
Re: ssh & opie



The list server didn't like the last message. Here it is again.

-- 
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
--- Begin Message ---
Thanks for the pointer. My problem with that approach is that I don't want
to modify the SSH protocol, as I would like to use some Windows ssh client
for which I don't have source code.

Happily I've found a solution to my problem. While playing with one of
these Windows clients I noticed they had a checkbox for "TIS authentication".
Wondering what this was, I looked at the source code. Lo and behold,
this is nothing more than a challenge / response authentication. And the
best part is that several Windows clients (and the unix client) already
support it.

After a few hours of hacking I came up with the patch attached to this
message. I've had no time to clean it up, but it works for me. No longer
do I have to use the hack of sending the challenge in a debug message
and having to authenticate multiple times.

For it to work you have to add "TISAuthentication = yes" to the client and server
config. As it is, the patch will only work with the pam_opie module, as
the TIS protocol requires that the first PAM conversation message be a
TEXT_INFO message or the client will get confused. This could be fixed
by having some static flag recording whether we've seen a TEXT_INFO message when
we get a PAM_PROMPT_ECHO* message; if we haven't, we send the challenge
packet with something like "Password:". This would enable the patch
to make sshd work with other modules as well.

Anyway must get some sleep now.

-- 
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
--- /tmp/sshd.c.old	Mon Nov 23 22:17:28 1998
+++ sshd.c	Mon Nov 23 22:24:32 1998
@@ -673,6 +673,60 @@
     NULL
 };
 
+static int pamconv2 (int num_msg,
+                     const struct pam_message **msg,
+                     struct pam_response **resp,
+                     void *appdata_ptr) {
+  int count = 0, replies = 0;
+  struct pam_response *reply = NULL;
+  int size = sizeof(struct pam_response);
+  int type;
+  char *response;
+
+  for (count = 0; count < num_msg; count++) {
+    switch (msg[count]->msg_style) {
+      case PAM_PROMPT_ECHO_ON:
+      case PAM_PROMPT_ECHO_OFF:
+        if (reply)
+          realloc(reply, size);
+        else
+          reply = malloc(size);
+        if (!reply) return PAM_CONV_ERR;
+        size += sizeof(struct pam_response);
+        type = packet_read();
+        if (type != SSH_CMSG_AUTH_TIS_RESPONSE) {
+          packet_get_all();
+          log_msg("Protocol error: got %d in response to TIS challenge", type);
+          free(reply);
+          return PAM_CONV_ERR;
+        }
+        response = packet_get_string(NULL);
+        reply[replies].resp_retcode = PAM_SUCCESS;
+        reply[replies++].resp = xstrdup (response);
+          /* PAM frees resp */
+        break;
+      case PAM_TEXT_INFO:
+        packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+        packet_put_string(msg[count]->msg, strlen(msg[count]->msg));
+        packet_send();
+        packet_write_wait();
+        break;
+      case PAM_ERROR_MSG:
+      default:
+        /* Must be an error of some sort... */
+        free (reply);
+        return PAM_CONV_ERR;
+    }
+  }
+  if (reply) *resp = reply;
+  return PAM_SUCCESS;
+}
+
+static struct pam_conv tis_conv = {
+    pamconv2,
+    NULL
+};
+
 void pam_cleanup_proc (void *context) {
   if (retval == PAM_SUCCESS) 
     retval = pam_close_session ((pam_handle_t *)pamh, 0);
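Review bot: The result of realloc() on the reply array is discarded (`realloc(reply, size);` in the PAM_PROMPT_ECHO_* case), so `reply` is never actually grown and, if the block moved, it is also dangling; a second prompt in one conversation writes `reply[1]` into a one-element allocation. A PAM conversation function is also expected to hand back one `struct pam_response` per message, indexed like `msg`, whereas this one compacts prompts into `reply[replies++]` and leaves `*resp` unset when no prompt was seen. Allocating `num_msg` zeroed entries once before the loop and filling `reply[count]` removes the realloc and the `size` bookkeeping entirely. The PAM_CONV_ERR paths free the array but not the `xstrdup` copies already stored in it, and the string returned by `packet_get_string` is copied and then dropped; since these hold the client's one-time-password responses, releasing them (with `xfree`, as the existing TIS code does for `password`) on those paths is worth doing.
```c
static int pamconv2 (int num_msg,
                     const struct pam_message **msg,
                     struct pam_response **resp,
                     void *appdata_ptr) {
  int count;
  int type;
  char *response;
  struct pam_response *reply;

  if (num_msg <= 0) return PAM_CONV_ERR;
  reply = calloc(num_msg, sizeof *reply);   /* one entry per message, as PAM expects */
  if (!reply) return PAM_CONV_ERR;

  for (count = 0; count < num_msg; count++) {
    switch (msg[count]->msg_style) {
      case PAM_PROMPT_ECHO_ON:
      case PAM_PROMPT_ECHO_OFF:
        type = packet_read();
        /* … unchanged: SSH_CMSG_AUTH_TIS_RESPONSE check, packet_get_all(), log_msg() … */
        response = packet_get_string(NULL);
        reply[count].resp_retcode = PAM_SUCCESS;
        reply[count].resp = xstrdup (response);   /* PAM frees resp */
        xfree(response);
        break;
      /* … unchanged: PAM_TEXT_INFO and PAM_ERROR_MSG/default cases … */
    }
  }
  *resp = reply;
  return PAM_SUCCESS;
}
```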
@@ -1503,7 +1557,7 @@
     auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
   if (options.rsa_authentication)
     auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef HAVE_TIS
+#if defined(HAVE_TIS) || defined(HAVE_PAM)
   if (options.tis_authentication)
     auth_mask |= 1 << SSH_AUTH_TIS;
 #endif
@@ -2496,7 +2550,7 @@
 	  }
 	  break;
 
-#ifdef HAVE_TIS
+#if defined(HAVE_TIS) || defined(HAVE_PAM)
 	case SSH_CMSG_AUTH_TIS:
 	  /* Support for TIS authentication server
 	     Contributed by Andre April <Andre.April@cediti.be>. */
@@ -2506,6 +2560,29 @@
 	    log_msg("Tis authsrv authentication disabled.");
 	    break;
 	  } else {
+#ifdef HAVE_PAM
+{
+  	  /* PAM hack to support c/r modules ala opie by aleph1 */
+	  debug("TIS PAM hack...");
+    retval = origretval;
+    if (pam_set_item((pam_handle_t *)pamh, PAM_CONV, &tis_conv) != PAM_SUCCESS)
+    {
+      debug("pam_set_item(PAM_CONV)");
+      break;
+    }
+
+    if (retval == PAM_SUCCESS)
+      retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+    if (retval == PAM_SUCCESS)
+      retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+    if (retval == PAM_SUCCESS)
+    {
+      authentication_type = SSH_AUTH_TIS;
+      authenticated = 1;
+      break;
+    }
+  }
+#else /* HAVE_PAM */
 	    char buf[128];
 	    char prompt[128];
 	    char mapping[128];
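Review bot: The conversation installed with `pam_set_item((pam_handle_t *)pamh, PAM_CONV, &tis_conv)` is never restored after the TIS attempt, so any later PAM call on the same handle — the `pam_close_session` in pam_cleanup_proc at the top of this patch, and presumably the non-TIS authentication paths elsewhere in sshd.c — would run pamconv2 and block in packet_read() waiting for a TIS response that the client never sends. Save the previous conversation with `pam_get_item(..., PAM_CONV, ...)` before the call and put it back with `pam_set_item` once retval is known, on the error path as well. When pam_authenticate or pam_acct_mgmt fails, control falls to the outer break with no log line at all; a `log_msg` carrying `pam_strerror` of retval would match how the surrounding code reports TIS failures, and the `debug("pam_set_item(PAM_CONV)")` on the set_item failure should likewise say it failed. The `case SSH_CMSG_AUTH_TIS` starts in the previous hunk and its body continues past the end of this one.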
@@ -2628,6 +2705,7 @@
 	      xfree(password);
 	      break;
 	    }
+#endif /* HAVE_PAM */
 	  }
 	  break;	/* TIS authsrv authentication not supported */
 #endif

Attachment: pgp00000.pgp
Description: PGP signature


--- End Message ---
