[PATCH] openssh 2.5.1p2 TIS authserv support
Balazs Scheidler
bazsi at balabit.hu
Wed Mar 14 03:31:06 EST 2001
Hi,
We have updated our TIS authserv support patch for OpenSSH 2.5.1p2. You'll
find it attached to my message.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
-------------- next part --------------
diff -urN openssh-2.5.1p2/Makefile.in openssh-2.5.1p2-tis/Makefile.in
--- openssh-2.5.1p2/Makefile.in Sun Feb 18 20:13:33 2001
+++ openssh-2.5.1p2-tis/Makefile.in Fri Mar 9 10:11:30 2001
@@ -48,7 +48,7 @@
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o tisauth.o
TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0
diff -urN openssh-2.5.1p2/acconfig.h openssh-2.5.1p2-tis/acconfig.h
--- openssh-2.5.1p2/acconfig.h Mon Feb 26 22:39:07 2001
+++ openssh-2.5.1p2-tis/acconfig.h Fri Mar 9 10:10:31 2001
@@ -299,6 +299,8 @@
/* Needed for SCO and NeXT */
#undef BROKEN_SAVED_UIDS
+#undef TIS_AUTH
+
@BOTTOM@
/* ******************* Shouldn't need to edit below this line ************** */
diff -urN openssh-2.5.1p2/auth-chall.c openssh-2.5.1p2-tis/auth-chall.c
--- openssh-2.5.1p2/auth-chall.c Sun Feb 18 07:01:00 2001
+++ openssh-2.5.1p2-tis/auth-chall.c Fri Mar 9 11:07:39 2001
@@ -68,7 +68,61 @@
return authok != 0;
}
#else
-#ifdef SKEY
+
+#if defined(SKEY) && defined(TIS_AUTH)
+#error "S/Key and TIS authentication is not supported at the same time"
+#endif
+
+#ifdef TIS_AUTH
+
+#include "tisauth.h"
+#include "servconf.h"
+#include "xmalloc.h"
+
+extern ServerOptions options;
+
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+ static char challenge[128];
+
+ if (!authctxt->tis) {
+ authctxt->tis = tis_connect_multi(options.authserv_addrs);
+ }
+ if (authctxt->tis) {
+ char *tis_chal;
+
+ if (authctxt->pw) {
+ tis_chal = tis_authenticate(authctxt->tis, authctxt->pw->pw_name);
+ }
+ else {
+ tis_chal = tis_fake_challenge();
+ }
+ strlcpy(challenge, tis_chal, sizeof(challenge));
+ xfree(tis_chal);
+
+ return challenge;
+ }
+ return NULL;
+}
+
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+ int res;
+
+ if (!authctxt->tis) {
+ res = 0;
+ }
+ else {
+ res = tis_response(authctxt->tis, response);
+ tis_free(authctxt->tis);
+ authctxt->tis = NULL;
+ }
+ return res && authctxt->valid;
+}
+
+#elif SKEY
#include <skey.h>
char *
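Review bot: `get_challenge` hands the return value of `tis_authenticate` straight to `strlcpy`, but that function returns NULL when its send or recv fails or when the authsrv reply does not begin with "challenge", so an authsrv outage turns into a NULL dereference in sshd instead of a failed authentication; the context should be released and NULL returned on that path, as below, after which `verify_response` already yields 0 because `authctxt->tis` is NULL. The `#elif SKEY` at the end of the hunk also replaces the original `#ifdef SKEY` test with an expression evaluation, which breaks when SKEY is defined with an empty value; `#elif defined(SKEY)` keeps the original meaning. Note that the `!authctxt->pw` branch returns a fake challenge without ever sending "authenticate", so the later "response" command reaches authsrv with no pending authentication and the timing of the two paths differs; whether authsrv tolerates that is not visible here. The enclosing `#else` branch starts before this hunk.
```c
	if (authctxt->tis) {
		char *tis_chal;

		if (authctxt->pw)
			tis_chal = tis_authenticate(authctxt->tis, authctxt->pw->pw_name);
		else
			tis_chal = tis_fake_challenge();
		if (tis_chal == NULL) {
			/* authsrv failed or replied with something other than a challenge */
			tis_free(authctxt->tis);
			authctxt->tis = NULL;
			return NULL;
		}
		strlcpy(challenge, tis_chal, sizeof(challenge));
		xfree(tis_chal);
		return challenge;
	}
```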
diff -urN openssh-2.5.1p2/auth.h openssh-2.5.1p2-tis/auth.h
--- openssh-2.5.1p2/auth.h Sun Feb 18 07:01:00 2001
+++ openssh-2.5.1p2-tis/auth.h Fri Mar 9 10:23:09 2001
@@ -49,6 +49,9 @@
#ifdef BSD_AUTH
auth_session_t *as;
#endif
+#ifdef TIS_AUTH
+ struct tis_context *tis;
+#endif
};
/*
diff -urN openssh-2.5.1p2/config.h.in openssh-2.5.1p2-tis/config.h.in
--- openssh-2.5.1p2/config.h.in Thu Mar 1 01:11:34 2001
+++ openssh-2.5.1p2-tis/config.h.in Fri Mar 9 11:01:48 2001
@@ -299,6 +299,8 @@
/* Needed for SCO and NeXT */
#undef BROKEN_SAVED_UIDS
+#undef TIS_AUTH
+
/* The number of bytes in a char. */
#undef SIZEOF_CHAR
diff -urN openssh-2.5.1p2/configure.in openssh-2.5.1p2-tis/configure.in
--- openssh-2.5.1p2/configure.in Wed Feb 28 23:16:12 2001
+++ openssh-2.5.1p2-tis/configure.in Fri Mar 9 10:13:39 2001
@@ -461,6 +461,18 @@
]
)
+# Check whether user wants TIS support
+TIS_MSG="no"
+AC_ARG_WITH(tis,
+ [ --with-tis Enable TIS authsrv support, may not be used with --with-skey],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_DEFINE(TIS_AUTH)
+ TIS_MSG="yes"
+ fi
+ ]
+)
+
# Check whether user wants TCP wrappers support
TCPW_MSG="no"
AC_ARG_WITH(tcp-wrappers,
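Review bot: The help text for `--with-tis` says it may not be combined with `--with-skey`, but nothing in this hunk enforces that; the conflict only surfaces later as the `#error` in auth-chall.c. An explicit check once both options have been processed, e.g. `if test "x$TIS_MSG" = "xyes" -a "x$SKEY_MSG" = "xyes"; then AC_MSG_ERROR([--with-tis and --with-skey are mutually exclusive]); fi`, would report it at configure time; where the S/KEY option is handled relative to this block is not visible here.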
@@ -1780,6 +1792,7 @@
echo " KerberosIV support: $KRB4_MSG"
echo " AFS support: $AFS_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " TIS authsrv support: $TIS_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
diff -urN openssh-2.5.1p2/servconf.c openssh-2.5.1p2-tis/servconf.c
--- openssh-2.5.1p2/servconf.c Thu Feb 15 04:08:27 2001
+++ openssh-2.5.1p2-tis/servconf.c Fri Mar 9 11:12:14 2001
@@ -206,6 +209,9 @@
#ifdef AFS
sKerberosTgtPassing, sAFSTokenPassing,
#endif
+#ifdef TIS_AUTH
+ sAuthservAddress,
+#endif
sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
@@ -246,6 +252,9 @@
{ "kerberostgtpassing", sKerberosTgtPassing },
{ "afstokenpassing", sAFSTokenPassing },
#endif
+#ifdef TIS_AUTH
+ { "authservaddress", sAuthservAddress },
+#endif
{ "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
@@ -299,6 +308,34 @@
return sBadOption;
}
+#ifdef TIS_AUTH
+void
+add_authserv_addr(ServerOptions *options, char **addr)
+{
+ struct addrinfo hints, *ai, *aitop;
+ char *host, *service;
+ int gaierr;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
+
+ host = strdelim(addr);
+ service = strdelim(addr);
+
+ if ((gaierr = getaddrinfo(host, service, &hints, &aitop)) != 0)
+ fatal("bad addr or host: %s (%s)\n",
+ host ? host : "<NULL>",
+ gai_strerror(gaierr));
+ for (ai = aitop; ai->ai_next; ai = ai->ai_next)
+ ;
+ ai->ai_next = options->authserv_addrs;
+ options->authserv_addrs = aitop;
+
+}
+#endif
+
/*
* add listen address
*/
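Review bot: The line `hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;` in `add_authserv_addr` appears to be carried over from the listen-address code: `addr` is the config-line cursor and is dereferenced by `strdelim` two lines later, so the NULL branch cannot be taken safely, and AI_PASSIVE selects wildcard addresses for bind(), which has no meaning for a connect() target. Use `hints.ai_flags = 0;` and reject an incomplete line instead, `if (host == NULL || service == NULL) fatal("AuthservAddress requires host and port");` — with `service` NULL, getaddrinfo resolves to port 0 and every later `tis_connect` then fails silently. The splice at the end of the function puts later AuthservAddress lines ahead of earlier ones in `options->authserv_addrs`, so connection attempts run in reverse config order; if that is intended, a comment saying so would help. Nothing in the patch documents the `host port` syntax of the new keyword for sshd_config(5).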
@@ -551,6 +588,12 @@
case sChallengeResponseAuthentication:
intptr = &options->challenge_reponse_authentication;
goto parse_flag;
+
+#ifdef TIS_AUTH
+ case sAuthservAddress:
+ add_authserv_addr(options, &cp);
+ break;
+#endif
case sPrintMotd:
intptr = &options->print_motd;
diff -urN openssh-2.5.1p2/servconf.h openssh-2.5.1p2-tis/servconf.h
--- openssh-2.5.1p2/servconf.h Thu Feb 15 04:08:27 2001
+++ openssh-2.5.1p2-tis/servconf.h Fri Mar 9 10:59:50 2001
@@ -90,6 +91,9 @@
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_reponse_authentication;
+#ifdef TIS_AUTH
+ struct addrinfo *authserv_addrs;
+#endif
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
diff -urN openssh-2.5.1p2/tisauth.c openssh-2.5.1p2-tis/tisauth.c
--- openssh-2.5.1p2/tisauth.c Thu Jan 1 01:00:00 1970
+++ openssh-2.5.1p2-tis/tisauth.c Fri Mar 9 11:26:25 2001
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2000 BalaBit IT Ltd.
+ * All rights reserved
+ *
+ * Authors: Bal?zs Scheidler, Attila Szalay
+ *
+ */
+
+#include "includes.h"
+#include "ssh.h"
+
+#ifdef TIS_AUTH
+
+struct tis_context {
+ int connfd;
+};
+
+struct tis_context *tis_connect(struct sockaddr *addr, int addrlen)
+{
+ struct tis_context *ctx;
+ char line[128];
+ int fd;
+
+ fd = socket(addr->sa_family, SOCK_STREAM, 0);
+ if (fd < 0)
+ return NULL;
+
+ if (connect(fd, addr, addrlen) < 0) {
+ close(fd);
+ return NULL;
+ }
+
+ /* grab greeting line */
+ if (read(fd, line, sizeof(line)) < 0) {
+ close(fd);
+ return NULL;
+ }
+ ctx = malloc(sizeof(struct tis_context));
+ ctx->connfd = fd;
+ return ctx;
+}
+
+struct tis_context *tis_connect_multi(struct addrinfo *addrs)
+{
+ struct addrinfo *p;
+ struct tis_context *tis;
+
+ for (p = addrs; p; p = p->ai_next) {
+ tis = tis_connect(p->ai_addr, p->ai_addrlen);
+ if (tis)
+ return tis;
+ }
+ return NULL;
+}
+
+void tis_free(struct tis_context *ctx)
+{
+ if (ctx) {
+ close(ctx->connfd);
+ free(ctx);
+ }
+}
+
+char *tis_authenticate(struct tis_context *ctx, char *user)
+{
+ char line[128];
+ int length;
+
+ snprintf(line, 120, "authenticate \"%.32s\"\n", user);
+ if (send(ctx->connfd,line,strlen(line),0) < 0) {
+ return NULL;
+ }
+ if ((length = recv(ctx->connfd, line, sizeof(line) - 1, 0)) <= 0)
+ return NULL;
+ line[length] = 0;
+ if (line[length - 1] == '\n')
+ line[length - 1] = 0;
+ if (strncmp(line, "challenge", 9) != 0)
+ return NULL;
+ return strdup(line + 10);
+}
+
+int tis_response(struct tis_context *ctx, char *response)
+{
+ char line[128];
+ int length;
+
+ snprintf(line, 120, "response \"%.64s\"\n", response) ;
+ if (send(ctx->connfd, line, strlen(line), 0) < 0)
+ return 0;
+ if ((length = recv(ctx->connfd, line, sizeof(line) - 1, 0)) < 0)
+ return 0;
+ line[length] = 0;
+ if (strncmp(line, "ok", 2) == 0) {
+ return 1;
+ }
+ return 0;
+}
+
+char *tis_fake_challenge(void)
+{
+ char challenge[9];
+ unsigned long rnd;
+
+ rnd = time(NULL) ^ getpid();
+ snprintf(challenge, sizeof(challenge), "%ld", rnd);
+ return strdup(challenge);
+}
+
+#endif
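Review bot: `tis_response` copies the client-supplied `response` into the authsrv command line with `%.64s` and no character validation, so a response containing a double quote or newline is forwarded verbatim and can close the quoted argument or begin a second protocol line; `user` in `tis_authenticate` has the same shape, although that value comes from the passwd entry rather than from the client. Reject responses and user names containing `"`, `\`, CR/LF or non-printable bytes before formatting, as below, and report the rejection through sshd's logging so the attempt is visible. In `tis_connect` the `malloc` result is used unchecked, a `read()` returning 0 (authsrv closed the connection) is treated as success, and one read may deliver only part of the greeting; at least the NULL and zero-length cases should fail the connect. In `tis_fake_challenge`, `%ld` is given an `unsigned long`, the 9-byte buffer truncates it, and the value is derived from time and pid, so it is predictable and its shape may differ from a real authsrv challenge; OpenSSH's `arc4random()` would be the better source. A comment in this file should also state that the authsrv connection is cleartext TCP, so the host should be reachable only over a trusted path.
```c
/* Accept only printable bytes that cannot break the quoted authsrv argument. */
static int tis_safe_string(const char *s, size_t maxlen)
{
	size_t i;

	for (i = 0; s[i] != '\0'; i++) {
		if (i >= maxlen)
			return 0;
		if (s[i] == '"' || s[i] == '\\' ||
		    !isprint((unsigned char)s[i]))
			return 0;
	}
	return 1;
}

/* … unchanged: tis_connect up to the connect() and greeting read … */
	ctx = malloc(sizeof *ctx);
	if (ctx == NULL) {
		close(fd);
		return NULL;
	}
	ctx->connfd = fd;
	return ctx;

int tis_response(struct tis_context *ctx, char *response)
{
	char line[128];
	int length;

	if (response == NULL || !tis_safe_string(response, 64))
		return 0;
	snprintf(line, sizeof(line), "response \"%s\"\n", response);
	/* … unchanged: send, recv, "ok" check … */
}
```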
diff -urN openssh-2.5.1p2/tisauth.h openssh-2.5.1p2-tis/tisauth.h
--- openssh-2.5.1p2/tisauth.h Thu Jan 1 01:00:00 1970
+++ openssh-2.5.1p2-tis/tisauth.h Fri Mar 9 10:10:31 2001
@@ -0,0 +1,14 @@
+#ifndef _TISAUTH_H_INCLUDED
+#define _TISAUTH_H_INCLUDED
+
+struct tis_context;
+
+struct tis_context *tis_connect(struct sockaddr *addr, int addrlen);
+struct tis_context *tis_connect_multi(struct addrinfo *addrs);
+void tis_free(struct tis_context *ctx);
+char *tis_authenticate(struct tis_context *ctx, char *user);
+int tis_response(struct tis_context *ctx, char *response);
+char *tis_fake_challenge(void);
+
+#endif
+
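Review bot: The include guard `_TISAUTH_H_INCLUDED` uses a leading underscore followed by an uppercase letter, which is reserved for the implementation; `TISAUTH_H_INCLUDED` avoids the clash. The prototypes use `struct sockaddr` and `struct addrinfo` without including `<sys/socket.h>` and `<netdb.h>` or forward-declaring the tags, so the header only compiles when the includer has already pulled them in, as auth-chall.c presumably does via includes.h. The header also says nothing about ownership: a docstring on `tis_authenticate` and `tis_fake_challenge` should state that the returned string is heap-allocated and freed by the caller, and on `tis_connect_multi` that the context is released with `tis_free`; `user` and `response` could be `const char *` and `addrlen` a `socklen_t`.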