(*copy));
- memset(copy, 0, sizeof(*copy));
- copy->pw_name = xstrdup(pw->pw_name);
- copy->pw_passwd = xstrdup(pw->pw_passwd);
- copy->pw_uid = pw->pw_uid;
- copy->pw_gid = pw->pw_gid;
- copy->pw_class = xstrdup(pw->pw_class);
- copy->pw_dir = xstrdup(pw->pw_dir);
- copy->pw_shell = xstrdup(pw->pw_shell);
- return copy;
-}
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index 7d7c0b95b38..2a4da54ff1d 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.39 2000/12/27 14:19:21 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.40 2001/01/18 17:00:00 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -47,10 +47,10 @@ RCSID("$OpenBSD: serverloop.c,v 1.39 2000/12/27 14:19:21 markus Exp $");
#include "compat.h"
#include "ssh2.h"
+#include "auth.h"
#include "session.h"
#include "dispatch.h"
#include "auth-options.h"
-#include "auth.h"
extern ServerOptions options;
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index cb857a748f9..318095cbfb4 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.48 2001/01/13 18:43:31 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.49 2001/01/18 17:00:00 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -1668,10 +1668,8 @@ session_proctitle(Session *s)
}
void
-do_authenticated2(void)
+do_authenticated2(Authctxt *authctxt)
{
- struct passwd *pw;
-
/*
* Cancel the alarm we set to limit the time taken for
* authentication.
@@ -1682,8 +1680,7 @@ do_authenticated2(void)
startup_pipe = -1;
}
#ifdef HAVE_LOGIN_CAP
- pw = auth_get_user();
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
error("unable to get login class");
return;
}
diff --git a/usr.bin/ssh/session.h b/usr.bin/ssh/session.h
index bce99f77cb4..ee2e244c19b 100644
--- a/usr.bin/ssh/session.h
+++ b/usr.bin/ssh/session.h
@@ -28,7 +28,7 @@
void do_authenticated(struct passwd * pw);
/* SSH2 */
-void do_authenticated2(void);
+void do_authenticated2(Authctxt *ac);
int session_open(int id);
void session_input_channel_req(int id, void *arg);
void session_close_by_pid(pid_t pid, int status);
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 17b381c13c7..b2d4e57bfbb 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.15 2001/01/16 23:58:09 deraadt Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.16 2001/01/18 17:00:00 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
@@ -630,7 +630,8 @@ try_skey_authentication()
}
challenge = packet_get_string(&clen);
packet_integrity_check(payload_len, (4 + clen), type);
- snprintf(prompt, sizeof prompt, "%s\nResponse: ", challenge);
+ snprintf(prompt, sizeof prompt, "%s%s", challenge,
+ strchr(challenge, '\n') ? "" : "\nResponse: ");
xfree(challenge);
if (i != 0)
error("Permission denied, please try again.");
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index 6e4b3fe8637..20b52da6a40 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@@ -10,7 +10,7 @@ CFLAGS+=-DHAVE_LOGIN_CAP
SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
pty.c log-server.c login.c servconf.c serverloop.c \
auth.c auth1.c auth2.c auth-options.c session.c dh.c \
- groupaccess.c
+ auth-skey.c auth2-skey.c groupaccess.c
.include <bsd.own.mk> # for KERBEROS and AFS
@@ -26,10 +26,6 @@ LDADD+= -lkrb
DPADD+= ${LIBKRB}
.endif # KERBEROS
-.if (${SKEY:L} == "yes")
-SRCS+= auth-skey.c auth2-skey.c
-.endif
-
.include <bsd.prog.mk>
LDADD+= -lcrypto -lutil -lz