http://www.jmknoble.net/software/x11-ssh-askpass/
-S/Key Libraries:
-
-If you wish to use --with-skey then you will need the library below
-installed. No other S/Key library is currently known to be supported.
-
-http://www.sparc.spb.su/solaris/skey/
-
LibEdit:
sftp supports command-line editing via NetBSD's libedit. If your platform
--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enable.
---with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth2.o auth-options.o session.o \
auth2-chall.o groupaccess.o \
- auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
- Use different PAM service name for kbdint vs regular auth (suggest from
Solar Designer)
- Ability to select which ChallengeResponseAuthentications may be used
- and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
+ and order to try them in e.g. "ChallengeResponseAuthentication pam"
- Complete Tru64 SIA support
- It looks like we could merge it into the password auth code to cut down
void auth2_challenge_stop(struct ssh *);
int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int bsdauth_respond(void *, u_int, char **);
-int skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int skey_respond(void *, u_int, char **);
int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
int sys_auth_passwd(struct ssh *, const char *);
-#define SKEY_PROMPT "\nS/Key Password: "
-
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
#ifdef USE_PAM
extern KbdintDevice sshpam_device;
#endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
#endif
KbdintDevice *devices[] = {
#ifdef USE_PAM
&sshpam_device,
#endif
-#ifdef SKEY
- &skey_device,
-#endif
#endif
NULL
};
void
privsep_challenge_enable(void)
{
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+#if defined(BSD_AUTH) || defined(USE_PAM)
int n = 0;
#endif
#ifdef BSD_AUTH
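Review bot: The rewritten `#if defined(BSD_AUTH) || defined(USE_PAM)` guard on `int n` now has to be kept in step by hand with the `devices[n++] = ...` assignments further down the function; if a device is later added under a new macro without extending this list, `n` is undeclared in builds that enable only that macro. A one-line comment would make the coupling explicit, e.g. `/* n is needed only when at least one privsep device below is compiled in; keep in sync */`. privsep_challenge_enable's body continues past the end of this hunk.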
#ifdef USE_PAM
extern KbdintDevice mm_sshpam_device;
#endif
-#ifdef SKEY
- extern KbdintDevice mm_skey_device;
-#endif
#ifdef BSD_AUTH
devices[n++] = &mm_bsdauth_device;
#ifdef USE_PAM
devices[n++] = &mm_sshpam_device;
#endif
-#ifdef SKEY
- devices[n++] = &mm_skey_device;
-#endif
#endif
}
AC_MSG_RESULT([no])
fi
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH([skey],
- [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)],
- [
- if test "x$withval" != "xno" ; then
-
- if test "x$withval" != "xyes" ; then
- CPPFLAGS="$CPPFLAGS -I${withval}/include"
- LDFLAGS="$LDFLAGS -L${withval}/lib"
- fi
-
- AC_DEFINE([SKEY], [1], [Define if you want S/Key support])
- LIBS="-lskey $LIBS"
- SKEY_MSG="yes"
-
- AC_MSG_CHECKING([for s/key support])
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
- ]], [[
- char *ff = skey_keyinfo(""); ff="";
- exit(0);
- ]])],
- [AC_MSG_RESULT([yes])],
- [
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
- ])
- AC_MSG_CHECKING([if skeychallenge takes 4 arguments])
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
- ]], [[
- (void)skeychallenge(NULL,"name","",0);
- ]])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE([SKEYCHALLENGE_4ARG], [1],
- [Define if your skeychallenge()
- function takes 4 arguments (NetBSD)])],
- [
- AC_MSG_RESULT([no])
- ])
- fi
- ]
-)
-
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
-echo " S/KEY support: $SKEY_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
# define krb5_get_err_text(context,code) error_message(code)
#endif
-#if defined(SKEYCHALLENGE_4ARG)
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
-#else
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
-#endif
-
/* Maximum number of file descriptors available */
#ifdef HAVE_SYSCONF
# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
# endif
#endif
-#ifdef SKEY
-#include <skey.h>
-#endif
-
#ifdef WITH_OPENSSL
#include <openssl/dh.h>
#endif
int mm_answer_authpassword(int, struct sshbuf *);
int mm_answer_bsdauthquery(int, struct sshbuf *);
int mm_answer_bsdauthrespond(int, struct sshbuf *);
-int mm_answer_skeyquery(int, struct sshbuf *);
-int mm_answer_skeyrespond(int, struct sshbuf *);
int mm_answer_keyallowed(int, struct sshbuf *);
int mm_answer_keyverify(int, struct sshbuf *);
int mm_answer_pty(int, struct sshbuf *);
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
-#endif
-#ifdef SKEY
- {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
- {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
}
#endif
-#ifdef SKEY
-int
-mm_answer_skeyquery(int sock, struct sshbuf *m)
-{
- struct skey skey;
- char challenge[1024];
- u_int success;
- int r;
-
- success = _compat_skeychallenge(&skey, authctxt->user, challenge,
- sizeof(challenge)) < 0 ? 0 : 1;
-
- sshbuf_reset(m);
- if ((r = sshbuf_put_u32(m, success)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (success) {
- if ((r = sshbuf_put_cstring(m, challenge)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- }
- debug3("%s: sending challenge success: %u", __func__, success);
- mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
-
- return (0);
-}
-
-int
-mm_answer_skeyrespond(int sock, struct sshbuf *m)
-{
- char *response;
- size_t rlen;
- int authok, r;
-
- if ((r = sshbuf_get_cstring(m, &response, &rlen)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- authok = (options.challenge_response_authentication &&
- authctxt->valid &&
- skey_haskey(authctxt->pw->pw_name) == 0 &&
- skey_passcheck(authctxt->pw->pw_name, response) != -1);
-
- freezero(response, rlen);
-
- sshbuf_reset(m);
- if ((r = sshbuf_put_u32(m, authok)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- debug3("%s: sending authenticated: %d", __func__, authok);
- mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
-
- auth_method = "keyboard-interactive";
- auth_submethod = "skey";
-
- return (authok != 0);
-}
-#endif
-
#ifdef USE_PAM
int
mm_answer_pam_start(int sock, struct sshbuf *m)
MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
- MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
- MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
MONITOR_REQ_KEYEXPORT = 26,
return ((authok == 0) ? -1 : 0);
}
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
- u_int *numprompts, char ***prompts, u_int **echo_on)
-{
- struct sshbuf *m;
- u_int success;
- char *challenge;
- int r;
-
- debug3("%s: entering", __func__);
-
- if ((m = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, m);
-
- mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, m);
- if ((r = sshbuf_get_u32(m, &success)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (success == 0) {
- debug3("%s: no challenge", __func__);
- sshbuf_free(m);
- return (-1);
- }
-
- /* Get the challenge, and format the response */
- if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- sshbuf_free(m);
-
- debug3("%s: received challenge: %s", __func__, challenge);
-
- mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
- xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
- free(challenge);
-
- return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
- struct sshbuf *m;
- int authok, r;
-
- debug3("%s: entering", __func__);
- if (numresponses != 1)
- return (-1);
-
- if ((m = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, m);
-
- mm_request_receive_expect(pmonitor->m_recvfd,
- MONITOR_ANS_SKEYRESPOND, m);
-
- if ((r = sshbuf_get_u32(m, &authok)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- sshbuf_free(m);
-
- return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
#ifdef SSH_AUDIT_EVENTS
void
mm_audit_event(ssh_audit_event_t event)
int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_bsdauth_respond(void *, u_int, char **);
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
#endif /* _MM_WRAP_H_ */
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
{ "hostbasedauthentication", oHostbasedAuthentication },
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
- { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+ { "skeyauthentication", oUnsupported },
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* obsolete */
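Review bot: The client side now maps `skeyauthentication` to `oUnsupported`, while the server-side hunk in servconf.c maps the same keyword to `sDeprecated`. If, as the names suggest, "unsupported" denotes an option compiled out of this build and "deprecated" one removed from the program, the client keyword should probably use `oDeprecated` as well, since S/Key is being removed outright rather than made optional; otherwise a short comment on the line explaining why the client treats it differently would avoid the question at the next review. Dropping the `/* alias */` tag on the new line is correct, as the keyword no longer aliases anything.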
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
- { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
The methods available vary depending on what the server supports.
For an OpenSSH server,
it may be zero or more of:
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
and
-.Cm skey .
+.Cm pam .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
or
-.Cm skey ,
+.Cm pam .
depending on the server configuration.
For example,
.Qq keyboard-interactive:bsdauth