freebsd-dev/crypto/openssh/auth2-skey.c
Brian Feldman 099584266b Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0
new features description elided in favor of checking out their
website.

Important new FreeBSD-version stuff: PAM support has been worked
in, partially from the "Unix" OpenSSH version, and a lot due to the
work of Eivind Eklend, too.

This requires at least the following in pam.conf:

sshd    auth    sufficient      pam_skey.so
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    session required        pam_permit.so

Parts by:	Eivind Eklend <eivind@FreeBSD.org>
2000-12-05 02:55:12 +00:00

106 lines
2.8 KiB
C

#include "includes.h"
RCSID("$FreeBSD$");
RCSID("$OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $");
#include "ssh.h"
#include "ssh2.h"
#include "auth.h"
#include "packet.h"
#include "xmalloc.h"
#include "dispatch.h"
void send_userauth_into_request(Authctxt *authctxt, int echo);
void input_userauth_info_response(int type, int plen, void *ctxt);
/*
* try skey authentication, always return -1 (= postponed) since we have to
* wait for the s/key response.
*/
int
auth2_skey(Authctxt *authctxt)
{
send_userauth_into_request(authctxt, 0);
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &input_userauth_info_response);
return -1;
}
void
send_userauth_into_request(Authctxt *authctxt, int echo)
{
int retval = -1;
struct opie skey;
char challenge[OPIE_CHALLENGE_MAX + 1];
char *fake;
if (authctxt->user == NULL)
fatal("send_userauth_into_request: internal error: no user");
/* get skey challenge */
if (authctxt->valid)
retval = opiechallenge(&skey, authctxt->user, challenge);
if (retval == -1) {
fake = skey_fake_keyinfo(authctxt->user);
strlcpy(challenge, fake, sizeof challenge);
}
/* send our info request */
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring("S/Key Authentication"); /* Name */
packet_put_cstring(challenge); /* Instruction */
packet_put_cstring(""); /* Language */
packet_put_int(1); /* Number of prompts */
packet_put_cstring(echo ?
"Response [Echo]: ": "Response: "); /* Prompt */
packet_put_char(echo); /* Echo */
packet_send();
packet_write_wait();
memset(challenge, 'c', sizeof challenge);
}
void
input_userauth_info_response(int type, int plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
int authenticated = 0;
unsigned int nresp, rlen;
char *resp, *method;
if (authctxt == NULL)
fatal("input_userauth_info_response: no authentication context");
if (authctxt->attempt++ >= AUTH_FAIL_MAX)
packet_disconnect("too many failed userauth_requests");
nresp = packet_get_int();
if (nresp == 1) {
/* we only support s/key and assume s/key for nresp == 1 */
method = "s/key";
resp = packet_get_string(&rlen);
packet_done();
if (strlen(resp) == 0) {
/*
* if we received a null response, resend prompt with
* echo enabled
*/
authenticated = -1;
userauth_log(authctxt, authenticated, method);
send_userauth_into_request(authctxt, 1);
} else {
/* verify skey response */
if (authctxt->valid &&
opie_haskey(authctxt->pw->pw_name) == 0 &&
opie_passverify(authctxt->pw->pw_name, resp) != -1) {
authenticated = 1;
} else {
authenticated = 0;
}
memset(resp, 'r', rlen);
/* unregister callback */
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
userauth_log(authctxt, authenticated, method);
userauth_reply(authctxt, authenticated);
}
xfree(resp);
}
}