diff options
author | des <des@FreeBSD.org> | 2002-06-23 16:09:08 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-06-23 16:09:08 +0000 |
commit | fa8aa6dfe7e9aaab9f8fa1e3290e7242fc12d83d (patch) | |
tree | cc93abce4a81ab84afa26d861b756d5c77818afa /crypto/openssh/authfd.c | |
parent | e9f3540c66a76052e51a348bdd05a068d0855d3d (diff) | |
download | FreeBSD-src-fa8aa6dfe7e9aaab9f8fa1e3290e7242fc12d83d.zip FreeBSD-src-fa8aa6dfe7e9aaab9f8fa1e3290e7242fc12d83d.tar.gz |
Resolve conflicts. Known issues:
- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated
I will have these issues resolved, and privilege separation turned on by
default, in time for DP2.
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'crypto/openssh/authfd.c')
-rw-r--r-- | crypto/openssh/authfd.c | 56 |
1 files changed, 47 insertions, 9 deletions
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c index 35a6a3f..69fa660 100644 --- a/crypto/openssh/authfd.c +++ b/crypto/openssh/authfd.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.48 2002/02/24 19:14:59 markus Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.55 2002/06/19 00:27:55 deraadt Exp $"); RCSID("$FreeBSD$"); #include <openssl/evp.h> @@ -60,7 +60,7 @@ int decode_reply(int type); /* macro to check for "agent failure" message */ #define agent_failed(x) \ ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \ - (x == SSH2_AGENT_FAILURE)) + (x == SSH2_AGENT_FAILURE)) /* Returns the number of the authentication fd, or -1 if there is none. */ @@ -208,6 +208,26 @@ ssh_close_authentication_connection(AuthenticationConnection *auth) xfree(auth); } +/* Lock/unlock agent */ +int +ssh_lock_agent(AuthenticationConnection *auth, int lock, const char *password) +{ + int type; + Buffer msg; + + buffer_init(&msg); + buffer_put_char(&msg, lock ? SSH_AGENTC_LOCK : SSH_AGENTC_UNLOCK); + buffer_put_cstring(&msg, password); + + if (ssh_request_reply(auth, &msg, &msg) == 0) { + buffer_free(&msg); + return 0; + } + type = buffer_get_char(&msg); + buffer_free(&msg); + return decode_reply(type); +} + /* * Returns the first authentication identity held by the agent. */ @@ -420,8 +440,6 @@ ssh_agent_sign(AuthenticationConnection *auth, static void ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) { - buffer_clear(b); - buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY); buffer_put_int(b, BN_num_bits(key->n)); buffer_put_bignum(b, key->n); buffer_put_bignum(b, key->e); @@ -436,8 +454,6 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) static void ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { - buffer_clear(b); - buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY); buffer_put_cstring(b, key_ssh_name(key)); switch (key->type) { case KEY_RSA: @@ -465,19 +481,28 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) */ int -ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) +ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, + const char *comment, u_int life) { Buffer msg; - int type; + int type, constrained = (life != 0); buffer_init(&msg); switch (key->type) { case KEY_RSA1: + type = constrained ? + SSH_AGENTC_ADD_RSA_ID_CONSTRAINED : + SSH_AGENTC_ADD_RSA_IDENTITY; + buffer_put_char(&msg, type); ssh_encode_identity_rsa1(&msg, key->rsa, comment); break; case KEY_RSA: case KEY_DSA: + type = constrained ? + SSH2_AGENTC_ADD_ID_CONSTRAINED : + SSH2_AGENTC_ADD_IDENTITY; + buffer_put_char(&msg, type); ssh_encode_identity_ssh2(&msg, key, comment); break; default: @@ -485,6 +510,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) return 0; break; } + if (constrained) { + if (life != 0) { + buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); + buffer_put_int(&msg, life); + } + } if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); return 0; @@ -494,6 +525,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) return decode_reply(type); } +int +ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) +{ + return ssh_add_identity_constrained(auth, key, comment, 0); +} + /* * Removes an identity from the authentication server. This call is not * meant to be used by normal applications. @@ -533,7 +570,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) } int -ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id) +ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) { Buffer msg; int type; @@ -542,6 +579,7 @@ ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id) buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY : SSH_AGENTC_REMOVE_SMARTCARD_KEY); buffer_put_cstring(&msg, reader_id); + buffer_put_cstring(&msg, pin); if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); return 0; |