summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/auth-chall.c44
-rw-r--r--usr.bin/ssh/auth-passwd.c16
-rw-r--r--usr.bin/ssh/auth.h14
-rw-r--r--usr.bin/ssh/auth1.c12
-rw-r--r--usr.bin/ssh/auth2.c12
-rw-r--r--usr.bin/ssh/session.c14
6 files changed, 94 insertions, 18 deletions
diff --git a/usr.bin/ssh/auth-chall.c b/usr.bin/ssh/auth-chall.c
index b4be5e2000e..ee7b6cd9653 100644
--- a/usr.bin/ssh/auth-chall.c
+++ b/usr.bin/ssh/auth-chall.c
@@ -23,10 +23,51 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-chall.c,v 1.5 2001/03/02 18:54:30 deraadt Exp $");
+RCSID("$OpenBSD: auth-chall.c,v 1.6 2001/03/20 18:57:04 markus Exp $");
#include "auth.h"
+#include "log.h"
+#ifdef BSD_AUTH
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+ char *challenge;
+
+ if (authctxt->as != NULL) {
+ debug2("try reuse session");
+ challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
+ if (challenge != NULL) {
+ debug2("reuse bsd auth session");
+ return challenge;
+ }
+ auth_close(authctxt->as);
+ authctxt->as = NULL;
+ }
+ debug2("new bsd auth session");
+ if (devs == NULL || strlen(devs) == 0)
+ devs = authctxt->style;
+ debug3("bsd auth: devs %s", devs ? devs : "<default>");
+ authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh",
+ &challenge);
+ if (authctxt->as == NULL)
+ return NULL;
+ debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY");
+ return challenge;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+ int authok;
+
+ if (authctxt->as == 0)
+ error("verify_response: no bsd auth session");
+ authok = auth_userresponse(authctxt->as, response, 0);
+ authctxt->as = NULL;
+ debug("verify_response: <%s> = <%d>", response, authok);
+ return authok != 0;
+}
+#else
#ifdef SKEY
#include <skey.h>
@@ -60,3 +101,4 @@ verify_response(Authctxt *authctxt, char *response)
return 0;
}
#endif
+#endif
diff --git a/usr.bin/ssh/auth-passwd.c b/usr.bin/ssh/auth-passwd.c
index 4ed105ee2e1..d97e7d928b3 100644
--- a/usr.bin/ssh/auth-passwd.c
+++ b/usr.bin/ssh/auth-passwd.c
@@ -36,7 +36,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -44,14 +44,17 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $");
#include "servconf.h"
#include "auth.h"
+
+extern ServerOptions options;
+
/*
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
*/
int
-auth_password(struct passwd * pw, const char *password)
+auth_password(Authctxt *authctxt, const char *password)
{
- extern ServerOptions options;
+ struct passwd * pw = authctxt->pw;
char *encrypted_password;
/* deny if no user. */
@@ -61,6 +64,13 @@ auth_password(struct passwd * pw, const char *password)
return 0;
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+#ifdef BSD_AUTH
+ if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
+ (char *)password) == 0)
+ return 0;
+ else
+ return 1;
+#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index a2e38e63d6c..c581f5b2a68 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -21,13 +21,20 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $OpenBSD: auth.h,v 1.12 2001/02/22 21:59:43 markus Exp $
+ * $OpenBSD: auth.h,v 1.13 2001/03/20 18:57:04 markus Exp $
*/
#ifndef AUTH_H
#define AUTH_H
#include <openssl/rsa.h>
+#ifdef HAVE_LOGIN_CAP
+#include <login_cap.h>
+#endif
+#ifdef BSD_AUTH
+#include <bsd_auth.h>
+#endif
+
typedef struct Authctxt Authctxt;
struct Authctxt {
int success;
@@ -39,6 +46,9 @@ struct Authctxt {
char *service;
struct passwd *pw;
char *style;
+#ifdef BSD_AUTH
+ auth_session_t *as;
+#endif
};
/*
@@ -59,7 +69,7 @@ auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_ke
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
*/
-int auth_password(struct passwd * pw, const char *password);
+int auth_password(Authctxt *authctxt, const char *password);
/*
* Performs the RSA authentication dialog with the client. This returns 0 if
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index d8a75686d03..3316b7e3586 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.19 2001/03/08 18:47:12 stevesk Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.20 2001/03/20 18:57:04 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -83,7 +83,7 @@ do_authloop(Authctxt *authctxt)
#ifdef KRB4
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
- auth_password(pw, "")) {
+ auth_password(authctxt, "")) {
auth_log(authctxt, 1, "without authentication", "");
return;
}
@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
packet_integrity_check(plen, 4 + dlen, type);
/* Try authentication with the password. */
- authenticated = auth_password(pw, password);
+ authenticated = auth_password(authctxt, password);
memset(password, 0, strlen(password));
xfree(password);
@@ -284,6 +284,12 @@ do_authloop(Authctxt *authctxt)
log("Unknown message during authentication: type %d", type);
break;
}
+#ifdef BSD_AUTH
+ if (authctxt->as) {
+ auth_close(authctxt->as);
+ authctxt->as = NULL;
+ }
+#endif
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index a92379d82ec..d5e29865122 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.46 2001/03/11 13:25:36 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.47 2001/03/20 18:57:04 markus Exp $");
#include <openssl/evp.h>
@@ -208,6 +208,12 @@ input_userauth_request(int type, int plen, void *ctxt)
/* reset state */
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error);
authctxt->postponed = 0;
+#ifdef BSD_AUTH
+ if (authctxt->as) {
+ auth_close(authctxt->as);
+ authctxt->as = NULL;
+ }
+#endif
/* try to authenticate user */
m = authmethod_lookup(method);
@@ -305,7 +311,7 @@ userauth_none(Authctxt *authctxt)
m->enabled = NULL;
packet_done();
userauth_banner();
- return authctxt->valid ? auth_password(authctxt->pw, "") : 0;
+ return authctxt->valid ? auth_password(authctxt, "") : 0;
}
int
@@ -321,7 +327,7 @@ userauth_passwd(Authctxt *authctxt)
password = packet_get_string(&len);
packet_done();
if (authctxt->valid &&
- auth_password(authctxt->pw, password) == 1)
+ auth_password(authctxt, password) == 1)
authenticated = 1;
memset(password, 0, len);
xfree(password);
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index d97dd68f248..0f364d4b894 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.62 2001/03/20 18:57:04 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -58,10 +58,6 @@ RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
#include "canohost.h"
#include "session.h"
-#ifdef HAVE_LOGIN_CAP
-#include <login_cap.h>
-#endif
-
/* types */
#define TTYSZ 64
@@ -831,8 +827,14 @@ do_child(Session *s, const char *command)
(LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
perror("unable to set user context");
exit(1);
-
}
+#ifdef BSD_AUTH
+ if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+ error("approval failure for %s", pw->pw_name);
+ fprintf(stderr, "Approval failure");
+ exit(1);
+ }
+#endif
#else
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));