Date: Thu, 25 Apr 2002 19:45:28 +1000
From: Joshua Goodall <joshua@roughtrade.net>
To: Jordan Hubbard <jkh@winston.freebsd.org>
Cc: Robert Watson <rwatson@FreeBSD.ORG>, hackers@FreeBSD.ORG
Subject: Re: Erm, since everyone managed to HIJACK my sshd thread! ;)
Message-ID: <20020425094528.GE86692@roughtrade.net>
In-Reply-To: <17607.1019707688@winston.freebsd.org>
References: <Pine.NEB.3.96L.1020424215852.55944O-100000@fledge.watson.org> <17607.1019707688@winston.freebsd.org>
On Wed, Apr 24, 2002 at 09:08:08PM -0700, Jordan Hubbard wrote:
> > BTW, what I'm suggesting here is the equivalent of the "no_fake_prompts"
> > setting in pam_opie.so found in -CURRENT. Basically, if the flag is set,
>
> Again, by all means, generate some diffs and we'll look 'em over. I'm
> far less interested in debating this in abstract terms and at least
> Joshua provided a better implementation than what I was suggesting,
> which is why I'm now just going to take his proposed change unless
> someone gives me something better yet.

n.b. this is actually an OPIE challenge, despite saying S/Key.
Unfortunately the openssh in -stable totally ignores pam and talks
directly to libopie, so we have to work inside sshd.

Committing to -current was almost certainly unnecessary and regressing
since the version there honours pam.d/sshd which doesn't have
pam_opie on by default, and if you do put it in, you can use the
no_fake_prompts option. I recommend backing that out.

The following patch to -stable is opie & rwatson friendly, won't
give a challenge unless you actually have an entry in /etc/opiepasswd,
and has a knob for toggling fake challenges (which is off by default).
Hopefully that satisfies everyone!

Joshua

Index: auth-chall.c
===================================================================
RCS file: /cvs/src/crypto/openssh/auth-chall.c,v
retrieving revision 1.2.2.1
diff -u -r1.2.2.1 auth-chall.c
--- auth-chall.c 28 Sep 2001 01:33:33 -0000 1.2.2.1
+++ auth-chall.c 25 Apr 2002 09:28:16 -0000
@@ -28,6 +28,9 @@
#include "auth.h"
#include "log.h"
+#include "servconf.h"
+
+extern ServerOptions options;
#ifdef BSD_AUTH
char *
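Review bot: the new `#include "servconf.h"` and `extern ServerOptions options;` are unconditional, but `options.fake_challenge` is only consulted in the OPIE implementation further down this file; either put them under the same preprocessor guard that selects the OPIE code or move them next to it, so the BSD_AUTH and other builds do not carry an unused extern. A one-line comment saying the extern refers to the options populated by servconf.c would also help the next reader.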
@@ -77,9 +80,12 @@
{
static char challenge[1024];
struct opie opie;
+ if (opie_haskey(authctxt->user) == 1 &&
+ options.fake_challenge != 1)
+ return NULL;
if (opiechallenge(&opie, authctxt->user, challenge) == -1)
return NULL;
- strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
+ strlcat(challenge, "\nOPIE Password: ", sizeof challenge);
return challenge;
}
int
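Review bot: the guard `opie_haskey(authctxt->user) == 1` treats only the exact value 1 as "no key"; any other non-zero return (for example a lookup error) falls through to `opiechallenge()`, which for a user without an entry generates exactly the fake challenge this knob is meant to suppress. Check opie_haskey()'s documented return codes and either compare against the no-key code with a comment saying so, or return NULL for every non-zero result while `fake_challenge` is off, so an unreadable key file does not silently turn fake challenges back on. Two smaller points: with FakeChallenge on, confirm that the challenge `opiechallenge()` produces for a user with no entry is stable across attempts, otherwise the real/fake distinction is still observable; and the prompt change from `S/Key Password:` to `OPIE Password:` is a user-visible string that scripted clients may match on, so call it out in the commit message.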
Index: servconf.c
===================================================================
RCS file: /cvs/src/crypto/openssh/servconf.c,v
retrieving revision 1.3.2.12
diff -u -r1.3.2.12 servconf.c
--- servconf.c 25 Apr 2002 05:58:53 -0000 1.3.2.12
+++ servconf.c 25 Apr 2002 08:36:02 -0000
@@ -88,6 +88,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_reponse_authentication = -1;
+ options->fake_challenge = -1;
options->permit_empty_passwd = -1;
options->use_login = -1;
options->allow_tcp_forwarding = -1;
@@ -207,7 +208,9 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_reponse_authentication == -1)
- options->challenge_reponse_authentication = 0;
+ options->challenge_reponse_authentication = 1;
+ if (options->fake_challenge == -1)
+ options->fake_challenge = 0;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->use_login == -1)
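Review bot: this hunk also flips the default of `challenge_reponse_authentication` from 0 to 1, which is a separate behaviour change from adding FakeChallenge: every -stable host that takes this patch without editing sshd_config starts offering OPIE challenges to users who have an entry in /etc/opiepasswd. That matches the covering mail, but it deserves its own sentence in the commit message and a matching update to the ChallengeResponseAuthentication entry in sshd.8, since the sshd.8 hunk below documents only FakeChallenge. The `fake_challenge` default of 0 agrees with the "default is no" text in the man page hunk.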
@@ -248,7 +251,7 @@
#ifdef AFS
sKrb4TgtPassing, sAFSTokenPassing,
#endif
- sChallengeResponseAuthentication,
+ sChallengeResponseAuthentication, sFakeChallenge,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset,
@@ -302,6 +305,7 @@
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
+ { "fakechallenge", sFakeChallenge },
{ "checkmail", sCheckMail },
{ "listenaddress", sListenAddress },
{ "printmotd", sPrintMotd },
@@ -647,6 +651,10 @@
case sChallengeResponseAuthentication:
intptr = &options->challenge_reponse_authentication;
+ goto parse_flag;
+
+ case sFakeChallenge:
+ intptr = &options->fake_challenge;
goto parse_flag;
case sPrintMotd:
Index: servconf.h
===================================================================
RCS file: /cvs/src/crypto/openssh/servconf.h,v
retrieving revision 1.3.2.5
diff -u -r1.3.2.5 servconf.h
--- servconf.h 28 Sep 2001 01:33:34 -0000 1.3.2.5
+++ servconf.h 25 Apr 2002 06:49:12 -0000
@@ -99,6 +99,7 @@
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_reponse_authentication;
+ int fake_challenge;
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
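Review bot: `int fake_challenge;` is the only field in this block without a trailing comment; follow the file's convention, e.g. `int fake_challenge; /* If true, issue OPIE challenges to users with no key */`, so the header documents the knob without a trip to sshd.8.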
Index: sshd.8
===================================================================
RCS file: /cvs/src/crypto/openssh/sshd.8,v
retrieving revision 1.5.2.7
diff -u -r1.5.2.7 sshd.8
--- sshd.8 28 Sep 2001 01:33:35 -0000 1.5.2.7
+++ sshd.8 25 Apr 2002 09:39:50 -0000
@@ -414,6 +414,17 @@
can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID isn't recognized.
By default login is allowed regardless of the user name.
+.It Cm FakeChallenge
+Specifies whether OPIE challenges should be attempted (and thus
+randomly generated) if a user does not have an OPIE key setup
+and ChallengeResponseAuthentication is set to
+.Dq yes .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
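Review bot: the description "whether OPIE challenges should be attempted (and thus randomly generated)" states the mechanism but not what the option is for; add a sentence saying that with the default of no, an account with no OPIE key gets no OPIE prompt, so the presence of the prompt reveals which accounts are enrolled, and that yes makes the prompt appear for every user. The entry should also reference ChallengeResponseAuthentication with `.Cm` like the other options, and "does not have an OPIE key setup" reads better as "does not have an OPIE key set up".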
Index: sshd_config
===================================================================
RCS file: /cvs/src/crypto/openssh/sshd_config,v
retrieving revision 1.4.2.7
diff -u -r1.4.2.7 sshd_config
--- sshd_config 25 Apr 2002 05:58:53 -0000 1.4.2.7
+++ sshd_config 25 Apr 2002 08:36:19 -0000
@@ -48,8 +48,10 @@
PasswordAuthentication yes
PermitEmptyPasswords no
-# Uncomment to enable s/key passwords
-#ChallengeResponseAuthentication yes
+# Uncomment to disable s/key passwords
+#ChallengeResponseAuthentication no
+# Uncomment to generate fake s/key challenges
+#FakeChallenge yes
# To change Kerberos options
#KerberosAuthentication no
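Review bot: the comments say "s/key" while the sshd.8 hunk says "OPIE" and the new prompt string says "OPIE Password:"; use one name (OPIE, since that is the library the -stable sshd talks to, as the mail notes) so an administrator reading this file can find FakeChallenge in sshd.8. "Uncomment to generate fake s/key challenges" would also be clearer stating the purpose, e.g. "Uncomment to issue fake OPIE challenges to users without a key, so the prompt does not reveal who is enrolled".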
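As an added example (not code from the mail or from the OpenSSH/FreeBSD tree), the following Python script parses an sshd_config the way the patched servconf.c would for the two knobs in question and reports what the patched auth-chall.c logic implies for the OPIE prompt. It assumes the keyword handling and defaults shown in the hunks above: keywords compared case-insensitively, `skeyauthentication` as an alias of ChallengeResponseAuthentication, first occurrence of an option wins (parse_flag only stores into a field still at -1), ChallengeResponseAuthentication defaulting to yes and FakeChallenge to no. The sample configuration is constructed.

```python
"""Audit an sshd_config for the OPIE challenge knobs discussed in the thread.

Constructed example for this review; not OpenSSH or FreeBSD code.
Assumptions taken from the patched servconf.c:
  - keywords match case-insensitively (the table holds lowercase names);
  - "skeyauthentication" is an alias of ChallengeResponseAuthentication;
  - the first occurrence of an option wins;
  - defaults after the patch: ChallengeResponseAuthentication yes,
    FakeChallenge no.
"""

DEFAULTS = {
    "challengeresponseauthentication": True,  # patched default: yes
    "fakechallenge": False,                   # patched default: no
}
ALIASES = {"skeyauthentication": "challengeresponseauthentication"}


def parse_flag(value: str, keyword: str, lineno: int) -> bool:
    """Mirror sshd's parse_flag: only 'yes' or 'no' are accepted."""
    v = value.strip().lower()
    if v == "yes":
        return True
    if v == "no":
        return False
    raise ValueError(f"line {lineno}: bad yes/no argument for {keyword}: {value!r}")


def effective_settings(config_text: str) -> dict:
    """Return the effective value of each tracked option for the given config.

    Blank lines and lines whose first token starts with '#' are skipped;
    sshd does not strip trailing comments, so none are stripped here either.
    Untracked keywords are ignored.
    """
    seen = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key not in DEFAULTS or key in seen:
            continue  # untracked keyword, or a later duplicate (first wins)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: missing argument for {parts[0]}")
        seen[key] = parse_flag(parts[1], parts[0], lineno)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def opie_prompt_behaviour(settings: dict) -> str:
    """Describe what a client sees under the patched auth-chall.c logic.

    Users with an /etc/opiepasswd entry always get a challenge when
    challenge-response auth is on; users without one get a (fake)
    challenge only when FakeChallenge is yes.
    """
    if not settings["challengeresponseauthentication"]:
        return "no OPIE challenge for anyone"
    if settings["fakechallenge"]:
        return "OPIE challenge for every user (fake for users without a key)"
    return "OPIE challenge only for users with a key (prompt reveals enrollment)"


if __name__ == "__main__":
    # Constructed sample mirroring the patched sshd_config block above.
    SAMPLE = """\
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to generate fake s/key challenges
#FakeChallenge yes
"""
    cfg = effective_settings(SAMPLE)
    print(cfg)
    print(opie_prompt_behaviour(cfg))
```

Run against a real sshd_config, the script tells you whether the host is in the default state the patch produces (challenges on, fake challenges off), which is the state in which the OPIE prompt itself distinguishes enrolled from non-enrolled accounts.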
