OPIE patch for current CVS
Wichert Akkerman
wichert at wiggy.net
Sun Nov 4 12:49:38 EST 2001
I redid my previous OPIE patch for the current ssh tree. It seems
to work fine here, and I'd love to see it merged before the 3.0
release.
Wichert.
diff -x CVS -wNur ../cvs/other/openssh_cvs/Makefile.in openssh_cvs/Makefile.in
--- ../cvs/other/openssh_cvs/Makefile.in Mon Oct 22 02:53:59 2001
+++ openssh_cvs/Makefile.in Sun Nov 4 01:18:19 2001
@@ -50,7 +50,7 @@
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o auth-opie.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
diff -x CVS -wNur ../cvs/other/openssh_cvs/acconfig.h openssh_cvs/acconfig.h
--- ../cvs/other/openssh_cvs/acconfig.h Mon Oct 22 02:53:59 2001
+++ openssh_cvs/acconfig.h Sun Nov 4 01:34:28 2001
@@ -196,6 +196,9 @@
/* Define if you want S/Key support */
#undef SKEY
+/* Define if you want OPIE support */
+#undef OPIE
+
/* Define if you want TCP Wrappers support */
#undef LIBWRAP
diff -x CVS -wNur ../cvs/other/openssh_cvs/auth-opie.c openssh_cvs/auth-opie.c
--- ../cvs/other/openssh_cvs/auth-opie.c Thu Jan 1 01:00:00 1970
+++ openssh_cvs/auth-opie.c Sun Nov 4 02:42:50 2001
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2001 Wichert Akkerman. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$Id");
+
+#ifdef OPIE
+
+#include <opie.h>
+
+#include "xmalloc.h"
+#include "auth.h"
+
+static void *
+opie_init_ctx(Authctxt *authctxt)
+{
+ return authctxt;
+}
+
+#define PROMPT "\nOPIE Password: "
+
+static int
+opie_query(void *ctx, char **name, char **infotxt,
+ u_int* numprompts, char ***prompts, u_int **echo_on)
+{
+ Authctxt *authctxt = ctx;
+ char challenge[OPIE_CHALLENGE_MAX+64], *p;
+ int len;
+ struct opie opie;
+
+ if (opiechallenge(&opie, authctxt->user, challenge) != 0)
+ return -1;
+
+ opieverify(&opie, ""); /* Zap lock again */
+
+ *name = xstrdup("");
+ *infotxt = xstrdup("");
+ *numprompts = 1;
+ *prompts = xmalloc(*numprompts * sizeof(char*));
+ *echo_on = xmalloc(*numprompts * sizeof(u_int));
+ (*echo_on)[0] = 0;
+
+ len = strlen(challenge) + strlen(PROMPT) + 1;
+ p = xmalloc(len);
+ p[0] = '\0';
+ strlcat(p, challenge, len);
+ strlcat(p, PROMPT, len);
+ (*prompts)[0] = p;
+
+ return 0;
+}
+
+static int
+opie_respond(void *ctx, u_int numresponses, char **responses)
+{
+ struct opie opie;
+ char challenge[OPIE_CHALLENGE_MAX];
+ Authctxt *authctxt = ctx;
+
+ if (opiechallenge(&opie, authctxt->user, challenge) != 0)
+ return -1;
+
+ if (authctxt->valid &&
+ numresponses == 1 &&
+ opieverify(&opie, responses[0]) == 0)
+ return 0;
+ else
+ opieverify(&opie, ""); /* Always need to verify to keep locks
+ in sync */
+ return -1;
+}
+
+static void
+opie_free_ctx(void *ctx)
+{
+ /* we don't have a special context */
+}
+
+KbdintDevice opie_device = {
+ "opie",
+ opie_init_ctx,
+ opie_query,
+ opie_respond,
+ opie_free_ctx
+};
+#endif /* OPIE */
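Review bot: In opie_respond the buffer is declared `char challenge[OPIE_CHALLENGE_MAX];` while opie_query hands opiechallenge() a buffer of `OPIE_CHALLENGE_MAX+64`; if the library may write up to OPIE_CHALLENGE_MAX characters plus a terminator, which is how I read its contract, the smaller buffer is one byte short on a pre-authentication code path. Declaring it as `char challenge[OPIE_CHALLENGE_MAX+1];` in both functions removes the doubt. Separately, opie_query returns -1 whenever opiechallenge() fails, so a client probably sees a different outcome for accounts without an OPIE entry than for accounts with one; the library appears to fill in a challenge even on failure, so presenting that and rejecting in opie_respond would close the account oracle, but this should be confirmed against the OPIE documentation. The `else` in opie_respond would also be safer with braces, since the `return -1;` after it sits at the same level and the split comment makes the branch hard to read.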
diff -x CVS -wNur ../cvs/other/openssh_cvs/auth2-chall.c openssh_cvs/auth2-chall.c
--- ../cvs/other/openssh_cvs/auth2-chall.c Wed Oct 3 19:12:44 2001
+++ openssh_cvs/auth2-chall.c Sun Nov 4 01:25:57 2001
@@ -42,6 +42,10 @@
#else
#ifdef SKEY
extern KbdintDevice skey_device;
+#else
+#ifdef OPIE
+extern KbdintDevice opie_device;
+#endif
#endif
#endif
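Review bot: `opie_device` is declared only in the `#else` branch of `#ifdef SKEY`, and the device table in the next hunk does the same with `&opie_device`, so a build configured with both S/Key and OPIE compiles auth-opie.c but never offers the device, while configure still reports OPIE support as yes. Either list the devices independently of each other or refuse the combination explicitly, e.g. `#if defined(SKEY) && defined(OPIE)` / `#error "SKEY and OPIE cannot both be enabled"` / `#endif`. The outer `#else` belongs to a conditional that opens above the hunk, so the same silent drop presumably applies to whatever that branch selects.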
@@ -51,6 +55,10 @@
#else
#ifdef SKEY
&skey_device,
+#else
+#ifdef OPIE
+ &opie_device,
+#endif
#endif
#endif
NULL
diff -x CVS -wNur ../cvs/other/openssh_cvs/configure.ac openssh_cvs/configure.ac
--- ../cvs/other/openssh_cvs/configure.ac Sat Oct 27 19:45:37 2001
+++ openssh_cvs/configure.ac Sun Nov 4 01:32:17 2001
@@ -514,6 +514,32 @@
]
)
+# Check whether user wants OPIE support
+OPIE_MSG="no"
+AC_ARG_WITH(opie,
+ [ --with-opie[[=PATH]] Enable OPIE support
+ (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+
+ if test "x$withval" != "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ LDFLAGS="$LDFLAGS -L${withval}/lib"
+ fi
+
+ AC_DEFINE(OPIE)
+ LIBS="-lopie $LIBS"
+ OPIE_MSG="yes"
+
+ AC_CHECK_FUNC(opiechallenge,
+ [],
+ [
+ AC_MSG_ERROR([** Incomplete or missing OPIE libraries.])
+ ])
+ fi
+ ]
+)
+
# Check whether user wants TCP wrappers support
TCPW_MSG="no"
AC_ARG_WITH(tcp-wrappers,
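Review bot: The `--with-opie` block verifies only that `opiechallenge` links, although auth-opie.c also includes `<opie.h>` and calls `opieverify`, so a system with the library but without the header passes configure and fails later in the build. Adding `AC_CHECK_HEADER(opie.h, [], [AC_MSG_ERROR([** OPIE header opie.h not found.])])` next to the function check would surface that early. The block also does not look at whether S/Key was requested as well, which matters because the auth2-chall.c change registers the OPIE device only when SKEY is undefined.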
@@ -2211,6 +2237,7 @@
echo " Smartcard support: $SCARD_MSG"
echo " AFS support: $AFS_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " OPIE support: $OPIE_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
diff -x CVS -wNur ../cvs/other/openssh_cvs/readconf.c openssh_cvs/readconf.c
--- ../cvs/other/openssh_cvs/readconf.c Wed Oct 3 19:39:39 2001
+++ openssh_cvs/readconf.c Sun Nov 4 01:44:19 2001
@@ -141,6 +141,7 @@
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
+ { "opieauthentication", oChallengeResponseAuthentication }, /* alias */
#if defined(KRB4) || defined(KRB5)
{ "kerberosauthentication", oKerberosAuthentication },
#endif
diff -x CVS -wNur ../cvs/other/openssh_cvs/servconf.c openssh_cvs/servconf.c
--- ../cvs/other/openssh_cvs/servconf.c Wed Sep 12 18:32:15 2001
+++ openssh_cvs/servconf.c Sun Nov 4 01:44:27 2001
@@ -286,6 +286,7 @@
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
+ { "opieauthentication", sChallengeResponseAuthentication }, /* alias */
{ "checkmail", sDeprecated },
{ "listenaddress", sListenAddress },
{ "printmotd", sPrintMotd },
--
_________________________________________________________________
/ Nothing is fool-proof to a sufficiently talented fool \
| wichert at wiggy.net http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |