
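--- a/openssh-4.7p1/Makefile.in
+++ b/openssh-4.7p1/Makefile.in
@@ -79,10 +79,11 @@
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
 	auth.o auth1.o auth2.o auth-options.o session.o \
 	auth-chall.o auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+	auth-obc.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \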
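--- a/openssh-4.7p1/config.h.in
+++ b/openssh-4.7p1/config.h.in
@@ -1222,10 +1222,13 @@
 #undef SIZEOF_SHORT_INT
 
 /* Define if you want S/Key support */
 #undef SKEY
 
+/* Define if you want OBC support */
+#undef USE_OBC
+
 /* Define if your skeychallenge() function takes 4 arguments (NetBSD) */
 #undef SKEYCHALLENGE_4ARG
 
 /* Define if you want smartcard support */
 #undef SMARTCARD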
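--- a/openssh-4.7p1/configure.ac
+++ b/openssh-4.7p1/configure.ac
@@ -1091,10 +1091,25 @@
         		)
 		fi
 	]
 )
 
+# Check whether user wants OBC support
+OBC_MSG="no"
+AC_ARG_WITH(obc,
+	[  --with-obc      Enable out-of-band challenge support],
+	[
+		if test "x$withval" != "xno" ; then
+
+			AC_DEFINE(USE_OBC, 1, [Define if you want OBC support])
+			OBC_MSG="yes"
+
+			AC_MSG_CHECKING([for out-of-band (obc) support])
+		fi
+	]
+)
+
 # Check whether user wants TCP wrappers support
 TCPW_MSG="no"
 AC_ARG_WITH(tcp-wrappers,
 	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
 	[
@@ -4029,10 +4044,11 @@
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "                       OBC support: $OBC_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"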
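Review bot: `AC_MSG_CHECKING([for out-of-band (obc) support])` in the new AC_ARG_WITH(obc) block has no matching AC_MSG_RESULT, so configure prints a dangling "checking for out-of-band (obc) support..." line, and it is issued after the AC_DEFINE it would normally precede. Either drop the line or pair it and move it up, e.g. `AC_MSG_CHECKING([whether to enable out-of-band challenge support])` followed by `AC_MSG_RESULT([yes])` before `AC_DEFINE(USE_OBC, 1, ...)`. `--with-obc` also turns the feature on without any test for the socket/getaddrinfo headers that auth-obc.c includes; if the existing checks already guarantee them, a one-line comment saying so would save the next reader the search.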
(-)openssh-4.7p1/auth2-chall.c (-3 / +15 lines)
Lines 57-66 Link Here
57
extern KbdintDevice sshpam_device;
57
extern KbdintDevice sshpam_device;
58
#endif
58
#endif
59
#ifdef SKEY
59
#ifdef SKEY
60
extern KbdintDevice skey_device;
60
extern KbdintDevice skey_device;
61
#endif
61
#endif
62
#ifdef USE_OBC
63
extern KbdintDevice obc_device;
64
#endif
62
#endif
65
#endif
63
66
64
KbdintDevice *devices[] = {
67
KbdintDevice *devices[] = {
65
#ifdef BSD_AUTH
68
#ifdef BSD_AUTH
66
	&bsdauth_device,
69
	&bsdauth_device,
Lines 69-78 Link Here
69
	&sshpam_device,
72
	&sshpam_device,
70
#endif
73
#endif
71
#ifdef SKEY
74
#ifdef SKEY
72
	&skey_device,
75
	&skey_device,
73
#endif
76
#endif
77
#ifdef USE_OBC
78
	&obc_device,
79
#endif
74
#endif
80
#endif
75
	NULL
81
	NULL
76
};
82
};
77
83
78
typedef struct KbdintAuthctxt KbdintAuthctxt;
84
typedef struct KbdintAuthctxt KbdintAuthctxt;
Lines 88-98 Link Here
88
void
94
void
89
remove_kbdint_device(const char *devname)
95
remove_kbdint_device(const char *devname)
90
{
96
{
91
	int i, j;
97
	int i, j;
92
98
93
	for (i = 0; devices[i] != NULL; i++)
94
		if (strcmp(devices[i]->name, devname) == 0) {
99
		if (strcmp(devices[i]->name, devname) == 0) {
95
			for (j = i; devices[j] != NULL; j++)
100
			for (j = i; devices[j] != NULL; j++)
96
				devices[j] = devices[j+1];
101
				devices[j] = devices[j+1];
97
			i--;
102
			i--;
98
		}
103
		}
Lines 104-113 Link Here
104
{
109
{
105
	KbdintAuthctxt *kbdintctxt;
110
	KbdintAuthctxt *kbdintctxt;
106
	Buffer b;
111
	Buffer b;
107
	int i;
112
	int i;
108
113
114
109
#ifdef USE_PAM
115
#ifdef USE_PAM
110
	if (!options.use_pam)
116
	if (!options.use_pam)
111
		remove_kbdint_device("pam");
117
		remove_kbdint_device("pam");
112
#endif
118
#endif
113
119
Lines 193-203 Link Here
193
	    authctxt->user ? authctxt->user : "<nouser>",
199
	    authctxt->user ? authctxt->user : "<nouser>",
194
	    devs ? devs : "<no devs>");
200
	    devs ? devs : "<no devs>");
195
201
196
	if (authctxt->user == NULL || !devs)
202
	if (authctxt->user == NULL || !devs)
197
		return 0;
203
		return 0;
198
	if (authctxt->kbdintctxt == NULL)
204
	if (authctxt->kbdintctxt == NULL) 
199
		authctxt->kbdintctxt = kbdint_alloc(devs);
205
		authctxt->kbdintctxt = kbdint_alloc(devs);
200
	return auth2_challenge_start(authctxt);
206
	return auth2_challenge_start(authctxt);
201
}
207
}
202
208
203
/* unregister kbd-int callbacks and context */
209
/* unregister kbd-int callbacks and context */
Lines 350-360 Link Here
350
}
356
}
351
357
352
void
358
void
353
privsep_challenge_enable(void)
359
privsep_challenge_enable(void)
354
{
360
{
355
#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
361
#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY) || defined(USE_OBC)
356
	int n = 0;
362
	int n = 0;
357
#endif
363
#endif
358
#ifdef BSD_AUTH
364
#ifdef BSD_AUTH
359
	extern KbdintDevice mm_bsdauth_device;
365
	extern KbdintDevice mm_bsdauth_device;
360
#endif
366
#endif
Lines 362-378 Link Here
362
	extern KbdintDevice mm_sshpam_device;
368
	extern KbdintDevice mm_sshpam_device;
363
#endif
369
#endif
364
#ifdef SKEY
370
#ifdef SKEY
365
	extern KbdintDevice mm_skey_device;
371
	extern KbdintDevice mm_skey_device;
366
#endif
372
#endif
373
#ifdef USE_OBC
374
	extern KbdintDevice mm_obc_device;
375
#endif
367
376
368
#ifdef BSD_AUTH
377
#ifdef BSD_AUTH
369
	devices[n++] = &mm_bsdauth_device;
378
	devices[n++] = &mm_bsdauth_device;
370
#else
379
#else
371
#ifdef USE_PAM
380
#ifdef USE_PAM
372
	devices[n++] = &mm_sshpam_device;
381
	devices[n++] = &mm_sshpam_device;
373
#endif
382
#endif
374
#ifdef SKEY
383
#ifdef SKEY
375
	devices[n++] = &mm_skey_device;
384
	devices[n++] = &mm_skey_device;
376
#endif
385
#endif
386
#ifdef USE_OBC
387
	devices[n++] = &mm_obc_device;
388
#endif
377
#endif
389
#endif
378
}
390
}
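Review bot: The hunk at old line 198 changes `if (authctxt->kbdintctxt == NULL)` only by appending trailing whitespace, and the hunk at old line 108 adds a second blank line; both are unrelated noise and should be dropped from the patch. The `#ifdef USE_OBC` additions themselves mirror the existing SKEY blocks, including placing `devices[n++] = &mm_obc_device;` inside the `#else` branch of BSD_AUTH in privsep_challenge_enable, which looks intentional.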
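--- a/openssh-4.7p1/auth.h
+++ b/openssh-4.7p1/auth.h
@@ -69,10 +69,11 @@
 	char		*krb5_ticket_file;
 	char		*krb5_ccname;
 #endif
 	Buffer		*loginmsg;
 	void		*methoddata;
+	char		*obc;
 };
 /*
  * Every authentication method has to handle authentication requests for
  * non-existing users, or for users that are not allowed to login. In this
  * case 'valid' is set to 0, but 'user' points to the username requested by
@@ -153,10 +154,13 @@
 void	auth2_challenge_stop(Authctxt *);
 int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int	bsdauth_respond(void *, u_int, char **);
 int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int	skey_respond(void *, u_int, char **);
+int	obc_challenge(Authctxt *);
+int	obc_auth(Authctxt *);
+int	obc_send(char *, char *, char *);
 
 int	allowed_user(struct passwd *);
 struct passwd * getpwnamallow(const char *user);
 
 char	*get_challenge(Authctxt *);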
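Review bot: `int obc_auth(Authctxt *);` is declared here but no definition of obc_auth appears anywhere in the patch (auth-obc.c defines obc_challenge, obc_send, obc_gen, obc_haskey and obc_passcheck), so the prototype should be dropped or the function added. `obc_send(char *, char *, char *)` only reads its arguments and should be declared `int obc_send(const char *, const char *, const char *);`. The new `char *obc;` member of Authctxt needs an ownership comment, because obc_gen() malloc()s it while obc_free_ctx() only sets it to NULL; I would write `char		*obc;	/* out-of-band challenge, owned by Authctxt; released in obc_free_ctx() */` and make obc_free_ctx() actually free it.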
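--- a/openssh-4.7p1/auth-obc.c
+++ b/openssh-4.7p1/auth-obc.c
@@ -0,0 +1,370 @@
+/* $OpenBSD: auth-obc.c,v 0.5 2008/02/04 07:55:00 pgsery Exp $ */
+/*
+ * Copyright (c) 2008 Paul Sery.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* This code was derived from Markus Friedl's auth-skey.c and
+	Daniel B. Cid's Ossec/sendmail.c */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "packet.h"
+#include "log.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "buffer.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#include "monitor_wrap.h"
+#include "servconf.h"
+#include "uidswap.h"
+
+#include <netinet/in.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/types.h>  
+#include <string.h>
+#include <stdarg.h>
+#include <unistd.h>     
+#include "includes.h"   
+#include "log.h"
+
+/* import */
+extern ServerOptions options;
+
+#define OS_SIZE_1024    1024
+
+#define OS_SUCCESS       0      /* Success */
+#define OS_INVALID      -1      /* Invalid entry */
+#define OS_NOTFOUND     -2      /* Entry not found */
+#define OS_FILERR       -3      /* Error in the file */
+#define OS_SIZELIM      -4      /* Size limit problem */
+#define OS_CFGERR       -5      /* Configuration error */
+#define OS_SOCKTERR     -6      /* Socket error */
+#define OS_MISVALUE     -7      /* There are values missing */
+#define OS_CONNERR      -8      /* Connection failed */
+#define OS_UNDEF        -9      /* Uknown error */
+#define OS_MEMERR       -10     /* Memory Error */
+#define OS_SOCKBUSY -11 /* Busy socket -- try again */
+
+#define OS_ENDFILE      -20     /* End of file */
+#define OS_FINISH       -21     /* Finished this task */
+
+
+/* Return codes (from SMTP server) */
+#define VALIDBANNER             "220"
+#define VALIDMAIL               "250"
+#define VALIDDATA               "354"
+
+/* Default values use to connect */
+#define SMTP_DEFAULT_PORT       "25"
+#define HELOMSG                 "Helo openssh\r\n"
+#define MAILFROM                "Mail From: <%s>\r\n"
+#define RCPTTO                  "Rcpt To: <%s>\r\n"
+#define DATAMSG                 "DATA\r\n"
+#define FROM                    "From: <%s>\r\n"
+#define TO                          "To: <%s>\r\n"
+#define CC                          "Cc: <%s>\r\n"
+#define SUBJECT                 "Subject: %s\r\n"
+#define ENDDATA                 "\r\n.\r\n"
+#define QUITMSG                 "QUIT\r\n"
+
+void 
+display_ip(struct addrinfo *ip)
+{
+                struct sockaddr_in *sa = (struct sockaddr_in *) ip->ai_addr;
+                struct in_addr *inadr = (struct in_addr *) &sa->sin_addr.s_addr;
+                debug3("challenge smtp server ip: %-16s", inet_ntoa(*inadr));
+                if (ip->ai_canonname && *ip->ai_canonname) 
+                        debug3("canonical name: %s", ip->ai_canonname);
+}
+
+char *
+obc_recv_tcp(int socket, int sizet)
+{
+	char *ret;
+	int retsize=0;
+
+	ret = (char *) calloc((sizet), sizeof(char));
+	if(ret == NULL)
+		return(NULL);
+       
+	if((retsize = recv(socket, ret, sizet-1,0)) <= 0)
+		return(NULL);
+
+	return(ret);
+}
+
+void  
+obc_send_tcp(int socket, char *type, char *msg, int size)
+{
+        int result;
+        char snd_msg[128];
+
+        if (size) {
+                memset(snd_msg,'\0',size);
+                snprintf(snd_msg,size+1, type, msg);
+                result = send(socket, snd_msg, strlen(snd_msg),0);
+        } else {
+                result = send(socket, type, strlen(type),0);
+        }
+
+        if (result == -1)
+                error("obc send tcp: %d",OS_SOCKTERR);
+}
+
+int 
+obc_connect_smtp(char *smtp_server, char *port)
+{
+        int err, sock, result;
+        struct addrinfo hints, *ip_info, *ip;
+
+        memset(&hints, 0, sizeof(struct addrinfo));
+        hints.ai_family = AF_UNSPEC;    /* Allow IPv4 or IPv6 */
+        hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */
+        hints.ai_flags = 0;
+        hints.ai_protocol = 0;          /* Any protocol */
+
+        if ( (err = getaddrinfo(smtp_server, "25", &hints, &ip_info) != 0) ) {
+                debug3("%s: getaddrinfo %s\n", __func__, gai_strerror(err));
+                return(-1);
+        }
+
+        for (ip = ip_info; ip != NULL; ip = ip->ai_next) {
+                display_ip(ip);
+                if ( (sock = socket(PF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0) {
+                        debug3("%s: can't open socket %d", __func__, sock);
+                        close(sock);
+                        continue;
+                }
+                if ( (result = connect(sock, ip->ai_addr, ip->ai_addrlen)) < 0) 
+                        debug3("%s: %s", __func__, gai_strerror(result));
+                else 
+                        break;
+        }
+
+        if (ip == NULL) {
+                debug3("%s: Could not connect",__func__);
+                return(-1);
+        }
+
+        return(sock);
+}
+
+void
+check_msg(int socket,char *msg,char *type, char *res)
+{
+	if((msg == NULL)||(!strcmp(res, msg)))
+	{
+		if(msg)
+			free(msg);
+		close(socket);
+	}
+	free(msg);
+}
+
+int 
+obc_send(char *obc, char *email_addr, char *smtp_server)
+{
+	int socket;
+	char *msg;
+	char final_to[512];
+
+	if(obc  == NULL)
+		debug3("%s: no message to send",__func__);
+    
+	/* Connecting to the smtp server */
+	socket = obc_connect_smtp(smtp_server, SMTP_DEFAULT_PORT);
+	if(socket < 0)
+		return(socket);
+
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+	check_msg(socket,msg,"returned banner",VALIDBANNER);
+
+	obc_send_tcp(socket,HELOMSG,NULL,0);
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+	check_msg(socket,msg,HELOMSG,VALIDMAIL);
+
+	obc_send_tcp(socket, MAILFROM, email_addr, 128);
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+	check_msg(socket,msg,MAILFROM,VALIDMAIL);
+
+	obc_send_tcp(socket,RCPTTO,email_addr,128);
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+	check_msg(socket,msg,RCPTTO,VALIDMAIL);
+
+	obc_send_tcp(socket,DATAMSG,NULL,0);
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+	check_msg(socket,msg,DATAMSG,VALIDMAIL);
+
+	/* Building "From" and "To" in the e-mail header */
+		final_to[0] = '\0';
+	obc_send_tcp(socket,final_to,NULL,0);
+	obc_send_tcp(socket, TO,email_addr,128);
+	obc_send_tcp(socket, FROM, email_addr, 128);
+	obc_send_tcp(socket, SUBJECT,"Out-of-band challenge",128);
+	obc_send_tcp(socket, obc, NULL, 0);
+
+	/* Sending end of data \r\n.\r\n */
+	obc_send_tcp(socket,ENDDATA,NULL,0);
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+
+	/* quitting and closing socket */
+	obc_send_tcp(socket,QUITMSG,NULL,0);
+	msg = obc_recv_tcp(socket, OS_SIZE_1024);
+
+	/* Returning 0 (success) */
+	close(socket);
+
+	return(0);
+}
+
+int 
+obc_gen(struct Authctxt *authctxt)
+{
+        int i,ran,obc_length=4;
+        char *obc,cpool[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        size_t nchars = sizeof(cpool) - 1;
+
+        /* generate out-of-bound challenge (obc) */
+        obc=malloc(obc_length+1);
+        if (obc == NULL)
+                exit(-1);
+
+        for (i=0;i<obc_length;i++) {
+                ran = arc4random();
+                obc[i] = cpool[ran%nchars];
+        }
+        obc[obc_length] = '\0';
+
+	authctxt->obc = obc;
+
+        return 1;
+}
+
+int
+obc_challenge(Authctxt *authctxt)
+{
+        int i, result=0;
+        char *alias=NULL,*email_addr=NULL;
+
+        for (i=0; options.challenge_users[i] != NULL; i++) {
+                alias=strtok(options.challenge_users[i],":");
+                email_addr=strtok(NULL,":");
+                if (strcmp(authctxt->user,alias) == 0)
+			obc_gen(authctxt);
+                        result = obc_send(authctxt->obc,email_addr,
+                                options.challengesmtpserver);
+        }
+        debug2("%s: challenge sent to %s at %s via %s",
+                __func__, alias ,email_addr,options.challengesmtpserver);
+
+        return(result);
+}
+
+int 
+obc_haskey(char *pw_name)
+{
+	if (pw_name != NULL) 
+		return 0;
+	else
+		return 1;
+}
+
+int 
+obc_passcheck(char *obc_local, char *obc_remote)
+{
+	if (strcmp(obc_local, obc_remote) == 0)
+		return 1;
+
+	return 0;
+}
+
+static void *
+obc_init_ctx(Authctxt *authctxt)
+{
+	int result;
+	result=obc_challenge(authctxt);
+        return authctxt;
+}
+
+int
+obc_query(void *ctx, char **name, char **infotxt,
+    u_int* numprompts, char ***prompts, u_int **echo_on)
+{
+        *name = xstrdup("");
+        *infotxt = xstrdup("");
+        *numprompts = 1;
+        *prompts = xcalloc(*numprompts, sizeof(char *));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
+
+        xasprintf(*prompts, "Enter out-of-band challenge:");
+
+        return 0;
+}
+
+int
+obc_respond(void *ctx, u_int numresponses, char **responses)
+{
+	Authctxt *authctxt = ctx;
+
+	if (authctxt->valid &&
+		numresponses == 1 &&
+		obc_haskey(authctxt->obc) == 0 && 
+		obc_passcheck(authctxt->obc, responses[0]) == 1)
+			return 0;
+	return -1;
+}
+
+static void
+obc_free_ctx(void *ctx)
+{
+	Authctxt *authctx = ctx;
+
+	authctx->obc = NULL;
+}
+
+KbdintDevice obc_device = {
+        "obc",
+        obc_init_ctx,
+	obc_query,
+	obc_respond,
+        obc_free_ctx
+};
+
+KbdintDevice mm_obc_device = {
+        "obc",
+        obc_init_ctx,
+	mm_obc_query,
+	mm_obc_respond,
+        obc_free_ctx
+};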
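Review bot: In obc_challenge the `if (strcmp(authctxt->user,alias) == 0)` at line 283 guards only `obc_gen(authctxt);` — the `result = obc_send(...)` on the next two lines is indented as if it were in the branch but runs on every iteration, so for a non-matching entry the challenge is mailed to that entry's address and, when no challenge has been generated yet, `obc_send_tcp(socket, obc, NULL, 0)` ends up in `strlen(NULL)`. The same loop tokenises `options.challenge_users[i]` with strtok(), which writes a NUL into the configured option string itself, so any later call in the same process sees only the alias and gets `email_addr == NULL`. Elsewhere in the file: obc_send_tcp passes `size+1` (129) as the snprintf() length for the 128-byte `snd_msg`, check_msg calls `free(msg)` twice when `res` equals `msg`, obc_connect_smtp never calls freeaddrinfo() and leaks every socket whose connect() fails, and obc_free_ctx() NULLs `authctxt->obc` without freeing it. The challenge is four characters picked from a 52-letter pool with `ran%nchars` and checked with strcmp(); for a second authentication factor a longer value, unbiased selection and a comparison that does not leak its position of first mismatch would be appropriate. The loop should brace the branch and work on a copy of the option, as below.
```c
int
obc_challenge(Authctxt *authctxt)
{
	int i, result = 0;
	char *entry, *alias, *email_addr;

	for (i = 0; options.challenge_users[i] != NULL; i++) {
		/* tokenise a copy so the configured option is not truncated */
		entry = xstrdup(options.challenge_users[i]);
		alias = entry;
		email_addr = strchr(entry, ':');
		if (email_addr != NULL)
			*email_addr++ = '\0';
		if (email_addr != NULL && strcmp(authctxt->user, alias) == 0) {
			obc_gen(authctxt);
			result = obc_send(authctxt->obc, email_addr,
			    options.challengesmtpserver);
			debug2("%s: challenge sent to %s at %s via %s",
			    __func__, alias, email_addr, options.challengesmtpserver);
			xfree(entry);
			break;
		}
		xfree(entry);
	}

	return (result);
}
```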
(-)openssh-4.7p1/monitor.c (-8 / +36 lines)
Lines 156-165 Link Here
156
int mm_answer_pam_query(int, Buffer *);
156
int mm_answer_pam_query(int, Buffer *);
157
int mm_answer_pam_respond(int, Buffer *);
157
int mm_answer_pam_respond(int, Buffer *);
158
int mm_answer_pam_free_ctx(int, Buffer *);
158
int mm_answer_pam_free_ctx(int, Buffer *);
159
#endif
159
#endif
160
160
161
#ifdef USE_OBC
162
int mm_answer_obc_query(int, Buffer *);
163
int mm_answer_obc_respond(int, Buffer *);
164
#endif
165
161
#ifdef GSSAPI
166
#ifdef GSSAPI
162
int mm_answer_gss_setup_ctx(int, Buffer *);
167
int mm_answer_gss_setup_ctx(int, Buffer *);
163
int mm_answer_gss_accept_ctx(int, Buffer *);
168
int mm_answer_gss_accept_ctx(int, Buffer *);
164
int mm_answer_gss_userok(int, Buffer *);
169
int mm_answer_gss_userok(int, Buffer *);
165
int mm_answer_gss_checkmic(int, Buffer *);
170
int mm_answer_gss_checkmic(int, Buffer *);
Lines 223-232 Link Here
223
#endif
228
#endif
224
#ifdef SKEY
229
#ifdef SKEY
225
    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
230
    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
226
    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
231
    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
227
#endif
232
#endif
233
#ifdef USE_OBC
234
    {MONITOR_REQ_OBCQUERY, MON_ISAUTH, mm_answer_obc_query},
235
    {MONITOR_REQ_OBCRESPOND, MON_AUTH, mm_answer_obc_respond},
236
#endif
228
    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
237
    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
229
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
238
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
230
#ifdef GSSAPI
239
#ifdef GSSAPI
231
    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
240
    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
232
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
241
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
Lines 264-273 Link Here
264
#endif
273
#endif
265
#ifdef SKEY
274
#ifdef SKEY
266
    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
275
    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
267
    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
276
    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
268
#endif
277
#endif
278
#ifdef USE_OBC
279
    {MONITOR_REQ_OBCQUERY, MON_ISAUTH, mm_answer_obc_query},
280
    {MONITOR_REQ_OBCRESPOND, MON_AUTH, mm_answer_obc_respond},
281
#endif
269
#ifdef USE_PAM
282
#ifdef USE_PAM
270
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
283
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
271
    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
284
    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
272
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
285
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
273
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
286
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
Lines 810-842 Link Here
810
	debug3("%s: sending challenge success: %u", __func__, success);
823
	debug3("%s: sending challenge success: %u", __func__, success);
811
	mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
824
	mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
812
825
813
	return (0);
826
	return (0);
814
}
827
}
828
#endif
815
829
830
#ifdef USE_OBC
816
int
831
int
817
mm_answer_skeyrespond(int sock, Buffer *m)
832
mm_answer_obc_query(int sock, Buffer *m)
833
{
834
	char challenge[1024];
835
	u_int success=1;
836
837
	buffer_clear(m);
838
	buffer_put_int(m, success);
839
	if (success)
840
		buffer_put_cstring(m, challenge);
841
842
	debug3("%s: sending challenge success: %u", __func__, success);
843
844
	mm_request_send(sock, MONITOR_ANS_OBCQUERY, m);
845
846
	return (0);
847
}
848
849
int
850
mm_answer_obc_respond(int sock, Buffer *m)
818
{
851
{
819
	char *response;
852
	char *response;
820
	int authok;
853
	int authok;
821
854
822
	response = buffer_get_string(m, NULL);
855
	response = buffer_get_string(m, NULL);
823
856
824
	authok = (options.challenge_response_authentication &&
825
	    authctxt->valid &&
826
	    skey_haskey(authctxt->pw->pw_name) == 0 &&
827
	    skey_passcheck(authctxt->pw->pw_name, response) != -1);
828
829
	xfree(response);
857
	xfree(response);
830
858
831
	buffer_clear(m);
859
	buffer_clear(m);
832
	buffer_put_int(m, authok);
860
	buffer_put_int(m, authok);
833
861
834
	debug3("%s: sending authenticated: %d", __func__, authok);
862
	debug3("%s: sending authenticated: %d", __func__, authok);
835
	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
863
	mm_request_send(sock, MONITOR_ANS_OBCRESPOND, m);
836
864
837
	auth_method = "skey";
865
	auth_method = "obc";
838
866
839
	return (authok != 0);
867
	return (authok != 0);
840
}
868
}
841
#endif
869
#endif
842
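Review bot: mm_answer_obc_respond declares `int authok;` and never assigns it — the skey computation the hunk removes at old lines 824-827 has no replacement — so the value sent with `buffer_put_int(m, authok);` and the monitor's own verdict `return (authok != 0);` are whatever happened to be on the stack, i.e. the privileged process can record the kbd-int step as passed without any comparison having taken place. mm_answer_obc_query, one function earlier, has the matching defect: `char challenge[1024];` is never written before `buffer_put_cstring(m, challenge);`, so uninitialized monitor stack contents are shipped to the unprivileged child (and read past the array if no NUL happens to be present). The monitor must own the challenge: generate and mail it in mm_answer_obc_query via obc_challenge() on the monitor's `authctxt`, and compare the child's response against `authctxt->obc` in mm_answer_obc_respond, as sketched below, so that the child never holds the expected answer. obc_passcheck() is not declared in auth.h, so a prototype is needed there for this to compile cleanly.
```c
int
mm_answer_obc_query(int sock, Buffer *m)
{
	u_int success;

	/* generate and mail the challenge in the privileged process so the
	 * unprivileged child never holds the expected answer */
	success = (obc_challenge(authctxt) == 0 && authctxt->obc != NULL);

	buffer_clear(m);
	buffer_put_int(m, success);
	if (success)
		buffer_put_cstring(m, "");	/* prompt prefix only, never the secret */
	/* … unchanged: debug3(), mm_request_send(), return … */
}

int
mm_answer_obc_respond(int sock, Buffer *m)
{
	char *response;
	int authok;

	response = buffer_get_string(m, NULL);

	authok = (options.challenge_response_authentication &&
	    authctxt->valid && authctxt->obc != NULL &&
	    obc_passcheck(authctxt->obc, response) == 1);

	/* … unchanged: xfree(response), reply, auth_method = "obc", return … */
}
```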
870
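--- a/openssh-4.7p1/monitor.h
+++ b/openssh-4.7p1/monitor.h
@@ -37,10 +37,12 @@
 	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
 	MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
 	MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
 	MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY,
 	MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND,
+	MONITOR_REQ_OBCQUERY, MONITOR_ANS_OBCQUERY,
+	MONITOR_REQ_OBCRESPOND, MONITOR_ANS_OBCRESPOND,
 	MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED,
 	MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY,
 	MONITOR_REQ_KEYEXPORT,
 	MONITOR_REQ_PTY, MONITOR_ANS_PTY,
 	MONITOR_REQ_PTYCLEANUP,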
(-)openssh-4.7p1/monitor_wrap.c (-3 / +114 lines)
Lines 817-836 Link Here
817
{
817
{
818
	Buffer m;
818
	Buffer m;
819
	u_int i;
819
	u_int i;
820
	int ret;
820
	int ret;
821
821
822
	debug3("%s", __func__);
822
	debug2("%s", __func__);
823
	buffer_init(&m);
823
	buffer_init(&m);
824
	buffer_put_int(&m, num);
824
	buffer_put_int(&m, num);
825
	for (i = 0; i < num; ++i)
825
	for (i = 0; i < num; ++i)
826
		buffer_put_cstring(&m, resp[i]);
826
		buffer_put_cstring(&m, resp[i]);
827
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
827
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
828
	debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
828
	debug2("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
829
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
829
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
830
	ret = buffer_get_int(&m);
830
	ret = buffer_get_int(&m);
831
	debug3("%s: pam_respond returned %d", __func__, ret);
831
	debug2("%s: pam_respond returned %d", __func__, ret);
832
	buffer_free(&m);
832
	buffer_free(&m);
833
	return (ret);
833
	return (ret);
834
}
834
}
835
835
836
void
836
void
Lines 1007-1016 Link Here
1007
1007
1008
	return ((authok == 0) ? -1 : 0);
1008
	return ((authok == 0) ? -1 : 0);
1009
}
1009
}
1010
#endif /* SKEY */
1010
#endif /* SKEY */
1011
1011
1012
#ifdef USE_OBC
1013
int
1014
mm_obc_query(void *ctx, char **name, char **infotxt,
1015
   u_int *numprompts, char ***prompts, u_int **echo_on)
1016
{
1017
	Buffer m;
1018
	u_int success;
1019
	char *challenge;
1020
1021
	buffer_init(&m);
1022
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_OBCQUERY, &m);
1023
1024
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_OBCQUERY,
1025
	    &m);
1026
	success = buffer_get_int(&m);
1027
	if (success == 0) {
1028
		debug3("%s: no challenge", __func__);
1029
		buffer_free(&m);
1030
		return (-1);
1031
	}
1032
1033
	/* Get the challenge, and format the response */
1034
	challenge  = buffer_get_string(&m, NULL);
1035
	buffer_free(&m);
1036
1037
	debug2("%s: received challenge: %s", __func__, challenge);
1038
1039
	mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
1040
1041
	xasprintf(*prompts, "%s%s", challenge, "Out-of-band challenge: ");
1042
	xfree(challenge);
1043
1044
	return (0);
1045
}
1046
1047
int
1048
mm_obc_respond(void *ctx, u_int numresponses, char **responses)
1049
{
1050
	Buffer m;
1051
	int authok;
1052
        Authctxt *authctxt = ctx;
1053
1054
	debug3("%s entering", __func__);
1055
	if (numresponses != 1)
1056
		return (-1);
1057
1058
	buffer_init(&m);
1059
	buffer_put_cstring(&m, responses[0]);
1060
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_OBCRESPOND, &m);
1061
1062
	mm_request_receive_expect(pmonitor->m_recvfd,
1063
	    MONITOR_ANS_OBCRESPOND, &m);
1064
1065
	authok = buffer_get_int(&m);
1066
	buffer_free(&m);
1067
			authctxt->postponed = 0;
1068
1069
        if (authctxt->valid &&
1070
                numresponses == 1 &&
1071
                obc_haskey(authctxt->obc) == 0 &&
1072
                obc_passcheck(authctxt->obc, responses[0]) == 1) {
1073
                        return 0;
1074
	}
1075
	return -1;
1076
}
1077
#endif /* USE_OBC */
1078
1079
1012
void
1080
void
1013
mm_ssh1_session_id(u_char session_id[16])
1081
mm_ssh1_session_id(u_char session_id[16])
1014
{
1082
{
1015
	Buffer m;
1083
	Buffer m;
1016
	int i;
1084
	int i;
Lines 1235-1239 Link Here
1235
	buffer_free(&m);
1303
	buffer_free(&m);
1236
	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1304
	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1237
	return (authenticated);
1305
	return (authenticated);
1238
}
1306
}
1239
#endif /* GSSAPI */
1307
#endif /* GSSAPI */
1308
1309
#ifdef USE_OBC
1310
int 
1311
mm_obc_connect_smtp(char *smtp_server, char *port)
1312
{
1313
        int err, sock, result;
1314
        struct addrinfo hints, *ip_info, *ip;
1315
1316
        debug3("[obc_connect] host %s, port %s",smtp_server,port);
1317
1318
        memset(&hints, 0, sizeof(struct addrinfo));
1319
        hints.ai_family = AF_UNSPEC;    /* Allow IPv4 or IPv6 */
1320
        hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */
1321
        hints.ai_flags = 0;
1322
        hints.ai_protocol = 0;          /* Any protocol */
1323
1324
        if ( (err = getaddrinfo(smtp_server, "25", &hints, &ip_info) != 0) ) {
1325
/*        if ( (err = getaddrinfo("76.96.30.117", "25", &hints, &ip_info) != 0) ) {*/
1326
                debug3("[obc_connect]getaddrinfo: %s\n", gai_strerror(err));
1327
                return(-1);
1328
        }
1329
1330
        for (ip = ip_info; ip != NULL; ip = ip->ai_next) {
1331
                display_ip(ip);
1332
                if ( (sock = socket(PF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0) {
1333
                        debug3("[obc_connect] can't open socket %d", sock);
1334
                        close(sock);
1335
                        continue;
1336
                }
1337
                if ( (result = connect(sock, ip->ai_addr, ip->ai_addrlen)) < 0) 
1338
                        debug3("[obc_connect] %s", gai_strerror(result));
1339
                else 
1340
                        break;
1341
        }
1342
1343
        if (ip == NULL) {
1344
                debug3("[obc_connect]Could not connect");
1345
                return(-1);
1346
        }
1347
1348
        return(sock);
1349
}
1350
#endif
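--- a/openssh-4.7p1/monitor_wrap.h
+++ b/openssh-4.7p1/monitor_wrap.h
@@ -99,10 +99,14 @@
 
 /* skey */
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
+/* obc */
+int mm_obc_query(void *, char **, char **, u_int *, char ***, u_int **);
+int mm_obc_respond(void *, u_int, char **);
+
 /* zlib allocation hooks */
 
 void *mm_zalloc(struct mm_master *, u_int, u_int);
 void mm_zfree(struct mm_master *, void *);
 void mm_init_compression(struct mm_master *);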
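Review bot: The new `/* obc */` prototypes are unconditional, while the functions they declare are compiled only under `#ifdef USE_OBC` in monitor_wrap.c (the `#endif /* USE_OBC */` after mm_obc_respond and the `#ifdef USE_OBC` around mm_obc_connect_smtp are visible earlier in this patch); wrapping the three header lines in the same `#ifdef USE_OBC` … `#endif` keeps the header consistent with what a non-OBC build actually provides. mm_obc_connect_smtp is also defined with external linkage in monitor_wrap.c but has no prototype here, so any caller in another translation unit would be relying on an implicit declaration; add `int mm_obc_connect_smtp(char *, char *);` next to the other two, or make the function static if it is only used within monitor_wrap.c.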
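--- a/openssh-4.7p1/servconf.c
+++ b/openssh-4.7p1/servconf.c
@@ -120,10 +120,12 @@
 	options->authorized_keys_file2 = NULL;
 	options->num_accept_env = 0;
 	options->permit_tun = -1;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
+	options->obc_authentication = -1;
+	options->max_challenge_users = 0;
 }
 
 void
 fill_default_server_options(ServerOptions *options)
 {
@@ -261,10 +263,13 @@
 		error("Compression disabled");
 		options->compression = 0;
 	}
 #endif
 
+	if (options->obc_authentication == -1)
+		options->obc_authentication = 1;
+
 }
 
 /* Keyword tokens. */
 typedef enum {
 	sBadOption,		/* == unknown option */
@@ -290,12 +295,13 @@
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
-	sUsePrivilegeSeparation,
+        sUsePrivilegeSeparation, sChallengeUsers, sChallengeSMTPServer,
 	sDeprecated, sUnsupported
+
 } ServerOpCodes;
 
 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
 #define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
@@ -401,10 +407,12 @@
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
  	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
+	{ "challengeusers", sChallengeUsers, SSHCFG_GLOBAL },
+        { "challengesmtpserver", sChallengeSMTPServer, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
 
 /*
  * Returns the number of the token pointed to by cp or sBadOption.
@@ -1265,10 +1273,30 @@
 		    filename, linenum, arg);
 		while (arg)
 		    arg = strdelim(&cp);
 		break;
 
+	case sChallengeUsers:
+		while ((arg = strdelim(&cp)) && *arg != '\0') {
+			if (options->max_challenge_users >= MAX_CHALLENGE_USERS)
+				fatal("%s line %d: too many challenge users.",
+					filename, linenum);
+			options->challenge_users[options->max_challenge_users++] =
+				xstrdup(arg);
+		}
+		break;
+
+        case sChallengeSMTPServer:
+                while ((arg = strdelim(&cp)) && *arg != '\0') {
+                        if (options->challengesmtpserver >= 1)
+                                fatal("%s line %d: too many challenge smtp servers.",
+                                        filename, linenum);
+                        options->challengesmtpserver =
+                                xstrdup(arg);
+                }
+                break;
+
 	default:
 		fatal("%s line %d: Missing handler for opcode %s (%d)",
 		    filename, linenum, arg, opcode);
 	}
 	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')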
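Review bot: In the sChallengeSMTPServer case, `if (options->challengesmtpserver >= 1)` compares a `char *` with an integer constant, which is not valid C (only 0 is a null pointer constant) and at best compiles with a warning; the intended duplicate check is `if (options->challengesmtpserver != NULL)`. That check also assumes the field starts out NULL, but the initialize_server_options hunk sets only obc_authentication and max_challenge_users — unless the function zeroes the whole struct first (not visible here), the pointer is read uninitialized on the first ChallengeSMTPServer line. fill_default_server_options turns obc_authentication on, yet no keyword in the table maps to it, so an administrator has no way to disable the mechanism from sshd_config; either add a keyword or document that the option is compile-time only. The ChallengeUsers handler stores each token verbatim without checking for the `alias:address` form the documentation requires, so a malformed entry is presumably only noticed when a user tries to authenticate; a parse-time check such as `if (strchr(arg, ':') == NULL) fatal("%s line %d: bad ChallengeUsers entry.", filename, linenum);` would surface it at startup.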
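--- a/openssh-4.7p1/servconf.h
+++ b/openssh-4.7p1/servconf.h
@@ -24,10 +24,11 @@
 #define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
 #define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
 #define MAX_HOSTKEYS		256	/* Max # hostkeys. */
 #define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
 #define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
+#define MAX_CHALLENGE_USERS    256     /* Max # of groups for Match. */
 
 /* permit_root_login */
 #define	PERMIT_NOT_SET		-1
 #define	PERMIT_NO		0
 #define	PERMIT_FORCED_ONLY	1
@@ -139,10 +140,15 @@
 	int	use_pam;		/* Enable auth via PAM */
 
 	int	permit_tun;
 
 	int	num_permitted_opens;
+
+	int     obc_authentication;     /* Permit out-of-band challenge if true */
+	int     max_challenge_users;
+	char    *challenge_users[MAX_CHALLENGE_USERS];
+	char    *challengesmtpserver;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);
 void	 fill_default_server_options(ServerOptions *);
 int	 process_server_config_line(ServerOptions *, char *, const char *, int,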
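Review bot: The comment on the new `MAX_CHALLENGE_USERS` define was copied from the line above and still reads "Max # of groups for Match."; it should describe the new limit, e.g. `#define MAX_CHALLENGE_USERS    256     /* Max # of ChallengeUsers entries. */`. In the ServerOptions hunk the new `challengesmtpserver` field breaks the snake_case used by its neighbours (`obc_authentication`, `max_challenge_users`); `challenge_smtp_server` would match. The two fields after obc_authentication carry no comment: note that `max_challenge_users` is the number of populated `challenge_users` slots rather than a limit, and that each `challenge_users` entry holds the raw `alias:address` token from sshd_config.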
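--- a/openssh-4.7p1/sshd_config
+++ b/openssh-4.7p1/sshd_config
@@ -61,10 +61,16 @@
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 
+# Configure the smtp server for sending out-of-band (obc) challenges 
+#ChallengeSMTPServer host.some.domain
+
+# Configure user to receive out-of-band (obc) challenges
+#ChallengeUsers alias:user@some.domain
+
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no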
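--- a/openssh-4.7p1/sshd_config.5
+++ b/openssh-4.7p1/sshd_config.5
@@ -170,10 +170,30 @@
 All authentication styles from
 .Xr login.conf 5
 are supported.
 The default is
 .Dq yes .
+.It Cm ChallengeSMTPServer
+Specifies the SMTP server to send OBC challenges through. Use the format:
+
+ChallengeSMTPServer     name/IP address
+
+You can specify the domain name or IP address; specify an IP address when
+using privilege separation. You can also specify localhost if your computer
+is configured to configured to send mail.
+
+.It Cm ChallengeUsers
+Specifies the user(s) and their e-mail addresses who can receive out-of-band
+challenges (OBC). OBC provides server-side authentication by generating and
+e-mailing a random password. The user is authenticated by correctly entering
+the challenge when prompted.
+
+Use the format:
+
+ChallengeUsers  alias:user@someaddr
+
+ChallengeResponseAuthentication must be set for ChallengeUsers to work.
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 The supported ciphers are
 .Dq 3des-cbc ,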
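--- a/openssh-4.7p1/README.obc
+++ b/openssh-4.7p1/README.obc
@@ -0,0 +1,35 @@
+How to authenticate using an Out-of-Band Challenge (OBC)
+
+Overview:
+
+The out-of-band challenge (OBC) patch adds a new kbdint device that provides a challenge-based authentication mechanism. The server generates and emails you a random string when you attempt to login. You're authenticated if you can correctly answer the challenge.
+
+You can use a regular email account, a pager, cell phone or other email capable device to receive the challenge. However, by using a physical device you can completely separate your authentication credential from your workstation.
+
+OBC can be used in conjunction with the "Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435), which allows you to require two or more authentications for a successful login. By combining OBC with Multiauth, you can create two physically separate authentication factors equivalent to a commercial token. For instance, combine public key and OBC authentications.
+
+Configuration:
+
+The user's OBC email address is stored in the sshd_config file using the format username:emailaddr@somedomain. For instance, if your user name and email address are paul and paul@swcp.com, add the following line to sshd_config:
+
+ChallengeUsers paul:paul@swcp.com
+
+If your alias is paul and email address is pgsery@swcp.com, then add the line:
+
+ChallengeUsers paul:pgsery@swcp.com
+
+You must also specify the outgoing SMTP email server to use. If your SMTP server is mail.swcp.com and you're not using privilege separation, add the line:
+
+ChallengeSMTPServer	mail.swcp.com
+
+OBC currently doesn't perform DNS name resolution with privilege separation. When using privilege separation, you must specify your SMTP server's IP address:
+
+ChallengeSMTPServer	216.184.2.128
+
+Compilation:
+
+Install and compile the OBC patch:
+
+authconf
+./configure --with-obc
+make install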
