Date: Thu, 25 Apr 2002 19:45:28 +1000 From: Joshua Goodall <joshua@roughtrade.net> To: Jordan Hubbard <jkh@winston.freebsd.org> Cc: Robert Watson <rwatson@FreeBSD.ORG>, hackers@FreeBSD.ORG Subject: Re: Erm, since everyone managed to HIJACK my sshd thread! ;) Message-ID: <20020425094528.GE86692@roughtrade.net> In-Reply-To: <17607.1019707688@winston.freebsd.org> References: <Pine.NEB.3.96L.1020424215852.55944O-100000@fledge.watson.org> <17607.1019707688@winston.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Apr 24, 2002 at 09:08:08PM -0700, Jordan Hubbard wrote: > > BTW, what I'm suggesting here is the equivilent of the "no_fake_prompts" > > setting in pam_opie.so found in -CURRENT. Basically, if the flag is set, > > Again, by all means, generate some diffs and we'll look 'em over. I'm > far less interest in debating this in abstract terms and at least > Joshua provided a better implementation than what I was suggesting, > which is why I'm now just going to take his proposed change unless > someone gives me something better yet. n.b. this is actually an OPIE challenge, despite saying S/Key. Unfortunately the openssh in -stable totally ignores pam and talks directly to libopie, so we have to work inside sshd. Committing to -current was almost certainly unnecessary and regressing since the version there honours pam.d/sshd which doesn't have pam_opie on by default, and if you do put it in, you can use the no_fake_prompts option. I recommend backing that out. The following patch to -stable is opie & rwatson friendly, won't give a challenge unless you actually have an entry in /etc/opiepasswd, and has a knob for toggling fake challenges (which is off by default). Hopefully that satisfies everyone! Joshua Index: auth-chall.c =================================================================== RCS file: /cvs/src/crypto/openssh/auth-chall.c,v retrieving revision 1.2.2.1 diff -u -r1.2.2.1 auth-chall.c --- auth-chall.c 28 Sep 2001 01:33:33 -0000 1.2.2.1 +++ auth-chall.c 25 Apr 2002 09:28:16 -0000 @@ -28,6 +28,9 @@ #include "auth.h" #include "log.h" +#include "servconf.h" + +extern ServerOptions options; #ifdef BSD_AUTH char * @@ -77,9 +80,12 @@ { static char challenge[1024]; struct opie opie; + if (opie_haskey(authctxt->user) == 1 && + options.fake_challenge != 1) + return NULL; if (opiechallenge(&opie, authctxt->user, challenge) == -1) return NULL; - strlcat(challenge, "\nS/Key Password: ", sizeof challenge); + strlcat(challenge, "\nOPIE Password: ", sizeof challenge); return challenge; } int Index: servconf.c =================================================================== RCS file: /cvs/src/crypto/openssh/servconf.c,v retrieving revision 1.3.2.12 diff -u -r1.3.2.12 servconf.c --- servconf.c 25 Apr 2002 05:58:53 -0000 1.3.2.12 +++ servconf.c 25 Apr 2002 08:36:02 -0000 @@ -88,6 +88,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_reponse_authentication = -1; + options->fake_challenge = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; @@ -207,7 +208,9 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_reponse_authentication == -1) - options->challenge_reponse_authentication = 0; + options->challenge_reponse_authentication = 1; + if (options->fake_challenge == -1) + options->fake_challenge = 0; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) @@ -248,7 +251,7 @@ #ifdef AFS sKrb4TgtPassing, sAFSTokenPassing, #endif - sChallengeResponseAuthentication, + sChallengeResponseAuthentication, sFakeChallenge, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, @@ -302,6 +305,7 @@ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ + { "fakechallenge", sFakeChallenge }, { "checkmail", sCheckMail }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -647,6 +651,10 @@ case sChallengeResponseAuthentication: intptr = &options->challenge_reponse_authentication; + goto parse_flag; + + case sFakeChallenge: + intptr = &options->fake_challenge; goto parse_flag; case sPrintMotd: Index: servconf.h =================================================================== RCS file: /cvs/src/crypto/openssh/servconf.h,v retrieving revision 1.3.2.5 diff -u -r1.3.2.5 servconf.h --- servconf.h 28 Sep 2001 01:33:34 -0000 1.3.2.5 +++ servconf.h 25 Apr 2002 06:49:12 -0000 @@ -99,6 +99,7 @@ * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_reponse_authentication; + int fake_challenge; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ Index: sshd.8 =================================================================== RCS file: /cvs/src/crypto/openssh/sshd.8,v retrieving revision 1.5.2.7 diff -u -r1.5.2.7 sshd.8 --- sshd.8 28 Sep 2001 01:33:35 -0000 1.5.2.7 +++ sshd.8 25 Apr 2002 09:39:50 -0000 @@ -414,6 +414,17 @@ can be used as wildcards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. +.It Cm FakeChallenge +Specifies whether OPIE challenges should be attempted (and thus +randomly generated) if a user does not have an OPIE key setup +and ChallengeResponseAuthentication is set to +.Dq yes . +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Index: sshd_config =================================================================== RCS file: /cvs/src/crypto/openssh/sshd_config,v retrieving revision 1.4.2.7 diff -u -r1.4.2.7 sshd_config --- sshd_config 25 Apr 2002 05:58:53 -0000 1.4.2.7 +++ sshd_config 25 Apr 2002 08:36:19 -0000 @@ -48,8 +48,10 @@ PasswordAuthentication yes PermitEmptyPasswords no -# Uncomment to enable s/key passwords -#ChallengeResponseAuthentication yes +# Uncomment to disable s/key passwords +#ChallengeResponseAuthentication no +# Uncomment to generate fake s/key challenges +#FakeChallenge yes # To change Kerberos options #KerberosAuthentication no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020425094528.GE86692>