From: djm Date: Sun, 18 Feb 2001 06:01:00 +0000 (+0000) Subject: - (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie X-Git-Tag: V_2_5_0_P1~4 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/af774732e689a492c7d9684bf0dcc9e6f303750c - (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie enable with --with-bsd-auth. --- diff --git a/acconfig.h b/acconfig.h index bcd40096..03bda370 100644 --- a/acconfig.h +++ b/acconfig.h @@ -290,6 +290,9 @@ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 +/* Define if you have BSD auth support */ +#undef BSD_AUTH + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff --git a/auth-chall.c b/auth-chall.c index b6ec02a3..926c07ed 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -26,7 +26,48 @@ RCSID("$OpenBSD: auth-chall.c,v 1.4 2001/02/04 15:32:22 stevesk Exp $"); #include "auth.h" +#include "log.h" +#ifdef BSD_AUTH +char * +get_challenge(Authctxt *authctxt, char *devs) +{ + char *challenge; + + if (authctxt->as != NULL) { + debug2("try reuse session"); + challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE); + if (challenge != NULL) { + debug2("reuse bsd auth session"); + return challenge; + } + auth_close(authctxt->as); + authctxt->as = NULL; + } + debug2("new bsd auth session"); + if (devs == NULL || strlen(devs) == 0) + devs = authctxt->style; + debug3("bsd auth: devs %s", devs ? devs : ""); + authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh", + &challenge); + if (authctxt->as == NULL) + return NULL; + debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY"); + return challenge; +} +int +verify_response(Authctxt *authctxt, char *response) +{ + int authok; + + if (authctxt->as == 0) + error("verify_response: no bsd auth session"); + authok = auth_userresponse(authctxt->as, response, 0); + authctxt->as = NULL; + debug("verify_response: <%s> = <%d>", response, authok); + return authok != 0; +} +#else #ifdef SKEY #include @@ -60,3 +101,4 @@ verify_response(Authctxt *authctxt, char *response) return 0; } #endif +#endif diff --git a/auth-passwd.c b/auth-passwd.c index c849abdc..5a91e558 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -77,14 +77,17 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $"); #define is_winnt (GetVersion() < 0x80000000) #endif + +extern ServerOptions options; + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ int -auth_password(struct passwd * pw, const char *password) +auth_password(Authctxt *authctxt, const char *password) { - extern ServerOptions options; + struct passwd * pw = authctxt->pw; char *encrypted_password; char *pw_password; char *salt; @@ -122,6 +125,13 @@ auth_password(struct passwd * pw, const char *password) #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; +#ifdef BSD_AUTH + if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", + (char *)password) == 0) + return 0; + else + return 1; +#endif #ifdef HAVE_CYGWIN if (is_winnt) { diff --git a/auth.h b/auth.h index 0684f6ff..45755339 100644 --- a/auth.h +++ b/auth.h @@ -28,6 +28,13 @@ #include +#ifdef HAVE_LOGIN_CAP +#include +#endif +#ifdef BSD_AUTH +#include +#endif + typedef struct Authctxt Authctxt; struct Authctxt { int success; @@ -39,6 +46,9 @@ struct Authctxt { char *service; struct passwd *pw; char *style; +#ifdef BSD_AUTH + auth_session_t *as; +#endif }; /* @@ -59,7 +69,7 @@ auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_ke * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ -int auth_password(struct passwd * pw, const char *password); +int auth_password(Authctxt *authctxt, const char *password); /* * Performs the RSA authentication dialog with the client. This returns 0 if diff --git a/auth1.c b/auth1.c index 11c56a51..beccf2b4 100644 --- a/auth1.c +++ b/auth1.c @@ -92,7 +92,7 @@ do_authloop(Authctxt *authctxt) #elif defined(HAVE_OSF_SIA) 0) { #else - auth_password(pw, "")) { + auth_password(authctxt, "")) { #endif auth_log(authctxt, 1, "without authentication", ""); return; @@ -262,7 +262,7 @@ do_authloop(Authctxt *authctxt) password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ - authenticated = auth_password(pw, password); + authenticated = auth_password(authctxt, password); #endif /* USE_PAM */ memset(password, 0, strlen(password)); @@ -303,6 +303,12 @@ do_authloop(Authctxt *authctxt) log("Unknown message during authentication: type %d", type); break; } +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); diff --git a/auth2.c b/auth2.c index 88fca2c9..cd3886dc 100644 --- a/auth2.c +++ b/auth2.c @@ -218,6 +218,12 @@ input_userauth_request(int type, int plen, void *ctxt) /* reset state */ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error); authctxt->postponed = 0; +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif /* try to authenticate user */ m = authmethod_lookup(method); @@ -341,7 +347,7 @@ userauth_none(Authctxt *authctxt) #elif defined(HAVE_OSF_SIA) return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ - return auth_password(authctxt->pw, ""); + return auth_password(authctxt, ""); #endif /* USE_PAM */ } @@ -366,7 +372,7 @@ userauth_passwd(Authctxt *authctxt) #elif defined(HAVE_OSF_SIA) auth_sia_password(authctxt->user, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ - auth_password(authctxt->pw, password) == 1) + auth_password(authctxt, password) == 1) #endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); diff --git a/configure.in b/configure.in index cf93ed67..951c6bb1 100644 --- a/configure.in +++ b/configure.in @@ -1411,6 +1411,17 @@ AC_ARG_WITH(4in6, ] ) +# Whether to enable BSD auth support +AC_ARG_WITH(bsd-auth, + [ --with-bsd-auth Enable BSD auth support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(BSD_AUTH) + bsd_auth=yes + fi + ] +) + AC_MSG_CHECKING(whether to install ssh as suid root) AC_ARG_ENABLE(suid-ssh, [ --enable-suid-ssh Install ssh as suid root (default) @@ -1739,6 +1750,10 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +if test ! -z "$bsd_auth"; then + echo " BSD Auth support: yes" +fi + echo "" echo " Host: ${host}" @@ -1769,3 +1784,4 @@ if test ! -z "$NO_SFTP"; then echo "64bit integers." echo "" fi + diff --git a/session.c b/session.c index 4e2471f2..b84f19ea 100644 --- a/session.c +++ b/session.c @@ -89,10 +89,6 @@ RCSID("$OpenBSD: session.c,v 1.56 2001/02/16 14:03:43 markus Exp $"); # define S_UNOFILE_HARD S_UNOFILE "_hard" #endif -#ifdef HAVE_LOGIN_CAP -#include -#endif - /* types */ #define TTYSZ 64 @@ -1071,6 +1067,13 @@ do_child(const char *command, struct passwd * pw, const char *term, perror("unable to set user context"); exit(1); } +#ifdef BSD_AUTH + if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) { + error("approval failure for %s", pw->pw_name); + fprintf(stderr, "Approval failure"); + exit(1); + } +#endif # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno));