Here is a new version of my partial auth patch against the April 24, 2001 CVS image. It fixes a couple of things (thanks to Karl M <karlm30 at hotmail.com>), and includes support for hostbased auth. It's still not pretty, but it works.

2 things Karl mentioned aren't fixed:

- auth methods are still hard-coded into servconf.c. Fixing this would require a lot of work, and all the auth methods are hard-coded there as options, anyway.
- The code has not been updated to follow the OpenBSD style guide. The style guide itself says that code should be updated if more than 50% of it is new. This is definitely not the case here, and I'm not about to go and reformat everything I touch.

I'd appreciate any feedback folks have.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

-------------- next part --------------
A non-text attachment was scrubbed...
Name: partialdiff
Type: application/octet-stream
Size: 16209 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/282994a4/attachment.obj
Hi Carson...

I'm a little confused... I don't think that I mentioned these points.

I was looking at getting partial authentication working with CygWin. The code image I am running now takes advantage of the fact that password authentication is done (last) as part of the list and that public key is the only other method used (so I only comment out the check_nt_auth there). I think that the check needs to be removed from the other methods (except password) and done as a final step after all methods in the authentication list have been completed. I didn't think I saw that when I read your patch.

Also... It seems to me that it would be possible to do something similar for ssh1 authentication (possibly without the nice partial success messages and possibly without control of the order of the steps). What are your thoughts on this?

Thanks,

...Karl
Hi Carson...

If it is possible, I would like to see

    Authorder2 publickey,publickey:password

do the "right thing" in the CygWin environment. Meaning (in my view of the world) that if the sshd user-id and the ssh user-id match, publickey authentication is performed. If the sshd user-id and the ssh user-id are different then publickey:password is performed. This requires knowing that the publickey succeeded, but we declared failure because of the user-id mismatch. It also requires remembering the longest successful prefix before starting a new authentication sequence.

Thanks,

...Karl
Hi Carson...

Please help me understand the issues/constraints here. Regarding

    Authorder2 publickey,publickey:password

what part of the syntax do you see as a problem? Is it that an authentication sequence is a proper subset of a later authentication sequence in the list?

If I use

    Authorder2 publickey:method1,publickey:method2

and the public key succeeds but method1 fails, assuming no agent, will the user see

    publickey
    method1
    method2

or will he see

    publickey
    method1
    publickey
    method2

I would hope and vote for the first.

What I would hope to specify is: publickey (when ssh and sshd userids match) and publickey:password (when ssh and sshd userids differ). This gets the password to the sshd so that the userid can be changed in CygWin. Do you have any thoughts on the syntax for this that would be compatible with your syntax?

Thanks,

...Karl
Hi Carson...

Do you have a copy of your patch against 2.9p1 that I can start from?

Thanks,

...Karl

>From: Carson Gaspar <carson at taltos.org>
>To: Karl M <karlm30 at hotmail.com>, openssh-unix-dev at mindrot.org
>Subject: Re: Updated partial auth patch against CVS
>Date: Wed, 02 May 2001 11:47:28 -0700
>
>--On Wednesday, May 02, 2001 11:10 AM -0700 Karl M <karlm30 at hotmail.com> wrote:
>
>>Hi Carson...
>>
>>Please help me understand the issues/constraints here. Regarding
>>
>>Authorder2 publickey,publickey:password
>>
>>what part of the syntax do you see as a problem? Is it that an
>>authentication sequence is a proper subset of a later authentication
>>sequence in the list?
>
>Yes. Although "later" is irrelevant. If publickey succeeds, you're in.
>You'll never be asked for a password. You're suggesting changing that
>behaviour on Cygwin, making it platform-specific. That's bad.
>
>>If I use
>>
>>Authorder2 publickey:method1,publickey:method2
>>
>>and the public key succeeds but method1 fails, assuming no agent will the
>>user see
>>
>>publickey
>>method1
>>method2
>>
>>or will he see
>>
>>publickey
>>method1
>>publickey
>>method2
>>
>>I would hope and vote for the first.
>
>Currently, it should show "method1,method2". This makes the client "do the
>right thing" and let you re-try your flubbed password, without making you
>re-enter your private key passphrase.
>
>>What I would hope to specify is: publickey (when ssh and sshd userids
>>match) and publickey:password (when ssh and sshd userids differ). This
>>gets the password to the sshd so that the userid can be changed in
>>CygWin. Do you have any thoughts on the syntax for this that would be
>>compatible with your syntax?
>
>publickey:cygwinoptpass
>
>and add code to handle the cygwin bizarro world case.
>
>--
>Carson Gaspar - carson at taltos.org
>Queen trapped in a butch body
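The AuthOrder2 semantics argued over in the last three messages (a sequence that is a proper prefix of a later one wins as soon as it completes; after a partial success the server advertises only the next methods of the sequences whose prefix has been satisfied, so a failed method1 leaves "method1,method2" on offer) can be modelled as a small state machine. This is an added illustration written for this thread, not code from Carson's patch or from OpenSSH; the `AuthOrder2` parsing and the `attempt` return values are assumptions made for the model.

```python
from typing import List, Tuple

# Constructed helper, not OpenSSH code: "publickey:method1,publickey:method2"
# becomes [["publickey", "method1"], ["publickey", "method2"]].
def parse_authorder(spec: str) -> List[List[str]]:
    return [seq.split(":") for seq in spec.split(",") if seq]


class PartialAuth:
    """Server-side view of one SSH2 userauth session under an AuthOrder2 spec."""

    def __init__(self, spec: str) -> None:
        self.sequences = parse_authorder(spec)
        self.done: List[str] = []  # methods that have succeeded so far, in order

    def candidates(self) -> List[List[str]]:
        # Sequences whose prefix equals what has already succeeded and which
        # still have at least one method left to run.
        n = len(self.done)
        return [s for s in self.sequences if s[:n] == self.done and len(s) > n]

    def remaining_methods(self) -> List[str]:
        # The "methods that can continue" list sent in USERAUTH_FAILURE,
        # deduplicated but kept in AuthOrder2 order.
        offered: List[str] = []
        for seq in self.candidates():
            nxt = seq[len(self.done)]
            if nxt not in offered:
                offered.append(nxt)
        return offered

    def attempt(self, method: str, succeeded: bool) -> Tuple[str, List[str]]:
        """Returns ("success", []) when a whole sequence is complete,
        ("partial", next_methods) after a successful step, or
        ("failure", next_methods) when the step failed or was not offered."""
        if method not in self.remaining_methods() or not succeeded:
            return "failure", self.remaining_methods()
        self.done.append(method)
        if self.done in self.sequences:  # a complete sequence matched: user is in
            return "success", []
        return "partial", self.remaining_methods()
```

With "publickey,publickey:password" the model lets a successful publickey finish authentication outright, which is exactly the behaviour Carson says must not become platform-specific.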
Hi Carson...

Here is what I have so far. This is a patch based on 2.5.2p2 with your patch. So this is a patch on top of your patch. This patch allows

    AuthOrder2 publickey:uidmatch,publickey:password

for the CygWin environment. It also highlights a couple of minor things I found in your patch. When you have a 2.9p1 patch I will update this.

Thanks,

...Karl

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diffFromCarson252p2patch.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010505/6931fa76/attachment.txt
Hi Carson and Corinna...

Carson--> It seems to me that at the end of input_userauth_request it doesn't matter what uid we are set to (is this true?), so I think that I can remove the tempuid variable and the extra getuid/setuid operations. What do you think?

Corinna--> The only call to check_nt_auth I left in auth2.c is in userauth_passwd. With a password, check_nt_auth always succeeds, so it doesn't need to be there. What do you think?

Thanks,

...Karl