From d464095c8447edcf32849c5edaa30e59beb7e943 Mon Sep 17 00:00:00 2001 From: mouring Date: Tue, 23 Jan 2001 03:12:10 +0000 Subject: [PATCH] - markus@cvs.openbsd.org 2001/01/22 23:06:39 [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c] rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled. --- ChangeLog | 5 +++++ auth1.c | 6 +++--- auth2.c | 9 +++++++-- readconf.c | 27 +++++++++++++-------------- readconf.h | 5 +++-- servconf.c | 17 +++++++++-------- servconf.h | 5 ++--- sshconnect1.c | 18 +++++++++--------- sshconnect2.c | 5 ++++- sshd.c | 4 ++-- 10 files changed, 57 insertions(+), 44 deletions(-) diff --git a/ChangeLog b/ChangeLog index c8319d5a..5052a0f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,11 @@ - stevesk@cvs.openbsd.org 2001/01/22 17:22:28 [sshconnect2.c sshd.c] fix memory leaks in SSH2 key exchange; ok markus@ + - markus@cvs.openbsd.org 2001/01/22 23:06:39 + [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h + sshconnect1.c sshconnect2.c sshd.c] + rename skey -> challenge response. + auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled. 20010122 diff --git a/auth1.c b/auth1.c index 50037fd8..1dc2284a 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.13 2001/01/21 19:05:43 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.14 2001/01/22 23:06:39 markus Exp $"); #ifdef HAVE_OSF_SIA # include @@ -281,7 +281,7 @@ do_authloop(Authctxt *authctxt) case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); - if (options.skey_authentication == 1) { + if (options.challenge_reponse_authentication == 1) { char *challenge = get_challenge(authctxt, authctxt->style); if (challenge != NULL) { debug("sending challenge '%s'", challenge); 
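Review bot: The new field name `options.challenge_reponse_authentication` misspells "response" as "reponse", while the config keyword `challengeresponseauthentication` and the enum constants `oChallengeResponseAuthentication` / `sChallengeResponseAuthentication` spell it correctly, so the option and its storage will not grep together and the typo will propagate into every caller. The same misspelling is introduced in the struct fields in readconf.h and servconf.h, in `try_challenge_reponse_authentication()` in sshconnect1.c, and in every use site in auth2.c, readconf.c, servconf.c, sshconnect2.c and sshd.c; declaring `int challenge_response_authentication;` in both headers and using `if (options.challenge_response_authentication == 1) {` here is far cheaper now than after the name ships. do_authloop continues outside the hunk.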
@@ -296,7 +296,7 @@ do_authloop(Authctxt *authctxt) case SSH_CMSG_AUTH_TIS_RESPONSE: debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); - if (options.skey_authentication == 1) { + if (options.challenge_reponse_authentication == 1) { char *response = packet_get_string(&dlen); debug("got response '%s'", response); packet_integrity_check(plen, 4 + dlen, type); diff --git a/auth2.c b/auth2.c index 768fedde..99be9e1b 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.34 2001/01/22 23:06:39 markus Exp $"); #ifdef HAVE_OSF_SIA # include @@ -123,6 +123,10 @@ do_authentication2() x_authctxt = authctxt; /*XXX*/ + /* challenge-reponse is implemented via keyboard interactive */ + if (options.challenge_reponse_authentication) + options.kbd_interactive_authentication = 1; + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { @@ -401,7 +405,8 @@ userauth_kbdint(Authctxt *authctxt) debug("keyboard-interactive language %s devs %s", lang, devs); - authenticated = auth2_challenge(authctxt, devs); + if (options.challenge_reponse_authentication) + authenticated = auth2_challenge(authctxt, devs); #ifdef USE_PAM if (authenticated == 0) diff --git a/readconf.c b/readconf.c index a10aaff1..5c091c60 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.58 2001/01/21 19:05:53 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -93,7 +93,7 @@ typedef enum { oBadOption, oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, - oSkeyAuthentication, oXAuthLocation, + oChallengeResponseAuthentication, oXAuthLocation, #ifdef KRB4 oKerberosAuthentication, #endif /* KRB4 */ 
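Review bot: The added `options.kbd_interactive_authentication = 1;` in do_authentication2 silently overrides an explicit `KbdInteractiveAuthentication no` in sshd_config whenever challenge-response is enabled, and since servconf.c defaults `challenge_reponse_authentication` to 1, an administrator who only disables keyboard-interactive no longer gets that for protocol 2 (the `= 0` default filled in fill_default_server_options is then overwritten here, assuming this runs after config parsing). Either apply the coupling only when the option is still unset, e.g. in fill_default_server_options after the challenge-response default is filled, `if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = options->challenge_reponse_authentication;`, or extend the comment here to say that ChallengeResponseAuthentication implies KbdInteractiveAuthentication for ssh2 regardless of the explicit setting. The client side has the same pattern in ssh_userauth2 (sshconnect2.c), where the unconditional `= 1` overrides a user's `KbdInteractiveAuthentication no`. The comment on the added line also carries the "reponse" misspelling. do_authentication2 continues outside the hunk on both sides.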
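Review bot: With the new guard in userauth_kbdint, `authenticated` is assigned only when challenge-response is enabled, so the `if (authenticated == 0)` test that follows now relies on the variable being initialized at its declaration, which is outside the hunk; worth confirming it reads `int authenticated = 0;`, otherwise the disabled path reads an indeterminate value. A one-line comment on the guard would also help the next reader, e.g. `/* without challenge-response only the PAM path below (if compiled in) can serve kbd-interactive */`, since the `#ifdef USE_PAM` block appears to be the only remaining handler visible here. userauth_kbdint begins and ends outside the hunk.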
@@ -104,7 +104,7 @@ typedef enum { oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, + oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias @@ -127,8 +127,10 @@ static struct { { "kbdinteractivedevices", oKbdInteractiveDevices }, { "rsaauthentication", oRSAAuthentication }, { "pubkeyauthentication", oPubkeyAuthentication }, - { "dsaauthentication", oPubkeyAuthentication }, /* alias */ - { "skeyauthentication", oSkeyAuthentication }, + { "dsaauthentication", oPubkeyAuthentication }, /* alias */ + { "challengeresponseauthentication", oChallengeResponseAuthentication }, + { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ + { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ #ifdef KRB4 { "kerberosauthentication", oKerberosAuthentication }, #endif /* KRB4 */ @@ -165,7 +167,6 @@ static struct { { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, - { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, { NULL, 0 } }; @@ -318,10 +319,8 @@ parse_flag: intptr = &options->rhosts_rsa_authentication; goto parse_flag; - case oTISAuthentication: - /* fallthrough, there is no difference on the client side */ - case oSkeyAuthentication: - intptr = &options->skey_authentication; + case oChallengeResponseAuthentication: + intptr = &options->challenge_reponse_authentication; goto parse_flag; #ifdef KRB4 
@@ -669,7 +668,7 @@ initialize_options(Options * options) options->rhosts_authentication = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; - options->skey_authentication = -1; + options->challenge_reponse_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; #endif @@ -736,8 +735,8 @@ fill_default_options(Options * options) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; - if (options->skey_authentication == -1) - options->skey_authentication = 0; + if (options->challenge_reponse_authentication == -1) + options->challenge_reponse_authentication = 0; #ifdef KRB4 if (options->kerberos_authentication == -1) options->kerberos_authentication = 1; @@ -751,7 +750,7 @@ fill_default_options(Options * options) if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) - options->kbd_interactive_authentication = 0; + options->kbd_interactive_authentication = 1; if (options->rhosts_rsa_authentication == -1) options->rhosts_rsa_authentication = 1; if (options->fallback_to_rsh == -1) diff --git a/readconf.h b/readconf.h index 08ff7083..241b7165 100644 --- a/readconf.h +++ b/readconf.h @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */ +/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */ #ifndef READCONF_H #define READCONF_H @@ -36,7 +36,8 @@ typedef struct { * authentication. */ int rsa_authentication; /* Try RSA authentication. */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ - int skey_authentication; /* Try S/Key or TIS authentication. */ + int challenge_reponse_authentication; + /* Try S/Key or TIS, authentication. */ #ifdef KRB4 int kerberos_authentication; /* Try Kerberos * authentication. */ 
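Review bot: Changing the client default `options->kbd_interactive_authentication` from 0 to 1 in fill_default_options is unconditional, so every ssh2 client now offers keyboard-interactive even when ChallengeResponseAuthentication stays at its default of 0 (set in the preceding hunk), which goes beyond the commit message's "auto-enable kbd-interactive for ssh2 if challenge-response is enabled". If the conditional coupling is the intent, this line should remain `options->kbd_interactive_authentication = 0;` and the `if (options.challenge_reponse_authentication)` rule in sshconnect2.c carries the behaviour on its own; if an always-on default is intended, the commit message and the user-facing option documentation should say so, since it changes which authentication methods a default client engages a server on. fill_default_options continues outside the hunk.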
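Review bot: The replacement comment `/* Try S/Key or TIS, authentication. */` has a stray comma and no longer says what the flag does for protocol 2, where ssh_userauth2 (sshconnect2.c) turns it into keyboard-interactive. Suggest `/* Try challenge-response auth: S/Key or TIS for ssh1, keyboard-interactive for ssh2. */`, kept on the field's own line like the neighbouring members. The Options struct continues outside the hunk.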
diff --git a/servconf.c b/servconf.c index 7dfd040c..2738c62e 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.62 2001/01/21 19:05:55 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.63 2001/01/22 23:06:39 markus Exp $"); #ifdef KRB4 #include @@ -77,7 +77,7 @@ initialize_server_options(ServerOptions *options) #endif options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->skey_authentication = -1; + options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; @@ -171,8 +171,8 @@ fill_default_server_options(ServerOptions *options) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; - if (options->skey_authentication == -1) - options->skey_authentication = 1; + if (options->challenge_reponse_authentication == -1) + options->challenge_reponse_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) @@ -201,7 +201,7 @@ typedef enum { #ifdef AFS sKerberosTgtPassing, sAFSTokenPassing, #endif - sSkeyAuthentication, + sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, @@ -243,7 +243,8 @@ static struct { #endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, - { "skeyauthentication", sSkeyAuthentication }, + { "challengeresponseauthentication", sChallengeResponseAuthentication }, + { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ { "checkmail", sCheckMail }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, 
@@ -537,8 +538,8 @@ parse_flag: intptr = &options->check_mail; goto parse_flag; - case sSkeyAuthentication: - intptr = &options->skey_authentication; + case sChallengeResponseAuthentication: + intptr = &options->challenge_reponse_authentication; goto parse_flag; case sPrintMotd: diff --git a/servconf.h b/servconf.h index ea069490..e3163670 100644 --- a/servconf.h +++ b/servconf.h @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.34 2001/01/19 12:45:27 markus Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.35 2001/01/22 23:06:40 markus Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H @@ -80,8 +80,7 @@ typedef struct { int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ - int skey_authentication; /* If true, permit s/key - * authentication. */ + int challenge_reponse_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ diff --git a/sshconnect1.c b/sshconnect1.c index 2c097256..5a5a2222 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.19 2001/01/22 08:15:00 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.20 2001/01/22 23:06:40 markus Exp $"); #include #include @@ -613,7 +613,7 @@ send_afs_tokens(void) * Note that the client code is not tied to s/key or TIS. */ int -try_skey_authentication() +try_challenge_reponse_authentication() { int type, i; int payload_len; @@ -621,7 +621,7 @@ try_skey_authentication() char prompt[1024]; char *challenge, *response; - debug("Doing skey authentication."); + debug("Doing challenge reponse authentication."); for (i = 0; i < options.number_of_password_prompts; i++) { /* request a challenge */ 
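Review bot: The renamed field `int challenge_reponse_authentication;` drops the trailing comment that every neighbouring ServerOptions member carries (`/* If true, permit s/key authentication. */` is removed and nothing replaces it), so the header no longer documents the option at all. Suggest `int challenge_reponse_authentication; /* If true, permit challenge-response (S/Key, TIS) auth; also enables kbd-interactive for ssh2. */`, the second half reflecting the new coupling in do_authentication2 (auth2.c). The ServerOptions struct continues outside the hunk.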
@@ -633,10 +633,10 @@ try_skey_authentication() if (type != SSH_SMSG_FAILURE && type != SSH_SMSG_AUTH_TIS_CHALLENGE) { packet_disconnect("Protocol error: got %d in response " - "to skey-auth", type); + "to SSH_CMSG_AUTH_TIS", type); } if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) { - debug("No challenge for skey authentication."); + debug("No challenge."); return 0; } challenge = packet_get_string(&clen); @@ -665,7 +665,7 @@ try_skey_authentication() return 1; if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response " - "to skey-auth-reponse", type); + "to SSH_CMSG_AUTH_TIS_RESPONSE", type); } /* failure */ return 0; @@ -1018,10 +1018,10 @@ ssh_userauth( try_rsa_authentication(options.identity_files[i])) return; } - /* Try skey authentication if the server supports it. */ + /* Try challenge response authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_TIS)) && - options.skey_authentication && !options.batch_mode) { - if (try_skey_authentication()) + options.challenge_reponse_authentication && !options.batch_mode) { + if (try_challenge_reponse_authentication()) return; } /* Try password authentication if the server supports it. */ diff --git a/sshconnect2.c b/sshconnect2.c index 1b442287..1d911b9b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.38 2001/01/22 17:22:28 stevesk Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.39 2001/01/22 23:06:40 markus Exp $"); #include #include @@ -513,6 +513,9 @@ ssh_userauth2(const char *server_user, char *host) int type; int plen; + if (options.challenge_reponse_authentication) + options.kbd_interactive_authentication = 1; + debug("send SSH2_MSG_SERVICE_REQUEST"); packet_start(SSH2_MSG_SERVICE_REQUEST); packet_put_cstring("ssh-userauth"); diff --git a/sshd.c b/sshd.c index 686e7c26..85355359 100644 --- a/sshd.c +++ b/sshd.c 
@@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.156 2001/01/22 17:22:28 stevesk Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.157 2001/01/22 23:06:40 markus Exp $"); #include #include @@ -1254,7 +1254,7 @@ do_ssh1_kex(void) if (options.afs_token_passing) auth_mask |= 1 << SSH_PASS_AFS_TOKEN; #endif - if (options.skey_authentication == 1) + if (options.challenge_reponse_authentication == 1) auth_mask |= 1 << SSH_AUTH_TIS; if (options.password_authentication) auth_mask |= 1 << SSH_AUTH_PASSWORD; -- 2.45.2