- djm@cvs.openbsd.org 2010/01/30 02:54:53
index aced659c0c6b78c1b200fe56033153f109fafd87..919b1eaa43cfcdf2ec09bf1c95d05f2861c7f1a6 100644 (file)
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-chall.c,v 1.5 2001/03/02 18:54:30 deraadt Exp $");
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
+#include "servconf.h"
+
+/* limited protocol v1 interface to kbd-interactive authentication */
+
+extern KbdintDevice *devices[];
+static KbdintDevice *device;
+extern ServerOptions options;
 
-#ifdef BSD_AUTH
 char *
-get_challenge(Authctxt *authctxt, char *devs)
+get_challenge(Authctxt *authctxt)
 {
-       char *challenge;
+       char *challenge, *name, *info, **prompts;
+       u_int i, numprompts;
+       u_int *echo_on;
 
-       if (authctxt->as != NULL) {
-               debug2("try reuse session");
-               challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
-               if (challenge != NULL) {
-                       debug2("reuse bsd auth session");
-                       return challenge;
-               }
-               auth_close(authctxt->as);
-               authctxt->as = NULL;
+#ifdef USE_PAM
+       if (!options.use_pam)
+               remove_kbdint_device("pam");
+#endif
+
+       device = devices[0]; /* we always use the 1st device for protocol 1 */
+       if (device == NULL)
+               return NULL;
+       if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL)
+               return NULL;
+       if (device->query(authctxt->kbdintctxt, &name, &info,
+           &numprompts, &prompts, &echo_on)) {
+               device->free_ctx(authctxt->kbdintctxt);
+               authctxt->kbdintctxt = NULL;
+               return NULL;
        }
-       debug2("new bsd auth session");
-       if (devs == NULL || strlen(devs) == 0)
-               devs = authctxt->style;
-       debug3("bsd auth: devs %s", devs ? devs : "<default>");
-       authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh",
-           &challenge);
-        if (authctxt->as == NULL)
-                return NULL;
-       debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY");
-       return challenge;
+       if (numprompts < 1)
+               fatal("get_challenge: numprompts < 1");
+       challenge = xstrdup(prompts[0]);
+       for (i = 0; i < numprompts; i++)
+               xfree(prompts[i]);
+       xfree(prompts);
+       xfree(name);
+       xfree(echo_on);
+       xfree(info);
+
+       return (challenge);
 }
 int
-verify_response(Authctxt *authctxt, char *response)
+verify_response(Authctxt *authctxt, const char *response)
 {
-       int authok;
+       char *resp[1], *name, *info, **prompts;
+       u_int i, numprompts, *echo_on;
+       int authenticated = 0;
 
-       if (authctxt->as == 0)
-               error("verify_response: no bsd auth session");
-       authok = auth_userresponse(authctxt->as, response, 0);
-       authctxt->as = NULL;
-       debug("verify_response: <%s> = <%d>", response, authok);
-       return authok != 0;
-}
-#else
-#ifdef SKEY
-#include <skey.h>
+       if (device == NULL)
+               return 0;
+       if (authctxt->kbdintctxt == NULL)
+               return 0;
+       resp[0] = (char *)response;
+       switch (device->respond(authctxt->kbdintctxt, 1, resp)) {
+       case 0: /* Success */
+               authenticated = 1;
+               break;
+       case 1: /* Postponed - retry with empty query for PAM */
+               if ((device->query(authctxt->kbdintctxt, &name, &info,
+                   &numprompts, &prompts, &echo_on)) != 0)
+                       break;
+               if (numprompts == 0 &&
+                   device->respond(authctxt->kbdintctxt, 0, resp) == 0)
+                       authenticated = 1;
 
-char *
-get_challenge(Authctxt *authctxt, char *devs)
-{
-       static char challenge[1024];
-       struct skey skey;
-       if (skeychallenge(&skey, authctxt->user, challenge) == -1)
-               return NULL;
-       strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
-       return challenge;
-}
-int
-verify_response(Authctxt *authctxt, char *response)
-{
-       return (authctxt->valid &&
-           skey_haskey(authctxt->pw->pw_name) == 0 &&
-           skey_passcheck(authctxt->pw->pw_name, response) != -1);
-}
-#else
-/* not available */
-char *
-get_challenge(Authctxt *authctxt, char *devs)
-{
-       return NULL;
+               for (i = 0; i < numprompts; i++)
+                       xfree(prompts[i]);
+               xfree(prompts);
+               xfree(name);
+               xfree(echo_on);
+               xfree(info);
+               break;
+       }
+       device->free_ctx(authctxt->kbdintctxt);
+       authctxt->kbdintctxt = NULL;
+       return authenticated;
 }
-int
-verify_response(Authctxt *authctxt, char *response)
+void
+abandon_challenge_response(Authctxt *authctxt)
 {
-       return 0;
+       if (authctxt->kbdintctxt != NULL) {
+               device->free_ctx(authctxt->kbdintctxt);
+               authctxt->kbdintctxt = NULL;
+       }
 }
-#endif
-#endif
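Review bot: `get_challenge()` assigns `authctxt->kbdintctxt = device->init_ctx(authctxt)` unconditionally, so a second call on the same Authctxt silently overwrites a still-live context and leaks it (the removed BSD_AUTH path closed the stale session first; the new code has no equivalent). Unless every caller is guaranteed to go through `verify_response()` or `abandon_challenge_response()` before re-issuing a challenge, the context should be released before `device` is reassigned, e.g. insert `abandon_challenge_response(authctxt);` as the first statement of the function, ahead of the `remove_kbdint_device("pam")` block, so the old `device` pointer is the one that frees it. Separately, the `switch` on `device->respond()` in `verify_response()` has no `default:`; unknown return values fall out with `authenticated` still 0, which is the safe outcome, but a `default: break; /* any other status is a failure */` would make that intent explicit. The cast `resp[0] = (char *)response;` discards `const`, which is fine only if `respond()` never writes through the array — worth a one-line comment there.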