- (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie

enable with --with-bsd-auth.
2001-02-18 17:01:00 +11:00 · 2001-02-18 17:01:00 +11:00 · 60396b060b
parent 75da9a9e72
commit 60396b060b
8 changed files with 109 additions and 13 deletions
--- a/acconfig.h
+++ b/acconfig.h
@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.101 2001/02/09 01:55:36 djm Exp $ */
+/* $Id: acconfig.h,v 1.102 2001/02/18 06:01:00 djm Exp $ */

 #ifndef _CONFIG_H
 #define _CONFIG_H
@ -290,6 +290,9 @@
 /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
 #undef IPV4_IN_IPV6

+/* Define if you have BSD auth support */
+#undef BSD_AUTH
+
@BOTTOM@

 /* ******************* Shouldn't need to edit below this line ************** */
--- a/auth-chall.c
+++ b/auth-chall.c
@ -26,7 +26,48 @@
 RCSID("$OpenBSD: auth-chall.c,v 1.4 2001/02/04 15:32:22 stevesk Exp $");

 #include "auth.h"
+#include "log.h"

+#ifdef BSD_AUTH
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+	char *challenge;
+
+	if (authctxt->as != NULL) {
+		debug2("try reuse session");
+		challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
+		if (challenge != NULL) {
+			debug2("reuse bsd auth session");
+			return challenge;
+		}
+		auth_close(authctxt->as);
+		authctxt->as = NULL;
+	}
+	debug2("new bsd auth session");
+	if (devs == NULL || strlen(devs) == 0)
+		devs = authctxt->style;
+	debug3("bsd auth: devs %s", devs ? devs : "<default>");
+	authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh",
+	    &challenge);
+        if (authctxt->as == NULL)
+                return NULL;
+	debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY");
+	return challenge;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+	int authok;
+
+	if (authctxt->as == 0)
+		error("verify_response: no bsd auth session");
+	authok = auth_userresponse(authctxt->as, response, 0);
+	authctxt->as = NULL;
+	debug("verify_response: <%s> = <%d>", response, authok);
+	return authok != 0;
+}
+#else
 #ifdef SKEY
 #include <skey.h>

@ -60,3 +101,4 @@ verify_response(Authctxt *authctxt, char *response)
 	return 0;
 }
 #endif
+#endif
--- a/auth-passwd.c
+++ b/auth-passwd.c
@ -77,14 +77,17 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $");
 #define is_winnt       (GetVersion() < 0x80000000)
 #endif

+
+extern ServerOptions options;
+
 /*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
 int
-auth_password(struct passwd * pw, const char *password)
+auth_password(Authctxt *authctxt, const char *password)
 {
-	extern ServerOptions options;
+	struct passwd * pw = authctxt->pw;
 	char *encrypted_password;
 	char *pw_password;
 	char *salt;
@ -122,6 +125,13 @@ auth_password(struct passwd * pw, const char *password)
 #endif
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
+#ifdef BSD_AUTH
+	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
+	    (char *)password) == 0)
+		return 0;
+	else
+		return 1;
+#endif

 #ifdef HAVE_CYGWIN
 	if (is_winnt) {
--- a/auth.h
+++ b/auth.h
@ -28,6 +28,13 @@

 #include <openssl/rsa.h>

+#ifdef HAVE_LOGIN_CAP
+#include <login_cap.h>
+#endif
+#ifdef BSD_AUTH
+#include <bsd_auth.h>
+#endif
+
 typedef struct Authctxt Authctxt;
 struct Authctxt {
 	int success;
@ -39,6 +46,9 @@ struct Authctxt {
 	char *service;
 	struct passwd *pw;
 	char *style;
+#ifdef BSD_AUTH
+	auth_session_t *as;
+#endif
 };

 /*
@ -59,7 +69,7 @@ auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_ke
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
-int     auth_password(struct passwd * pw, const char *password);
+int     auth_password(Authctxt *authctxt, const char *password);

 /*
 * Performs the RSA authentication dialog with the client.  This returns 0 if
--- a/auth1.c
+++ b/auth1.c
@ -92,7 +92,7 @@ do_authloop(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
 	    0) {
 #else
-	    auth_password(pw, "")) {
+	    auth_password(authctxt, "")) {
 #endif
 		auth_log(authctxt, 1, "without authentication", "");
 		return;
@ -262,7 +262,7 @@ do_authloop(Authctxt *authctxt)
 			    password);
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 			/* Try authentication with the password. */
-			authenticated = auth_password(pw, password);
+			authenticated = auth_password(authctxt, password);
 #endif /* USE_PAM */

 			memset(password, 0, strlen(password));
@ -303,6 +303,12 @@ do_authloop(Authctxt *authctxt)
 			log("Unknown message during authentication: type %d", type);
 			break;
 		}
+#ifdef BSD_AUTH
+		if (authctxt->as) {
+			auth_close(authctxt->as);
+			authctxt->as = NULL;
+		}
+#endif
 		if (!authctxt->valid && authenticated)
 			fatal("INTERNAL ERROR: authenticated invalid user %s",
 			    authctxt->user);
--- a/auth2.c
+++ b/auth2.c
@ -218,6 +218,12 @@ input_userauth_request(int type, int plen, void *ctxt)
 	/* reset state */
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error);
 	authctxt->postponed = 0;
+#ifdef BSD_AUTH
+	if (authctxt->as) {
+		auth_close(authctxt->as);
+		authctxt->as = NULL;
+	}
+#endif

 	/* try to authenticate user */
 	m = authmethod_lookup(method);
@ -341,7 +347,7 @@ userauth_none(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
 	return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
-	return auth_password(authctxt->pw, "");
+	return auth_password(authctxt, "");
 #endif /* USE_PAM */
 }

@ -366,7 +372,7 @@ userauth_passwd(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
 	    auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
-	    auth_password(authctxt->pw, password) == 1)
+	    auth_password(authctxt, password) == 1)
 #endif /* USE_PAM */
 		authenticated = 1;
 	memset(password, 0, len);
--- a/configure.in
+++ b/configure.in
@ -1,4 +1,4 @@
-# $Id: configure.in,v 1.246 2001/02/18 04:29:29 djm Exp $
+# $Id: configure.in,v 1.247 2001/02/18 06:01:00 djm Exp $

 AC_INIT(ssh.c)

@ -1411,6 +1411,17 @@ AC_ARG_WITH(4in6,
 	]
 )

+# Whether to enable BSD auth support
+AC_ARG_WITH(bsd-auth,
+	[  --with-bsd-auth         Enable BSD auth support],
+	[
+		if test "x$withval" != "xno" ; then	
+			AC_DEFINE(BSD_AUTH)
+			bsd_auth=yes
+		fi
+	]
+)
+
 AC_MSG_CHECKING(whether to install ssh as suid root)
 AC_ARG_ENABLE(suid-ssh,
 [  --enable-suid-ssh       Install ssh as suid root (default)
@ -1739,6 +1750,10 @@ echo "   IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "      Use IPv4 by default hack: $IPV4_HACK_MSG"
 echo "       Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"

+if test ! -z "$bsd_auth"; then
+	echo "              BSD Auth support: yes"
+fi
+
 echo ""

 echo "              Host: ${host}"
@ -1769,3 +1784,4 @@ if test ! -z "$NO_SFTP"; then
 	echo "64bit integers."
 	echo ""
 fi
+
--- a/session.c
+++ b/session.c
@ -89,10 +89,6 @@ RCSID("$OpenBSD: session.c,v 1.56 2001/02/16 14:03:43 markus Exp $");
 # define S_UNOFILE_HARD	S_UNOFILE "_hard"
 #endif

-#ifdef HAVE_LOGIN_CAP
-#include <login_cap.h>
-#endif
-
 /* types */

 #define TTYSZ 64
@ -1071,6 +1067,13 @@ do_child(const char *command, struct passwd * pw, const char *term,
 				perror("unable to set user context");
 				exit(1);
 			}
+#ifdef BSD_AUTH
+			if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+				error("approval failure for %s", pw->pw_name);
+				fprintf(stderr, "Approval failure");
+				exit(1);
+			}
+#endif
 # else /* HAVE_LOGIN_CAP */
 			if (setlogin(pw->pw_name) < 0)
 				error("setlogin failed: %s", strerror(errno));