diff options
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | auth-bsdauth.c | 5 | ||||
| -rw-r--r-- | auth2-chall.c | 11 |
3 files changed, 16 insertions, 10 deletions
@@ -22,6 +22,14 @@ - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 [sshd.c] Make debugging output continue after reexec; ok djm@ + - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 + [auth-bsdauth.c auth2-chall.c] + Have keyboard-interactive code call the drivers even for responses for + invalid logins. This allows the drivers themselves to decide how to + handle them and prevent leaking information where possible. Existing + behaviour for bsdauth is maintained by checking authctxt->valid in the + bsdauth driver. Note that any third-party kbdint drivers will now need + to be able to handle responses for invalid logins. ok markus@ 20050118 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement @@ -1994,4 +2002,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3615 2005/01/20 00:03:08 dtucker Exp $ +$Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $ diff --git a/auth-bsdauth.c b/auth-bsdauth.c index 2ac27a7a..920c977d 100644 --- a/auth-bsdauth.c +++ b/auth-bsdauth.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $"); +RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $"); #ifdef BSD_AUTH #include "xmalloc.h" @@ -83,6 +83,9 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses) Authctxt *authctxt = ctx; int authok; + if (!authctxt->valid) + return -1; + if (authctxt->as == 0) error("bsdauth_respond: no bsd auth session"); diff --git a/auth2-chall.c b/auth2-chall.c index 486baaaa..29234439 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -23,7 +23,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $"); #include "ssh2.h" #include "auth.h" @@ -274,12 +274,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) } packet_check_eom(); - if (authctxt->valid) { - res = kbdintctxt->device->respond(kbdintctxt->ctxt, - nresp, response); - } else { - res = -1; - } + res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); for (i = 0; i < nresp; i++) { memset(response[i], 'r', strlen(response[i])); @@ -291,7 +286,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) switch (res) { case 0: /* Success! */ - authenticated = 1; + authenticated = authctxt->valid ? 1 : 0; break; case 1: /* Authentication needs further interaction */ |