OPIE patch for current CVS

mouring at etoh.eviladmin.org mouring at etoh.eviladmin.org
Sun Nov 4 16:25:09 EST 2001


Sorry, the 3.0 feature set was locked in when OpenBSD 3.0 went to CD pressing.

Sorry

- Ben

On Sun, 4 Nov 2001, Wichert Akkerman wrote:

>
> I redid my previous OPIE patch for the current ssh tree. It seems
> to work fine here, and I'd love to see it merged before the 3.0
> release.
>
> Wichert.
>
>
> diff -x CVS -wNur ../cvs/other/openssh_cvs/Makefile.in openssh_cvs/Makefile.in
> --- ../cvs/other/openssh_cvs/Makefile.in	Mon Oct 22 02:53:59 2001
> +++ openssh_cvs/Makefile.in	Sun Nov  4 01:18:19 2001
> @@ -50,7 +50,7 @@
>
>  SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
>
> -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
> +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o auth-opie.o
>
>  MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
>  MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
> diff -x CVS -wNur ../cvs/other/openssh_cvs/acconfig.h openssh_cvs/acconfig.h
> --- ../cvs/other/openssh_cvs/acconfig.h	Mon Oct 22 02:53:59 2001
> +++ openssh_cvs/acconfig.h	Sun Nov  4 01:34:28 2001
> @@ -196,6 +196,9 @@
>  /* Define if you want S/Key support */
>  #undef SKEY
>
> +/* Define if you want OPIE support */
> +#undef OPIE
> +
>  /* Define if you want TCP Wrappers support */
>  #undef LIBWRAP
>
> diff -x CVS -wNur ../cvs/other/openssh_cvs/auth-opie.c openssh_cvs/auth-opie.c
> --- ../cvs/other/openssh_cvs/auth-opie.c	Thu Jan  1 01:00:00 1970
> +++ openssh_cvs/auth-opie.c	Sun Nov  4 02:42:50 2001
> @@ -0,0 +1,106 @@
> +/*
> + * Copyright (c) 2001 Wichert Akkerman.  All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + *    notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *    notice, this list of conditions and the following disclaimer in the
> + *    documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
> + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +#include "includes.h"
> +RCSID("$Id");
> +
> +#ifdef OPIE
> +
> +#include <opie.h>
> +
> +#include "xmalloc.h"
> +#include "auth.h"
> +
> +static void *
> +opie_init_ctx(Authctxt *authctxt)
> +{
> +	return authctxt;
> +}
> +
> +#define PROMPT "\nOPIE Password: "
> +
> +static int
> +opie_query(void *ctx, char **name, char **infotxt,
> +    u_int* numprompts, char ***prompts, u_int **echo_on)
> +{
> +	Authctxt *authctxt = ctx;
> +	char challenge[OPIE_CHALLENGE_MAX+64], *p;
> +	int len;
> +	struct opie opie;
> +
> +	if (opiechallenge(&opie, authctxt->user, challenge) != 0)
> +		return -1;
> +
> +	opieverify(&opie, ""); /* Zap lock again */
> +
> +	*name       = xstrdup("");
> +	*infotxt    = xstrdup("");
> +	*numprompts = 1;
> +	*prompts = xmalloc(*numprompts * sizeof(char*));
> +	*echo_on = xmalloc(*numprompts * sizeof(u_int));
> +	(*echo_on)[0] = 0;
> +
> +	len = strlen(challenge) + strlen(PROMPT) + 1;
> +	p = xmalloc(len);
> +	p[0] = '\0';
> +	strlcat(p, challenge, len);
> +	strlcat(p, PROMPT, len);
> +	(*prompts)[0] = p;
> +
> +	return 0;
> +}
> +
> +static int
> +opie_respond(void *ctx, u_int numresponses, char **responses)
> +{
> +	struct opie opie;
> +	char challenge[OPIE_CHALLENGE_MAX];
> +	Authctxt *authctxt = ctx;
> +
> +	if (opiechallenge(&opie, authctxt->user, challenge) != 0)
> +		return -1;
> +
> +	if (authctxt->valid &&
> +	    numresponses == 1 &&
> +	    opieverify(&opie, responses[0]) == 0)
> +	    return 0;
> +	else
> +	    opieverify(&opie, ""); /* Always need to verify to keep locks
> +				      in sync */
> +	return -1;
> +}
> +
> +static void
> +opie_free_ctx(void *ctx)
> +{
> +	/* we don't have a special context */
> +}
> +
> +KbdintDevice opie_device = {
> +	"opie",
> +	opie_init_ctx,
> +	opie_query,
> +	opie_respond,
> +	opie_free_ctx
> +};
> +#endif /* OPIE */
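Review bot: In opie_query the result of `opiechallenge()` decides whether a prompt is produced at all, and `authctxt->valid` is not consulted until opie_respond, so a client may be able to tell accounts that have an OPIE entry from those that do not by whether the device yields a challenge. How the caller treats the -1 is outside this file, so that path should be checked to confirm every user name gets a uniform prompt. The two challenge buffers are also sized differently, `OPIE_CHALLENGE_MAX+64` in opie_query but bare `OPIE_CHALLENGE_MAX` in opie_respond; if the constant does not count the terminating NUL the second is a byte short, and `char challenge[OPIE_CHALLENGE_MAX+1];` in both functions would be the safe form. Smaller points: the unbraced `if (...) return 0; else opieverify(&opie, "");` in opie_respond is easy to misread given its indentation, and `RCSID("$Id");` is missing the closing `$`.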
> diff -x CVS -wNur ../cvs/other/openssh_cvs/auth2-chall.c openssh_cvs/auth2-chall.c
> --- ../cvs/other/openssh_cvs/auth2-chall.c	Wed Oct  3 19:12:44 2001
> +++ openssh_cvs/auth2-chall.c	Sun Nov  4 01:25:57 2001
> @@ -42,6 +42,10 @@
>  #else
>  #ifdef SKEY
>  extern KbdintDevice skey_device;
> +#else
> +#ifdef OPIE
> +extern KbdintDevice opie_device;
> +#endif
>  #endif
>  #endif
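Review bot: Placing the OPIE declaration under the `#else` of `#ifdef SKEY` means a build with both SKEY and OPIE defined silently gets no OPIE device, and the device table in the next hunk repeats the same nesting. Nothing in the configure.ac hunk rejects that combination, so Makefile.in still links auth-opie.o and the summary still prints "OPIE support: yes", leaving an administrator to believe a one-time-password method is active when it is not registered. Either make the blocks independent (`#ifdef SKEY ... #endif` followed by `#ifdef OPIE ... #endif`, if the two libraries can coexist) or have configure stop with an error when both options are given. The outer `#else` belongs to a conditional that opens above the hunk.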
>
> @@ -51,6 +55,10 @@
>  #else
>  #ifdef SKEY
>  	&skey_device,
> +#else
> +#ifdef OPIE
> +	&opie_device,
> +#endif
>  #endif
>  #endif
>  	NULL
> diff -x CVS -wNur ../cvs/other/openssh_cvs/configure.ac openssh_cvs/configure.ac
> --- ../cvs/other/openssh_cvs/configure.ac	Sat Oct 27 19:45:37 2001
> +++ openssh_cvs/configure.ac	Sun Nov  4 01:32:17 2001
> @@ -514,6 +514,32 @@
>  	]
>  )
>
> +# Check whether user wants OPIE support
> +OPIE_MSG="no"
> +AC_ARG_WITH(opie,
> +	[  --with-opie[[=PATH]]      Enable OPIE support
> +                            (optionally in PATH)],
> +	[
> +		if test "x$withval" != "xno" ; then
> +
> +			if test "x$withval" != "xyes" ; then
> +				CPPFLAGS="$CPPFLAGS -I${withval}/include"
> +				LDFLAGS="$LDFLAGS -L${withval}/lib"
> +			fi
> +
> +			AC_DEFINE(OPIE)
> +			LIBS="-lopie $LIBS"
> +			OPIE_MSG="yes"
> +
> +			AC_CHECK_FUNC(opiechallenge,
> +				[],
> +				[
> +					AC_MSG_ERROR([** Incomplete or missing OPIE libraries.])
> +				])
> +		fi
> +	]
> +)
> +
>  # Check whether user wants TCP wrappers support
>  TCPW_MSG="no"
>  AC_ARG_WITH(tcp-wrappers,
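Review bot: The OPIE block probes only `opiechallenge`, although auth-opie.c also calls `opieverify` and includes `<opie.h>`, so a wrong `--with-opie=PATH` or a partial install passes configure and only fails later at compile or link time. Adding `AC_CHECK_HEADER(opie.h, [], [AC_MSG_ERROR([** opie.h not found.])])` before the function check, and checking `opieverify` alongside `opiechallenge`, would fail early with a clear message.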
> @@ -2211,6 +2237,7 @@
>  echo "             Smartcard support: $SCARD_MSG"
>  echo "                   AFS support: $AFS_MSG"
>  echo "                 S/KEY support: $SKEY_MSG"
> +echo "                  OPIE support: $OPIE_MSG"
>  echo "          TCP Wrappers support: $TCPW_MSG"
>  echo "          MD5 password support: $MD5_MSG"
>  echo "   IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> diff -x CVS -wNur ../cvs/other/openssh_cvs/readconf.c openssh_cvs/readconf.c
> --- ../cvs/other/openssh_cvs/readconf.c	Wed Oct  3 19:39:39 2001
> +++ openssh_cvs/readconf.c	Sun Nov  4 01:44:19 2001
> @@ -141,6 +141,7 @@
>  	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
>  	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
>  	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
> +	{ "opieauthentication", oChallengeResponseAuthentication },  /* alias */
>  #if defined(KRB4) || defined(KRB5)
>  	{ "kerberosauthentication", oKerberosAuthentication },
>  #endif
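Review bot: `opieauthentication` is added as an undocumented alias of `oChallengeResponseAuthentication`, so setting it toggles every challenge-response device rather than OPIE alone; the servconf.c hunk that follows adds the same alias for `sChallengeResponseAuthentication`. An administrator who writes `OPIEAuthentication yes` in sshd_config therefore enables whatever other keyboard-interactive devices are compiled in. I would say so at the table entry, e.g. `/* alias: toggles all challenge-response methods, not only OPIE */`, and document the keyword in ssh.1 and sshd.8, which the patch as posted does not touch.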
> diff -x CVS -wNur ../cvs/other/openssh_cvs/servconf.c openssh_cvs/servconf.c
> --- ../cvs/other/openssh_cvs/servconf.c	Wed Sep 12 18:32:15 2001
> +++ openssh_cvs/servconf.c	Sun Nov  4 01:44:27 2001
> @@ -286,6 +286,7 @@
>  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
>  	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
>  	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
> +	{ "opieauthentication", sChallengeResponseAuthentication }, /* alias */
>  	{ "checkmail", sDeprecated },
>  	{ "listenaddress", sListenAddress },
>  	{ "printmotd", sPrintMotd },
>
> --
>   _________________________________________________________________
>  /       Nothing is fool-proof to a sufficiently talented fool     \
> | wichert at wiggy.net                   http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
>



