- markus@cvs.openbsd.org 2001/01/22 23:06:39
     [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
      sshconnect1.c sshconnect2.c sshd.c]
     rename skey -> challenge response.
     auto-enable kbd-interactive for ssh2 if challenge-response is enabled.
diff --git a/ChangeLog b/ChangeLog
index c8319d5..5052a0f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,11 @@
    - stevesk@cvs.openbsd.org 2001/01/22 17:22:28
      [sshconnect2.c sshd.c]
      fix memory leaks in SSH2 key exchange; ok markus@
+   - markus@cvs.openbsd.org 2001/01/22 23:06:39
+     [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
+      sshconnect1.c sshconnect2.c sshd.c]
+     rename skey -> challenge response.
+     auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
 
 
 20010122
diff --git a/auth1.c b/auth1.c
index 50037fd..1dc2284 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.13 2001/01/21 19:05:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.14 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -281,7 +281,7 @@
 
 		case SSH_CMSG_AUTH_TIS:
 			debug("rcvd SSH_CMSG_AUTH_TIS");
-			if (options.skey_authentication == 1) {
+			if (options.challenge_reponse_authentication == 1) {
 				char *challenge = get_challenge(authctxt, authctxt->style);
 				if (challenge != NULL) {
 					debug("sending challenge '%s'", challenge);
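Review bot: The new option name is misspelled as `challenge_reponse_authentication` (the second "s" of "response" is missing) in the condition on the `SSH_CMSG_AUTH_TIS` case. The same spelling is introduced in the struct fields in readconf.h and servconf.h, in `try_challenge_reponse_authentication()` and its debug string in sshconnect1.c, and in every other hunk that tests the option. Since this commit is itself the rename, it is the cheapest moment to spell it `challenge_response_authentication`. A misspelled identifier on an authentication switch is easy to miss when grepping for the option during an audit. The enclosing switch starts and ends outside the hunk.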
@@ -296,7 +296,7 @@
 
 		case SSH_CMSG_AUTH_TIS_RESPONSE:
 			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
-			if (options.skey_authentication == 1) {
+			if (options.challenge_reponse_authentication == 1) {
 				char *response = packet_get_string(&dlen);
 				debug("got response '%s'", response);
 				packet_integrity_check(plen, 4 + dlen, type);
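Review bot: The context line `debug("got response '%s'", response);` writes the client's authentication response into the debug log, and it does so before `packet_integrity_check` has run on the packet. Now that the option covers challenge-response in general rather than S/Key only, the logged value may not be a one-time value; this is inferred, since the backends are not visible here. I would log only that a response arrived, e.g. `debug("got response");`. The case body continues outside the hunk.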
diff --git a/auth2.c b/auth2.c
index 768fedd..99be9e1 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.34 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -123,6 +123,10 @@
 
 	x_authctxt = authctxt;		/*XXX*/
 
+	/* challenge-reponse is implemented via keyboard interactive */
+	if (options.challenge_reponse_authentication)
+		options.kbd_interactive_authentication = 1;
+
 #ifdef AFS
 	/* If machine has AFS, set process authentication group. */
 	if (k_hasafs()) {
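Review bot: The added `options.kbd_interactive_authentication = 1;` overwrites whatever the administrator configured, so an explicit `KbdInteractiveAuthentication no` is silently ignored whenever challenge-response is on, and servconf.c in this commit keeps the server default for challenge-response at 1. The same override is added on the client side in sshconnect2.c. If that is intended, the comment should say so, e.g. `/* challenge-response is implemented via keyboard interactive; this overrides an explicit KbdInteractiveAuthentication no */`, and the man pages should mention it. Otherwise apply it only while the kbd-interactive option is still unset (-1) during default filling. The enclosing function starts and ends outside the hunk.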
@@ -401,7 +405,8 @@
 
 	debug("keyboard-interactive language %s devs %s", lang, devs);
 
-	authenticated = auth2_challenge(authctxt, devs);
+	if (options.challenge_reponse_authentication)
+		authenticated = auth2_challenge(authctxt, devs);
 
 #ifdef USE_PAM
 	if (authenticated == 0)
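Review bot: With the call to `auth2_challenge` now conditional, `authenticated` keeps whatever value it had before when challenge-response is disabled, and its declaration is outside this hunk. Please confirm it is initialised to 0 where it is declared, because the `USE_PAM` test `if (authenticated == 0)` directly below reads it and the function presumably returns it. An explicit `else authenticated = 0;` on the new `if` would make the failure value visible at this point and not depend on distant initialisation.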
diff --git a/readconf.c b/readconf.c
index a10aaff..5c091c6 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.58 2001/01/21 19:05:53 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -93,7 +93,7 @@
 	oBadOption,
 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
 	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
-	oSkeyAuthentication, oXAuthLocation,
+	oChallengeResponseAuthentication, oXAuthLocation,
 #ifdef KRB4
 	oKerberosAuthentication,
 #endif /* KRB4 */
@@ -104,7 +104,7 @@
 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias
@@ -127,8 +127,10 @@
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "pubkeyauthentication", oPubkeyAuthentication },
-	{ "dsaauthentication", oPubkeyAuthentication },		/* alias */
-	{ "skeyauthentication", oSkeyAuthentication },
+	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
+	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
+	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 #ifdef KRB4
 	{ "kerberosauthentication", oKerberosAuthentication },
 #endif /* KRB4 */
@@ -165,7 +167,6 @@
 	{ "compressionlevel", oCompressionLevel },
 	{ "keepalive", oKeepAlives },
 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
-	{ "tisauthentication", oTISAuthentication },
 	{ "loglevel", oLogLevel },
 	{ NULL, 0 }
 };
@@ -318,10 +319,8 @@
 		intptr = &options->rhosts_rsa_authentication;
 		goto parse_flag;
 
-	case oTISAuthentication:
-		/* fallthrough, there is no difference on the client side */
-	case oSkeyAuthentication:
-		intptr = &options->skey_authentication;
+	case oChallengeResponseAuthentication:
+		intptr = &options->challenge_reponse_authentication;
 		goto parse_flag;
 
 #ifdef KRB4
@@ -669,7 +668,7 @@
 	options->rhosts_authentication = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
-	options->skey_authentication = -1;
+	options->challenge_reponse_authentication = -1;
 #ifdef KRB4
 	options->kerberos_authentication = -1;
 #endif
@@ -736,8 +735,8 @@
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
-	if (options->skey_authentication == -1)
-		options->skey_authentication = 0;
+	if (options->challenge_reponse_authentication == -1)
+		options->challenge_reponse_authentication = 0;
 #ifdef KRB4
 	if (options->kerberos_authentication == -1)
 		options->kerberos_authentication = 1;
@@ -751,7 +750,7 @@
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 0;
+		options->kbd_interactive_authentication = 1;
 	if (options->rhosts_rsa_authentication == -1)
 		options->rhosts_rsa_authentication = 1;
 	if (options->fallback_to_rsh == -1)
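Review bot: The client default for `kbd_interactive_authentication` changes from 0 to 1 unconditionally here, which goes beyond the commit message's "auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled"; the client default for challenge-response stays 0 in the hunk above. Users who never set either option get a different set of enabled authentication methods after this change, so it deserves its own line in the commit message and in the client documentation. A short comment on the assignment, e.g. `/* on by default: ssh2 challenge-response is carried over kbd-interactive */`, would record the reason. The function starts and ends outside the hunk.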
diff --git a/readconf.h b/readconf.h
index 08ff708..241b716 100644
--- a/readconf.h
+++ b/readconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -36,7 +36,8 @@
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */
 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
-	int     skey_authentication;	/* Try S/Key or TIS authentication. */
+	int     challenge_reponse_authentication;
+					/* Try S/Key or TIS, authentication. */
 #ifdef KRB4
 	int     kerberos_authentication;	/* Try Kerberos
 						 * authentication. */
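Review bot: The comment on the new field, `/* Try S/Key or TIS, authentication. */`, has a stray comma and still names only the two legacy mechanisms, and in servconf.h the replacement field loses its comment altogether. I suggest `/* Try challenge-response (e.g. S/Key, TIS) authentication. */` here and `/* If true, permit challenge-response authentication. */` on the servconf.h field. The struct starts and ends outside the hunk.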
diff --git a/servconf.c b/servconf.c
index 7dfd040..2738c62 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.62 2001/01/21 19:05:55 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.63 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef KRB4
 #include <krb.h>
@@ -77,7 +77,7 @@
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
-	options->skey_authentication = -1;
+	options->challenge_reponse_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->use_login = -1;
 	options->allow_tcp_forwarding = -1;
@@ -171,8 +171,8 @@
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
-	if (options->skey_authentication == -1)
-		options->skey_authentication = 1;
+	if (options->challenge_reponse_authentication == -1)
+		options->challenge_reponse_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->use_login == -1)
@@ -201,7 +201,7 @@
 #ifdef AFS
 	sKerberosTgtPassing, sAFSTokenPassing,
 #endif
-	sSkeyAuthentication,
+	sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
@@ -243,7 +243,8 @@
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
-	{ "skeyauthentication", sSkeyAuthentication },
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
+	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
 	{ "checkmail", sCheckMail },
 	{ "listenaddress", sListenAddress },
 	{ "printmotd", sPrintMotd },
@@ -537,8 +538,8 @@
 			intptr = &options->check_mail;
 			goto parse_flag;
 
-		case sSkeyAuthentication:
-			intptr = &options->skey_authentication;
+		case sChallengeResponseAuthentication:
+			intptr = &options->challenge_reponse_authentication;
 			goto parse_flag;
 
 		case sPrintMotd:
diff --git a/servconf.h b/servconf.h
index ea06949..e316367 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.34 2001/01/19 12:45:27 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.35 2001/01/22 23:06:40 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -80,8 +80,7 @@
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-	int     skey_authentication;	/* If true, permit s/key
-					 * authentication. */
+	int     challenge_reponse_authentication;
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     use_login;	/* If true, login(1) is used */
diff --git a/sshconnect1.c b/sshconnect1.c
index 2c09725..5a5a222 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.19 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.20 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -613,7 +613,7 @@
  * Note that the client code is not tied to s/key or TIS.
  */
 int
-try_skey_authentication()
+try_challenge_reponse_authentication()
 {
 	int type, i;
 	int payload_len;
@@ -621,7 +621,7 @@
 	char prompt[1024];
 	char *challenge, *response;
 
-	debug("Doing skey authentication.");
+	debug("Doing challenge reponse authentication.");
 
 	for (i = 0; i < options.number_of_password_prompts; i++) {
 		/* request a challenge */
@@ -633,10 +633,10 @@
 		if (type != SSH_SMSG_FAILURE &&
 		    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
 			packet_disconnect("Protocol error: got %d in response "
-			    "to skey-auth", type);
+			    "to SSH_CMSG_AUTH_TIS", type);
 		}
 		if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-			debug("No challenge for skey authentication.");
+			debug("No challenge.");
 			return 0;
 		}
 		challenge = packet_get_string(&clen);
@@ -665,7 +665,7 @@
 			return 1;
 		if (type != SSH_SMSG_FAILURE)
 			packet_disconnect("Protocol error: got %d in response "
-			    "to skey-auth-reponse", type);
+			    "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
 	}
 	/* failure */
 	return 0;
@@ -1018,10 +1018,10 @@
 			    try_rsa_authentication(options.identity_files[i]))
 				return;
 	}
-	/* Try skey authentication if the server supports it. */
+	/* Try challenge response authentication if the server supports it. */
 	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-	    options.skey_authentication && !options.batch_mode) {
-		if (try_skey_authentication())
+	    options.challenge_reponse_authentication && !options.batch_mode) {
+		if (try_challenge_reponse_authentication())
 			return;
 	}
 	/* Try password authentication if the server supports it. */
diff --git a/sshconnect2.c b/sshconnect2.c
index 1b44228..1d911b9 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.38 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.39 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -513,6 +513,9 @@
 	int type;
 	int plen;
 
+	if (options.challenge_reponse_authentication)
+		options.kbd_interactive_authentication = 1;
+
 	debug("send SSH2_MSG_SERVICE_REQUEST");
 	packet_start(SSH2_MSG_SERVICE_REQUEST);
 	packet_put_cstring("ssh-userauth");
diff --git a/sshd.c b/sshd.c
index 686e7c2..8535535 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.156 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.157 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1254,7 +1254,7 @@
 	if (options.afs_token_passing)
 		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
 #endif
-	if (options.skey_authentication == 1)
+	if (options.challenge_reponse_authentication == 1)
 		auth_mask |= 1 << SSH_AUTH_TIS;
 	if (options.password_authentication)
 		auth_mask |= 1 << SSH_AUTH_PASSWORD;