ab6b35a1d6
new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org>
#include "includes.h"
RCSID("$FreeBSD$");
RCSID("$OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $");
#include "ssh.h"
#include "ssh2.h"
#include "auth.h"
#include "packet.h"
#include "xmalloc.h"
#include "dispatch.h"
void send_userauth_into_request(Authctxt *authctxt, int echo);
void input_userauth_info_response(int type, int plen, void *ctxt);
/*
 * Begin S/Key (OPIE) authentication for the given context.
 *
 * Emits the challenge prompt to the client and installs the handler for the
 * client's SSH2_MSG_USERAUTH_INFO_RESPONSE.  The result is not known until
 * that response arrives, so the method always reports "postponed" (-1).
 */
int
auth2_skey(Authctxt *authctxt)
{
	const int postponed = -1;

	/* First prompt goes out without echo; the response handler may re-prompt with echo. */
	send_userauth_into_request(authctxt, 0);
	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, input_userauth_info_response);
	return postponed;
}
/*
 * Send an SSH2_MSG_USERAUTH_INFO_REQUEST whose single prompt carries the
 * user's OPIE/S-Key challenge.
 *
 * authctxt->user must be set (fatal otherwise).  A real challenge is only
 * requested when authctxt->valid is set; when it is not, or opiechallenge()
 * reports -1, the challenge from skey_fake_keyinfo() is sent instead so the
 * request looks alike for known and unknown accounts.  echo != 0 asks the
 * client to echo the typed response.
 */
void
send_userauth_into_request(Authctxt *authctxt, int echo)
{
	struct opie opie_state;
	char challenge[OPIE_CHALLENGE_MAX + 1];
	int rc = -1;

	if (authctxt->user == NULL)
		fatal("send_userauth_into_request: internal error: no user");

	/* Only consult the OPIE database for a context marked valid. */
	if (authctxt->valid)
		rc = opiechallenge(&opie_state, authctxt->user, challenge);

	/*
	 * No real challenge available: substitute a fake one.
	 * NOTE(review): only rc == -1 is treated as failure here; if
	 * opiechallenge() can return another non-zero code without filling
	 * `challenge`, an uninitialised buffer would be sent — confirm against
	 * the OPIE library.  skey_fake_keyinfo() is assumed never to return NULL.
	 */
	if (rc == -1) {
		const char *fake = skey_fake_keyinfo(authctxt->user);
		strlcpy(challenge, fake, sizeof challenge);
	}

	/* Build and flush the info request: one prompt, challenge as instruction. */
	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
	packet_put_cstring("S/Key Authentication");	/* name */
	packet_put_cstring(challenge);			/* instruction */
	packet_put_cstring("");				/* language tag */
	packet_put_int(1);				/* number of prompts */
	packet_put_cstring(echo ? "Response [Echo]: " : "Response: ");	/* prompt */
	packet_put_char(echo);				/* echo flag */
	packet_send();
	packet_write_wait();

	/*
	 * Overwrite the challenge buffer.  It has already been transmitted
	 * above, so this is hygiene rather than secrecy; note that a plain
	 * memset on a dying local may be elided by the optimiser.
	 */
	memset(challenge, 'c', sizeof challenge);
}
/*
 * Dispatch handler for SSH2_MSG_USERAUTH_INFO_RESPONSE during S/Key auth.
 *
 * Reads the response count and, for exactly one response, either re-prompts
 * with echo enabled (empty response) or verifies the response against the
 * account's OPIE key and sends the success/failure reply.  Every call counts
 * as an attempt; the connection is dropped once AUTH_FAIL_MAX is exceeded.
 *
 * type and plen are the generic dispatch-callback arguments and are unused;
 * ctxt is the Authctxt registered by auth2_skey().
 */
void
input_userauth_info_response(int type, int plen, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	unsigned int nresp, response_len;
	char *response;
	int result;

	if (authctxt == NULL)
		fatal("input_userauth_info_response: no authentication context");

	/* Re-prompts count as attempts too, so an echo loop cannot run forever. */
	if (authctxt->attempt++ >= AUTH_FAIL_MAX)
		packet_disconnect("too many failed userauth_requests");

	nresp = packet_get_int();
	/*
	 * Only the single S/Key prompt is supported.  NOTE(review): any other
	 * response count is ignored: no failure reply is sent, packet_done()
	 * is not called and the callback stays registered, so the client only
	 * learns of the failure when the attempt counter above disconnects it.
	 */
	if (nresp != 1)
		return;

	response = packet_get_string(&response_len);
	packet_done();

	if (strlen(response) == 0) {
		/*
		 * Empty response: re-send the prompt with echo enabled and
		 * keep the callback registered.  -1 is the same "postponed"
		 * value auth2_skey() returns.
		 */
		result = -1;
		userauth_log(authctxt, result, "s/key");
		send_userauth_into_request(authctxt, 1);
	} else {
		/*
		 * Verify against the account's OPIE key.  The pw->pw_name
		 * dereference is reached only when authctxt->valid is set,
		 * via short-circuit evaluation.
		 */
		result = (authctxt->valid &&
		    opie_haskey(authctxt->pw->pw_name) == 0 &&
		    opie_passverify(authctxt->pw->pw_name, response) != -1);
		/*
		 * Overwrite the one-time password before it is freed.  A plain
		 * memset on a buffer about to be freed may be elided by the
		 * optimiser.
		 */
		memset(response, 'r', response_len);
		/* The exchange is finished either way: stop receiving responses. */
		dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
		userauth_log(authctxt, result, "s/key");
		userauth_reply(authctxt, result);
	}
	xfree(response);
}