Created
August 5, 2012 07:11
-
-
Save osamu/3262577 to your computer and use it in GitHub Desktop.
SecurID patch for openssh-6.0p1 (http://v_t_m.sweb.cz/OpenSSH/)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff -ruN openssh-6.0p1/Makefile.in openssh-6.0p1-secuireid/Makefile.in | |
| --- openssh-6.0p1/Makefile.in 2012-04-04 10:27:57.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/Makefile.in 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -84,6 +84,7 @@ | |
| auth-chall.o auth2-chall.o groupaccess.o \ | |
| auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | |
| auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | |
| + auth2-securid.o \ | |
| monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | |
| auth-krb5.o \ | |
| auth2-gss.o gss-serv.o gss-serv-krb5.o \ | |
| diff -ruN openssh-6.0p1/auth.h openssh-6.0p1-secuireid/auth.h | |
| --- openssh-6.0p1/auth.h 2011-05-29 20:39:38.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/auth.h 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -73,6 +73,12 @@ | |
| #endif | |
| Buffer *loginmsg; | |
| void *methoddata; | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + int securid_state; | |
| + void *securid_data; | |
| + char *securid_pin; | |
| + char *securid_real_user; | |
| +#endif | |
| }; | |
| /* | |
| * Every authentication method has to handle authentication requests for | |
| diff -ruN openssh-6.0p1/auth2-chall.c openssh-6.0p1-secuireid/auth2-chall.c | |
| --- openssh-6.0p1/auth2-chall.c 2009-01-28 14:13:39.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/auth2-chall.c 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -53,6 +53,9 @@ | |
| #ifdef BSD_AUTH | |
| extern KbdintDevice bsdauth_device; | |
| #else | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +extern KbdintDevice securid_device; | |
| +#endif | |
| #ifdef USE_PAM | |
| extern KbdintDevice sshpam_device; | |
| #endif | |
| @@ -65,6 +68,9 @@ | |
| #ifdef BSD_AUTH | |
| &bsdauth_device, | |
| #else | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + &securid_device, | |
| +#endif | |
| #ifdef USE_PAM | |
| &sshpam_device, | |
| #endif | |
| @@ -221,6 +227,7 @@ | |
| debug2("auth2_challenge_start: devices %s", | |
| kbdintctxt->devices ? kbdintctxt->devices : "<empty>"); | |
| + kbd_next_device: | |
| if (kbdint_next_device(kbdintctxt) == 0) { | |
| auth2_challenge_stop(authctxt); | |
| return 0; | |
| @@ -228,10 +235,9 @@ | |
| debug("auth2_challenge_start: trying authentication method '%s'", | |
| kbdintctxt->device->name); | |
| - if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) { | |
| - auth2_challenge_stop(authctxt); | |
| - return 0; | |
| - } | |
| + if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) | |
| + goto kbd_next_device; | |
| + | |
| if (send_userauth_info_request(authctxt) == 0) { | |
| auth2_challenge_stop(authctxt); | |
| return 0; | |
| @@ -348,12 +354,16 @@ | |
| void | |
| privsep_challenge_enable(void) | |
| { | |
| -#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY) | |
| +#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY) || \ | |
| +defined (SECURID) || defined (SECURID_OLD) | |
| int n = 0; | |
| #endif | |
| #ifdef BSD_AUTH | |
| extern KbdintDevice mm_bsdauth_device; | |
| #endif | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + extern KbdintDevice mm_securid_device; | |
| +#endif | |
| #ifdef USE_PAM | |
| extern KbdintDevice mm_sshpam_device; | |
| #endif | |
| @@ -364,6 +374,9 @@ | |
| #ifdef BSD_AUTH | |
| devices[n++] = &mm_bsdauth_device; | |
| #else | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + devices[n++] = &mm_securid_device; | |
| +#endif | |
| #ifdef USE_PAM | |
| devices[n++] = &mm_sshpam_device; | |
| #endif | |
| diff -ruN openssh-6.0p1/config.h.in openssh-6.0p1-secuireid/config.h.in | |
| --- openssh-6.0p1/config.h.in 2012-04-20 14:03:32.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/config.h.in 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -1353,6 +1353,12 @@ | |
| /* must supply username to passwd */ | |
| #undef PASSWD_NEEDS_USERNAME | |
| +/* Support for ACE/Server 5.x */ | |
| +#undef SECURID | |
| + | |
| +/* Support for ACE/Agent 3.x, which can comunicate with ACE/Server 3.x and 5.x too */ | |
| +#undef SECURID_OLD | |
| + | |
| /* Port number of PRNGD/EGD random number socket */ | |
| #undef PRNGD_PORT | |
| diff -ruN openssh-6.0p1/configure openssh-6.0p1-secuireid/configure | |
| --- openssh-6.0p1/configure 2012-04-20 14:03:38.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/configure 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -1411,6 +1411,8 @@ | |
| --with-zlib=PATH Use zlib in PATH | |
| --without-zlib-version-check Disable zlib version check | |
| --with-skey[=PATH] Enable S/Key support (optionally in PATH) | |
| + --with-securid[=PATH] Enable ACE/Server (SecurID) support | |
| + (optionally in PATH) | |
| --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) | |
| --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) | |
| --with-libedit[=PATH] Enable libedit support for sftp | |
| @@ -9002,6 +9004,91 @@ | |
| fi | |
| + | |
| + | |
| + | |
| +# Check whether user wants SecurID support | |
| +SECURID_MSG="no" | |
| + | |
| +# Check whether --with-securid or --without-securid was given. | |
| +if test "${with_securid+set}" = set; then | |
| + withval="$with_securid" | |
| + | |
| + if test "$withval" != "no" ; then | |
| + if test -n "$withval"; then | |
| + if test "$withval" = "yes"; then | |
| + # default location | |
| + withval="/var/ace" | |
| + fi | |
| + | |
| + # new client for ACE/Server version 5.x | |
| + echo "$as_me:$LINENO: checking for ACE/Agent libs version 5.x" >&5 | |
| +echo $ECHO_N "checking for ACE/Agent libs version 5.x... $ECHO_C" >&6 | |
| + if test -f "$withval/inc/acclnt.h"; then | |
| + case "$host" in | |
| + *-*-aix*) | |
| + PLATFORM="aix" | |
| + THREAD_LIBS="-lpthreads -lc_r" | |
| + ;; | |
| + *-*-hpux10*) | |
| + PLATFORM="hp" | |
| + THREAD_LIBS="-ldce" | |
| + ;; | |
| + *-*-hpux11*) | |
| + PLATFORM="hp11" | |
| + THREAD_LIBS="-lpthread" | |
| + ;; | |
| + *-*-linux*) | |
| + PLATFORM="lnx" | |
| + THREAD_LIBS="-lpthread" | |
| + ;; | |
| + *-*-solaris*) | |
| + PLATFORM="sol" | |
| + THREAD_LIBS="-lthread" | |
| + ;; | |
| + esac | |
| + if test -f "$withval/lib/$PLATFORM/libaceclnt.a"; then | |
| + echo "$as_me:$LINENO: result: found" >&5 | |
| +echo "${ECHO_T}found" >&6 | |
| + cat >>confdefs.h <<\_ACEOF | |
| +#define SECURID 1 | |
| +_ACEOF | |
| + | |
| + SECURID_MSG="yes (for 5.x)" | |
| + CFLAGS="$CFLAGS -I$withval/inc" | |
| + LIBS="$LIBS $withval/lib/$PLATFORM/libaceclnt.a $THREAD_LIBS" | |
| + fi | |
| + else | |
| + echo "$as_me:$LINENO: result: not found" >&5 | |
| +echo "${ECHO_T}not found" >&6 | |
| + # old client for ACE/server version 3.x | |
| + echo "$as_me:$LINENO: checking for ACE/Agent libs version 3.x" >&5 | |
| +echo $ECHO_N "checking for ACE/Agent libs version 3.x... $ECHO_C" >&6 | |
| + if test -f "$withval/sdiclient.a"; then | |
| + # sdiclient.a found in $withval | |
| + echo "$as_me:$LINENO: result: found" >&5 | |
| +echo "${ECHO_T}found" >&6 | |
| + cat >>confdefs.h <<\_ACEOF | |
| +#define SECURID_OLD 1 | |
| +_ACEOF | |
| + | |
| + SECURID_MSG="yes (for 3.x)" | |
| + CFLAGS="$CFLAGS -I$withval" | |
| + LIBS="$withval/sdiclient.a $LIBS" | |
| + else | |
| + echo "$as_me:$LINENO: result: not found" >&5 | |
| +echo "${ECHO_T}not found" >&6 | |
| + { { echo "$as_me:$LINENO: error: no ACE libs found !!" >&5 | |
| +echo "$as_me: error: no ACE libs found !!" >&2;} | |
| + { (exit 1); exit 1; }; } | |
| + fi | |
| + fi | |
| + fi | |
| + fi | |
| + | |
| + | |
| +fi; | |
| + | |
| # Check whether user wants TCP wrappers support | |
| TCPW_MSG="no" | |
| @@ -17925,6 +18012,7 @@ | |
| echo " SELinux support: $SELINUX_MSG" | |
| echo " Smartcard support: $SCARD_MSG" | |
| echo " S/KEY support: $SKEY_MSG" | |
| +echo " SecurID support: $SECURID_MSG" | |
| echo " TCP Wrappers support: $TCPW_MSG" | |
| echo " MD5 password support: $MD5_MSG" | |
| echo " libedit support: $LIBEDIT_MSG" | |
| diff -ruN openssh-6.0p1/configure.ac openssh-6.0p1-secuireid/configure.ac | |
| --- openssh-6.0p1/configure.ac 2012-04-19 20:46:38.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/configure.ac 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -1313,6 +1313,75 @@ | |
| ] | |
| ) | |
| +AH_TEMPLATE([SECURID], [Support for ACE/Server 5.x]) | |
| +AH_TEMPLATE([SECURID_OLD], [Support for ACE/Agent 3.x, which can comunicate | |
| + with ACE/Server 3.x and 5.x too]) | |
| +# Check whether user wants SecurID support | |
| +SECURID_MSG="no" | |
| +AC_ARG_WITH(securid, | |
| + [ --with-securid[[=PATH]] Enable ACE/Server (SecurID) support | |
| + (optionally in PATH)], | |
| + [ | |
| + if test "$withval" != "no" ; then | |
| + if test -n "$withval"; then | |
| + if test "$withval" = "yes"; then | |
| + # default location | |
| + withval="/var/ace" | |
| + fi | |
| + | |
| + # new client for ACE/Server version 5.x | |
| + AC_MSG_CHECKING([for ACE/Agent libs version 5.x]) | |
| + if test -f "$withval/inc/acclnt.h"; then | |
| + case "$host" in | |
| + *-*-aix*) | |
| + PLATFORM="aix" | |
| + THREAD_LIBS="-lpthreads -lc_r" | |
| + ;; | |
| + *-*-hpux10*) | |
| + PLATFORM="hp" | |
| + THREAD_LIBS="-ldce" | |
| + ;; | |
| + *-*-hpux11*) | |
| + PLATFORM="hp11" | |
| + THREAD_LIBS="-lpthread" | |
| + ;; | |
| + *-*-linux*) | |
| + PLATFORM="lnx" | |
| + THREAD_LIBS="-lpthread" | |
| + ;; | |
| + *-*-solaris*) | |
| + PLATFORM="sol" | |
| + THREAD_LIBS="-lthread" | |
| + ;; | |
| + esac | |
| + if test -f "$withval/lib/$PLATFORM/libaceclnt.a"; then | |
| + AC_MSG_RESULT(found) | |
| + AC_DEFINE(SECURID) | |
| + SECURID_MSG="yes (for 5.x)" | |
| + CFLAGS="$CFLAGS -I$withval/inc" | |
| + LIBS="$LIBS $withval/lib/$PLATFORM/libaceclnt.a $THREAD_LIBS" | |
| + fi | |
| + else | |
| + AC_MSG_RESULT(not found) | |
| + # old client for ACE/server version 3.x | |
| + AC_MSG_CHECKING([for ACE/Agent libs version 3.x]) | |
| + if test -f "$withval/sdiclient.a"; then | |
| + # sdiclient.a found in $withval | |
| + AC_MSG_RESULT(found) | |
| + AC_DEFINE(SECURID_OLD) | |
| + SECURID_MSG="yes (for 3.x)" | |
| + CFLAGS="$CFLAGS -I$withval" | |
| + LIBS="$withval/sdiclient.a $LIBS" | |
| + else | |
| + AC_MSG_RESULT(not found) | |
| + AC_MSG_ERROR([no ACE libs found !!]) | |
| + fi | |
| + fi | |
| + fi | |
| + fi | |
| + ] | |
| +) | |
| + | |
| # Check whether user wants TCP wrappers support | |
| TCPW_MSG="no" | |
| AC_ARG_WITH([tcp-wrappers], | |
| diff -ruN openssh-6.0p1/monitor.c openssh-6.0p1-secuireid/monitor.c | |
| --- openssh-6.0p1/monitor.c 2012-02-11 06:16:09.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/monitor.c 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -102,6 +102,10 @@ | |
| static Gssctxt *gsscontext = NULL; | |
| #endif | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +#include "auth2-securid.h" | |
| +#endif | |
| + | |
| /* Imports */ | |
| extern ServerOptions options; | |
| extern u_int utmp_len; | |
| @@ -182,6 +186,12 @@ | |
| int mm_answer_gss_checkmic(int, Buffer *); | |
| #endif | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +int mm_answer_securid_init_ctx(int, Buffer *); | |
| +int mm_answer_securid_query(int, Buffer *); | |
| +int mm_answer_securid_respond(int, Buffer *); | |
| +#endif | |
| + | |
| #ifdef SSH_AUDIT_EVENTS | |
| int mm_answer_audit_event(int, Buffer *); | |
| int mm_answer_audit_command(int, Buffer *); | |
| @@ -252,6 +262,11 @@ | |
| {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | |
| {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | |
| #endif | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + {MONITOR_REQ_SECURID_INIT_CTX, MON_ISAUTH, mm_answer_securid_init_ctx}, | |
| + {MONITOR_REQ_SECURID_QUERY, MON_ISAUTH, mm_answer_securid_query}, | |
| + {MONITOR_REQ_SECURID_RESPOND, MON_AUTH, mm_answer_securid_respond}, | |
| +#endif | |
| #ifdef JPAKE | |
| {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | |
| {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1}, | |
| @@ -2105,6 +2120,96 @@ | |
| } | |
| #endif /* GSSAPI */ | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +int | |
| +mm_answer_securid_init_ctx(int socket, Buffer *m) | |
| +{ | |
| + u_int success; | |
| + | |
| + debug3("%s entering", __func__); | |
| + | |
| + success = securid_init_ctx(authctxt) == NULL ? 0 : 1; | |
| + | |
| + buffer_clear(m); | |
| + buffer_put_int(m, success); | |
| + | |
| + auth_method = "securid"; | |
| + mm_request_send(socket, MONITOR_ANS_SECURID_INIT_CTX, m); | |
| + return 0; | |
| +} | |
| + | |
| +int | |
| +mm_answer_securid_query(int socket, Buffer *m) | |
| +{ | |
| + char *name, *infotxt; | |
| + u_int numprompts; | |
| + u_int *echo_on; | |
| + char **prompts; | |
| + u_int success; | |
| + | |
| + success = securid_query(authctxt, &name, &infotxt, &numprompts, | |
| + &prompts, &echo_on) < 0 ? 0 : 1; | |
| + | |
| + buffer_clear(m); | |
| + buffer_put_int(m, success); | |
| + if (success) { | |
| + buffer_put_cstring(m, prompts[0]); | |
| + buffer_put_int(m, echo_on[0]); | |
| + } | |
| + | |
| + debug3("%s: sending challenge success: %u", __func__, success); | |
| + mm_request_send(socket, MONITOR_ANS_SECURID_QUERY, m); | |
| + | |
| + if (success) { | |
| + xfree(name); | |
| + xfree(infotxt); | |
| + xfree(prompts); | |
| + xfree(echo_on); | |
| + } | |
| + | |
| + return 0; | |
| +} | |
| + | |
| +/* | |
| + * respond returns: 0 - success, 1 - need further interaction, | |
| + */ | |
| +int | |
| +mm_answer_securid_respond(int socket, Buffer *m) | |
| +{ | |
| + char **responses; | |
| + int authok, rlen; | |
| + | |
| + responses = xmalloc(sizeof(char *)); | |
| + responses[0] = buffer_get_string(m, &rlen); | |
| + | |
| + authok = securid_respond(authctxt, 1, responses); | |
| + | |
| + memset(responses[0], 0, rlen); | |
| + xfree(responses[0]); | |
| + xfree(responses); | |
| + | |
| + if (authok < 0) | |
| + authok = 100; | |
| + | |
| + /* | |
| + * kdyz jednou vratim 1, tak je to povazovano za uspesnou autentizaci | |
| + * a monitor se rozjede dal a neni radno do nej zasahovat, proto | |
| + * je securid_free_ctx zde | |
| + */ | |
| + if (authok != 1) | |
| + securid_free_ctx(authctxt); | |
| + | |
| + buffer_clear(m); | |
| + buffer_put_int(m, authok); | |
| + | |
| + mm_request_send(socket, MONITOR_ANS_SECURID_RESPOND, m); | |
| + | |
| + auth_method = "securid"; | |
| + | |
| + return (authok == 0); | |
| +} | |
| +#endif /* SECURID || SECURID_OLD */ | |
| + | |
| #ifdef JPAKE | |
| int | |
| mm_answer_jpake_step1(int sock, Buffer *m) | |
| diff -ruN openssh-6.0p1/monitor.h openssh-6.0p1-secuireid/monitor.h | |
| --- openssh-6.0p1/monitor.h 2011-06-20 13:42:23.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/monitor.h 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -59,6 +59,11 @@ | |
| MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, | |
| MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, | |
| MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + MONITOR_REQ_SECURID_INIT_CTX, MONITOR_ANS_SECURID_INIT_CTX, | |
| + MONITOR_REQ_SECURID_QUERY, MONITOR_ANS_SECURID_QUERY, | |
| + MONITOR_REQ_SECURID_RESPOND, MONITOR_ANS_SECURID_RESPOND, | |
| +#endif | |
| MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, | |
| MONITOR_REQ_TERM, | |
| MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, | |
| diff -ruN openssh-6.0p1/monitor_wrap.c openssh-6.0p1-secuireid/monitor_wrap.c | |
| --- openssh-6.0p1/monitor_wrap.c 2011-06-20 13:42:23.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/monitor_wrap.c 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -67,6 +67,9 @@ | |
| #ifdef GSSAPI | |
| #include "ssh-gss.h" | |
| #endif | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +#include "auth2-securid.h" | |
| +#endif | |
| #include "monitor_wrap.h" | |
| #include "atomicio.h" | |
| #include "monitor_fdpass.h" | |
| @@ -1288,6 +1291,82 @@ | |
| return (authenticated); | |
| } | |
| #endif /* GSSAPI */ | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +void * | |
| +mm_securid_init_ctx(struct Authctxt *authctxt) | |
| +{ | |
| + Buffer m; | |
| + u_int success; | |
| + | |
| + debug3("%s entering", __func__); | |
| + | |
| + buffer_init(&m); | |
| + | |
| + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SECURID_INIT_CTX, &m); | |
| + debug3("%s: waiting for MONITOR_ANS_SECURID_INIT_CTX (%d)", __func__, MONITOR_ANS_SECURID_INIT_CTX); | |
| + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SECURID_INIT_CTX, &m); | |
| + | |
| + success = buffer_get_int(&m); | |
| + buffer_free(&m); | |
| + | |
| + return ((success == 0) ? NULL : authctxt); | |
| +} | |
| + | |
| +int | |
| +mm_securid_query(void *ctx, char **name, char **infotxt, | |
| + u_int *numprompts, char ***prompts, u_int **echo_on) | |
| +{ | |
| + Buffer m; | |
| + u_int success; | |
| + | |
| + debug3("%s: entering", __func__); | |
| + | |
| + buffer_init(&m); | |
| + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SECURID_QUERY, &m); | |
| + debug3("%s: waiting for MONITOR_ANS_SECURID_QUERY (%d)", __func__, MONITOR_ANS_SECURID_QUERY); | |
| + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SECURID_QUERY, &m); | |
| + | |
| + success = buffer_get_int(&m); | |
| + if (success == 0) { | |
| + debug3("%s: no challenge", __func__); | |
| + buffer_free(&m); | |
| + return (-1); | |
| + } | |
| + | |
| + mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); | |
| + (*prompts)[0] = buffer_get_string(&m, NULL); | |
| + (*echo_on)[0] = buffer_get_int(&m); | |
| + | |
| + buffer_free(&m); | |
| + | |
| + return (0); | |
| +} | |
| + | |
| +/* | |
| + * respond returns: 0 - success, 1 - need further interaction, | |
| + */ | |
| +int | |
| +mm_securid_respond(void *ctx, u_int numresponses, char **responses) | |
| +{ | |
| + Buffer m; | |
| + int authok; | |
| + | |
| + debug3("%s: entering", __func__); | |
| + if (numresponses != 1) | |
| + return (-1); | |
| + | |
| + buffer_init(&m); | |
| + buffer_put_cstring(&m, responses[0]); | |
| + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SECURID_RESPOND, &m); | |
| + | |
| + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SECURID_RESPOND, &m); | |
| + | |
| + authok = buffer_get_int(&m); | |
| + buffer_free(&m); | |
| + | |
| + return authok; | |
| +} | |
| +#endif /* SECURID || SECURID_OLD */ | |
| #ifdef JPAKE | |
| void | |
| diff -ruN openssh-6.0p1/monitor_wrap.h openssh-6.0p1-secuireid/monitor_wrap.h | |
| --- openssh-6.0p1/monitor_wrap.h 2011-06-20 13:42:23.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/monitor_wrap.h 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -102,6 +102,13 @@ | |
| int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); | |
| int mm_skey_respond(void *, u_int, char **); | |
| +/* securid */ | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| +void *mm_securid_init_ctx(struct Authctxt *); | |
| +int mm_securid_query(void *, char **, char **, u_int *, char ***, u_int **); | |
| +int mm_securid_respond(void *, u_int, char **); | |
| +#endif | |
| + | |
| /* jpake */ | |
| struct modp_group; | |
| void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **); | |
| diff -ruN openssh-6.0p1/servconf.c openssh-6.0p1-secuireid/servconf.c | |
| --- openssh-6.0p1/servconf.c 2011-10-02 16:57:38.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/servconf.c 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -98,6 +98,11 @@ | |
| options->kerberos_get_afs_token = -1; | |
| options->gss_authentication=-1; | |
| options->gss_cleanup_creds = -1; | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + options->sdconf_rec_dir = NULL; | |
| + options->negate_securid_users = -1; | |
| + options->securid_user_env_var = NULL; | |
| +#endif | |
| options->password_authentication = -1; | |
| options->kbd_interactive_authentication = -1; | |
| options->challenge_response_authentication = -1; | |
| @@ -227,6 +232,10 @@ | |
| options->gss_authentication = 0; | |
| if (options->gss_cleanup_creds == -1) | |
| options->gss_cleanup_creds = 1; | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + if (options->negate_securid_users == -1) | |
| + options->negate_securid_users = 0; | |
| +#endif | |
| if (options->password_authentication == -1) | |
| options->password_authentication = 1; | |
| if (options->kbd_interactive_authentication == -1) | |
| @@ -298,6 +307,11 @@ | |
| sBadOption, /* == unknown option */ | |
| /* Portable-specific options */ | |
| sUsePAM, | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + sSDConfRecDir, | |
| + sNegateSecurIDUsers, | |
| + sSecurIDUserEnvVar, | |
| +#endif | |
| /* Standard Options */ | |
| sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, | |
| sPermitRootLogin, sLogFacility, sLogLevel, | |
| @@ -344,6 +358,11 @@ | |
| { "usepam", sUnsupported, SSHCFG_GLOBAL }, | |
| #endif | |
| { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + { "sdconfrecdir", sSDConfRecDir }, | |
| + { "negatesecuridusers", sNegateSecurIDUsers }, | |
| + { "securiduserenvvar", sSecurIDUserEnvVar }, | |
| +#endif | |
| /* Standard Options */ | |
| { "port", sPort, SSHCFG_GLOBAL }, | |
| { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, | |
| @@ -966,6 +985,24 @@ | |
| intptr = &options->gss_cleanup_creds; | |
| goto parse_flag; | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + case sSDConfRecDir: | |
| + charptr = &options->sdconf_rec_dir; | |
| + goto parse_filename; | |
| + | |
| + case sNegateSecurIDUsers: | |
| + intptr = &options->negate_securid_users; | |
| + goto parse_flag; | |
| + | |
| + case sSecurIDUserEnvVar: | |
| + charptr = &options->securid_user_env_var; | |
| +//parse_string: | |
| + arg = strdelim(&cp); | |
| + if (arg != NULL && *arg != '\0' && *charptr == NULL) | |
| + *charptr = xstrdup(arg); | |
| + break; | |
| +#endif | |
| + | |
| case sPasswordAuthentication: | |
| intptr = &options->password_authentication; | |
| goto parse_flag; | |
| diff -ruN openssh-6.0p1/servconf.h openssh-6.0p1-secuireid/servconf.h | |
| --- openssh-6.0p1/servconf.h 2011-06-23 07:30:03.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/servconf.h 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -104,6 +104,13 @@ | |
| * authenticated with Kerberos. */ | |
| int gss_authentication; /* If true, permit GSSAPI authentication */ | |
| int gss_cleanup_creds; /* If true, destroy cred cache on logout */ | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + char *sdconf_rec_dir; | |
| + int negate_securid_users; /* If set, securid_users file is used | |
| + * to determine who _doesn't_ get | |
| + * authed via SecurID */ | |
| + char *securid_user_env_var; | |
| +#endif | |
| int password_authentication; /* If true, permit password | |
| * authentication. */ | |
| int kbd_interactive_authentication; /* If true, permit */ | |
| diff -ruN openssh-6.0p1/session.c openssh-6.0p1-secuireid/session.c | |
| --- openssh-6.0p1/session.c 2011-11-04 08:55:24.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/session.c 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -1273,6 +1273,16 @@ | |
| child_set_env(&env, &envsize, "KRB5CCNAME", | |
| s->authctxt->krb5_ccname); | |
| #endif | |
| + | |
| +#if defined (SECURID) || defined (SECURID_OLD) | |
| + if (s->authctxt->securid_real_user) { | |
| + if (options.securid_user_env_var != NULL) | |
| + child_set_env(&env, &envsize, options.securid_user_env_var, | |
| + s->authctxt->securid_real_user); | |
| + xfree(s->authctxt->securid_real_user); | |
| + } | |
| +#endif | |
| + | |
| #ifdef USE_PAM | |
| /* | |
| * Pull in any environment variables that may have | |
| diff -ruN openssh-6.0p1/sshd_config openssh-6.0p1-secuireid/sshd_config | |
| --- openssh-6.0p1/sshd_config 2011-05-29 20:39:39.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/sshd_config 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -66,6 +66,16 @@ | |
| # Change to no to disable s/key passwords | |
| #ChallengeResponseAuthentication yes | |
| +# Directory where sdconf.rec file is located | |
| +#SDConfRecDir /... | |
| +#NegateSecurIDUsers no | |
| + | |
| +# for shared login in securid authentication you can specify ENV variable, | |
| +# which is set to login name of user, which was successfully authenticated | |
| +# against to ACE/Server | |
| +# WARNING: this is env variable and user can set it to different value | |
| +#SecurIDUserEnvVar SECURIDUSER | |
| + | |
| # Kerberos options | |
| #KerberosAuthentication no | |
| #KerberosOrLocalPasswd yes | |
| diff -ruN openssh-6.0p1/sshd_config.0 openssh-6.0p1-secuireid/sshd_config.0 | |
| --- openssh-6.0p1/sshd_config.0 2012-04-20 14:03:39.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/sshd_config.0 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -434,6 +434,11 @@ | |
| increases linearly and all connection attempts are refused if the | |
| number of unauthenticated connections reaches ``full'' (60). | |
| + NegateSecurIDUsers | |
| + Negates the meaning of the /etc/ssh/securid_users file. Users in | |
| + this file will not require SecurID auth, but all others will. The | |
| + default is ``no''. | |
| + | |
| PasswordAuthentication | |
| Specifies whether password authentication is allowed. The | |
| default is ``yes''. | |
| @@ -534,6 +539,9 @@ | |
| default is ``yes''. This option applies to protocol version 1 | |
| only. | |
| + SDConfRecDir | |
| + Specifies the directory where the file sdconf.rec is located. | |
| + | |
| ServerKeyBits | |
| Defines the number of bits in the ephemeral protocol version 1 | |
| server key. The minimum value is 512, and the default is 1024. | |
| diff -ruN openssh-6.0p1/sshd_config.5 openssh-6.0p1-secuireid/sshd_config.5 | |
| --- openssh-6.0p1/sshd_config.5 2011-09-22 20:37:13.000000000 +0900 | |
| +++ openssh-6.0p1-secuireid/sshd_config.5 2012-08-05 15:37:07.000000000 +0900 | |
| @@ -763,6 +763,11 @@ | |
| are refused if the number of unauthenticated connections reaches | |
| .Dq full | |
| (60). | |
| +.It Cm NegateSecurIDUsers | |
| +Negates the meaning of the /etc/ssh/securid_users file. Users in | |
| +this file will not require SecurID auth, but all others will. | |
| +The default is | |
| +.Dq no . | |
| .It Cm PasswordAuthentication | |
| Specifies whether password authentication is allowed. | |
| The default is | |
| @@ -915,6 +920,8 @@ | |
| The default is | |
| .Dq yes . | |
| Note that this option applies to protocol version 2 only. | |
| +.It Cm SDConfRecDir | |
| +Specifies the directory where the file sdconf.rec is located. | |
| .It Cm RevokedKeys | |
| Specifies a list of revoked public keys. | |
| Keys listed in this file will be refused for public key authentication. | |
| @@ -926,6 +933,7 @@ | |
| The default is | |
| .Dq no . | |
| This option applies to protocol version 1 only. | |
| + | |
| .It Cm RSAAuthentication | |
| Specifies whether pure RSA authentication is allowed. | |
| The default is |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment