Date: Fri, 26 Nov 1999 18:13:07 -0800 (PST)
From: gshapiro+FreeBSD-gnats@gshapiro.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/15107: FreeBSD S/Key support for OpenSSH 1.2
Message-ID: <199911270213.dAR2D7P83190@horsey.gshapiro.net>
>Number: 15107
>Category: ports
>Synopsis: Patch for FreeBSD s/key support in OpenSSH 1.2
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 26 18:20:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Gregory Neil Shapiro
>Release: FreeBSD 3.3-STABLE i386
>Organization:
>Environment:
FreeBSD 3.3-STABLE with openssh date tag 'Tue Nov 23 18:52:21 EST 1999'
>Description:
ports/security/openssh doesn't successfully compile if SKEY=yes. The OpenBSD S/Key library has routines missing from the FreeBSD version. The patch included in the "Fix" section of this report provides the missing functionality to get S/Key working with OpenSSH under FreeBSD.
>How-To-Repeat:
>Fix:
The compatibility functions were brought in from the current OpenBSD source tree for libskey. There is one exception: FreeBSD's skeychallenge() is unsafe as it uses sprintf(). Therefore, I've brought its functionality directly into skey_keyinfo() and used snprintf() to prevent any possibility of buffer overflows.
--- auth-skey.c:preSkey Fri Nov 26 17:26:12 1999 +++ auth-skey.c Fri Nov 26 18:01:54 1999 @@ -2,6 +2,7 @@ RCSID("$Id: auth-skey.c,v 1.3 1999/11/23 22:25:52 markus Exp $"); #include "ssh.h" +#ifndef __FreeBSD__ #include <sha1.h> /* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */ 
@@ -148,3 +149,108 @@ } return skeyprompt; } +#else /* __FreeBSD__ */ + +char * +skey_fake_keyinfo(char *username) +{ + return NULL; +} + +/* from %OpenBSD: skey.h,v 1.13 1999/07/15 14:33:48 provos Exp $ + +/* Max length of an S/Key seed (rfc1938) */ +#ifndef SKEY_MAX_SEED_LEN +#define SKEY_MAX_SEED_LEN 16 +#endif + +/* Max length of hash algorithm name (md4/md5/sha1/rmd160) */ +#define SKEY_MAX_HASHNAME_LEN 6 + +/* Max length of S/Key challenge (otp-???? 9999 seed) */ +#ifndef SKEY_MAX_CHALLENGE +#define SKEY_MAX_CHALLENGE (11 + SKEY_MAX_HASHNAME_LEN + SKEY_MAX_SEED_LEN) +#endif + +/* from %OpenBSD: skeylogin.c,v 1.33 1999/11/26 19:26:17 deraadt Exp % */ + +/* + * skey_haskey() + * + * Returns: 1 user doesnt exist, -1 file error, 0 user exists. + * + */ +int +skey_haskey(username) + char *username; +{ + struct skey skey; + int i; + + i = skeylookup(&skey, username); + + if (skey.keyfile != NULL) { + fclose(skey.keyfile); + skey.keyfile = NULL; + } + return(i); +} + +/* + * skey_keyinfo() + * + * Returns the current sequence number and + * seed for the passed user. + * + */ +char * +skey_keyinfo(username) + char *username; +{ + int i; + static char str[SKEY_MAX_CHALLENGE]; + struct skey skey; + + /* NOTE: FreeBSD's skeychallenge() isn't safe to call directly */ + i = skeylookup(&skey, username); + if (i == -1) + return(0); + + if (skey.keyfile != NULL) { + fclose(skey.keyfile); + skey.keyfile = NULL; + } + + if (i == 1) + return(0); + + snprintf(str, sizeof str, "s/key %d %s", skey.n - 1, skey.seed); + return(str); +} + +/* + * skey_passcheck() + * + * Check to see if answer is the correct one to the current + * challenge. 
+ * + * Returns: 0 success, -1 failure + * + */ +int +skey_passcheck(username, passwd) + char *username, *passwd; +{ + int i; + struct skey skey; + + i = skeylookup(&skey, username); + if (i == -1 || i == 1) + return(-1); + + if (skeyverify(&skey, passwd) == 0) + return(skey.n); + + return(-1); +} +#endif /* __FreeBSD__ */ >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
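Review bot: on the first hunk (@@ -2,6 +2,7 @@), the `#ifndef __FreeBSD__` inserted ahead of `#include <sha1.h>` opens a conditional whose matching `#else` is about 150 lines away at the end of the file, so a reader of the top of auth-skey.c cannot tell that the entire OpenBSD body is being compiled out; put a comment on the `#ifndef` line saying that the FreeBSD replacements follow the `#else` at the bottom. Also check where the FreeBSD branch gets `<skey.h>`: the replacements use `struct skey`, `skeylookup()` and `skeyverify()`, and the only include visible in this hunk is `"ssh.h"`; if ssh.h does not pull skey.h in, an `#else` / `#include <skey.h>` belongs here. Keying the choice on the OS macro rather than on whether libskey provides skey_keyinfo() and friends also means the replacements stay compiled in once FreeBSD's libskey gains them; a configure-time feature test would be more robust.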
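Review bot: on the second hunk (@@ -148,3 +149,108 @@), the `i == 1` early return in skey_passcheck() does not close `skey.keyfile`, while skey_haskey() and skey_keyinfo() both fclose() it right after skeylookup(); an authentication attempt for an account without an S/Key entry can therefore leak the FILE that skeylookup() opened, once per attempt, inside sshd. Close it the same way before `return(-1)`. Three smaller points in the same hunk: the comment `/* from %OpenBSD: skey.h,v 1.13 1999/07/15 14:33:48 provos Exp $` is never terminated, so it runs on until the `*/` that ends `/* Max length of an S/Key seed (rfc1938) */` (it compiles, but the seed-length comment is swallowed and the `% */` convention of the other markers is broken); the header comment of skey_passcheck() says `Returns: 0 success, -1 failure` but the function returns `skey.n` on success, so the comment should say it returns the remaining sequence count; and the `snprintf()` result in skey_keyinfo() is not checked, so an over-long seed in the key file yields a silently truncated challenge rather than an error. Finally, `skey_fake_keyinfo()` returning NULL means a caller that relies on it to present a plausible challenge for accounts without an S/Key entry will show nothing for them; if that is intended on FreeBSD, say so in a comment, since it makes the presence of an S/Key entry observable to the remote user.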
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911270213.dAR2D7P83190>
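The sprintf()-versus-snprintf() point the submitter makes in the Fix section, as an added example that is not code from the PR, from OpenSSH or from FreeBSD's libskey: the unbounded formatting pattern beside a bounded version shaped like the patch's skey_keyinfo(). The limit macros are the ones the patch quotes from OpenBSD's skey.h; the seed rule follows RFC 1938; the function names, the sample seeds and the scratch-area trick used to measure the overrun without corrupting the stack are constructed for this example.

```c
/*
 * Added example for PR ports/15107; not code from the PR, OpenSSH or
 * FreeBSD's libskey. It contrasts the sprintf() pattern the submitter says
 * FreeBSD's skeychallenge() uses with a bounded snprintf() version in the
 * style of the patch's skey_keyinfo(). Function names, sample seeds and the
 * scratch-area measurement are constructed for this example.
 */
#include <assert.h>
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Limits as quoted in the patch (from OpenBSD's skey.h). */
#define SKEY_MAX_SEED_LEN     16
#define SKEY_MAX_HASHNAME_LEN 6
#define SKEY_MAX_CHALLENGE    (11 + SKEY_MAX_HASHNAME_LEN + SKEY_MAX_SEED_LEN)

/* Constructed inputs: a well-formed seed and an over-long one such as a
 * corrupted or hand-edited key-file record could contain. */
static const char GOOD_SEED[] = "horse1";
static const char OVERLONG_SEED[] = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"; /* 30 chars */

/* RFC 1938: a seed is 1 to 16 alphanumeric characters. */
int
skey_seed_ok(const char *seed)
{
	size_t i, len;

	if (seed == NULL)
		return 0;
	len = strlen(seed);
	if (len == 0 || len > SKEY_MAX_SEED_LEN)
		return 0;
	for (i = 0; i < len; i++)
		if (!isalnum((unsigned char)seed[i]))
			return 0;
	return 1;
}

/*
 * The unsafe pattern: sprintf() into a buffer sized SKEY_MAX_CHALLENGE.
 * So that the demonstration does not corrupt its own stack, the nominal
 * buffer is the front of a larger scratch area. Returns how many bytes
 * sprintf() wrote beyond the nominal buffer (0 when the challenge fit).
 */
size_t
skey_challenge_overflow(int n, const char *seed)
{
	char scratch[256];	/* nominal buffer is scratch[0..SKEY_MAX_CHALLENGE-1] */
	int written;

	written = snprintf(NULL, 0, "s/key %d %s", n, seed);	/* size probe */
	if (written < 0)
		return 0;
	if ((size_t)written + 1 <= sizeof(scratch))
		written = sprintf(scratch, "s/key %d %s", n, seed);	/* the unbounded write */
	/* beyond the scratch area we only report what sprintf() would have done */
	if ((size_t)written + 1 <= SKEY_MAX_CHALLENGE)
		return 0;
	return (size_t)written + 1 - SKEY_MAX_CHALLENGE;
}

/*
 * The bounded version, shaped like the patch's skey_keyinfo(): formats into
 * a static buffer with snprintf(). Beyond the patch it also validates the
 * seed and treats truncation as an error, because a silently truncated
 * challenge would have the user compute a response to the wrong seed.
 * Returns the challenge, or NULL on a malformed seed or truncation.
 */
const char *
skey_challenge_safe(int n, const char *seed)
{
	static char str[SKEY_MAX_CHALLENGE];
	int len;

	if (!skey_seed_ok(seed))
		return NULL;
	len = snprintf(str, sizeof(str), "s/key %d %s", n, seed);
	if (len < 0 || (size_t)len >= sizeof(str)) {
		str[0] = '\0';
		return NULL;
	}
	return str;
}

int
main(void)
{
	const char *c = skey_challenge_safe(99, GOOD_SEED);

	printf("challenge: %s\n", c ? c : "(rejected)");
	printf("sprintf() with a 30-char seed overruns the buffer by %zu bytes\n",
	    skey_challenge_overflow(99, OVERLONG_SEED));
	return 0;
}
```

The truncation check matters even with a valid seed: a sequence number that has been corrupted to a ten-digit value makes "s/key %d %s" exactly SKEY_MAX_CHALLENGE characters long, which snprintf() would otherwise cut short without complaint.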