diff -Naur openssh-3.9p1/auth1.c openssh-3.9p1-authd-0.1/auth1.c --- openssh-3.9p1/auth1.c 2004-08-12 08:40:25.000000000 -0400 +++ openssh-3.9p1-authd-0.1/auth1.c 2004-08-26 18:41:02.509257984 -0400 @@ -25,6 +25,12 @@ #include "session.h" #include "uidswap.h" #include "monitor_wrap.h" +#include +#include +#include +#include +#include +#include /* import */ extern ServerOptions options; @@ -69,7 +75,12 @@ u_int dlen; u_int ulen; int prev, type = 0; - + /* XXX added for authd authentication */ + credentials ucred; + signature usig; + char *sigdata; + int siglen,j; + debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); @@ -118,6 +129,38 @@ /* Process the packet. */ switch (type) { + case SSH_CMSG_AUTH_AUTHD: + if (!options.authd_authentication) { + verbose("Authd authentication disabled."); + break; + } + /* XXX XXX + * Authentication with authd + */ + ucred.uid = packet_get_int (); + ucred.gid = packet_get_int (); + /* XXX not really ints here... */ + ucred.valid_from = (time_t)packet_get_int (); + ucred.valid_to = (time_t)packet_get_int (); + sigdata = (char *)packet_get_string (&siglen); + packet_check_eom (); + memcpy(usig.data,sigdata,AUTH_RSA_SIGLEN); + /* Check requested user against the uid provided + * in the authd credentials. + */ + if (ucred.uid != authctxt->pw->pw_uid) { + verbose ("User id match required for authd authentication!\n"); + memset(sigdata, 0, strlen(sigdata)); + xfree (sigdata); + break; + } + if(!use_privsep) + authenticated = (auth_verify_signature (&ucred,&usig) == AUTH_OK); + else + authenticated = PRIVSEP(auth_verify_signature (&ucred, &usig)); + memset(sigdata, 0, strlen(sigdata)); + xfree (sigdata); + break; case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); 
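Review bot: `int siglen,j;` declares `j`, which nothing in the new `SSH_CMSG_AUTH_AUTHD` case uses, and gives `siglen` type `int` even though `&siglen` is handed to `packet_get_string()`, whose length argument is a `u_int` everywhere else in this diff (auth2-passwd.c's `u_int len`, monitor.c's `u_int siglen`). Drop `j` and declare `u_int siglen;` so the call does not pass a mismatched pointer. These declarations belong to do_authloop, whose body continues outside the hunk.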
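Review bot: `memcpy(usig.data,sigdata,AUTH_RSA_SIGLEN)` copies a fixed AUTH_RSA_SIGLEN bytes out of a client-supplied string whose real length `siglen` is never examined, so a shorter or empty string makes the server read past the end of the buffer returned by `packet_get_string()`; the same unchecked copy appears in auth2-authd.c's `userauth_authd` and in monitor.c's `mm_answer_authverifysig`. Reject the request before copying: `if (siglen != AUTH_RSA_SIGLEN) { xfree(sigdata); verbose("Bad authd signature length %u.", siglen); break; }`. The two `memset(sigdata, 0, strlen(sigdata))` calls also clear the wrong amount, because the signature is binary and `strlen` stops at its first zero byte; pass `siglen` as the length (the other two files have the same pattern). The `verbose("User id match required ...!\n")` message carries a trailing `\n` that the neighbouring `verbose("Rhosts with RSA authentication disabled.")` does not, so it will log an extra blank line.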
@@ -334,4 +377,5 @@
 packet_start(SSH_SMSG_SUCCESS);
 packet_send();
 packet_write_wait();
+
 }
diff -Naur openssh-3.9p1/auth2-authd.c openssh-3.9p1-authd-0.1/auth2-authd.c
--- openssh-3.9p1/auth2-authd.c 1969-12-31 19:00:00.000000000 -0500
+++ openssh-3.9p1-authd-0.1/auth2-authd.c 2004-08-26 18:41:17.053046992 -0400
@@ -0,0 +1,73 @@ +/* + * Copyright (c) 2004 Rocketalc LLC. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" +#include "xmalloc.h" +#include "packet.h" +#include "log.h" +#include "auth.h" +#include "monitor_wrap.h" +#include "servconf.h" + +/* import */ +extern ServerOptions options; + +static int +userauth_authd(Authctxt *authctxt) +{ + credentials ucred; + signature usig; + char *sigdata; + int siglen; + int authenticated = 0; + if (!authctxt->valid) { + debug2("userauth_authd: disabled (user invalid)"); + return 0; + } + ucred.uid = packet_get_int (); + ucred.gid = packet_get_int (); + /* XXX not really integers...fix this */ + ucred.valid_from = (time_t)packet_get_int (); + ucred.valid_to = (time_t)packet_get_int (); + sigdata = packet_get_string (&siglen); + packet_check_eom (); + memcpy (usig.data, sigdata, AUTH_RSA_SIGLEN); + if (ucred.uid != authctxt->pw->pw_uid) + logit ("User id match required for authd authentication."); + else { + if(!use_privsep) + authenticated = (auth_verify_signature (&ucred, &usig) == AUTH_OK); + else + authenticated = PRIVSEP (auth_verify_signature (&ucred, &usig)); + } + memset (sigdata, 0, strlen(sigdata)); + xfree (sigdata); + return authenticated; +} + +Authmethod method_authd = { + "authd", + userauth_authd, + &options.authd_authentication +}; diff -Naur openssh-3.9p1/auth2.c openssh-3.9p1-authd-0.1/auth2.c --- openssh-3.9p1/auth2.c 2004-08-12 08:40:25.000000000 -0400 +++ openssh-3.9p1-authd-0.1/auth2.c 2004-08-23 16:11:14.000000000 -0400 @@ -55,9 +55,11 @@ #ifdef GSSAPI extern Authmethod method_gssapi; #endif +extern Authmethod method_authd; /* XXX AUTHD authentication */ Authmethod *authmethods[] = { &method_none, + &method_authd, &method_pubkey, #ifdef GSSAPI &method_gssapi, 
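Review bot: The request `userauth_authd` verifies consists only of uid, gid, valid_from, valid_to and the authd signature over them; nothing visible in this diff ties the signed credential to the SSH2 session id or to the server it is presented to, so, as far as the diff shows, the same blob is accepted by any server able to verify it until `auth_verify_signature()` rejects it on the validity window. That differs from the existing pubkey method, whose signed data includes the session id, and the limitation should at least be stated at the top of the function: `/* NOTE: the signature covers (uid, gid, valid_from, valid_to) only, not the session id; replay protection rests solely on the validity window enforced by auth_verify_signature(). */`. Separately, `int siglen` should be `u_int` to match the `packet_get_string()` parameter, as monitor.c's `u_int siglen` already does.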
@@ -291,7 +293,7 @@ for (i = 0; authmethods[i] != NULL; i++) if (authmethods[i]->enabled != NULL && *(authmethods[i]->enabled) != 0 && - strcmp(name, authmethods[i]->name) == 0) + strcmp(name, authmethods[i]->name) == 0) return authmethods[i]; debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); diff -Naur openssh-3.9p1/auth2-passwd.c openssh-3.9p1-authd-0.1/auth2-passwd.c --- openssh-3.9p1/auth2-passwd.c 2003-12-30 19:43:24.000000000 -0500 +++ openssh-3.9p1-authd-0.1/auth2-passwd.c 2004-08-23 15:41:27.000000000 -0400 @@ -42,7 +42,6 @@ int authenticated = 0; int change; u_int len, newlen; - change = packet_get_char(); password = packet_get_string(&len); if (change) { diff -Naur openssh-3.9p1/AUTHD_NOTES openssh-3.9p1-authd-0.1/AUTHD_NOTES --- openssh-3.9p1/AUTHD_NOTES 1969-12-31 19:00:00.000000000 -0500 +++ openssh-3.9p1-authd-0.1/AUTHD_NOTES 2004-08-27 08:31:53.703724488 -0400 
@@ -0,0 +1,26 @@ +August 22, 2004 notes: + +* Should change this to use macros like #ifdef AUTHD and add a + --enable-authd option to configure. XXX +* time_t values in the authd credentials struct are transferred as + integers -- this must be fixed. +* It's silly to use the libe ssl functions from the authd project. + We should use the same RSA functions used by the OpenSSH code. +* Should make the location and name of the RSA pem files used by + the authd authentication scheme configurable. + +Files: +sshconnect1 -- client side (ssh) code modified to send authd request +sshconnect2 -- client side (ssh) code modified to send authd request +Added client side option "AuthdAuthentication" (yes/no) -- default is yes +The new option affects the readconf.c file. + +auth1.c -- server side (sshd) code modified to accept authd requests +auth2.c +auth2-authd.c + +serverconfig.c/.h -- added options->authd_authentication field and added + "useauthdauthentication" in the sshd config file. + +monitor_wrap.c/.h -- added privsep functions for auth_verify_signature +monitor.c -- (required by auth1.c and auth2-authd.c) diff -Naur openssh-3.9p1/auth.h openssh-3.9p1-authd-0.1/auth.h --- openssh-3.9p1/auth.h 2004-05-23 20:36:23.000000000 -0400 +++ openssh-3.9p1-authd-0.1/auth.h 2004-08-26 19:03:53.289867656 -0400 @@ -185,3 +185,8 @@ #define SKEY_PROMPT "\nS/Key Password: " #endif + + + +/* XXX Authd authentication */ +#include diff -Naur openssh-3.9p1/configure openssh-3.9p1-authd-0.1/configure --- openssh-3.9p1/configure 2004-08-17 08:54:53.000000000 -0400 +++ openssh-3.9p1-authd-0.1/configure 2004-08-26 18:34:04.426816176 -0400 @@ -24249,9 +24249,9 @@ exec 5>>config.log { echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <&5 cat >&5 <<_CSEOF diff -Naur openssh-3.9p1/Makefile.in openssh-3.9p1-authd-0.1/Makefile.in --- openssh-3.9p1/Makefile.in 2004-08-15 07:01:37.000000000 -0400 +++ openssh-3.9p1-authd-0.1/Makefile.in 2004-08-26 18:54:08.821720320 -0400 
@@ -42,7 +42,7 @@ LD=@LD@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -LIBS=@LIBS@ +LIBS=@LIBS@ -lauth -le LIBPAM=@LIBPAM@ LIBWRAP=@LIBWRAP@ AR=@AR@ @@ -82,7 +82,7 @@ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ - auth-krb5.o \ + auth-krb5.o auth2-authd.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o diff -Naur openssh-3.9p1/monitor.c openssh-3.9p1-authd-0.1/monitor.c --- openssh-3.9p1/monitor.c 2004-07-17 03:05:14.000000000 -0400 +++ openssh-3.9p1-authd-0.1/monitor.c 2004-08-25 11:21:46.061843512 -0400 @@ -126,6 +126,7 @@ int mm_answer_rsa_response(int, Buffer *); int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); +int mm_answer_authverifysig(int, Buffer *); /* XXX Authd addition */ #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); @@ -178,6 +179,7 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + {MONITOR_REQ_AUTH_VERIFY_SIG, MON_AUTH, mm_answer_authverifysig}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, @@ -223,6 +225,7 @@ {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response}, + {MONITOR_REQ_AUTH_VERIFY_SIG, MON_AUTH, mm_answer_authverifysig}, #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond}, 
@@ -677,6 +680,45 @@ return (authenticated); } +int +mm_answer_authverifysig(int sock, Buffer *m) +{ + static int call_count; + credentials creds; + signature creds_sig; + char * sigdata; + u_int siglen; + int authenticated; + + creds.uid = buffer_get_int (m); + creds.gid = buffer_get_int (m); + /* XXX Specify appropriate type here instead of int */ + creds.valid_from = (time_t)buffer_get_int (m); + creds.valid_to = (time_t)buffer_get_int (m); + sigdata = buffer_get_string (m, &siglen); + memcpy (creds_sig.data, sigdata, AUTH_RSA_SIGLEN); + /* Only authenticate if the context is valid */ + authenticated = options.authd_authentication && + (auth_verify_signature (&creds, &creds_sig)==AUTH_OK); + memset(sigdata, 0, strlen(sigdata)); + xfree(sigdata); + + buffer_clear(m); + buffer_put_int(m, authenticated); + + debug3("%s: sending result %d", __func__, authenticated); + mm_request_send(sock, MONITOR_ANS_AUTH_VERIFY_SIG, m); + + call_count++; + if (siglen == 0 && call_count == 1) + auth_method = "none"; + else + auth_method = "authd"; + + /* Causes monitor loop to terminate if authenticated */ + return (authenticated); +} + #ifdef BSD_AUTH int mm_answer_bsdauthquery(int sock, Buffer *m) diff -Naur openssh-3.9p1/monitor.h openssh-3.9p1-authd-0.1/monitor.h --- openssh-3.9p1/monitor.h 2003-11-17 06:18:22.000000000 -0500 +++ openssh-3.9p1-authd-0.1/monitor.h 2004-08-23 00:51:52.000000000 -0400 @@ -59,6 +59,7 @@ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, + MONITOR_REQ_AUTH_VERIFY_SIG, MONITOR_ANS_AUTH_VERIFY_SIG, MONITOR_REQ_TERM }; diff -Naur openssh-3.9p1/monitor_wrap.c openssh-3.9p1-authd-0.1/monitor_wrap.c --- openssh-3.9p1/monitor_wrap.c 2004-07-17 03:05:14.000000000 -0400 +++ openssh-3.9p1-authd-0.1/monitor_wrap.c 2004-08-25 11:04:33.433826832 -0400 @@ -59,6 +59,7 @@ #include "channels.h" #include "session.h" + #ifdef GSSAPI #include "ssh-gss.h" #endif 
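Review bot: `mm_answer_authverifysig` lets the monitor decide authentication without checking whose credential it was handed: it verifies the signature over whatever `creds.uid`/`creds.gid` the unprivileged child sent, while the uid-versus-`pw_uid` comparison lives only in the child (auth1.c, auth2-authd.c), which is precisely the process privilege separation assumes may be compromised before authentication. The monitor should repeat the check against its own record of the user before calling `auth_verify_signature()`, e.g. `authenticated = options.authd_authentication && creds.uid == authctxt->pw->pw_uid && (auth_verify_signature (&creds, &creds_sig) == AUTH_OK);` — the `authctxt` used by the neighbouring password handler is outside the hunk, so confirm it is the monitor-side Authctxt. The `call_count`/`siglen == 0` block that sets `auth_method = "none"` is copied from the password handler, where an empty first password means the "none" method; an empty signature here is a malformed request, not "none", so set `auth_method = "authd";` unconditionally and drop `call_count`.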
@@ -299,6 +300,37 @@ return (authenticated); } +/* XXX XXX Do the authd authentication */ +int +mm_auth_verify_signature (credentials *creds, signature *creds_sig) +{ + Buffer m; + int authenticated = 0; + + debug3("%s entering", __func__); + + buffer_init (&m); + buffer_put_int (&m, creds->uid); + buffer_put_int (&m, creds->gid); + /* XXX These are not integers... */ + buffer_put_int (&m, (int)creds->valid_from); + buffer_put_int (&m, (int)creds->valid_to); + buffer_put_string (&m, creds_sig->data, AUTH_RSA_SIGLEN); + mm_request_send (pmonitor->m_recvfd, MONITOR_REQ_AUTH_VERIFY_SIG, &m); + + debug3("%s: waiting for MONITOR_ANS_AUTH_VERIFY_SIG", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTH_VERIFY_SIG, &m); + + authenticated = buffer_get_int(&m); + + buffer_free(&m); + + debug3("%s: user %sauthenticated", + __func__, authenticated ? "" : "not "); + return (authenticated); +} + + int mm_user_key_allowed(struct passwd *pw, Key *key) { @@ -1183,3 +1215,4 @@ return (authenticated); } #endif /* GSSAPI */ + diff -Naur openssh-3.9p1/monitor_wrap.h openssh-3.9p1-authd-0.1/monitor_wrap.h --- openssh-3.9p1/monitor_wrap.h 2004-06-21 22:56:02.000000000 -0400 +++ openssh-3.9p1-authd-0.1/monitor_wrap.h 2004-08-26 18:39:53.529744464 -0400 @@ -30,6 +30,15 @@ #include "key.h" #include "buffer.h" +/* XXX Authd headers */ +#include +#include +#include +#include +#include +#include + + extern int use_privsep; #define PRIVSEP(x) (use_privsep ? mm_##x : x) 
@@ -54,6 +63,7 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); +int mm_auth_verify_signature (credentials *, signature *); BIGNUM *mm_auth_rsa_generate_challenge(Key *); #ifdef GSSAPI diff -Naur openssh-3.9p1/readconf.c openssh-3.9p1-authd-0.1/readconf.c --- openssh-3.9p1/readconf.c 2004-07-17 02:12:08.000000000 -0400 +++ openssh-3.9p1-authd-0.1/readconf.c 2004-08-23 12:17:06.000000000 -0400 @@ -107,7 +107,7 @@ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, - oDeprecated, oUnsupported + oDeprecated, oUnsupported, oUseAuthdAuthentication } OpCodes; /* Textual representations of the tokens. */ @@ -197,6 +197,7 @@ { "sendenv", oSendEnv }, { "controlpath", oControlPath }, { "controlmaster", oControlMaster }, + { "authdauthentication", oUseAuthdAuthentication }, { NULL, oBadOption } }; @@ -440,6 +441,10 @@ intptr = &options->tcp_keep_alive; goto parse_flag; + case oUseAuthdAuthentication: + intptr = &options->authd_authentication; + goto parse_flag; + case oNoHostAuthenticationForLocalhost: intptr = &options->no_host_authentication_for_localhost; goto parse_flag; @@ -917,6 +922,7 @@ options->num_send_env = 0; options->control_path = NULL; options->control_master = -1; + options->authd_authentication = -1; /* XXX AUTHD */ } /* @@ -929,6 +935,8 @@ { int len; + if (options->authd_authentication == -1) + options->authd_authentication = 1; /* XXX AUTHD */ if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) diff -Naur openssh-3.9p1/readconf.h openssh-3.9p1-authd-0.1/readconf.h --- openssh-3.9p1/readconf.h 2004-07-17 02:12:08.000000000 -0400 +++ openssh-3.9p1-authd-0.1/readconf.h 2004-08-23 10:50:58.000000000 -0400 
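Review bot: `options->authd_authentication = 1` makes the client offer its signed authd credential by default, whereas the server side of this same diff (servconf.c) defaults `authd_authentication` to 0 and every comment marks the method experimental; the safer default for a credential that is sent before any other method is 0, with `AuthdAuthentication yes` opted into per host. Whichever default is kept, the flag is honoured only by the SSH2 method table, since sshconnect1.c in this diff calls `try_authd_authentication()` without consulting it. The new `if` is also placed ahead of the `forward_agent` default rather than, presumably, next to the other `*_authentication` defaults further down (the rest of the function is outside the hunk).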
@@ -41,6 +41,7 @@ int rsa_authentication; /* Try RSA authentication. */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ + int authd_authentication; /* XXX Try authd authentication */ int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ diff -Naur openssh-3.9p1/servconf.c openssh-3.9p1-authd-0.1/servconf.c --- openssh-3.9p1/servconf.c 2004-08-13 07:30:24.000000000 -0400 +++ openssh-3.9p1-authd-0.1/servconf.c 2004-08-23 12:18:20.000000000 -0400 @@ -102,6 +102,7 @@ options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; options->num_accept_env = 0; + options->authd_authentication = -1; /* XXX AUTHD */ /* Needs to be accessable in many places */ use_privsep = -1; @@ -230,6 +231,8 @@ } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->authd_authentication == -1) + options->authd_authentication = 0; /*XXX AUTHD OFF BY DEFAULT*/ /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -271,8 +274,8 @@ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, - sUsePrivilegeSeparation, - sDeprecated, sUnsupported + sUsePrivilegeSeparation, + sDeprecated, sUnsupported, sUseAuthdAuthentication } ServerOpCodes; /* Textual representation of the tokens. */ @@ -372,6 +375,7 @@ { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, + { "useauthdauthentication", sUseAuthdAuthentication}, { NULL, sBadOption } }; 
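Review bot: The server keyword is spelled `useauthdauthentication` while the client keyword added in readconf.c is `authdauthentication`; the other per-method keywords visible in the sample configs of this diff (`HostbasedAuthentication`, `PubkeyAuthentication`) are spelled the same on both sides, so the `Use` prefix here is an inconsistency that will trip administrators copying between ssh_config and sshd_config. Register `{ "authdauthentication", sUseAuthdAuthentication }` (keeping the current spelling as an alias if anything already depends on it) and update the sshd_config sample to match.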
@@ -630,6 +634,10 @@ intptr = &options->rsa_authentication; goto parse_flag; + case sUseAuthdAuthentication: + intptr = &options->authd_authentication; + goto parse_flag; + case sPubkeyAuthentication: intptr = &options->pubkey_authentication; goto parse_flag; diff -Naur openssh-3.9p1/servconf.h openssh-3.9p1-authd-0.1/servconf.h --- openssh-3.9p1/servconf.h 2004-06-24 23:33:20.000000000 -0400 +++ openssh-3.9p1-authd-0.1/servconf.h 2004-08-22 22:57:56.000000000 -0400 @@ -73,6 +73,7 @@ * authentication. */ int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ int hostbased_uses_name_from_packet_only; /* experimental */ + int authd_authentication; /* Experimental authd authentication XXX */ int rsa_authentication; /* If true, permit RSA authentication. */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ int kerberos_authentication; /* If true, permit Kerberos diff -Naur openssh-3.9p1/ssh1.h openssh-3.9p1-authd-0.1/ssh1.h --- openssh-3.9p1/ssh1.h 2004-07-17 02:12:08.000000000 -0400 +++ openssh-3.9p1-authd-0.1/ssh1.h 2004-08-21 14:22:15.000000000 -0400 @@ -65,6 +65,7 @@ #define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */ #define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ #define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ +#define SSH_CMSG_AUTH_AUTHD 45 /* credentials, signature */ /* protocol version 1.5 overloads some version 1.3 message types */ #define SSH_MSG_CHANNEL_INPUT_EOF SSH_MSG_CHANNEL_CLOSE diff -Naur openssh-3.9p1/ssh_config openssh-3.9p1-authd-0.1/ssh_config --- openssh-3.9p1/ssh_config 2003-08-13 06:37:05.000000000 -0400 +++ openssh-3.9p1-authd-0.1/ssh_config 2004-08-27 08:32:56.729143168 -0400 
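Review bot: `#define SSH_CMSG_AUTH_AUTHD 45` is appended after the `65` entry, breaking the numeric ordering the rest of this table keeps, and the comment does not say that 45 is a locally chosen type number (as far as this header shows, not otherwise assigned) rather than one defined by the protocol, so any other extension using 45 would be misparsed by do_authloop. Move it next to `SSH_CMSG_HAVE_KERBEROS_TGT 44` and say so: `#define SSH_CMSG_AUTH_AUTHD 45 /* credentials (4 ints), signature (s); local extension */`.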
@@ -22,6 +22,7 @@ # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no +# AuthdAuthentication yes # BatchMode no # CheckHostIP yes # AddressFamily any diff -Naur openssh-3.9p1/sshconnect1.c openssh-3.9p1-authd-0.1/sshconnect1.c --- openssh-3.9p1/sshconnect1.c 2004-08-12 08:40:25.000000000 -0400 +++ openssh-3.9p1-authd-0.1/sshconnect1.c 2004-08-26 18:38:37.609286128 -0400 @@ -37,6 +37,14 @@ #include "canohost.h" #include "auth.h" +/* Authd headers */ +#include +#include +#include +#include +#include +#include + /* Session id for the current session. */ u_char session_id[16]; u_int supported_authentications = 0; 
@@ -306,6 +314,54 @@ return 0; } + + + +/* Try to authenticate the connection with authd. + * XXX XXX + */ +static int try_authd_authentication () +{ + int type,j; + credentials creds; + signature creds_sig; + auth_init_credentials (&creds, 30); + debug ("creds.uid %d\tcreds.gid %d",creds.uid,creds.gid); + /* Ask authd to sign our credentials */ + if (auth_get_signature (&creds, &creds_sig) != AUTH_OK) { + debug ("Local authd authentication failed."); + return 0; + } + +/* Tell the server that we are willing to authenticate using this key. */ + packet_start(SSH_CMSG_AUTH_AUTHD); + //packet_put_raw(&creds,sizeof(credentials)); + packet_put_int((int)creds.uid); + packet_put_int((int)creds.gid); + packet_put_int((int)creds.valid_from); + // XXX XXX Fix this...these are note ints! + packet_put_int((int)creds.valid_to); + packet_put_string(creds_sig.data,AUTH_RSA_SIGLEN); + packet_send(); + packet_write_wait(); + + /* Wait for server's response. */ + type = packet_read(); + + /* The server responds with failure if it doesn't admit our + authd authentication. */ + if (type == SSH_SMSG_SUCCESS) { + debug ("AUTHD authentication accepted."); + return 1; + } + else + debug ("Server refused authentication using authd."); + return 0; +} + + + + /* * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv * authentication and RSA host authentication. @@ -678,6 +734,13 @@ if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); + /* XXX XXX XXX + * Try authd authentication. + * Make this an option just like the regular chickens! + */ + if (try_authd_authentication ()) + goto success; + /* * Try .rhosts or /etc/hosts.equiv authentication with RSA host * authentication. diff -Naur openssh-3.9p1/sshconnect2.c openssh-3.9p1-authd-0.1/sshconnect2.c --- openssh-3.9p1/sshconnect2.c 2004-06-14 20:30:09.000000000 -0400 +++ openssh-3.9p1-authd-0.1/sshconnect2.c 2004-08-26 18:39:39.451884624 -0400 
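Review bot: `try_authd_authentication` treats every server reply other than `SSH_SMSG_SUCCESS` as a plain failure, whereas the client code in this file disconnects on unexpected types (the next hunk shows `packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type)`); add the same check, `if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response to SSH_CMSG_AUTH_AUTHD", type);`, before returning 0. Smaller points: `static int try_authd_authentication ()` should be `(void)`, `j` is declared and never used, `creds.uid`/`creds.gid` are printed with `%d` without a cast, and the `//` comments stand out in a file that otherwise uses `/* */`.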
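Review bot: `try_authd_authentication()` is called unconditionally, so every SSH1 server this client talks to — including unmodified ones, which just ignore the message — receives the user's uid, gid, validity window and authd signature before any other method is tried; the comment above the call already admits it should be optional. The client option exists in this diff (`options.authd_authentication`, readconf.c), so gate on it: `if (options.authd_authentication && try_authd_authentication()) goto success;`. Because the credential is only as good as its validity window, handing it to servers that were never configured for authd widens the set of parties able to replay it within that window. The enclosing function starts and ends outside the hunk.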
@@ -49,6 +49,13 @@ #include "canohost.h" #include "msg.h" #include "pathnames.h" +#include +#include +#include +#include +#include +#include + #ifdef GSSAPI #include "ssh-gss.h" @@ -200,6 +207,7 @@ int userauth_kbdint(Authctxt *); int userauth_hostbased(Authctxt *); int userauth_kerberos(Authctxt *); +int userauth_authd(Authctxt *); #ifdef GSSAPI int userauth_gssapi(Authctxt *authctxt); @@ -232,6 +240,9 @@ userauth_hostbased, &options.hostbased_authentication, NULL}, + {"authd", + userauth_authd, + &options.authd_authentication}, {"publickey", userauth_pubkey, &options.pubkey_authentication, @@ -718,6 +729,35 @@ return 1; } + +/* XXX Authd authentication */ +int +userauth_authd(Authctxt *authctxt) +{ + credentials creds; + signature creds_sig; + auth_init_credentials (&creds, 30); + debug ("creds.uid %d",creds.uid); + if (auth_get_signature (&creds, &creds_sig) != AUTH_OK) { + debug ("Local authd authentication failed."); + return 0; + } + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_put_int ((int)creds.uid); + packet_put_int ((int)creds.gid); + packet_put_int ((int)creds.valid_from); /*XXX really time_t...fix */ + packet_put_int ((int)creds.valid_to); + packet_put_string (creds_sig.data,AUTH_RSA_SIGLEN); + packet_send(); + packet_write_wait(); + + return 1; +} + + int userauth_passwd(Authctxt *authctxt) { diff -Naur openssh-3.9p1/sshd_config openssh-3.9p1-authd-0.1/sshd_config --- openssh-3.9p1/sshd_config 2004-05-23 20:36:24.000000000 -0400 +++ openssh-3.9p1-authd-0.1/sshd_config 2004-08-27 08:32:19.200848336 -0400 @@ -41,6 +41,8 @@ #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys +#UseAuthdAuthentication no + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2
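Review bot: The new `{"authd", userauth_authd, &options.authd_authentication}` initializer has three members while the neighbouring entries (e.g. `userauth_hostbased, &options.hostbased_authentication, NULL}`) have four; the omitted fourth member is zero-initialized, so it compiles, but it should be written out as `&options.authd_authentication, NULL}` so that leaving it NULL is visibly intentional. Keeping the entries uniform also makes the table easier to scan when a member is later added to Authmethod.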
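Review bot: `auth_init_credentials (&creds, 30)` repeats the bare `30` also used by sshconnect1.c's `try_authd_authentication`, and the unit of the argument is stated nowhere in the diff; name it once in a shared header and document it, e.g. `#define AUTHD_CRED_LIFETIME 30 /* validity window passed to auth_init_credentials(); unit: TODO confirm (seconds?) */`. The `debug ("creds.uid %d",creds.uid)` also prints a uid_t with `%d` without a cast, which -Wformat may flag on platforms where uid_t is not an int.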