diff -ruN openssh-5.1p1/Makefile.in openssh-5.1p1-securid/Makefile.in
--- openssh-5.1p1/Makefile.in Tue Jul 8 10:21:12 2008
+++ openssh-5.1p1-securid/Makefile.in Mon Sep 1 01:50:28 2008
@@ -85,7 +85,7 @@
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o auth-securid.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
diff -ruN openssh-5.1p1/README.SecurID openssh-5.1p1-securid/README.SecurID
--- openssh-5.1p1/README.SecurID
+++ openssh-5.1p1-securid/README.SecurID Mon Sep 1 01:49:34 2008
@@ -0,0 +1,194 @@
+/*
+ * Author: Theo Schlossnagle <[email protected]>
+ * Copyright (c) 2000-2002 Theo Schlossnagle <[email protected]>
+ * All rights reserved
+ *
+ * Created: September 21, 2000
+ * License: OpenSSH License. See the license for OpenSSH for more details.
+ *
+ * Update for ACE 5.X by Jim Matthews -- [email protected]
+ * Patch works only for OpenSSH version v5.1p1
+ *
+ * September 01, 2008: -- [email protected]
+ * Updated to support openssh v5.1p1
+ *
+ * February 02, 2007: -- [email protected]
+ * Updated to support openssh v4.5p1
+ *
+ * October 04, 2006: -- [email protected]
+ * Updated to support openssh v4.4p1
+ * Updated auth-securid.c with additional includes which are now required.
+ *
+ * February 11, 2006: -- [email protected]
+ * Updated to support openssh v4.3p1
+ *
+ * September 10, 2005: -- [email protected]
+ * Updated to support openssh v4.2p1
+ * Fixed bug in auth-securid.c where securid_usersfile_find is used even if
+ * SECURID is undefined at config time - found by Mike Frysinger.
+ *
+ * June 16, 2005: -- [email protected]
+ * Updated to support openssh v4.1p1
+ *
+ * March 15, 2005: -- [email protected]
+ * Updated to support openssh v4.0p1
+ *
+ * Aug 18, 2004: -- [email protected]
+ * Updated to support openssh v3.9p1
+ * Added #ifdef SECURID in a comple of places it wasn't used and should have been
+ * for consistency in monitor.c and monitor.h
+ *
+ * Aug 15, 2004: -- [email protected]
+ * Updated to support openssh v3.8.1p1
+ *
+ * March 1, 2004: -- [email protected]
+ * Updated to support openssh v3.8p1
+ *
+ * September 27, 2003: -- [email protected]
+ * Updated to support openssh v3.7.1p2
+ * Re-added SecurID man page entries previously included in the v3.6.1p2 patch.
+ * Changed "plen" from type int to type u_int in function mm_answer_authsecurid in
+ * monitor.c to conform with openssh.
+ *
+ * September 17, 2003: -- [email protected]
+ * Updated to support openssh v3.7.1p1.
+ *
+ * September 16, 2003: -- [email protected]
+ * Updated to support openssh v3.7p1.
+ * In auth-securid.c log has changed to logit since it changed in v3.7p1.
+ * In pam-auth.c securid auth function is no longer needed. v3.7p1 completely
+ * changed the way PAM is handled.
+ *
+ * June 4th, 2003: -- Nicolas Lidzborski <[email protected]>
+ * Updated to support openssh v3.6.1p2
+ *
+ * April 5th, 2003: -- [email protected]
+ * Updated to support openssh v3.6.1p1.
+ * Modified to support both new (5.X+) and old (<= 4.X) securid client API libraries.
+ * Added --with-securid-old for <= 4.X support, --with-securid is for new API support.
+ * Added sd_close for ACE server disconnect at the end of authentication for old API support.
+ *
+ * March 3rd, 2003: -- [email protected]
+ * Changed "user not in [securid] allow", "user in [securid] deny" SecurID messages from
+ * type "error" to type "log" in auth-securid.c.
+ *
+ * March 1st, 2003: -- [email protected]
+ * Rewrote functions in auth-securid.c to support the ACE server version 5.X API.
+ * Modified configure script to check for new libaceclnt.a and acexport.h.
+ * Fixed AllowNonSecurid option in monitor.c and servconf.c so it actually works now.
+ * Fixed potential memory leak in auth-securid.c for SecurID shell assignment variable.
+ *
+ * October 22nd, 2002:
+ * Updated to 3.5p1 -- [email protected]
+ * incorporated a few minor fixes for the auth phase.
+ *
+ * June 26th, 2002:
+ * Updated to 3.4p1 -- [email protected]
+ * Revamped the auth mechanism to use the new privilege separation code.
+ * Updated man pages in their new locations.
+ *
+ * March 15th, 2002:
+ * Updated to 3.1p1 -- [email protected]
+ * Added beeter support for auth2-pam. Added NegateSecurIDUsers option to
+ * negate the meaning of the SecureIDUsersFile option.
+ *
+ * December 11th, 2001:
+ * Updated to 3.0.2p1 -- [email protected]
+ * no new features
+ *
+ * December 3rd, 2001:
+ * Updated to 3.0.1p1 -- [email protected]
+ * no new features
+ *
+ * November 8th, 2001:
+ * Updated to 3.0p1 -- [email protected]
+ * no new features
+ *
+ * September 30th, 2001:
+ * Updated to 2.9.9p2 -- [email protected]
+ * no new features
+ *
+ * June 28, 2001:
+ * Updated to 2.9p2 -- [email protected]
+ * no new features
+ *
+ * April 24, 2001:
+ * Updated to 2.9p1 -- [email protected]
+ * added autoconf clauses to fault if sdiclient.a and headers aren't there.
+ *
+ * April 21, 2001:
+ * Updated to 2.5.2p2 -- [email protected]
+ * Incorporated some bug fixes from Anders Olsen to fix next-token code.
+ *
+ * March 19, 2001:
+ * Updated to 2.5.2p1 -- [email protected]
+ *
+ * December 20, 2000:
+ * Updated to 2.3.0p1 -- [email protected]
+ *
+ * Jan 9th, 2001:
+ * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives
+ * to the sshd_config file. These parameters are documented in the man page.
+ * This provides a more logical seperationg between fail-through due to system
+ * failure and fall-through by configuration. (fall-through vs. fail-through)
+ * -- [email protected]
+ */
+
+Seems like a few people are interested. So here is the patch.
+
+This has only been tested on UNICIES that support PAM. There is untested
+(only 5 lines) code in auth-passwd.c that should provide the same
+functionality for normal (non-PAM) password verifications.
+
+The patch is logical quite small, the physical patch bulky because it contains
+all the line number changes in "configure" after running autoconf on the
+modified configure.in file (in which I changed maybe 10 lines -- Yuk.)
+
+The sshd man page has been patched too :-) Read it for the two new options
+relating to SecurID.
+
+How it works:
+
+0) apply patch ;-) You must use GNU patch (get it from ftp.gnu.org, it free.)
+1) copy ACE headers (in SecurID inc directory) into either a standard
+ include place (like /usr/local/include) or into the openssh source tree or add
+ the --with-cflags=-I/path/to/ace/inc (where the include files are located)
+2) copy the libaceclnt.a (for ACE 5.X) or sdiclient.a (for ACE <= 4.X) for your
+ OS (from /path/to/ace/lib/<arch>) into the openssh source tree.
+
+Make sure that /var/ace contains your sdconf.rec, etc. If you installed
+SecurID client or server on a machine it should be this way already. If you
+used a non-standard install location do a "ln -s /path/to/ace/data /var/ace"
+
+3) add --with-securid to the configure flags for new ACE 5.X support. Use
+ --with-securid-old for ACE API version 4.X and older.
+
+It will trigger if a user has a shell in /etc/passwd that ends with "sdshell"
+and it snags your shell the same way sdshell does. Users with other shells
+will log in as if SecurID didn't exist.
+
+Done:
+ o Normal passcode verification
+ o Enter next token for verification
+ (use ssh -v to see the *useful* debgging messages)
+
+ssh -v will let you know if:
+ o your code was accepted.
+ o your code was rejected.
+ o you are required to wait for the next token and enter that.
+
+TODO:
+ o Handle PIN creation and changing (as their are by default three log in
+attempts, it should be straight forward to integrate in these additions --
+both of these operations require exactly three user inputs.)
+ o Add sshd_config parameter to specify the VAR_ACE location (forced to
+/var/ace OR VAR_ACE environment variable now.)
+
+DISCLAIMER:
+ I works for me (yes, in production). If you get locked out of a production
+system becuase you replaced your sshd with this one, feeling really dumb is
+YOUR responsibility NOT mine. It is not my fault :-D
+
+Hope this is useful! scp (and all other tools that can use ssh like rsync and
+cvs) will work now!!!! Hooray!
+
diff -ruN openssh-5.1p1/auth-passwd.c openssh-5.1p1-securid/auth-passwd.c
--- openssh-5.1p1/auth-passwd.c Fri Oct 26 00:25:12 2007
+++ openssh-5.1p1-securid/auth-passwd.c Mon Sep 1 01:51:28 2008
@@ -101,6 +101,18 @@
/* Fall back to ordinary passwd authentication. */
}
#endif
+#ifdef SECURID
+ if (options.securid_authentication == 1) {
+ int ret = auth_securid(authctxt, password);
+ if (ret >= 0)
+ return ret;
+ /* Only returns < 0 if the account is not a SecurID account */
+ /* Fall back to ordinary passwd authentication. */
+ if(ret<0 && !options.allow_nonsecurid) {
+ return 0;
+ }
+ }
+#endif
#ifdef HAVE_CYGWIN
if (is_winnt) {
HANDLE hToken = cygwin_logon_user(pw, password);
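Review bot: The comment on the new block says auth_securid() returns < 0 only when the account is not a SecurID account, but the implementation in the auth-securid.c hunk also returns -1 when `options.securid_fallback` is set and AceInitialize()/SD_Init() (or creadcfg()/sd_init() on the old API) fail, so with both `securid_fallback` and `allow_nonsecurid` enabled an unreachable ACE server lets a SecurID user fall through to ordinary password authentication; the same comment appears in the first auth2-passwd.c hunk. The `ret<0` test on the second `if` is always true after the `if (ret >= 0) return ret;` guard, so the condition reduces to `if (!options.allow_nonsecurid) return 0;`. I would reword the comment to `/* < 0: not a SecurID account, or ACE unavailable with securid_fallback set */` so the fall-through policy is visible where it is decided. The enclosing function (presumably auth_password()) starts and ends outside the hunk.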
diff -ruN openssh-5.1p1/auth-securid.c openssh-5.1p1-securid/auth-securid.c
--- openssh-5.1p1/auth-securid.c
+++ openssh-5.1p1-securid/auth-securid.c Mon Sep 1 01:52:09 2008
@@ -0,0 +1,318 @@
+/*
+ * Author: Theo Schlossnagle <[email protected]>
+ * Copyright (c) 2000 Theo Schlossnagle <[email protected]>
+ * All rights reserved
+ * Created: September 21, 2000
+ * This file contains the code to process a SecurID authentication
+ * including the "next token" request.
+ */
+
+/*
+ * Added ACE Server API version 5.X Support
+ * Jim Matthews (JWM)
+ *
+ */
+
+#include "includes.h"
+
+/* RCSID("$OpenBSD: auth-securid.c,v 1.0 2000/09/21 01:39:38 jesus Exp $"); */
+/* $Id: auth-securid.c,v 1.3.1 2006/10/04 23:22:12 jmatthew Exp jmatthew $ */
+
+#include "packet.h"
+#include "ssh.h"
+#include "log.h"
+#include "servconf.h"
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#include <string.h>
+#include <errno.h>
+
+#ifdef WITH_AIXAUTHENTICATE
+# include <login.h>
+#endif
+#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
+# include <hpsecurity.h>
+# include <prot.h>
+#endif
+#ifdef HAVE_SHADOW_H
+# include <shadow.h>
+#endif
+#ifdef HAVE_GETPWANAM
+# include <sys/label.h>
+# include <sys/audit.h>
+# include <pwdadj.h>
+#endif
+#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
+# include "md5crypt.h"
+#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
+
+#ifdef SECURID
+#ifdef SECURID_NEW
+/* Only need acexport.h for 5.0 API JWM */
+# include "acexport.h"
+
+#else
+
+# include "sdi_athd.h"
+# include "sdconf.h"
+# include "sdacmvls.h"
+
+union config_record configure;
+#endif
+#endif
+
+/*
+ * Tries to authenticate the user using password. Returns true if
+ * authentication succeeds.
+ */
+#define INBUFFLEN 256
+
+/* Added ifdef 09102005 JWM */
+#ifdef SECURID
+int
+securid_usersfile_find(const char *pw_name)
+{
+ extern ServerOptions options;
+ FILE *inf;
+ char inbuff[INBUFFLEN];
+ struct stat fileinfo;
+ int retval = 0;
+
+ if(!options.securid_usersfile) {
+ error("In securid_usersfile_find() with NULL filename!");
+ return -1;
+ }
+ if(lstat(options.securid_usersfile, &fileinfo)) {
+ error("Cannot open %s: %s",
+ options.securid_usersfile, strerror(errno));
+ return -1;
+ }
+ if(fileinfo.st_mode & (S_IWOTH|S_IWGRP)) {
+ error("SecurIDUsersFile is writeable by group and other");
+ return -1;
+ }
+ if(!(inf = fopen(options.securid_usersfile, "r"))) {
+ error("Cannot open %s: %s",
+ options.securid_usersfile, strerror(errno));
+ return -1;
+ }
+ while(fgets(inbuff,INBUFFLEN-1,inf) != NULL) {
+ if(inbuff[strlen(inbuff) - 1] == '\n')
+ inbuff[strlen(inbuff) - 1] = '\0';
+ retval = !strcmp(inbuff,pw_name);
+ if(retval) break;
+ }
+ fclose(inf);
+ if(retval) return 1;
+ debug2("Failed to find %s in %s",
+ pw_name, options.securid_usersfile);
+ return 0;
+}
+#endif
+
+int
+auth_securid(Authctxt *authctxt, const char *password)
+{
+ static int state = 0; /* This tells us where we expect a
+ 0 "PIN"
+ 1 "Next Token"
+ */
+ int doauth;
+ char *ecp;
+ /* Changed this to static, since pw->shell does not get redefined, prevents mem leak JWM */
+ /* Allocate 256 chars for shell JWM */
+ static char shell[256];
+ extern ServerOptions options;
+ struct passwd *pw;
+#ifndef SECURID
+ return -1;
+#else
+ /* Add static for the nexttoken case -- Anders Olsen 20010409 */
+ /* API Change for ACE version 5.03 JWM */
+#ifdef SECURID_NEW
+ static SDI_HANDLE sd_dat;
+#else
+ static struct SD_CLIENT sd_dat, *sd;
+#endif
+
+ pw = authctxt->pw;
+ /* Check for users with no sdshell and pass them by. */
+ if(options.securid_usersfile) {
+ doauth = securid_usersfile_find(pw->pw_name);
+ if(!options.negate_securid_users && doauth == 0) {
+ /* file is there, user is not, option respected */
+ /* log instead of error JWM */
+ logit("User Not In SecurID Users Allow File");
+ if(options.allow_nonsecurid) return -1;
+ return 0;
+ } else if(options.negate_securid_users && doauth == 1) {
+ /* file is there, user is, option negated */
+ /* log instead of error JWM */
+ logit("User In SecurID Users Deny File");
+ if(options.allow_nonsecurid) return -1;
+ return 0;
+ } else if(doauth < 0) { /* File not there or bad perms! */
+ error("Failing SecurID login attempt");
+ return 0; /* Fail */
+ }
+ } else {
+ /* No users securid_usersfile
+ so use shells that end in sdshell */
+ if (!((ecp = strstr(pw->pw_shell, "sdshell")) &&
+ (*(ecp+7)=='\0'))) {
+ if(options.allow_nonsecurid) {
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+ }
+ /* sd_check on with an empty password causes segfault against some
+ versions of sdiclient -- Anders Olsen 20010409 */
+ if (*password == '\0') {
+ debug2("auth_securid: empty password, skipping");
+ return 0;
+ }
+ /* Don't reopen session to securid-server is nexttoken
+ -- Adres Olsen 20010410 */
+ if (state == 0) {
+ int ret;
+#ifdef SECURID_NEW
+ /* API Change for ACE version 5.03 JWM */
+ /* Initialize the ace client, test for sdconf.rec and other setup */
+ if(AceInitialize() == SD_FALSE) {
+ error("SecurID: Failed to initialize ACE API library.");
+ if(options.securid_fallback) return -1;
+ return 0;
+ }
+ /* API Change for ACE version 5.03 JWM */
+ /* Initialize communication, check connection to server, etc */
+ ret = SD_Init(&sd_dat);
+ if(ret != ACM_OK) {
+ if(ret == ACE_INIT_NO_RESOURCE) {
+ error("SecurID: Couldn't allocate memory.");
+ }
+ if(ret == ACE_INIT_SOCKET_FAIL) {
+ error("SecurID: Couldn't create socket.");
+ }
+ error("SecurID: Couldn't establish client/server communications.");
+ if(options.securid_fallback) return -1;
+ return 0;
+ }
+ /* API addition for ACE version 5.03 JWM */
+ /* Lock Server */
+ if(SD_Lock(sd_dat,pw->pw_name) == ACM_OK) {
+ debug("SecurID: Locked Server");
+ } else {
+ error("SecurID: Failed to lock server.");
+ return 0;
+ }
+ /* API Change for version 5.03 JWM */
+ /* Check for valid authentication */
+ ret = SD_Check(sd_dat, (char *)password, pw->pw_name);
+ if(ret == ACM_OK) {
+ goto success;
+ } else {
+ if(ret == ACM_ACCESS_DENIED) {
+ error("SecurID: authentication failed.");
+ }
+ if(ret == ACM_NEXT_CODE_REQUIRED) {
+ error("SecurID: needs next token.");
+ state = 1; /* Process next try as sd_next */
+ }
+ if(ret == ACE_UNDEFINED_PASSCODE) {
+ error("SecurID: passcode invalid length or null");
+ }
+ if(ret == ACE_UNDEFINED_USERNAME) {
+ error("SecurID: username invalid length or null");
+ }
+ if(ret == ACE_ERR_INVALID_HANDLE) {
+ error("SecurID: handle value invalid");
+ }
+ if(ret == ACM_NEW_PIN_REQUIRED) {
+ error("SecurID: new pin required");
+ }
+ return 0; /* Failed! */
+ }
+#else /* else old securid */
+ memset(&sd_dat, 0, sizeof(sd_dat)); /* clear struct */
+ sd = &sd_dat;
+
+ if(creadcfg()) {
+ /* Can't read sdconf.rec! Gotta bail */
+ error("SecurID: Couldn't read sdconf.rec.");
+ if(options.securid_fallback) return -1;
+ return 0;
+ }
+ if(sd_init(sd)) {
+ /* Can't establish client/server comms! Gotta bail */
+ error("SecurID: Couldn't establish client/server communications.");
+ if(options.securid_fallback) return -1;
+ return 0;
+ }
+ /* Auth PIN... */
+ ret = sd_check((char *)password, pw->pw_name, sd);
+ if(ret == ACM_OK) {
+ goto success;
+ }
+ if(ret == ACM_ACCESS_DENIED) {
+ error("SecurID: passcode rejected.");
+ return 0; /* Failed! */
+ }
+ if(ret == ACM_NEXT_CODE_REQUIRED) {
+ error("SecurID: needs next token.");
+ state = 1; /* Process next try as sd_next */
+ return 0; /* Fail, so ssh will prmpt again */
+ }
+#endif
+ } else {
+ /* Auth next token... */
+ int ret;
+ state = 0; /* Set back to PIN mode */
+#ifdef SECURID_NEW
+ /* API Change for version 5.03 JWM */
+ ret = SD_Next(sd_dat, (char *)password);
+#else
+ ret = sd_next((char *)password, sd);
+#endif
+ if(ret == ACM_OK) {
+ goto success;
+ }
+ error("SecurID: passcode rejected.");
+ return 0; /* Failed */
+ }
+ error("SecurID: unhandled sdcheck() return code.");
+ return 0; /* Failed! */
+
+success:
+#ifdef SECURID_NEW
+ /* Clear mem for shell */
+ memset(shell, 0, sizeof(shell));
+#endif
+ if(!options.securid_ignore_shell) {
+#ifdef SECURID_NEW
+ /* Changed for ACE 5.0 API JWM */
+ if(!AceGetShell(sd_dat,shell)) {
+ error("SecurID: Failed to get user's shell from server.");
+ return 0;
+ }
+#else
+ strcpy(shell,sd->shell);
+#endif
+ pw->pw_shell = shell;
+ }
+#ifdef SECURID_NEW
+ if(SD_Close(sd_dat) != ACM_OK) {
+ error("SecurID: SD_Close - Handle invalid.");
+ }
+#else
+ if(!sd_close()) {
+ error("SecurID: sd_close failed.");
+ }
+#endif
+ return 1; /* Success */
+#endif
+}
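Review bot: In auth_securid() the handle obtained from SD_Init() is released by SD_Close() only on the success path; every failure return after SD_Init() — SD_Lock() failing, SD_Check() returning anything other than ACM_OK or ACM_NEXT_CODE_REQUIRED, SD_Next() failing, and AceGetShell() failing — returns 0 with `sd_dat` still open, and the next attempt on the same connection runs AceInitialize()/SD_Init() again, so repeated rejected passcodes leak one client handle per attempt (the old-API branch has the same shape with sd_close()). Only the ACM_NEXT_CODE_REQUIRED path needs to keep the handle open for SD_Next(); the other failure returns should close it first, as sketched below for the SD_Check() branch. Separately, `strcpy(shell,sd->shell)` in the old-API success path copies into the fixed 256-byte `shell` buffer with no bound — the size of sd->shell is not visible here, so `strlcpy(shell, sd->shell, sizeof(shell))` would be safe regardless. In securid_usersfile_find() the lstat()-then-fopen() sequence checks only group/other write bits, never the file's owner, and is racy between the two calls; checking the opened FILE's fstat() result and owner (as sshd does for other per-user files) would close both gaps.
```c
	ret = SD_Check(sd_dat, (char *)password, pw->pw_name);
	if(ret == ACM_OK)
		goto success;
	if(ret == ACM_NEXT_CODE_REQUIRED) {
		error("SecurID: needs next token.");
		state = 1; /* keep sd_dat open; SD_Next() reuses it on the next attempt */
		return 0;
	}
	/* … unchanged: per-return-code error() messages … */
	if(SD_Close(sd_dat) != ACM_OK)
		error("SecurID: SD_Close - Handle invalid.");
	return 0; /* Failed! */
```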
diff -ruN openssh-5.1p1/auth.h openssh-5.1p1-securid/auth.h
--- openssh-5.1p1/auth.h Wed Jul 2 08:37:30 2008
+++ openssh-5.1p1-securid/auth.h Mon Sep 1 01:52:47 2008
@@ -107,6 +107,9 @@
auth_rhosts2(struct passwd *, const char *, const char *, const char *);
int auth_rhosts_rsa(Authctxt *, char *, Key *);
+#ifdef SECURID
+int auth_securid(Authctxt *, const char *);
+#endif
int auth_password(Authctxt *, const char *);
int auth_rsa(Authctxt *, BIGNUM *);
int auth_rsa_challenge_dialog(Key *);
diff -ruN openssh-5.1p1/auth2-passwd.c openssh-5.1p1-securid/auth2-passwd.c
--- openssh-5.1p1/auth2-passwd.c Fri Aug 4 22:39:39 2006
+++ openssh-5.1p1-securid/auth2-passwd.c Mon Sep 1 01:54:59 2008
@@ -64,6 +64,20 @@
}
packet_check_eom();
+#ifdef SECURID
+ /* Try SecurID regardless */
+ if (authctxt->valid && options.securid_authentication == 1) {
+ authenticated = PRIVSEP(auth_securid(authctxt, password));
+ /* Only returns < 0 if the account is not a SecurID account */
+ /* Fall back to ordinary passwd authentication. */
+ if(authenticated < 0)
+ authenticated = 0;
+ else
+ goto passreturn;
+ }
+ /* No... continue */
+#endif
+
if (change)
logit("password change not supported");
else if (PRIVSEP(auth_password(authctxt, password)) == 1)
@@ -72,6 +86,9 @@
if (check_nt_auth(1, authctxt->pw) == 0)
authenticated = 0;
#endif
+#ifdef SECURID
+passreturn:
+#endif
memset(password, 0, len);
xfree(password);
return authenticated;
diff -ruN openssh-5.1p1/config.h.in openssh-5.1p1-securid/config.h.in
--- openssh-5.1p1/config.h.in Mon Jul 21 04:30:49 2008
+++ openssh-5.1p1-securid/config.h.in Mon Sep 1 01:55:29 2008
@@ -1254,6 +1254,10 @@
/* Location of PRNGD/EGD random number socket */
#undef PRNGD_SOCKET
+/* Define if you want SecurID support */
+#undef SECURID
+#undef SECURID_NEW
+
/* read(1) can return 0 for a non-closed fd */
#undef PTY_ZEROREAD
diff -ruN openssh-5.1p1/configure openssh-5.1p1-securid/configure
--- openssh-5.1p1/configure Mon Jul 21 04:30:50 2008
+++ openssh-5.1p1-securid/configure Mon Sep 1 02:13:42 2008
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision: 1.409 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for OpenSSH Portable.
+# Generated by GNU Autoconf 2.60 for OpenSSH Portable.
#
# Report bugs to <[email protected]>.
#
@@ -13,8 +13,7 @@
## M4sh Initialization. ##
## --------------------- ##
-# Be more Bourne compatible
-DUALCASE=1; export DUALCASE # for MKS sh
+# Be Bourne compatible
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
emulate sh
NULLCMD=:
@@ -23,13 +22,10 @@
alias -g '${1+"$@"}'='"$@"'
setopt NO_GLOB_SUBST
else
- case `(set -o) 2>/dev/null` in
- *posix*) set -o posix ;;
-esac
-
+ case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
fi
-
-
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
# PATH needs CR
@@ -203,7 +199,7 @@
echo as_func_ret_failure succeeded.
fi
-if (set x; as_func_ret_success y && test x = \"\$1\" ); then
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
:
else
exitcode=1
@@ -222,7 +218,7 @@
else
as_candidate_shells=
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+for as_dir in /usr/bin/posix$PATH_SEPARATOR/bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
@@ -240,6 +236,7 @@
# Try only shells that exist, to save several forks.
if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
{ ("$as_shell") 2> /dev/null <<\_ASEOF
+# Be Bourne compatible
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
emulate sh
NULLCMD=:
@@ -248,12 +245,10 @@
alias -g '${1+"$@"}'='"$@"'
setopt NO_GLOB_SUBST
else
- case `(set -o) 2>/dev/null` in
- *posix*) set -o posix ;;
-esac
-
+ case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
fi
-
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
:
_ASEOF
@@ -261,6 +256,7 @@
CONFIG_SHELL=$as_shell
as_have_required=yes
if { "$as_shell" 2> /dev/null <<\_ASEOF
+# Be Bourne compatible
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
emulate sh
NULLCMD=:
@@ -269,12 +265,10 @@
alias -g '${1+"$@"}'='"$@"'
setopt NO_GLOB_SUBST
else
- case `(set -o) 2>/dev/null` in
- *posix*) set -o posix ;;
-esac
-
+ case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
fi
-
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
:
(as_func_return () {
@@ -407,7 +401,7 @@
echo as_func_ret_failure succeeded.
fi
-if (set x; as_func_ret_success y && test x = \"\$1\" ); then
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
:
else
exitcode=1
@@ -521,28 +515,19 @@
as_mkdir_p=false
fi
-if test -x / >/dev/null 2>&1; then
- as_test_x='test -x'
+# Find out whether ``test -x'' works. Don't use a zero-byte file, as
+# systems may use methods other than mode bits to determine executability.
+cat >conf$$.file <<_ASEOF
+#! /bin/sh
+exit 0
+_ASEOF
+chmod +x conf$$.file
+if test -x conf$$.file >/dev/null 2>&1; then
+ as_executable_p="test -x"
else
- if ls -dL / >/dev/null 2>&1; then
- as_ls_L_option=L
- else
- as_ls_L_option=
- fi
- as_test_x='
- eval sh -c '\''
- if test -d "$1"; then
- test -d "$1/.";
- else
- case $1 in
- -*)set "./$1";;
- esac;
- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
- ???[sx]*):;;*)false;;esac;fi
- '\'' sh
- '
+ as_executable_p=:
fi
-as_executable_p=$as_test_x
+rm -f conf$$.file
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -583,36 +568,36 @@
# Factoring default headers for most tests.
ac_includes_default="\
#include <stdio.h>
-#ifdef HAVE_SYS_TYPES_H
+#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
-#ifdef HAVE_SYS_STAT_H
+#if HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
-#ifdef STDC_HEADERS
+#if STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
-# ifdef HAVE_STDLIB_H
+# if HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif
-#ifdef HAVE_STRING_H
-# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
+#if HAVE_STRING_H
+# if !STDC_HEADERS && HAVE_MEMORY_H
# include <memory.h>
# endif
# include <string.h>
#endif
-#ifdef HAVE_STRINGS_H
+#if HAVE_STRINGS_H
# include <strings.h>
#endif
-#ifdef HAVE_INTTYPES_H
+#if HAVE_INTTYPES_H
# include <inttypes.h>
#endif
-#ifdef HAVE_STDINT_H
+#if HAVE_STDINT_H
# include <stdint.h>
#endif
-#ifdef HAVE_UNISTD_H
+#if HAVE_UNISTD_H
# include <unistd.h>
#endif"
@@ -733,7 +718,6 @@
CC
CFLAGS
LDFLAGS
-LIBS
CPPFLAGS
CPP'
@@ -841,10 +825,10 @@
-disable-* | --disable-*)
ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid feature name: $ac_feature" >&2
{ (exit 1); exit 1; }; }
- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+ ac_feature=`echo $ac_feature | sed 's/-/_/g'`
eval enable_$ac_feature=no ;;
-docdir | --docdir | --docdi | --doc | --do)
@@ -860,10 +844,10 @@
-enable-* | --enable-*)
ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid feature name: $ac_feature" >&2
{ (exit 1); exit 1; }; }
- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+ ac_feature=`echo $ac_feature | sed 's/-/_/g'`
eval enable_$ac_feature=\$ac_optarg ;;
-exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
@@ -1057,19 +1041,19 @@
-with-* | --with-*)
ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid package name: $ac_package" >&2
{ (exit 1); exit 1; }; }
- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+ ac_package=`echo $ac_package| sed 's/-/_/g'`
eval with_$ac_package=\$ac_optarg ;;
-without-* | --without-*)
ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
# Reject names that are not valid shell variable names.
- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
{ echo "$as_me: error: invalid package name: $ac_package" >&2
{ (exit 1); exit 1; }; }
- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+ ac_package=`echo $ac_package | sed 's/-/_/g'`
eval with_$ac_package=no ;;
--x)
@@ -1337,6 +1321,8 @@
--with-zlib=PATH Use zlib in PATH
--without-zlib-version-check Disable zlib version check
--with-skey[=PATH] Enable S/Key support (optionally in PATH)
+ --with-securid Enable ACE 5.X+ SecurID support
+ --with-securid-old Enable SecurID 4.X and earlier SecurID support
--with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
--with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)
@@ -1371,7 +1357,6 @@
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
- LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
@@ -1441,7 +1426,7 @@
if $ac_init_version; then
cat <<\_ACEOF
OpenSSH configure Portable
-generated by GNU Autoconf 2.61
+generated by GNU Autoconf 2.60
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -1455,7 +1440,7 @@
running configure, to aid debugging if configure makes a mistake.
It was created by OpenSSH $as_me Portable, which was
-generated by GNU Autoconf 2.61. Invocation command line was
+generated by GNU Autoconf 2.60. Invocation command line was
$ $0 $@
@@ -1834,7 +1819,7 @@
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="${ac_tool_prefix}gcc"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -1874,7 +1859,7 @@
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_CC="gcc"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -1931,7 +1916,7 @@
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="${ac_tool_prefix}cc"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -1972,7 +1957,7 @@
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; }; then
if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
ac_prog_rejected=yes
continue
@@ -2030,7 +2015,7 @@
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -2074,7 +2059,7 @@
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_prog_ac_ct_CC="$ac_prog"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
@@ -2215,7 +2200,7 @@
# in a Makefile. We should not override ac_cv_exeext if it was cached,
# so that the user can short-circuit this test for compilers unknown to
# Autoconf.
-for ac_file in $ac_files ''
+for ac_file in $ac_files
do
test -f "$ac_file" || continue
case $ac_file in
@@ -2243,12 +2228,6 @@
test "$ac_cv_exeext" = no && ac_cv_exeext=
else
- ac_file=''
-fi
-
-{ echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6; }
-if test -z "$ac_file"; then
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
@@ -2260,6 +2239,8 @@
fi
ac_exeext=$ac_cv_exeext
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
# Check that the compiler produces executables we can run. If not, either
# the compiler is broken, or we cross compile.
@@ -2437,10 +2418,27 @@
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && {
- test -z "$ac_c_werror_flag" ||