Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/readconf.c | 22 | ||||
-rw-r--r-- | usr.bin/ssh/readconf.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.1 | 12 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.h | 11 | ||||
-rw-r--r-- | usr.bin/ssh/sshconnect.c | 49 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.c | 45 |
6 files changed, 121 insertions, 21 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index 219035d5c65..675bf7ef1dd 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -14,7 +14,7 @@ Functions for reading the configuration files. */ #include "includes.h" -RCSID("$Id: readconf.c,v 1.15 1999/11/19 16:04:17 markus Exp $"); +RCSID("$Id: readconf.c,v 1.16 1999/11/22 21:52:41 markus Exp $"); #include "ssh.h" #include "cipher.h" @@ -91,6 +91,7 @@ typedef enum oBadOption, oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, + oSkeyAuthentication, #ifdef KRB4 oKerberosAuthentication, #endif /* KRB4 */ @@ -120,6 +121,7 @@ static struct { "rhostsauthentication", oRhostsAuthentication }, { "passwordauthentication", oPasswordAuthentication }, { "rsaauthentication", oRSAAuthentication }, + { "skeyauthentication", oSkeyAuthentication }, #ifdef KRB4 { "kerberosauthentication", oKerberosAuthentication }, #endif /* KRB4 */ @@ -288,6 +290,12 @@ process_config_line(Options *options, const char *host, intptr = &options->rhosts_rsa_authentication; goto parse_flag; + case oTISAuthentication: + /* fallthrough, there is no difference on the client side */ + case oSkeyAuthentication: + intptr = &options->skey_authentication; + goto parse_flag; + #ifdef KRB4 case oKerberosAuthentication: intptr = &options->kerberos_authentication; @@ -350,15 +358,6 @@ process_config_line(Options *options, const char *host, case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; - - case oTISAuthentication: - cp = strtok(NULL, WHITESPACE); - if (cp != 0 && (strcmp(cp, "yes") == 0 || strcmp(cp, "true") == 0)) - fprintf(stderr, - "%.99s line %d: Warning, TIS is not supported.\n", - filename, - linenum); - break; case oCompressionLevel: intptr = &options->compression_level; 
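Review bot: In the process_config_line hunk the existing `TISAuthentication` keyword now silently becomes an alias for `SkeyAuthentication` (the old "TIS is not supported" warning is removed), but nothing in this commit tells the user that; as far as the diff shows the ssh.1 hunk documents only `SkeyAuthentication`. A one-line note in the man page entry ("`TISAuthentication` is accepted as a synonym") and a slightly more explicit comment on the case, `/* TISAuthentication is an alias: the client speaks the same TIS challenge/response messages for s/key */`, would make the behaviour discoverable. process_config_line's body begins and ends outside this hunk.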
@@ -598,6 +597,7 @@ void initialize_options(Options *options) options->use_privileged_port = -1; options->rhosts_authentication = -1; options->rsa_authentication = -1; + options->skey_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; #endif @@ -648,6 +648,8 @@ void fill_default_options(Options *options) options->rhosts_authentication = 1; if (options->rsa_authentication == -1) options->rsa_authentication = 1; + if (options->skey_authentication == -1) + options->skey_authentication = 0; #ifdef KRB4 if (options->kerberos_authentication == -1) options->kerberos_authentication = 1; diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h index 24e7e7c5374..91eb23dc133 100644 --- a/usr.bin/ssh/readconf.h +++ b/usr.bin/ssh/readconf.h @@ -13,7 +13,7 @@ Functions for reading the configuration file. */ -/* RCSID("$Id: readconf.h,v 1.9 1999/11/14 21:45:07 markus Exp $"); */ +/* RCSID("$Id: readconf.h,v 1.10 1999/11/22 21:52:41 markus Exp $"); */ #ifndef READCONF_H #define READCONF_H @@ -38,6 +38,7 @@ typedef struct int rhosts_authentication; /* Try rhosts authentication. */ int rhosts_rsa_authentication;/* Try rhosts with RSA authentication. */ int rsa_authentication; /* Try RSA authentication. */ + int skey_authentication; /* Try S/Key or TIS authentication. */ #ifdef KRB4 int kerberos_authentication; /* Try Kerberos authentication. */ #endif diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index 33de9fa92c0..a793b8c8308 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: ssh.1,v 1.26 1999/11/17 21:08:07 aaron Exp $ +.\" $Id: ssh.1,v 1.27 1999/11/22 21:52:41 markus Exp $ .\" .Dd September 25, 1999 .Dt SSH 1 
@@ -662,6 +662,16 @@ or RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. +.It Cm SkeyAuthentication +Specifies whether to use +.Xr skey 1 +authentication. The argument to +this keyword must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm CheckHostIP If this flag is set to .Dq yes , diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h index 85923137bbc..5cd7eb92f55 100644 --- a/usr.bin/ssh/ssh.h +++ b/usr.bin/ssh/ssh.h @@ -13,7 +13,7 @@ Generic header file for ssh. */ -/* RCSID("$Id: ssh.h,v 1.23 1999/11/22 21:02:38 markus Exp $"); */ +/* RCSID("$Id: ssh.h,v 1.24 1999/11/22 21:52:42 markus Exp $"); */ #ifndef SSH_H #define SSH_H @@ -141,7 +141,7 @@ only by root, whereas ssh_config should be world-readable. */ #define SSH_AUTH_RSA 2 #define SSH_AUTH_PASSWORD 3 #define SSH_AUTH_RHOSTS_RSA 4 - /* 5 is TIS */ +#define SSH_AUTH_TIS 5 #define SSH_AUTH_KERBEROS 6 #define SSH_PASS_KERBEROS_TGT 7 /* 8 to 15 are reserved */ @@ -195,10 +195,9 @@ only by root, whereas ssh_config should be world-readable. */ #define SSH_MSG_DEBUG 36 /* string */ #define SSH_CMSG_REQUEST_COMPRESSION 37 /* level 1-9 (int) */ #define SSH_CMSG_MAX_PACKET_SIZE 38 /* size 4k-1024k (int) */ -#define SSH_CMSG_AUTH_TIS 39 /* this is proto-1.5, but we ignore TIS */ -#define SSH_SMSG_AUTH_TIS_CHALLENGE 40 -#define SSH_CMSG_AUTH_TIS_RESPONSE 41 - +#define SSH_CMSG_AUTH_TIS 39 /* we use this for s/key */ +#define SSH_SMSG_AUTH_TIS_CHALLENGE 40 /* challenge (string) */ +#define SSH_CMSG_AUTH_TIS_RESPONSE 41 /* response (string) */ #define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */ #define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */ #define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index 2a2a43189cc..80bf17c7f43 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c 
@@ -15,7 +15,7 @@ login (authentication) dialog. */ #include "includes.h" -RCSID("$Id: sshconnect.c,v 1.36 1999/11/19 19:58:18 markus Exp $"); +RCSID("$Id: sshconnect.c,v 1.37 1999/11/22 21:52:42 markus Exp $"); #include <ssl/bn.h> #include "xmalloc.h" @@ -1495,6 +1495,53 @@ void ssh_login(int host_key_valid, if (try_rsa_authentication(pw, options.identity_files[i])) return; /* Successful connection. */ } + + /* Try skey authentication if the server supports it. */ + if ((supported_authentications & (1 << SSH_AUTH_TIS)) && + options.skey_authentication && !options.batch_mode) + { + debug("Doing skey authentication."); + + /* request a challenge */ + packet_start(SSH_CMSG_AUTH_TIS); + packet_send(); + packet_write_wait(); + + type = packet_read(&payload_len); + if (type != SSH_SMSG_FAILURE && + type != SSH_SMSG_AUTH_TIS_CHALLENGE) { + packet_disconnect("Protocol error: got %d in response " + "to skey auth", type); + } + if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { + debug("No challenge for skey authentication."); + } else { + char *challenge, *response; + challenge = packet_get_string(&payload_len); + if (options.cipher == SSH_CIPHER_NONE) + log("WARNING: Encryption is disabled! " + "Reponse will be transmitted in clear text."); + fprintf(stderr, "%s\n", challenge); + fflush(stderr); + for (i = 0; i < options.number_of_password_prompts; i++) { + if (i != 0) + error("Permission denied, please try again."); + response = read_passphrase("Response: ", 0); + packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); + packet_put_string(response, strlen(response)); + memset(response, 0, strlen(response)); + xfree(response); + packet_send(); + packet_write_wait(); + type = packet_read(&payload_len); + if (type == SSH_SMSG_SUCCESS) + return; + if (type != SSH_SMSG_FAILURE) + packet_disconnect("Protocol error: got %d in response " + "to skey auth", type); + } + } + } /* Try password authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && 
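Review bot: The `challenge` string returned by `packet_get_string` in the ssh_login hunk is printed to the terminal verbatim with `fprintf(stderr, "%s\n", challenge)` and is never freed, so each S/Key attempt leaks the buffer and any server on the other end can put arbitrary control or escape sequences on the user's terminal before the "Response:" prompt. Add `xfree(challenge);` after the prompt loop and reduce the string to printable characters (or print it with a bounded, escaped form) before displaying it, so it is shown as data rather than interpreted. The warning on the `SSH_CIPHER_NONE` branch misspells `Reponse`; it should read `"Response will be transmitted in clear text."`. ssh_login's body starts before and continues after this hunk.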
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index eda984b4788..55a981737ca 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -18,7 +18,7 @@ agent connections. */ #include "includes.h" -RCSID("$Id: sshd.c,v 1.62 1999/11/22 21:02:39 markus Exp $"); +RCSID("$Id: sshd.c,v 1.63 1999/11/22 21:52:42 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -210,6 +210,10 @@ get_authname(int type) case SSH_CMSG_AUTH_KERBEROS: return "kerberos"; #endif +#ifdef SKEY + case SSH_CMSG_AUTH_TIS_RESPONSE: + return "s/key"; +#endif } fatal("get_authname: unknown auth %d: internal error", type); return NULL; @@ -835,6 +839,10 @@ do_connection() if (options.afs_token_passing) auth_mask |= 1 << SSH_PASS_AFS_TOKEN; #endif +#ifdef SKEY + if (options.skey_authentication == 1) + auth_mask |= 1 << SSH_AUTH_TIS; +#endif if (options.password_authentication) auth_mask |= 1 << SSH_AUTH_PASSWORD; packet_put_int(auth_mask); 
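Review bot: In the do_connection hunk the new mask bit is set with `if (options.skey_authentication == 1)` while the neighbouring `password_authentication` check (and the rest of the mask construction) tests the option as a plain boolean; the `== 1` form means any other non-zero value silently disables the method. Unless a tri-state value is intended, `if (options.skey_authentication)` keeps it consistent with the adjacent lines, and the same applies to the two checks in the do_authloop hunk further down. Note that this diff does not touch servconf.c/servconf.h, so the server-side `skey_authentication` field is presumably declared and defaulted there already. Both get_authname and do_connection begin outside their hunks.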
@@ -1303,10 +1311,43 @@ do_authloop(struct passwd *pw) xfree(password); break; +#ifdef SKEY + case SSH_CMSG_AUTH_TIS: + debug("rcvd SSH_CMSG_AUTH_TIS"); + if (options.skey_authentication == 1) { + char *skeyinfo = skey_keyinfo(pw->pw_name); + if (skeyinfo == NULL) { + debug("generating fake skeyinfo for %.100s.", pw->pw_name); + skeyinfo = skey_fake_keyinfo(pw->pw_name); + } + if (skeyinfo != NULL) { + /* we send our s/key- in tis-challenge messages */ + debug("sending challenge '%s'", skeyinfo); + packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); + packet_put_string(skeyinfo, strlen(skeyinfo)); + packet_send(); + packet_write_wait(); + continue; + } + } + break; + case SSH_CMSG_AUTH_TIS_RESPONSE: + debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); + if (options.skey_authentication == 1) { + char *response = packet_get_string(&dlen); + debug("skey response == '%s'", response); + packet_integrity_check(plen, 4 + dlen, type); + authenticated = (skey_haskey(pw->pw_name) == 0 && + skey_passcheck(pw->pw_name, response) != -1); + xfree(response); + } + break; +#else case SSH_CMSG_AUTH_TIS: /* TIS Authentication is unsupported */ - log("TIS authentication disabled."); + log("TIS authentication unsupported."); break; +#endif default: /* Any unknown messages will be ignored (and failure returned) |
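Review bot: `debug("skey response == '%s'", response)` in the SSH_CMSG_AUTH_TIS_RESPONSE case writes whatever the client sent to the debug log, and does so before `packet_integrity_check` has validated the packet, so a credential (or a reusable password typed at the wrong prompt) can end up in syslog/stderr. Log only the event, `debug("rcvd skey response");`, move the integrity check to directly after `packet_get_string`, and clear the buffer before release as the client side does: `memset(response, 0, strlen(response)); xfree(response);`. Whether `skey_keyinfo`/`skey_fake_keyinfo` return static storage or an allocated string is not visible here; if the latter, `skeyinfo` is never freed on the `continue` path. do_authloop's body continues past this hunk.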