summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2001-01-23 03:12:10 +0000
committerBen Lindstrom <mouring@eviladmin.org>2001-01-23 03:12:10 +0000
commit95fb2dde7777c6afbffd80eba79a88811db55290 (patch)
treea008785c01c2bb513cc0c76bf1ac28f36cd9d9c9
parentb1985f727950dbb3d5c7de863ae0e2181ace53f8 (diff)
- markus@cvs.openbsd.org 2001/01/22 23:06:39
[auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c] rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
-rw-r--r--ChangeLog5
-rw-r--r--auth1.c6
-rw-r--r--auth2.c9
-rw-r--r--readconf.c27
-rw-r--r--readconf.h5
-rw-r--r--servconf.c17
-rw-r--r--servconf.h5
-rw-r--r--sshconnect1.c18
-rw-r--r--sshconnect2.c5
-rw-r--r--sshd.c4
10 files changed, 57 insertions, 44 deletions
diff --git a/ChangeLog b/ChangeLog
index c8319d5a..5052a0f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,11 @@
- stevesk@cvs.openbsd.org 2001/01/22 17:22:28
[sshconnect2.c sshd.c]
fix memory leaks in SSH2 key exchange; ok markus@
+ - markus@cvs.openbsd.org 2001/01/22 23:06:39
+ [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
+ sshconnect1.c sshconnect2.c sshd.c]
+ rename skey -> challenge response.
+ auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
20010122
diff --git a/auth1.c b/auth1.c
index 50037fd8..1dc2284a 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.13 2001/01/21 19:05:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.14 2001/01/22 23:06:39 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
@@ -281,7 +281,7 @@ do_authloop(Authctxt *authctxt)
case SSH_CMSG_AUTH_TIS:
debug("rcvd SSH_CMSG_AUTH_TIS");
- if (options.skey_authentication == 1) {
+ if (options.challenge_reponse_authentication == 1) {
char *challenge = get_challenge(authctxt, authctxt->style);
if (challenge != NULL) {
debug("sending challenge '%s'", challenge);
@@ -296,7 +296,7 @@ do_authloop(Authctxt *authctxt)
case SSH_CMSG_AUTH_TIS_RESPONSE:
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
- if (options.skey_authentication == 1) {
+ if (options.challenge_reponse_authentication == 1) {
char *response = packet_get_string(&dlen);
debug("got response '%s'", response);
packet_integrity_check(plen, 4 + dlen, type);
diff --git a/auth2.c b/auth2.c
index 768fedde..99be9e1b 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.34 2001/01/22 23:06:39 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
@@ -123,6 +123,10 @@ do_authentication2()
x_authctxt = authctxt; /*XXX*/
+ /* challenge-reponse is implemented via keyboard interactive */
+ if (options.challenge_reponse_authentication)
+ options.kbd_interactive_authentication = 1;
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
@@ -401,7 +405,8 @@ userauth_kbdint(Authctxt *authctxt)
debug("keyboard-interactive language %s devs %s", lang, devs);
- authenticated = auth2_challenge(authctxt, devs);
+ if (options.challenge_reponse_authentication)
+ authenticated = auth2_challenge(authctxt, devs);
#ifdef USE_PAM
if (authenticated == 0)
diff --git a/readconf.c b/readconf.c
index a10aaff1..5c091c60 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.58 2001/01/21 19:05:53 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -93,7 +93,7 @@ typedef enum {
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
- oSkeyAuthentication, oXAuthLocation,
+ oChallengeResponseAuthentication, oXAuthLocation,
#ifdef KRB4
oKerberosAuthentication,
#endif /* KRB4 */
@@ -104,7 +104,7 @@ typedef enum {
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
- oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+ oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias
@@ -127,8 +127,10 @@ static struct {
{ "kbdinteractivedevices", oKbdInteractiveDevices },
{ "rsaauthentication", oRSAAuthentication },
{ "pubkeyauthentication", oPubkeyAuthentication },
- { "dsaauthentication", oPubkeyAuthentication }, /* alias */
- { "skeyauthentication", oSkeyAuthentication },
+ { "dsaauthentication", oPubkeyAuthentication }, /* alias */
+ { "challengeresponseauthentication", oChallengeResponseAuthentication },
+ { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
#ifdef KRB4
{ "kerberosauthentication", oKerberosAuthentication },
#endif /* KRB4 */
@@ -165,7 +167,6 @@ static struct {
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
- { "tisauthentication", oTISAuthentication },
{ "loglevel", oLogLevel },
{ NULL, 0 }
};
@@ -318,10 +319,8 @@ parse_flag:
intptr = &options->rhosts_rsa_authentication;
goto parse_flag;
- case oTISAuthentication:
- /* fallthrough, there is no difference on the client side */
- case oSkeyAuthentication:
- intptr = &options->skey_authentication;
+ case oChallengeResponseAuthentication:
+ intptr = &options->challenge_reponse_authentication;
goto parse_flag;
#ifdef KRB4
@@ -669,7 +668,7 @@ initialize_options(Options * options)
options->rhosts_authentication = -1;
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
- options->skey_authentication = -1;
+ options->challenge_reponse_authentication = -1;
#ifdef KRB4
options->kerberos_authentication = -1;
#endif
@@ -736,8 +735,8 @@ fill_default_options(Options * options)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
- if (options->skey_authentication == -1)
- options->skey_authentication = 0;
+ if (options->challenge_reponse_authentication == -1)
+ options->challenge_reponse_authentication = 0;
#ifdef KRB4
if (options->kerberos_authentication == -1)
options->kerberos_authentication = 1;
@@ -751,7 +750,7 @@ fill_default_options(Options * options)
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
- options->kbd_interactive_authentication = 0;
+ options->kbd_interactive_authentication = 1;
if (options->rhosts_rsa_authentication == -1)
options->rhosts_rsa_authentication = 1;
if (options->fallback_to_rsh == -1)
diff --git a/readconf.h b/readconf.h
index 08ff7083..241b7165 100644
--- a/readconf.h
+++ b/readconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -36,7 +36,8 @@ typedef struct {
* authentication. */
int rsa_authentication; /* Try RSA authentication. */
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
- int skey_authentication; /* Try S/Key or TIS authentication. */
+ int challenge_reponse_authentication;
+ /* Try S/Key or TIS, authentication. */
#ifdef KRB4
int kerberos_authentication; /* Try Kerberos
* authentication. */
diff --git a/servconf.c b/servconf.c
index 7dfd040c..2738c62e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.62 2001/01/21 19:05:55 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.63 2001/01/22 23:06:39 markus Exp $");
#ifdef KRB4
#include <krb.h>
@@ -77,7 +77,7 @@ initialize_server_options(ServerOptions *options)
#endif
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
- options->skey_authentication = -1;
+ options->challenge_reponse_authentication = -1;
options->permit_empty_passwd = -1;
options->use_login = -1;
options->allow_tcp_forwarding = -1;
@@ -171,8 +171,8 @@ fill_default_server_options(ServerOptions *options)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
- if (options->skey_authentication == -1)
- options->skey_authentication = 1;
+ if (options->challenge_reponse_authentication == -1)
+ options->challenge_reponse_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->use_login == -1)
@@ -201,7 +201,7 @@ typedef enum {
#ifdef AFS
sKerberosTgtPassing, sAFSTokenPassing,
#endif
- sSkeyAuthentication,
+ sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
@@ -243,7 +243,8 @@ static struct {
#endif
{ "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
- { "skeyauthentication", sSkeyAuthentication },
+ { "challengeresponseauthentication", sChallengeResponseAuthentication },
+ { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
{ "checkmail", sCheckMail },
{ "listenaddress", sListenAddress },
{ "printmotd", sPrintMotd },
@@ -537,8 +538,8 @@ parse_flag:
intptr = &options->check_mail;
goto parse_flag;
- case sSkeyAuthentication:
- intptr = &options->skey_authentication;
+ case sChallengeResponseAuthentication:
+ intptr = &options->challenge_reponse_authentication;
goto parse_flag;
case sPrintMotd:
diff --git a/servconf.h b/servconf.h
index ea069490..e3163670 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.34 2001/01/19 12:45:27 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.35 2001/01/22 23:06:40 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -80,8 +80,7 @@ typedef struct {
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
- int skey_authentication; /* If true, permit s/key
- * authentication. */
+ int challenge_reponse_authentication;
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
diff --git a/sshconnect1.c b/sshconnect1.c
index 2c097256..5a5a2222 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.19 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.20 2001/01/22 23:06:40 markus Exp $");
#include <openssl/bn.h>
#include <openssl/evp.h>
@@ -613,7 +613,7 @@ send_afs_tokens(void)
* Note that the client code is not tied to s/key or TIS.
*/
int
-try_skey_authentication()
+try_challenge_reponse_authentication()
{
int type, i;
int payload_len;
@@ -621,7 +621,7 @@ try_skey_authentication()
char prompt[1024];
char *challenge, *response;
- debug("Doing skey authentication.");
+ debug("Doing challenge reponse authentication.");
for (i = 0; i < options.number_of_password_prompts; i++) {
/* request a challenge */
@@ -633,10 +633,10 @@ try_skey_authentication()
if (type != SSH_SMSG_FAILURE &&
type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
packet_disconnect("Protocol error: got %d in response "
- "to skey-auth", type);
+ "to SSH_CMSG_AUTH_TIS", type);
}
if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
- debug("No challenge for skey authentication.");
+ debug("No challenge.");
return 0;
}
challenge = packet_get_string(&clen);
@@ -665,7 +665,7 @@ try_skey_authentication()
return 1;
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response "
- "to skey-auth-reponse", type);
+ "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
}
/* failure */
return 0;
@@ -1018,10 +1018,10 @@ ssh_userauth(
try_rsa_authentication(options.identity_files[i]))
return;
}
- /* Try skey authentication if the server supports it. */
+ /* Try challenge response authentication if the server supports it. */
if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
- options.skey_authentication && !options.batch_mode) {
- if (try_skey_authentication())
+ options.challenge_reponse_authentication && !options.batch_mode) {
+ if (try_challenge_reponse_authentication())
return;
}
/* Try password authentication if the server supports it. */
diff --git a/sshconnect2.c b/sshconnect2.c
index 1b442287..1d911b9b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.38 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.39 2001/01/22 23:06:40 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -513,6 +513,9 @@ ssh_userauth2(const char *server_user, char *host)
int type;
int plen;
+ if (options.challenge_reponse_authentication)
+ options.kbd_interactive_authentication = 1;
+
debug("send SSH2_MSG_SERVICE_REQUEST");
packet_start(SSH2_MSG_SERVICE_REQUEST);
packet_put_cstring("ssh-userauth");
diff --git a/sshd.c b/sshd.c
index 686e7c26..85355359 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.156 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.157 2001/01/22 23:06:40 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -1254,7 +1254,7 @@ do_ssh1_kex(void)
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif
- if (options.skey_authentication == 1)
+ if (options.challenge_reponse_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
if (options.password_authentication)
auth_mask |= 1 << SSH_AUTH_PASSWORD;