Hi, We have updated our TIS authserv support patch for OpenSSH 2.5.1p2. You'll find it attached to my message. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 -------------- next part --------------
diff -urN openssh-2.5.1p2/Makefile.in openssh-2.5.1p2-tis/Makefile.in
--- openssh-2.5.1p2/Makefile.in Sun Feb 18 20:13:33 2001
+++ openssh-2.5.1p2-tis/Makefile.in Fri Mar 9 10:11:30 2001
@@ -48,7 +48,7 @@
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o tisauth.o
 TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0
diff -urN openssh-2.5.1p2/acconfig.h openssh-2.5.1p2-tis/acconfig.h
--- openssh-2.5.1p2/acconfig.h Mon Feb 26 22:39:07 2001
+++ openssh-2.5.1p2-tis/acconfig.h Fri Mar 9 10:10:31 2001
@@ -299,6 +299,8 @@
 /* Needed for SCO and NeXT */
 #undef BROKEN_SAVED_UIDS
+#undef TIS_AUTH
+
 @BOTTOM@
 /* ******************* Shouldn't need to edit below this line ************** */
diff -urN openssh-2.5.1p2/auth-chall.c openssh-2.5.1p2-tis/auth-chall.c
--- openssh-2.5.1p2/auth-chall.c Sun Feb 18 07:01:00 2001
+++ openssh-2.5.1p2-tis/auth-chall.c Fri Mar 9 11:07:39 2001
@@ -68,7 +68,61 @@
 return authok != 0;
 }
 #else
-#ifdef SKEY
+
+#if defined(SKEY) && defined(TIS_AUTH)
+#error "S/Key and TIS authentication is not supported at the same time"
+#endif
+
+#ifdef TIS_AUTH
+
+#include "tisauth.h"
+#include "servconf.h"
+#include "xmalloc.h"
+
+extern ServerOptions options;
+
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+ static char challenge[128];
+
+ if (!authctxt->tis) {
+ authctxt->tis = tis_connect_multi(options.authserv_addrs);
+ }
+ if (authctxt->tis) {
+ char *tis_chal;
+
+ if (authctxt->pw) {
+ tis_chal = tis_authenticate(authctxt->tis, authctxt->pw->pw_name);
+ }
+ else {
+ tis_chal = tis_fake_challenge();
+ }
+ strlcpy(challenge, tis_chal, sizeof(challenge));
+ xfree(tis_chal);
+
+ return challenge;
+ }
+ return NULL;
+}
+
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+ int res;
+
+ if (!authctxt->tis) {
+ res = 0;
+ }
+ else {
+ res = tis_response(authctxt->tis, response);
+ tis_free(authctxt->tis);
+ authctxt->tis = NULL;
+ }
+ return res && authctxt->valid;
+}
+
+#elif SKEY
 #include <skey.h>
 char *
diff -urN openssh-2.5.1p2/auth.h openssh-2.5.1p2-tis/auth.h
--- openssh-2.5.1p2/auth.h Sun Feb 18 07:01:00 2001
+++ openssh-2.5.1p2-tis/auth.h Fri Mar 9 10:23:09 2001
@@ -49,6 +49,9 @@
 #ifdef BSD_AUTH
 auth_session_t *as;
 #endif
+#ifdef TIS_AUTH
+ struct tis_context *tis;
+#endif
 };
 /*
diff -urN openssh-2.5.1p2/config.h.in openssh-2.5.1p2-tis/config.h.in
--- openssh-2.5.1p2/config.h.in Thu Mar 1 01:11:34 2001
+++ openssh-2.5.1p2-tis/config.h.in Fri Mar 9 11:01:48 2001
@@ -299,6 +299,8 @@
 /* Needed for SCO and NeXT */
 #undef BROKEN_SAVED_UIDS
+#undef TIS_AUTH
+
 /* The number of bytes in a char. */
 #undef SIZEOF_CHAR
diff -urN openssh-2.5.1p2/configure.in openssh-2.5.1p2-tis/configure.in
--- openssh-2.5.1p2/configure.in Wed Feb 28 23:16:12 2001
+++ openssh-2.5.1p2-tis/configure.in Fri Mar 9 10:13:39 2001
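Review bot: `strlcpy(challenge, tis_chal, sizeof(challenge))` in get_challenge dereferences tis_chal without a NULL check, yet tis_authenticate returns NULL whenever the send or recv to the authserv fails or the reply does not begin with `challenge`, so a dropped connection or a malformed server reply crashes the pre-authentication sshd process instead of failing the attempt. A guard after the if/else, `if (tis_chal == NULL) { tis_free(authctxt->tis); authctxt->tis = NULL; return NULL; }`, releases the connection and lets the caller see "no challenge available". The `#elif SKEY` that replaces `#ifdef SKEY` evaluates SKEY as an expression, which works only while SKEY is defined with a non-zero value (autoconf's AC_DEFINE uses 1); `#elif defined(SKEY)` keeps the original meaning regardless. The `devs` parameter is unused by the TIS get_challenge; a one-line comment saying the TIS backend ignores the device list would save the next reader a search.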
@@ -461,6 +461,18 @@
 ]
 )
+# Check whether user wants TIS support
+TIS_MSG="no"
+AC_ARG_WITH(tis,
+ [ --with-tis Enable TIS authsrv support, may not be used with --with-skey],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_DEFINE(TIS_AUTH)
+ TIS_MSG="yes"
+ fi
+ ]
+)
+
 # Check whether user wants TCP wrappers support
 TCPW_MSG="no"
 AC_ARG_WITH(tcp-wrappers,
@@ -1780,6 +1792,7 @@
 echo " KerberosIV support: $KRB4_MSG"
 echo " AFS support: $AFS_MSG"
 echo " S/KEY support: $SKEY_MSG"
+echo " TIS authsrv support: $TIS_MSG"
 echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
diff -urN openssh-2.5.1p2/servconf.c openssh-2.5.1p2-tis/servconf.c
--- openssh-2.5.1p2/servconf.c Thu Feb 15 04:08:27 2001
+++ openssh-2.5.1p2-tis/servconf.c Fri Mar 9 11:12:14 2001
@@ -206,6 +209,9 @@
 #ifdef AFS
 sKerberosTgtPassing, sAFSTokenPassing,
 #endif
+#ifdef TIS_AUTH
+ sAuthservAddress,
+#endif
 sChallengeResponseAuthentication,
 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
@@ -246,6 +252,9 @@
 { "kerberostgtpassing", sKerberosTgtPassing },
 { "afstokenpassing", sAFSTokenPassing },
 #endif
+#ifdef TIS_AUTH
+ { "authservaddress", sAuthservAddress },
+#endif
 { "passwordauthentication", sPasswordAuthentication },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
 { "challengeresponseauthentication", sChallengeResponseAuthentication },
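Review bot: The `--with-tis` help text says the option may not be combined with `--with-skey`, but nothing in the new AC_ARG_WITH block rejects that combination, so the conflict only surfaces as the `#error` in auth-chall.c once the build is already running. A check inside the `withval` branch such as `if test "x$SKEY_MSG" = "xyes" ; then AC_MSG_ERROR([--with-tis cannot be combined with --with-skey]) ; fi` fails configure with a clear message; whether SKEY_MSG is already set at this point depends on the order of the AC_ARG_WITH blocks, which is not visible in the hunk.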
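Review bot: The hunk header `@@ -206,6 +209,9 @@` places the new side three lines below the old before this patch has shown any change to servconf.c, and servconf.h's `@@ -90,6 +91,9 @@` is likewise one line off, so the posted patch appears to be missing earlier hunks in both files (an include or a forward declaration, perhaps). As posted it may not apply cleanly with patch, and a reviewer cannot see what else changed; regenerating the diff from a clean tree would settle it.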
@@ -299,6 +308,34 @@
 return sBadOption;
 }
+#ifdef TIS_AUTH
+void
+add_authserv_addr(ServerOptions *options, char **addr)
+{
+ struct addrinfo hints, *ai, *aitop;
+ char *host, *service;
+ int gaierr;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
+
+ host = strdelim(addr);
+ service = strdelim(addr);
+
+ if ((gaierr = getaddrinfo(host, service, &hints, &aitop)) != 0)
+ fatal("bad addr or host: %s (%s)\n",
+ host ? host : "<NULL>",
+ gai_strerror(gaierr));
+ for (ai = aitop; ai->ai_next; ai = ai->ai_next)
+ ;
+ ai->ai_next = options->authserv_addrs;
+ options->authserv_addrs = aitop;
+
+}
+#endif
+
 /*
 * add listen address
 */
@@ -551,6 +588,12 @@
 case sChallengeResponseAuthentication:
 intptr = &options->challenge_reponse_authentication;
 goto parse_flag;
+
+#ifdef TIS_AUTH
+ case sAuthservAddress:
+ add_authserv_addr(options, &cp);
+ break;
+#endif
 case sPrintMotd:
 intptr = &options->print_motd;
diff -urN openssh-2.5.1p2/servconf.h openssh-2.5.1p2-tis/servconf.h
--- openssh-2.5.1p2/servconf.h Thu Feb 15 04:08:27 2001
+++ openssh-2.5.1p2-tis/servconf.h Fri Mar 9 10:59:50 2001
@@ -90,6 +91,9 @@
 * authentication. */
 int kbd_interactive_authentication; /* If true, permit */
 int challenge_reponse_authentication;
+#ifdef TIS_AUTH
+ struct addrinfo *authserv_addrs;
+#endif
 int permit_empty_passwd; /* If false, do not permit
 * passwords. */
 int use_login; /* If true, login(1) is used */
diff -urN openssh-2.5.1p2/tisauth.c openssh-2.5.1p2-tis/tisauth.c
--- openssh-2.5.1p2/tisauth.c Thu Jan 1 01:00:00 1970
+++ openssh-2.5.1p2-tis/tisauth.c Fri Mar 9 11:26:25 2001
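Review bot: `hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;` in add_authserv_addr can never take the AI_PASSIVE branch, because `addr` is the `char **` cursor passed in as `&cp`, not the host string, and AI_PASSIVE is a bind-side flag that makes no sense for an address sshd will connect to; it reads as copied from add_listen_addr and should simply be `hints.ai_flags = 0;`. A host given without a port is also accepted silently, since getaddrinfo with a NULL service resolves to port 0 and the mistake only shows up when tis_connect fails during a login; `if (host == NULL || service == NULL) fatal("AuthservAddress requires host and port");` at parse time reports it where it was made. Each call prepends to `options->authserv_addrs`, so with several AuthservAddress lines tis_connect_multi appears to try the servers in reverse configuration order — if first-listed-is-preferred is intended, append instead or say so in a comment. The format string passed to fatal ends in `\n`; if fatal() adds its own line terminator like the rest of the file's log calls, drop it.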
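Review bot: The new `AuthservAddress` keyword takes a host and a separate port token (add_authserv_addr pulls two strdelim tokens from `cp`), but the patch adds no entry to sshd.8 or the sample sshd_config, and nothing in this hunk records the syntax. A comment above the case, `/* AuthservAddress host port: may be repeated; each entry is resolved at parse time */`, plus a manual-page hunk would make the option discoverable. process_server_config_line begins and ends outside this hunk.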
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2000 BalaBit IT Ltd.
+ * All rights reserved
+ *
+ * Authors: Bal?zs Scheidler, Attila Szalay
+ *
+ */
+
+#include "includes.h"
+#include "ssh.h"
+
+#ifdef TIS_AUTH
+
+struct tis_context {
+ int connfd;
+};
+
+struct tis_context *tis_connect(struct sockaddr *addr, int addrlen)
+{
+ struct tis_context *ctx;
+ char line[128];
+ int fd;
+
+ fd = socket(addr->sa_family, SOCK_STREAM, 0);
+ if (fd < 0)
+ return NULL;
+
+ if (connect(fd, addr, addrlen) < 0) {
+ close(fd);
+ return NULL;
+ }
+
+ /* grab greeting line */
+ if (read(fd, line, sizeof(line)) < 0) {
+ close(fd);
+ return NULL;
+ }
+ ctx = malloc(sizeof(struct tis_context));
+ ctx->connfd = fd;
+ return ctx;
+}
+
+struct tis_context *tis_connect_multi(struct addrinfo *addrs)
+{
+ struct addrinfo *p;
+ struct tis_context *tis;
+
+ for (p = addrs; p; p = p->ai_next) {
+ tis = tis_connect(p->ai_addr, p->ai_addrlen);
+ if (tis)
+ return tis;
+ }
+ return NULL;
+}
+
+void tis_free(struct tis_context *ctx)
+{
+ if (ctx) {
+ close(ctx->connfd);
+ free(ctx);
+ }
+}
+
+char *tis_authenticate(struct tis_context *ctx, char *user)
+{
+ char line[128];
+ int length;
+
+ snprintf(line, 120, "authenticate \"%.32s\"\n", user);
+ if (send(ctx->connfd,line,strlen(line),0) < 0) {
+ return NULL;
+ }
+ if ((length = recv(ctx->connfd, line, sizeof(line) - 1, 0)) <= 0)
+ return NULL;
+ line[length] = 0;
+ if (line[length - 1] == '\n')
+ line[length - 1] = 0;
+ if (strncmp(line, "challenge", 9) != 0)
+ return NULL;
+ return strdup(line + 10);
+}
+
+int tis_response(struct tis_context *ctx, char *response)
+{
+ char line[128];
+ int length;
+
+ snprintf(line, 120, "response \"%.64s\"\n", response) ;
+ if (send(ctx->connfd, line, strlen(line), 0) < 0)
+ return 0;
+ if ((length = recv(ctx->connfd, line, sizeof(line) - 1, 0)) < 0)
+ return 0;
+ line[length] = 0;
+ if (strncmp(line, "ok", 2) == 0) {
+ return 1;
+ }
+ return 0;
+}
+
+char *tis_fake_challenge(void)
+{
+ char challenge[9];
+ unsigned long rnd;
+
+ rnd = time(NULL) ^ getpid();
+ snprintf(challenge, sizeof(challenge), "%ld", rnd);
+ return strdup(challenge);
+}
+
+#endif
diff -urN openssh-2.5.1p2/tisauth.h openssh-2.5.1p2-tis/tisauth.h
--- openssh-2.5.1p2/tisauth.h Thu Jan 1 01:00:00 1970
+++ openssh-2.5.1p2-tis/tisauth.h Fri Mar 9 10:10:31 2001
@@ -0,0 +1,14 @@
+#ifndef _TISAUTH_H_INCLUDED
+#define _TISAUTH_H_INCLUDED
+
+struct tis_context;
+
+struct tis_context *tis_connect(struct sockaddr *addr, int addrlen);
+struct tis_context *tis_connect_multi(struct addrinfo *addrs);
+void tis_free(struct tis_context *ctx);
+char *tis_authenticate(struct tis_context *ctx, char *user);
+int tis_response(struct tis_context *ctx, char *response);
+char *tis_fake_challenge(void);
+
+#endif
+
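Review bot: `return strdup(line + 10);` in tis_authenticate reads past the string when the reply is exactly `challenge` (length 9): the strncmp checks only the first nine bytes, line[9] is the terminator just written, and line + 10 points at whatever uninitialised stack bytes follow, so the copied challenge is garbage and the read can run beyond the buffer. Checking length and delimiter together, `if (length < 11 || strncmp(line, "challenge ", 10) != 0) return NULL;`, closes that. Elsewhere in the same hunk, `malloc` in tis_connect is not checked before `ctx->connfd = fd`, `length` stores a `ssize_t` in an `int`, and tis_fake_challenge formats an `unsigned long` with `%ld` into a 9-byte buffer, so the value is both mistyped and usually truncated — `%lu` with a buffer sized for the full value is needed, and because that fake value is derived from `time(NULL) ^ getpid()` it may not conceal whether the account exists, which appears to be its purpose. For the protocol as a whole, tis_response treats any reply beginning with `ok` on the plain TCP connection as success and nothing authenticates the authserv end, so the configured addresses are only safe over a trusted path; a comment at the top of the file stating that deployment assumption would help whoever enables this.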