-/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-
#include "includes.h"
+RCSID("$OpenBSD: auth2-chall.c,v 1.8 2001/09/27 15:31:17 markus Exp $");
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
#include "auth.h"
-#include "buffer.h"
#include "packet.h"
+#include "xmalloc.h"
#include "dispatch.h"
+#include "auth.h"
#include "log.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
static int auth2_challenge_start(Authctxt *);
static int send_userauth_info_request(Authctxt *);
-static void input_userauth_info_response(int, u_int32_t, void *);
+static void input_userauth_info_response(int, int, void *);
#ifdef BSD_AUTH
extern KbdintDevice bsdauth_device;
#else
-#ifdef USE_PAM
-extern KbdintDevice sshpam_device;
-#endif
#ifdef SKEY
extern KbdintDevice skey_device;
#endif
#ifdef BSD_AUTH
&bsdauth_device,
#else
-#ifdef USE_PAM
- &sshpam_device,
-#endif
#ifdef SKEY
&skey_device,
#endif
char *devices;
void *ctxt;
KbdintDevice *device;
- u_int nreq;
};
-#ifdef USE_PAM
-void
-remove_kbdint_device(const char *devname)
-{
- int i, j;
-
- for (i = 0; devices[i] != NULL; i++)
- if (strcmp(devices[i]->name, devname) == 0) {
- for (j = i; devices[j] != NULL; j++)
- devices[j] = devices[j+1];
- i--;
- }
-}
-#endif
-
static KbdintAuthctxt *
kbdint_alloc(const char *devs)
{
KbdintAuthctxt *kbdintctxt;
- Buffer b;
int i;
-
-#ifdef USE_PAM
- if (!options.use_pam)
- remove_kbdint_device("pam");
-#endif
+ char buf[1024];
kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
if (strcmp(devs, "") == 0) {
- buffer_init(&b);
+ buf[0] = '\0';
for (i = 0; devices[i]; i++) {
- if (buffer_len(&b) > 0)
- buffer_append(&b, ",", 1);
- buffer_append(&b, devices[i]->name,
- strlen(devices[i]->name));
+ if (i != 0)
+ strlcat(buf, ",", sizeof(buf));
+ strlcat(buf, devices[i]->name, sizeof(buf));
}
- buffer_append(&b, "\0", 1);
- kbdintctxt->devices = xstrdup(buffer_ptr(&b));
- buffer_free(&b);
+ debug("kbdint_alloc: devices '%s'", buf);
+ kbdintctxt->devices = xstrdup(buf);
} else {
kbdintctxt->devices = xstrdup(devs);
}
- debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
kbdintctxt->ctxt = NULL;
kbdintctxt->device = NULL;
- kbdintctxt->nreq = 0;
return kbdintctxt;
}
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
- kbdintctxt->devices : "<empty>");
+ kbdintctxt->devices : "<empty>");
} while (kbdintctxt->devices && !kbdintctxt->device);
return kbdintctxt->device ? 1 : 0;
if (authctxt->user == NULL || !devs)
return 0;
- if (authctxt->kbdintctxt == NULL)
+ if (authctxt->kbdintctxt == NULL)
authctxt->kbdintctxt = kbdint_alloc(devs);
return auth2_challenge_start(authctxt);
}
-/* unregister kbd-int callbacks and context */
-void
-auth2_challenge_stop(Authctxt *authctxt)
-{
- /* unregister callback */
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
- if (authctxt->kbdintctxt != NULL) {
- kbdint_free(authctxt->kbdintctxt);
- authctxt->kbdintctxt = NULL;
- }
-}
-
/* side effect: sets authctxt->postponed if a reply was sent*/
static int
auth2_challenge_start(Authctxt *authctxt)
kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
if (kbdint_next_device(kbdintctxt) == 0) {
- auth2_challenge_stop(authctxt);
+ kbdint_free(kbdintctxt);
+ authctxt->kbdintctxt = NULL;
return 0;
}
debug("auth2_challenge_start: trying authentication method '%s'",
kbdintctxt->device->name);
if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
- auth2_challenge_stop(authctxt);
+ kbdint_free(kbdintctxt);
+ authctxt->kbdintctxt = NULL;
return 0;
}
if (send_userauth_info_request(authctxt) == 0) {
- auth2_challenge_stop(authctxt);
+ kbdint_free(kbdintctxt);
+ authctxt->kbdintctxt = NULL;
return 0;
}
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
{
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
- u_int i, *echo_on;
+ int i;
+ u_int numprompts, *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
- &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
+ &name, &instr, &numprompts, &prompts, &echo_on))
return 0;
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(name);
packet_put_cstring(instr);
- packet_put_cstring(""); /* language not used */
- packet_put_int(kbdintctxt->nreq);
- for (i = 0; i < kbdintctxt->nreq; i++) {
+ packet_put_cstring(""); /* language not used */
+ packet_put_int(numprompts);
+ for (i = 0; i < numprompts; i++) {
packet_put_cstring(prompts[i]);
packet_put_char(echo_on[i]);
}
packet_send();
packet_write_wait();
- for (i = 0; i < kbdintctxt->nreq; i++)
+ for (i = 0; i < numprompts; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(echo_on);
}
static void
-input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
+input_userauth_info_response(int type, int plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
KbdintAuthctxt *kbdintctxt;
- int authenticated = 0, res, len;
- u_int i, nresp;
+ int i, authenticated = 0, res, len;
+ u_int nresp;
char **response = NULL, *method;
if (authctxt == NULL)
authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
- if (nresp != kbdintctxt->nreq)
- fatal("input_userauth_info_response: wrong number of replies");
- if (nresp > 100)
- fatal("input_userauth_info_response: too many replies");
if (nresp > 0) {
- response = xcalloc(nresp, sizeof(char *));
+ response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)
response[i] = packet_get_string(NULL);
}
- packet_check_eom();
+ packet_done();
- res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
+ if (authctxt->valid) {
+ res = kbdintctxt->device->respond(kbdintctxt->ctxt,
+ nresp, response);
+ } else {
+ res = -1;
+ }
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
switch (res) {
case 0:
/* Success! */
- authenticated = authctxt->valid ? 1 : 0;
+ authenticated = 1;
break;
case 1:
/* Authentication needs further interaction */
- if (send_userauth_info_request(authctxt) == 1)
- authctxt->postponed = 1;
+ authctxt->postponed = 1;
+ if (send_userauth_info_request(authctxt) == 0) {
+ authctxt->postponed = 0;
+ }
break;
default:
/* Failure! */
len = strlen("keyboard-interactive") + 2 +
strlen(kbdintctxt->device->name);
method = xmalloc(len);
- snprintf(method, len, "keyboard-interactive/%s",
- kbdintctxt->device->name);
+ method[0] = '\0';
+ strlcat(method, "keyboard-interactive", len);
+ strlcat(method, "/", len);
+ strlcat(method, kbdintctxt->device->name, len);
if (!authctxt->postponed) {
+ /* unregister callback */
+ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+
if (authenticated) {
- auth2_challenge_stop(authctxt);
+ kbdint_free(kbdintctxt);
+ authctxt->kbdintctxt = NULL;
} else {
/* start next device */
/* may set authctxt->postponed */
userauth_finish(authctxt, authenticated, method);
xfree(method);
}
-
-void
-privsep_challenge_enable(void)
-{
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
- int n = 0;
-#endif
-#ifdef BSD_AUTH
- extern KbdintDevice mm_bsdauth_device;
-#endif
-#ifdef USE_PAM
- extern KbdintDevice mm_sshpam_device;
-#endif
-#ifdef SKEY
- extern KbdintDevice mm_skey_device;
-#endif
-
-#ifdef BSD_AUTH
- devices[n++] = &mm_bsdauth_device;
-#else
-#ifdef USE_PAM
- devices[n++] = &mm_sshpam_device;
-#endif
-#ifdef SKEY
- devices[n++] = &mm_skey_device;
-#endif
-#endif
-}