- (bal) OpenBSD CVS update

   - markus@cvs.openbsd.org 2000/12/10 17:01:53
     [sshconnect1.c]
     always request new challenge for skey/tis-auth, fixes interop with
     other implementations; report from roth@feep.net

diff --git a/ChangeLog b/ChangeLog
index ef9dd84b1311d57ff7373e48e30df9b59a5de334..8ba1a9e369ec09ba7ea0dad77200212b95f7bc27 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@
  - (bal) Applied patch to include ssh-keyscan into Redhat's package, and
    patch to install ssh-keyscan manpage.  Patch by Pekka Savola
    <pekka@netcore.fi>
+ - (bal) OpenbSD CVS update
+   - markus@cvs.openbsd.org 2000/12/10 17:01:53
+     [sshconnect1.c]
+     always request new challenge for skey/tis-auth, fixes interop with
+     other implementations; report from roth@feep.net
 
 20001210
  - (bal) OpenBSD CVS updates

diff --git a/sshconnect1.c b/sshconnect1.c
index 709329713388e5c93904fc85623aab7d28163d4d..f95c031da7e59c602b9e6effbf7d3800cc298768 100644 (file)
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.11 2000/11/25 16:42:53 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.12 2000/12/10 17:01:53 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
@@ -604,37 +604,41 @@ try_skey_authentication()
        int type, i;
        int payload_len;
        unsigned int clen;
+       char prompt[1024];
        char *challenge, *response;
 
        debug("Doing skey authentication.");
 
-       /* request a challenge */
-       packet_start(SSH_CMSG_AUTH_TIS);
-       packet_send();
-       packet_write_wait();
-
-       type = packet_read(&payload_len);
-       if (type != SSH_SMSG_FAILURE &&
-           type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-               packet_disconnect("Protocol error: got %d in response "
-                                 "to skey-auth", type);
-       }
-       if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-               debug("No challenge for skey authentication.");
-               return 0;
-       }
-       challenge = packet_get_string(&clen);
-       packet_integrity_check(payload_len, (4 + clen), type);
-       if (options.cipher == SSH_CIPHER_NONE)
-               log("WARNING: Encryption is disabled! "
-                   "Reponse will be transmitted in clear text.");
-       fprintf(stderr, "%s\n", challenge);
-       xfree(challenge);
-       fflush(stderr);
        for (i = 0; i < options.number_of_password_prompts; i++) {
+               /* request a challenge */
+               packet_start(SSH_CMSG_AUTH_TIS);
+               packet_send();
+               packet_write_wait();
+
+               type = packet_read(&payload_len);
+               if (type != SSH_SMSG_FAILURE &&
+                   type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+                       packet_disconnect("Protocol error: got %d in response "
+                           "to skey-auth", type);
+               }
+               if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+                       debug("No challenge for skey authentication.");
+                       return 0;
+               }
+               challenge = packet_get_string(&clen);
+               packet_integrity_check(payload_len, (4 + clen), type);
+               snprintf(prompt, sizeof prompt, "%s\nResponse: ", challenge);
+               xfree(challenge);
                if (i != 0)
                        error("Permission denied, please try again.");
-               response = read_passphrase("Response: ", 0);
+               if (options.cipher == SSH_CIPHER_NONE)
+                       log("WARNING: Encryption is disabled! "
+                           "Reponse will be transmitted in clear text.");
+               response = read_passphrase(prompt, 0);
+               if (strcmp(response, "") == 0) {
+                       xfree(response);
+                       break;
+               }
                packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
                packet_put_string(response, strlen(response));
                memset(response, 0, strlen(response));
@@ -646,7 +650,7 @@ try_skey_authentication()
                        return 1;
                if (type != SSH_SMSG_FAILURE)
                        packet_disconnect("Protocol error: got %d in response "
-                                         "to skey-auth-reponse", type);
+                           "to skey-auth-reponse", type);
        }
        /* failure */
        return 0;