diff options
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/auth-chall.c | 44 | ||||
-rw-r--r-- | usr.bin/ssh/auth-passwd.c | 16 | ||||
-rw-r--r-- | usr.bin/ssh/auth.h | 14 | ||||
-rw-r--r-- | usr.bin/ssh/auth1.c | 12 | ||||
-rw-r--r-- | usr.bin/ssh/auth2.c | 12 | ||||
-rw-r--r-- | usr.bin/ssh/session.c | 14 |
6 files changed, 94 insertions, 18 deletions
diff --git a/usr.bin/ssh/auth-chall.c b/usr.bin/ssh/auth-chall.c index b4be5e2000e..ee7b6cd9653 100644 --- a/usr.bin/ssh/auth-chall.c +++ b/usr.bin/ssh/auth-chall.c @@ -23,10 +23,51 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-chall.c,v 1.5 2001/03/02 18:54:30 deraadt Exp $"); +RCSID("$OpenBSD: auth-chall.c,v 1.6 2001/03/20 18:57:04 markus Exp $"); #include "auth.h" +#include "log.h" +#ifdef BSD_AUTH +char * +get_challenge(Authctxt *authctxt, char *devs) +{ + char *challenge; + + if (authctxt->as != NULL) { + debug2("try reuse session"); + challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE); + if (challenge != NULL) { + debug2("reuse bsd auth session"); + return challenge; + } + auth_close(authctxt->as); + authctxt->as = NULL; + } + debug2("new bsd auth session"); + if (devs == NULL || strlen(devs) == 0) + devs = authctxt->style; + debug3("bsd auth: devs %s", devs ? devs : "<default>"); + authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh", + &challenge); + if (authctxt->as == NULL) + return NULL; + debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY"); + return challenge; +} +int +verify_response(Authctxt *authctxt, char *response) +{ + int authok; + + if (authctxt->as == 0) + error("verify_response: no bsd auth session"); + authok = auth_userresponse(authctxt->as, response, 0); + authctxt->as = NULL; + debug("verify_response: <%s> = <%d>", response, authok); + return authok != 0; +} +#else #ifdef SKEY #include <skey.h> @@ -60,3 +101,4 @@ verify_response(Authctxt *authctxt, char *response) return 0; } #endif +#endif diff --git a/usr.bin/ssh/auth-passwd.c b/usr.bin/ssh/auth-passwd.c index 4ed105ee2e1..d97e7d928b3 100644 --- a/usr.bin/ssh/auth-passwd.c +++ b/usr.bin/ssh/auth-passwd.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -44,14 +44,17 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $"); #include "servconf.h" #include "auth.h" + +extern ServerOptions options; + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ int -auth_password(struct passwd * pw, const char *password) +auth_password(Authctxt *authctxt, const char *password) { - extern ServerOptions options; + struct passwd * pw = authctxt->pw; char *encrypted_password; /* deny if no user. */ @@ -61,6 +64,13 @@ auth_password(struct passwd * pw, const char *password) return 0; if (*password == '\0' && options.permit_empty_passwd == 0) return 0; +#ifdef BSD_AUTH + if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", + (char *)password) == 0) + return 0; + else + return 1; +#endif #ifdef KRB4 if (options.kerberos_authentication == 1) { diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h index a2e38e63d6c..c581f5b2a68 100644 --- a/usr.bin/ssh/auth.h +++ b/usr.bin/ssh/auth.h @@ -21,13 +21,20 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $OpenBSD: auth.h,v 1.12 2001/02/22 21:59:43 markus Exp $ + * $OpenBSD: auth.h,v 1.13 2001/03/20 18:57:04 markus Exp $ */ #ifndef AUTH_H #define AUTH_H #include <openssl/rsa.h> +#ifdef HAVE_LOGIN_CAP +#include <login_cap.h> +#endif +#ifdef BSD_AUTH +#include <bsd_auth.h> +#endif + typedef struct Authctxt Authctxt; struct Authctxt { int success; @@ -39,6 +46,9 @@ struct Authctxt { char *service; struct passwd *pw; char *style; +#ifdef BSD_AUTH + auth_session_t *as; +#endif }; /* @@ -59,7 +69,7 @@ auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_ke * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ -int auth_password(struct passwd * pw, const char *password); +int auth_password(Authctxt *authctxt, const char *password); /* * Performs the RSA authentication dialog with the client. This returns 0 if diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c index d8a75686d03..3316b7e3586 100644 --- a/usr.bin/ssh/auth1.c +++ b/usr.bin/ssh/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.19 2001/03/08 18:47:12 stevesk Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.20 2001/03/20 18:57:04 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -83,7 +83,7 @@ do_authloop(Authctxt *authctxt) #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif - auth_password(pw, "")) { + auth_password(authctxt, "")) { auth_log(authctxt, 1, "without authentication", ""); return; } @@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt) packet_integrity_check(plen, 4 + dlen, type); /* Try authentication with the password. */ - authenticated = auth_password(pw, password); + authenticated = auth_password(authctxt, password); memset(password, 0, strlen(password)); xfree(password); @@ -284,6 +284,12 @@ do_authloop(Authctxt *authctxt) log("Unknown message during authentication: type %d", type); break; } +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c index a92379d82ec..d5e29865122 100644 --- a/usr.bin/ssh/auth2.c +++ b/usr.bin/ssh/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.46 2001/03/11 13:25:36 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.47 2001/03/20 18:57:04 markus Exp $"); #include <openssl/evp.h> @@ -208,6 +208,12 @@ input_userauth_request(int type, int plen, void *ctxt) /* reset state */ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error); authctxt->postponed = 0; +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif /* try to authenticate user */ m = authmethod_lookup(method); @@ -305,7 +311,7 @@ userauth_none(Authctxt *authctxt) m->enabled = NULL; packet_done(); userauth_banner(); - return authctxt->valid ? auth_password(authctxt->pw, "") : 0; + return authctxt->valid ? auth_password(authctxt, "") : 0; } int @@ -321,7 +327,7 @@ userauth_passwd(Authctxt *authctxt) password = packet_get_string(&len); packet_done(); if (authctxt->valid && - auth_password(authctxt->pw, password) == 1) + auth_password(authctxt, password) == 1) authenticated = 1; memset(password, 0, len); xfree(password); diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index d97dd68f248..0f364d4b894 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.62 2001/03/20 18:57:04 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -58,10 +58,6 @@ RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $"); #include "canohost.h" #include "session.h" -#ifdef HAVE_LOGIN_CAP -#include <login_cap.h> -#endif - /* types */ #define TTYSZ 64 @@ -831,8 +827,14 @@ do_child(Session *s, const char *command) (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { perror("unable to set user context"); exit(1); - } +#ifdef BSD_AUTH + if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) { + error("approval failure for %s", pw->pw_name); + fprintf(stderr, "Approval failure"); + exit(1); + } +#endif #else if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); |