Sorry 3.0 feature set occured when OpenBSD 3.0 went to cd pressing.
Sorry
- Ben
On Sun, 4 Nov 2001, Wichert Akkerman wrote:
>
> I redid my previous OPIE patch for the current ssh tree. It seems
> to work fine here, and I'ld love to see it merged before the 3.0
> release.
>
> Wichert.
>
>
> diff -x CVS -wNur ../cvs/other/openssh_cvs/Makefile.in
openssh_cvs/Makefile.in
> --- ../cvs/other/openssh_cvs/Makefile.in Mon Oct 22 02:53:59 2001
> +++ openssh_cvs/Makefile.in Sun Nov 4 01:18:19 2001
> @@ -50,7 +50,7 @@
>
> SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o
readconf.o clientloop.o
>
> -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o
auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o
serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
> +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o
auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o
serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
auth-opie.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out
ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1
sshd.8 sftp-server.8 sftp.1
> diff -x CVS -wNur ../cvs/other/openssh_cvs/acconfig.h
openssh_cvs/acconfig.h
> --- ../cvs/other/openssh_cvs/acconfig.h Mon Oct 22 02:53:59 2001
> +++ openssh_cvs/acconfig.h Sun Nov 4 01:34:28 2001
> @@ -196,6 +196,9 @@
> /* Define if you want S/Key support */
> #undef SKEY
>
> +/* Define if you want OPIE support */
> +#undef OPIE
> +
> /* Define if you want TCP Wrappers support */
> #undef LIBWRAP
>
> diff -x CVS -wNur ../cvs/other/openssh_cvs/auth-opie.c
openssh_cvs/auth-opie.c
> --- ../cvs/other/openssh_cvs/auth-opie.c Thu Jan 1 01:00:00 1970
> +++ openssh_cvs/auth-opie.c Sun Nov 4 02:42:50 2001
> @@ -0,0 +1,106 @@
> +/*
> + * Copyright (c) 2001 Wichert Akkerman. All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + * notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
EXPRESS OR
> + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES
> + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT
> + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE,
> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF
> + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +#include "includes.h"
> +RCSID("$Id");
> +
> +#ifdef OPIE
> +
> +#include <opie.h>
> +
> +#include "xmalloc.h"
> +#include "auth.h"
> +
> +static void *
> +opie_init_ctx(Authctxt *authctxt)
> +{
> + return authctxt;
> +}
> +
> +#define PROMPT "\nOPIE Password: "
> +
> +static int
> +opie_query(void *ctx, char **name, char **infotxt,
> + u_int* numprompts, char ***prompts, u_int **echo_on)
> +{
> + Authctxt *authctxt = ctx;
> + char challenge[OPIE_CHALLENGE_MAX+64], *p;
> + int len;
> + struct opie opie;
> +
> + if (opiechallenge(&opie, authctxt->user, challenge) != 0)
> + return -1;
> +
> + opieverify(&opie, ""); /* Zap lock again */
> +
> + *name = xstrdup("");
> + *infotxt = xstrdup("");
> + *numprompts = 1;
> + *prompts = xmalloc(*numprompts * sizeof(char*));
> + *echo_on = xmalloc(*numprompts * sizeof(u_int));
> + (*echo_on)[0] = 0;
> +
> + len = strlen(challenge) + strlen(PROMPT) + 1;
> + p = xmalloc(len);
> + p[0] = '\0';
> + strlcat(p, challenge, len);
> + strlcat(p, PROMPT, len);
> + (*prompts)[0] = p;
> +
> + return 0;
> +}
> +
> +static int
> +opie_respond(void *ctx, u_int numresponses, char **responses)
> +{
> + struct opie opie;
> + char challenge[OPIE_CHALLENGE_MAX];
> + Authctxt *authctxt = ctx;
> +
> + if (opiechallenge(&opie, authctxt->user, challenge) != 0)
> + return -1;
> +
> + if (authctxt->valid &&
> + numresponses == 1 &&
> + opieverify(&opie, responses[0]) == 0)
> + return 0;
> + else
> + opieverify(&opie, ""); /* Always need to verify to keep
locks
> + in sync */
> + return -1;
> +}
> +
> +static void
> +opie_free_ctx(void *ctx)
> +{
> + /* we don't have a special context */
> +}
> +
> +KbdintDevice opie_device = {
> + "opie",
> + opie_init_ctx,
> + opie_query,
> + opie_respond,
> + opie_free_ctx
> +};
> +#endif /* OPIE */
> diff -x CVS -wNur ../cvs/other/openssh_cvs/auth2-chall.c
openssh_cvs/auth2-chall.c
> --- ../cvs/other/openssh_cvs/auth2-chall.c Wed Oct 3 19:12:44 2001
> +++ openssh_cvs/auth2-chall.c Sun Nov 4 01:25:57 2001
> @@ -42,6 +42,10 @@
> #else
> #ifdef SKEY
> extern KbdintDevice skey_device;
> +#else
> +#ifdef OPIE
> +extern KbdintDevice opie_device;
> +#endif
> #endif
> #endif
>
> @@ -51,6 +55,10 @@
> #else
> #ifdef SKEY
> &skey_device,
> +#else
> +#ifdef OPIE
> + &opie_device,
> +#endif
> #endif
> #endif
> NULL
> diff -x CVS -wNur ../cvs/other/openssh_cvs/configure.ac
openssh_cvs/configure.ac
> --- ../cvs/other/openssh_cvs/configure.ac Sat Oct 27 19:45:37 2001
> +++ openssh_cvs/configure.ac Sun Nov 4 01:32:17 2001
> @@ -514,6 +514,32 @@
> ]
> )
>
> +# Check whether user wants OPIE support
> +OPIE_MSG="no"
> +AC_ARG_WITH(opie,
> + [ --with-opie[[=PATH]] Enable OPIE support
> + (optionally in PATH)],
> + [
> + if test "x$withval" != "xno" ; then
> +
> + if test "x$withval" != "xyes" ; then
> + CPPFLAGS="$CPPFLAGS -I${withval}/include"
> + LDFLAGS="$LDFLAGS -L${withval}/lib"
> + fi
> +
> + AC_DEFINE(OPIE)
> + LIBS="-lopie $LIBS"
> + OPIE_MSG="yes"
> +
> + AC_CHECK_FUNC(opiechallenge,
> + [],
> + [
> + AC_MSG_ERROR([** Incomplete or missing OPIE libraries.])
> + ])
> + fi
> + ]
> +)
> +
> # Check whether user wants TCP wrappers support
> TCPW_MSG="no"
> AC_ARG_WITH(tcp-wrappers,
> @@ -2211,6 +2237,7 @@
> echo " Smartcard support: $SCARD_MSG"
> echo " AFS support: $AFS_MSG"
> echo " S/KEY support: $SKEY_MSG"
> +echo " OPIE support: $OPIE_MSG"
> echo " TCP Wrappers support: $TCPW_MSG"
> echo " MD5 password support: $MD5_MSG"
> echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
> diff -x CVS -wNur ../cvs/other/openssh_cvs/readconf.c
openssh_cvs/readconf.c
> --- ../cvs/other/openssh_cvs/readconf.c Wed Oct 3 19:39:39 2001
> +++ openssh_cvs/readconf.c Sun Nov 4 01:44:19 2001
> @@ -141,6 +141,7 @@
> { "challengeresponseauthentication",
oChallengeResponseAuthentication },
> { "skeyauthentication", oChallengeResponseAuthentication }, /*
alias */
> { "tisauthentication", oChallengeResponseAuthentication }, /*
alias */
> + { "opieauthentication", oChallengeResponseAuthentication }, /*
alias */
> #if defined(KRB4) || defined(KRB5)
> { "kerberosauthentication", oKerberosAuthentication },
> #endif
> diff -x CVS -wNur ../cvs/other/openssh_cvs/servconf.c
openssh_cvs/servconf.c
> --- ../cvs/other/openssh_cvs/servconf.c Wed Sep 12 18:32:15 2001
> +++ openssh_cvs/servconf.c Sun Nov 4 01:44:27 2001
> @@ -286,6 +286,7 @@
> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication
},
> { "challengeresponseauthentication",
sChallengeResponseAuthentication },
> { "skeyauthentication", sChallengeResponseAuthentication }, /*
alias */
> + { "opieauthentication", sChallengeResponseAuthentication }, /*
alias */
> { "checkmail", sDeprecated },
> { "listenaddress", sListenAddress },
> { "printmotd", sPrintMotd },
>
> --
> _________________________________________________________________
> / Nothing is fool-proof to a sufficiently talented fool \
> | wichert at wiggy.net http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
>