authormarkm <markm@FreeBSD.org>2001-07-09 17:46:24 +0000
committermarkm <markm@FreeBSD.org>2001-07-09 17:46:24 +0000
commit3b3e6201e7f71b617087cadf40ad1f638ba77d1f (patch)
tree477fe2b2a756a2b0c8048bc2becc1e93d8a56984 /libexec
parent1c3a14b4014991f063e1c18ff82727fd89591c3b (diff)
Remove S/Key. PAM can do its job. Well, not quite - there is an issue
with the conversation function and challenges which needs to be revisited, so in the interim a hack is introduced to provide an OPIE challenge (which is random if OPIE does not apply) at all non-anonymous logins.
Diffstat (limited to 'libexec')
-rw-r--r--libexec/ftpd/Makefile12
-rw-r--r--libexec/ftpd/extern.h3
-rw-r--r--libexec/ftpd/ftpd.c34
-rw-r--r--libexec/ftpd/skey-stuff.c33
4 files changed, 19 insertions, 63 deletions
diff --git a/libexec/ftpd/Makefile b/libexec/ftpd/Makefile
index 6d81aee..4d1f301 100644
--- a/libexec/ftpd/Makefile
+++ b/libexec/ftpd/Makefile
@@ -3,15 +3,19 @@
PROG= ftpd
MAN= ftpd.8
-SRCS= ftpd.c ftpcmd.y logwtmp.c popen.c skey-stuff.c
+SRCS= ftpd.c ftpcmd.y logwtmp.c popen.c
-CFLAGS+=-DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall
+CFLAGS+=-DSETPROCTITLE -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall
CFLAGS+=-DINET6
CFLAGS+=-I${.CURDIR}
YFLAGS=
-LDADD= -lskey -lmd -lcrypt -lutil
-DPADD= ${LIBSKEY} ${LIBMD} ${LIBCRYPT} ${LIBUTIL}
+LDADD= -lmd -lcrypt -lutil
+DPADD= ${LIBMD} ${LIBCRYPT} ${LIBUTIL}
+
+# XXX Kluge! Conversation mechanism needs to be fixed.
+LDADD+= -lopie
+DPADD+= ${LIBOPIE}
LSDIR= ../../bin/ls
.PATH: ${.CURDIR}/${LSDIR}
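Review bot: `LDADD+= -lopie` and `DPADD+= ${LIBOPIE}` are added unconditionally, while the only use of libopie in this commit (ftpd.c) sits under `#ifdef USE_PAM`. No `-DUSE_PAM` appears in the visible CFLAGS lines, so it is presumably set elsewhere in the Makefile; placing the two lines under that same condition would keep a non-PAM build from linking an authentication library it never calls. The XXX comment could also say what retires the kluge, e.g. `# XXX Kluge! Drop once ftpd's PAM conversation function can relay the OPIE challenge.`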
diff --git a/libexec/ftpd/extern.h b/libexec/ftpd/extern.h
index a490826..9e0562e 100644
--- a/libexec/ftpd/extern.h
+++ b/libexec/ftpd/extern.h
@@ -68,9 +68,6 @@ void upper __P((char *));
void user __P((char *));
void yyerror __P((char *));
int yyparse __P((void));
-#if defined(SKEY) && defined(_PWD_H_) /* XXX evil */
-char *skey_challenge __P((char *, struct passwd *, int));
-#endif
int ls_main __P((int, char **));
struct sockaddr_in;
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index bd57cee..be02623 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -78,6 +78,9 @@ static const char rcsid[] =
#include <netdb.h>
#include <pwd.h>
#include <grp.h>
+#ifdef USE_PAM
+#include <opie.h> /* XXX */
+#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
@@ -91,10 +94,6 @@ static const char rcsid[] =
#include <login_cap.h>
#endif
-#ifdef SKEY
-#include <skey.h>
-#endif
-
#ifdef USE_PAM
#include <security/pam_appl.h>
#endif
@@ -185,6 +184,10 @@ char *tty = ttyline; /* for klogin */
#ifdef USE_PAM
static int auth_pam __P((struct passwd**, const char*));
pam_handle_t *pamh = NULL;
+
+/* Kluge because the conversation mechanism has not been threshed out */
+static struct opie opiedata;
+static char opieprompt[OPIE_CHALLENGE_MAX+1];
#endif
char *pid_file = NULL;
@@ -215,10 +218,6 @@ char *LastArgv = NULL; /* end of argv */
char proctitle[LINE_MAX]; /* initial part of title */
#endif /* SETPROCTITLE */
-#ifdef SKEY
-int pwok = 0;
-#endif
-
#define LOGCMD(cmd, file) \
if (logging > 1) \
syslog(LOG_INFO,"%s %s%s", cmd, \
@@ -960,9 +959,10 @@ user(name)
}
if (logging)
strncpy(curname, name, sizeof(curname)-1);
-#ifdef SKEY
- pwok = skeyaccess(name, NULL, remotehost, remotehost);
- reply(331, "%s", skey_challenge(name, pw, pwok));
+#ifdef USE_PAM
+ /* XXX Kluge! The conversation mechanism needs to be fixed. */
+ opiechallenge(&opiedata, name, opieprompt);
+ reply(331, "[ %s ] Password required for %s.", opieprompt, name);
#else
reply(331, "Password required for %s.", name);
#endif
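Review bot: The result of `opiechallenge()` is discarded and none of the visible hunks reads `opiedata` again, so the challenge printed in the 331 reply is not tied to any verification in ftpd itself; presumably the PAM OPIE module regenerates and checks it, and the comment should say so. As far as I recall, libopie's opiechallenge() also takes a per-user lock on success that is normally released by opieverify(); if that holds here, a session that sends USER and never completes PASS would leave the lock held until it times out, so it is worth confirming that the PAM module or an explicit `opieunlock()` releases it. A fuller comment would help, e.g. `/* XXX Kluge: challenge is display-only; verification happens in the PAM stack. Return value ignored: a random challenge is produced for non-OPIE users. */`. user() begins and ends outside this hunk.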
@@ -1236,16 +1236,7 @@ pass(passwd)
if (rval >= 0)
goto skip;
#endif
-#ifdef SKEY
- if (pwok)
- rval = strcmp(pw->pw_passwd,
- crypt(passwd, pw->pw_passwd));
- if (rval)
- rval = strcmp(pw->pw_passwd,
- skey_crypt(passwd, pw->pw_passwd, pw, pwok));
-#else
rval = strcmp(pw->pw_passwd, crypt(passwd, pw->pw_passwd));
-#endif
/* The strcmp does not catch null passwords! */
if (*pw->pw_passwd == '\0' ||
(pw->pw_expire && time(NULL) >= pw->pw_expire))
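Review bot: With `pwok` gone, the `crypt()` comparison is the only check left outside PAM, and in a USE_PAM build it is still reached whenever `auth_pam()` leaves `rval` negative (`if (rval >= 0) goto skip;`). On that path a client that was shown an OPIE challenge in user() is authenticated with the reusable password alone, and the per-host restriction that `skeyaccess()` used to supply is no longer applied here. What a negative `rval` means is not visible in this hunk; if it only signals that PAM could not be used, consider failing closed, or at least document the fallback, e.g. `/* PAM unusable: fall back to the reusable password; no one-time-password check on this path */`. pass() begins and ends outside this hunk.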
@@ -1272,9 +1263,6 @@ skip:
return;
}
}
-#ifdef SKEY
- pwok = 0;
-#endif
login_attempts = 0; /* this time successful */
if (setegid((gid_t)pw->pw_gid) < 0) {
reply(550, "Can't set gid.");
diff --git a/libexec/ftpd/skey-stuff.c b/libexec/ftpd/skey-stuff.c
deleted file mode 100644
index f06a415..0000000
--- a/libexec/ftpd/skey-stuff.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/* Author: Wietse Venema, Eindhoven University of Technology.
- */
-
-#ifndef lint
-static const char rcsid[] =
- "$FreeBSD$";
-#endif /* not lint */
-
-#include <stdio.h>
-#include <string.h>
-#include <pwd.h>
-
-#include <skey.h>
-
-/* skey_challenge - additional password prompt stuff */
-
-char *skey_challenge(name, pwd, pwok)
-char *name;
-struct passwd *pwd;
-int pwok;
-{
- static char buf[128];
- struct skey skey;
-
- /* Display s/key challenge where appropriate. */
-
- *buf = '\0';
- if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, buf))
- snprintf(buf, sizeof(buf), "Password required for %s.", name);
- else if (!pwok)
- strcat(buf, " (s/key required)");
- return (buf);
-}