- diff -ruN openssh-6.0p1/Makefile.in openssh-6.0p1-secuireid/Makefile.in
- --- openssh-6.0p1/Makefile.in 2012-04-04 10:27:57.000000000 +0900
- +++ openssh-6.0p1-secuireid/Makefile.in 2012-08-05 15:37:07.000000000 +0900
- @@ -84,6 +84,7 @@
- auth-chall.o auth2-chall.o groupaccess.o \
- auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
- auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
- + auth2-securid.o \
- monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
- diff -ruN openssh-6.0p1/auth.h openssh-6.0p1-secuireid/auth.h
- --- openssh-6.0p1/auth.h 2011-05-29 20:39:38.000000000 +0900
- +++ openssh-6.0p1-secuireid/auth.h 2012-08-05 15:37:07.000000000 +0900
- @@ -73,6 +73,12 @@
- #endif
- Buffer *loginmsg;
- void *methoddata;
- +#if defined (SECURID) || defined (SECURID_OLD)
- + int securid_state;
- + void *securid_data;
- + char *securid_pin;
- + char *securid_real_user;
- +#endif
- };
- /*
- * Every authentication method has to handle authentication requests for
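Review bot: The four Authctxt members added at the `securid_state` line carry no comments, while the struct's other members in auth.h are described, so a reader cannot tell what `securid_state` encodes or who owns `securid_pin` and `securid_real_user`. Suggest `int securid_state; /* kbd-int exchange state, see auth2-securid.c */`, `char *securid_pin; /* user-supplied PIN; zero before freeing */` and `char *securid_real_user; /* login name accepted by the ACE server; released in session.c */`. The name suggests securid_pin holds a user-entered secret, but this patch does not show where it is allocated or released, so that wording should be checked against auth2-securid.c, which is not part of this diff.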
- diff -ruN openssh-6.0p1/auth2-chall.c openssh-6.0p1-secuireid/auth2-chall.c
- --- openssh-6.0p1/auth2-chall.c 2009-01-28 14:13:39.000000000 +0900
- +++ openssh-6.0p1-secuireid/auth2-chall.c 2012-08-05 15:37:07.000000000 +0900
- @@ -53,6 +53,9 @@
- #ifdef BSD_AUTH
- extern KbdintDevice bsdauth_device;
- #else
- +#if defined (SECURID) || defined (SECURID_OLD)
- +extern KbdintDevice securid_device;
- +#endif
- #ifdef USE_PAM
- extern KbdintDevice sshpam_device;
- #endif
- @@ -65,6 +68,9 @@
- #ifdef BSD_AUTH
- &bsdauth_device,
- #else
- +#if defined (SECURID) || defined (SECURID_OLD)
- + &securid_device,
- +#endif
- #ifdef USE_PAM
- &sshpam_device,
- #endif
- @@ -221,6 +227,7 @@
- debug2("auth2_challenge_start: devices %s",
- kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
- + kbd_next_device:
- if (kbdint_next_device(kbdintctxt) == 0) {
- auth2_challenge_stop(authctxt);
- return 0;
- @@ -228,10 +235,9 @@
- debug("auth2_challenge_start: trying authentication method '%s'",
- kbdintctxt->device->name);
- - if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
- - auth2_challenge_stop(authctxt);
- - return 0;
- - }
- + if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL)
- + goto kbd_next_device;
- +
- if (send_userauth_info_request(authctxt) == 0) {
- auth2_challenge_stop(authctxt);
- return 0;
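Review bot: The `goto kbd_next_device` replacing the `auth2_challenge_stop` return changes failure handling for every kbd-int device, not only SecurID: a NULL from `init_ctx` on PAM, BSD auth or S/Key used to end the exchange and now silently advances to the next device, which should either be stated in the commit message or restricted to the new device. The label added in the earlier hunk at `kbd_next_device:` is a backward jump into the device-selection code; a `for (;;)` loop around the `kbdint_next_device` / `init_ctx` pair would make the retry and its termination (kbdint_next_device returning 0) explicit instead of implicit. auth2_challenge_start begins and ends outside the hunk.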
- @@ -348,12 +354,16 @@
- void
- privsep_challenge_enable(void)
- {
- -#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
- +#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY) || \
- +defined (SECURID) || defined (SECURID_OLD)
- int n = 0;
- #endif
- #ifdef BSD_AUTH
- extern KbdintDevice mm_bsdauth_device;
- #endif
- +#if defined (SECURID) || defined (SECURID_OLD)
- + extern KbdintDevice mm_securid_device;
- +#endif
- #ifdef USE_PAM
- extern KbdintDevice mm_sshpam_device;
- #endif
- @@ -364,6 +374,9 @@
- #ifdef BSD_AUTH
- devices[n++] = &mm_bsdauth_device;
- #else
- +#if defined (SECURID) || defined (SECURID_OLD)
- + devices[n++] = &mm_securid_device;
- +#endif
- #ifdef USE_PAM
- devices[n++] = &mm_sshpam_device;
- #endif
- diff -ruN openssh-6.0p1/config.h.in openssh-6.0p1-secuireid/config.h.in
- --- openssh-6.0p1/config.h.in 2012-04-20 14:03:32.000000000 +0900
- +++ openssh-6.0p1-secuireid/config.h.in 2012-08-05 15:37:07.000000000 +0900
- @@ -1353,6 +1353,12 @@
- /* must supply username to passwd */
- #undef PASSWD_NEEDS_USERNAME
- +/* Support for ACE/Server 5.x */
- +#undef SECURID
- +
- +/* Support for ACE/Agent 3.x, which can comunicate with ACE/Server 3.x and 5.x too */
- +#undef SECURID_OLD
- +
- /* Port number of PRNGD/EGD random number socket */
- #undef PRNGD_PORT
- diff -ruN openssh-6.0p1/configure openssh-6.0p1-secuireid/configure
- --- openssh-6.0p1/configure 2012-04-20 14:03:38.000000000 +0900
- +++ openssh-6.0p1-secuireid/configure 2012-08-05 15:37:07.000000000 +0900
- @@ -1411,6 +1411,8 @@
- --with-zlib=PATH Use zlib in PATH
- --without-zlib-version-check Disable zlib version check
- --with-skey[=PATH] Enable S/Key support (optionally in PATH)
- + --with-securid[=PATH] Enable ACE/Server (SecurID) support
- + (optionally in PATH)
- --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
- --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
- --with-libedit[=PATH] Enable libedit support for sftp
- @@ -9002,6 +9004,91 @@
- fi
- +
- +
- +
- +# Check whether user wants SecurID support
- +SECURID_MSG="no"
- +
- +# Check whether --with-securid or --without-securid was given.
- +if test "${with_securid+set}" = set; then
- + withval="$with_securid"
- +
- + if test "$withval" != "no" ; then
- + if test -n "$withval"; then
- + if test "$withval" = "yes"; then
- + # default location
- + withval="/var/ace"
- + fi
- +
- + # new client for ACE/Server version 5.x
- + echo "$as_me:$LINENO: checking for ACE/Agent libs version 5.x" >&5
- +echo $ECHO_N "checking for ACE/Agent libs version 5.x... $ECHO_C" >&6
- + if test -f "$withval/inc/acclnt.h"; then
- + case "$host" in
- + *-*-aix*)
- + PLATFORM="aix"
- + THREAD_LIBS="-lpthreads -lc_r"
- + ;;
- + *-*-hpux10*)
- + PLATFORM="hp"
- + THREAD_LIBS="-ldce"
- + ;;
- + *-*-hpux11*)
- + PLATFORM="hp11"
- + THREAD_LIBS="-lpthread"
- + ;;
- + *-*-linux*)
- + PLATFORM="lnx"
- + THREAD_LIBS="-lpthread"
- + ;;
- + *-*-solaris*)
- + PLATFORM="sol"
- + THREAD_LIBS="-lthread"
- + ;;
- + esac
- + if test -f "$withval/lib/$PLATFORM/libaceclnt.a"; then
- + echo "$as_me:$LINENO: result: found" >&5
- +echo "${ECHO_T}found" >&6
- + cat >>confdefs.h <<\_ACEOF
- +#define SECURID 1
- +_ACEOF
- +
- + SECURID_MSG="yes (for 5.x)"
- + CFLAGS="$CFLAGS -I$withval/inc"
- + LIBS="$LIBS $withval/lib/$PLATFORM/libaceclnt.a $THREAD_LIBS"
- + fi
- + else
- + echo "$as_me:$LINENO: result: not found" >&5
- +echo "${ECHO_T}not found" >&6
- + # old client for ACE/server version 3.x
- + echo "$as_me:$LINENO: checking for ACE/Agent libs version 3.x" >&5
- +echo $ECHO_N "checking for ACE/Agent libs version 3.x... $ECHO_C" >&6
- + if test -f "$withval/sdiclient.a"; then
- + # sdiclient.a found in $withval
- + echo "$as_me:$LINENO: result: found" >&5
- +echo "${ECHO_T}found" >&6
- + cat >>confdefs.h <<\_ACEOF
- +#define SECURID_OLD 1
- +_ACEOF
- +
- + SECURID_MSG="yes (for 3.x)"
- + CFLAGS="$CFLAGS -I$withval"
- + LIBS="$withval/sdiclient.a $LIBS"
- + else
- + echo "$as_me:$LINENO: result: not found" >&5
- +echo "${ECHO_T}not found" >&6
- + { { echo "$as_me:$LINENO: error: no ACE libs found !!" >&5
- +echo "$as_me: error: no ACE libs found !!" >&2;}
- + { (exit 1); exit 1; }; }
- + fi
- + fi
- + fi
- + fi
- +
- +
- +fi;
- +
- # Check whether user wants TCP wrappers support
- TCPW_MSG="no"
- @@ -17925,6 +18012,7 @@
- echo " SELinux support: $SELINUX_MSG"
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- +echo " SecurID support: $SECURID_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- diff -ruN openssh-6.0p1/configure.ac openssh-6.0p1-secuireid/configure.ac
- --- openssh-6.0p1/configure.ac 2012-04-19 20:46:38.000000000 +0900
- +++ openssh-6.0p1-secuireid/configure.ac 2012-08-05 15:37:07.000000000 +0900
- @@ -1313,6 +1313,75 @@
- ]
- )
- +AH_TEMPLATE([SECURID], [Support for ACE/Server 5.x])
- +AH_TEMPLATE([SECURID_OLD], [Support for ACE/Agent 3.x, which can comunicate
- + with ACE/Server 3.x and 5.x too])
- +# Check whether user wants SecurID support
- +SECURID_MSG="no"
- +AC_ARG_WITH(securid,
- + [ --with-securid[[=PATH]] Enable ACE/Server (SecurID) support
- + (optionally in PATH)],
- + [
- + if test "$withval" != "no" ; then
- + if test -n "$withval"; then
- + if test "$withval" = "yes"; then
- + # default location
- + withval="/var/ace"
- + fi
- +
- + # new client for ACE/Server version 5.x
- + AC_MSG_CHECKING([for ACE/Agent libs version 5.x])
- + if test -f "$withval/inc/acclnt.h"; then
- + case "$host" in
- + *-*-aix*)
- + PLATFORM="aix"
- + THREAD_LIBS="-lpthreads -lc_r"
- + ;;
- + *-*-hpux10*)
- + PLATFORM="hp"
- + THREAD_LIBS="-ldce"
- + ;;
- + *-*-hpux11*)
- + PLATFORM="hp11"
- + THREAD_LIBS="-lpthread"
- + ;;
- + *-*-linux*)
- + PLATFORM="lnx"
- + THREAD_LIBS="-lpthread"
- + ;;
- + *-*-solaris*)
- + PLATFORM="sol"
- + THREAD_LIBS="-lthread"
- + ;;
- + esac
- + if test -f "$withval/lib/$PLATFORM/libaceclnt.a"; then
- + AC_MSG_RESULT(found)
- + AC_DEFINE(SECURID)
- + SECURID_MSG="yes (for 5.x)"
- + CFLAGS="$CFLAGS -I$withval/inc"
- + LIBS="$LIBS $withval/lib/$PLATFORM/libaceclnt.a $THREAD_LIBS"
- + fi
- + else
- + AC_MSG_RESULT(not found)
- + # old client for ACE/server version 3.x
- + AC_MSG_CHECKING([for ACE/Agent libs version 3.x])
- + if test -f "$withval/sdiclient.a"; then
- + # sdiclient.a found in $withval
- + AC_MSG_RESULT(found)
- + AC_DEFINE(SECURID_OLD)
- + SECURID_MSG="yes (for 3.x)"
- + CFLAGS="$CFLAGS -I$withval"
- + LIBS="$withval/sdiclient.a $LIBS"
- + else
- + AC_MSG_RESULT(not found)
- + AC_MSG_ERROR([no ACE libs found !!])
- + fi
- + fi
- + fi
- + fi
- + ]
- +)
- +
- # Check whether user wants TCP wrappers support
- TCPW_MSG="no"
- AC_ARG_WITH([tcp-wrappers],
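Review bot: When `$withval/inc/acclnt.h` exists but `$withval/lib/$PLATFORM/libaceclnt.a` does not, the inner `if test -f` in the 5.x branch has no else arm, so configure prints no AC_MSG_RESULT after its AC_MSG_CHECKING, leaves SECURID_MSG at "no" and carries on with a build the user explicitly asked to have SecurID in, whereas the 3.x branch calls AC_MSG_ERROR. Suggest an `else` with `AC_MSG_RESULT(not found)` and `AC_MSG_ERROR([acclnt.h found but no libaceclnt.a under $withval/lib/$PLATFORM])`. The `case "$host"` has no `*)` default, so on an unlisted host PLATFORM is empty and the path tested becomes `$withval/lib//libaceclnt.a`; a default arm reporting the unsupported host would make that failure explicit. The generated `configure` hunk earlier in this patch mirrors the same logic and would pick the fix up on regeneration.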
- diff -ruN openssh-6.0p1/monitor.c openssh-6.0p1-secuireid/monitor.c
- --- openssh-6.0p1/monitor.c 2012-02-11 06:16:09.000000000 +0900
- +++ openssh-6.0p1-secuireid/monitor.c 2012-08-05 15:37:07.000000000 +0900
- @@ -102,6 +102,10 @@
- static Gssctxt *gsscontext = NULL;
- #endif
- +#if defined (SECURID) || defined (SECURID_OLD)
- +#include "auth2-securid.h"
- +#endif
- +
- /* Imports */
- extern ServerOptions options;
- extern u_int utmp_len;
- @@ -182,6 +186,12 @@
- int mm_answer_gss_checkmic(int, Buffer *);
- #endif
- +#if defined (SECURID) || defined (SECURID_OLD)
- +int mm_answer_securid_init_ctx(int, Buffer *);
- +int mm_answer_securid_query(int, Buffer *);
- +int mm_answer_securid_respond(int, Buffer *);
- +#endif
- +
- #ifdef SSH_AUDIT_EVENTS
- int mm_answer_audit_event(int, Buffer *);
- int mm_answer_audit_command(int, Buffer *);
- @@ -252,6 +262,11 @@
- {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
- {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
- #endif
- +#if defined (SECURID) || defined (SECURID_OLD)
- + {MONITOR_REQ_SECURID_INIT_CTX, MON_ISAUTH, mm_answer_securid_init_ctx},
- + {MONITOR_REQ_SECURID_QUERY, MON_ISAUTH, mm_answer_securid_query},
- + {MONITOR_REQ_SECURID_RESPOND, MON_AUTH, mm_answer_securid_respond},
- +#endif
- #ifdef JPAKE
- {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
- {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
- @@ -2105,6 +2120,96 @@
- }
- #endif /* GSSAPI */
- +#if defined (SECURID) || defined (SECURID_OLD)
- +int
- +mm_answer_securid_init_ctx(int socket, Buffer *m)
- +{
- + u_int success;
- +
- + debug3("%s entering", __func__);
- +
- + success = securid_init_ctx(authctxt) == NULL ? 0 : 1;
- +
- + buffer_clear(m);
- + buffer_put_int(m, success);
- +
- + auth_method = "securid";
- + mm_request_send(socket, MONITOR_ANS_SECURID_INIT_CTX, m);
- + return 0;
- +}
- +
- +int
- +mm_answer_securid_query(int socket, Buffer *m)
- +{
- + char *name, *infotxt;
- + u_int numprompts;
- + u_int *echo_on;
- + char **prompts;
- + u_int success;
- +
- + success = securid_query(authctxt, &name, &infotxt, &numprompts,
- + &prompts, &echo_on) < 0 ? 0 : 1;
- +
- + buffer_clear(m);
- + buffer_put_int(m, success);
- + if (success) {
- + buffer_put_cstring(m, prompts[0]);
- + buffer_put_int(m, echo_on[0]);
- + }
- +
- + debug3("%s: sending challenge success: %u", __func__, success);
- + mm_request_send(socket, MONITOR_ANS_SECURID_QUERY, m);
- +
- + if (success) {
- + xfree(name);
- + xfree(infotxt);
- + xfree(prompts);
- + xfree(echo_on);
- + }
- +
- + return 0;
- +}
- +
- +/*
- + * respond returns: 0 - success, 1 - need further interaction,
- + */
- +int
- +mm_answer_securid_respond(int socket, Buffer *m)
- +{
- + char **responses;
- + int authok, rlen;
- +
- + responses = xmalloc(sizeof(char *));
- + responses[0] = buffer_get_string(m, &rlen);
- +
- + authok = securid_respond(authctxt, 1, responses);
- +
- + memset(responses[0], 0, rlen);
- + xfree(responses[0]);
- + xfree(responses);
- +
- + if (authok < 0)
- + authok = 100;
- +
- + /*
- + * kdyz jednou vratim 1, tak je to povazovano za uspesnou autentizaci
- + * a monitor se rozjede dal a neni radno do nej zasahovat, proto
- + * je securid_free_ctx zde
- + */
- + if (authok != 1)
- + securid_free_ctx(authctxt);
- +
- + buffer_clear(m);
- + buffer_put_int(m, authok);
- +
- + mm_request_send(socket, MONITOR_ANS_SECURID_RESPOND, m);
- +
- + auth_method = "securid";
- +
- + return (authok == 0);
- +}
- +#endif /* SECURID || SECURID_OLD */
- +
- #ifdef JPAKE
- int
- mm_answer_jpake_step1(int sock, Buffer *m)
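Review bot: In mm_answer_securid_respond, `rlen` is declared `int` but passed to `buffer_get_string(m, &rlen)`, whose length parameter is `u_int *` in this tree; declare it `u_int rlen;` so the `memset(responses[0], 0, rlen)` length has the type the buffer API actually wrote. The final `return (authok == 0)` is what the MON_AUTH dispatch entry treats as the authentication decision, and unlike auth_password it does not consult `authctxt->valid`; unless securid_respond (not in this patch) rejects unknown users itself, `return (authok == 0 && authctxt->valid);` closes that gap. In mm_answer_securid_query only `prompts` and `echo_on` are freed, never `prompts[0]`; if securid_query allocates the prompt string the way the S/Key and PAM devices do, that string leaks on every query. The Czech comment above `securid_free_ctx` should be English like the rest of the file, e.g. `/* Once this returns 1 the monitor treats the auth as successful and moves on, so the context must be freed here. */`.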
- diff -ruN openssh-6.0p1/monitor.h openssh-6.0p1-secuireid/monitor.h
- --- openssh-6.0p1/monitor.h 2011-06-20 13:42:23.000000000 +0900
- +++ openssh-6.0p1-secuireid/monitor.h 2012-08-05 15:37:07.000000000 +0900
- @@ -59,6 +59,11 @@
- MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
- MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
- MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
- +#if defined (SECURID) || defined (SECURID_OLD)
- + MONITOR_REQ_SECURID_INIT_CTX, MONITOR_ANS_SECURID_INIT_CTX,
- + MONITOR_REQ_SECURID_QUERY, MONITOR_ANS_SECURID_QUERY,
- + MONITOR_REQ_SECURID_RESPOND, MONITOR_ANS_SECURID_RESPOND,
- +#endif
- MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
- MONITOR_REQ_TERM,
- MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
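Review bot: The new enum entries are wrapped in `#if defined (SECURID) || defined (SECURID_OLD)`, whereas the surrounding entries (including the PAM ones directly above, which are also build-optional) are unconditional, so the numeric value of every later request type now depends on the build configuration. That is harmless while monitor and child come from the same binary, but it departs from the file's convention and makes logged request numbers non-comparable across builds; suggest dropping the `#if`/`#endif` around the three lines.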
- diff -ruN openssh-6.0p1/monitor_wrap.c openssh-6.0p1-secuireid/monitor_wrap.c
- --- openssh-6.0p1/monitor_wrap.c 2011-06-20 13:42:23.000000000 +0900
- +++ openssh-6.0p1-secuireid/monitor_wrap.c 2012-08-05 15:37:07.000000000 +0900
- @@ -67,6 +67,9 @@
- #ifdef GSSAPI
- #include "ssh-gss.h"
- #endif
- +#if defined (SECURID) || defined (SECURID_OLD)
- +#include "auth2-securid.h"
- +#endif
- #include "monitor_wrap.h"
- #include "atomicio.h"
- #include "monitor_fdpass.h"
- @@ -1288,6 +1291,82 @@
- return (authenticated);
- }
- #endif /* GSSAPI */
- +#if defined (SECURID) || defined (SECURID_OLD)
- +void *
- +mm_securid_init_ctx(struct Authctxt *authctxt)
- +{
- + Buffer m;
- + u_int success;
- +
- + debug3("%s entering", __func__);
- +
- + buffer_init(&m);
- +
- + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SECURID_INIT_CTX, &m);
- + debug3("%s: waiting for MONITOR_ANS_SECURID_INIT_CTX (%d)", __func__, MONITOR_ANS_SECURID_INIT_CTX);
- + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SECURID_INIT_CTX, &m);
- +
- + success = buffer_get_int(&m);
- + buffer_free(&m);
- +
- + return ((success == 0) ? NULL : authctxt);
- +}
- +
- +int
- +mm_securid_query(void *ctx, char **name, char **infotxt,
- + u_int *numprompts, char ***prompts, u_int **echo_on)
- +{
- + Buffer m;
- + u_int success;
- +
- + debug3("%s: entering", __func__);
- +
- + buffer_init(&m);
- + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SECURID_QUERY, &m);
- + debug3("%s: waiting for MONITOR_ANS_SECURID_QUERY (%d)", __func__, MONITOR_ANS_SECURID_QUERY);
- + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SECURID_QUERY, &m);
- +
- + success = buffer_get_int(&m);
- + if (success == 0) {
- + debug3("%s: no challenge", __func__);
- + buffer_free(&m);
- + return (-1);
- + }
- +
- + mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
- + (*prompts)[0] = buffer_get_string(&m, NULL);
- + (*echo_on)[0] = buffer_get_int(&m);
- +
- + buffer_free(&m);
- +
- + return (0);
- +}
- +
- +/*
- + * respond returns: 0 - success, 1 - need further interaction,
- + */
- +int
- +mm_securid_respond(void *ctx, u_int numresponses, char **responses)
- +{
- + Buffer m;
- + int authok;
- +
- + debug3("%s: entering", __func__);
- + if (numresponses != 1)
- + return (-1);
- +
- + buffer_init(&m);
- + buffer_put_cstring(&m, responses[0]);
- + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SECURID_RESPOND, &m);
- +
- + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SECURID_RESPOND, &m);
- +
- + authok = buffer_get_int(&m);
- + buffer_free(&m);
- +
- + return authok;
- +}
- +#endif /* SECURID || SECURID_OLD */
- #ifdef JPAKE
- void
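Review bot: The `debug3` lines that wait for MONITOR_ANS_SECURID_INIT_CTX and MONITOR_ANS_SECURID_QUERY run well past 80 columns, which the rest of monitor_wrap.c keeps to; wrap the format arguments onto a continuation line. mm_securid_init_ctx returns `authctxt` itself as the opaque context that mm_securid_query and mm_securid_respond then ignore (`ctx` is unused in both), which works but deserves a comment such as `/* the context is authctxt; the monitor side holds the real ACE state */`. `return authok;` in mm_securid_respond also breaks with the parenthesised `return (...)` form used a few lines above and throughout the file.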
- diff -ruN openssh-6.0p1/monitor_wrap.h openssh-6.0p1-secuireid/monitor_wrap.h
- --- openssh-6.0p1/monitor_wrap.h 2011-06-20 13:42:23.000000000 +0900
- +++ openssh-6.0p1-secuireid/monitor_wrap.h 2012-08-05 15:37:07.000000000 +0900
- @@ -102,6 +102,13 @@
- int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
- int mm_skey_respond(void *, u_int, char **);
- +/* securid */
- +#if defined (SECURID) || defined (SECURID_OLD)
- +void *mm_securid_init_ctx(struct Authctxt *);
- +int mm_securid_query(void *, char **, char **, u_int *, char ***, u_int **);
- +int mm_securid_respond(void *, u_int, char **);
- +#endif
- +
- /* jpake */
- struct modp_group;
- void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **);
- diff -ruN openssh-6.0p1/servconf.c openssh-6.0p1-secuireid/servconf.c
- --- openssh-6.0p1/servconf.c 2011-10-02 16:57:38.000000000 +0900
- +++ openssh-6.0p1-secuireid/servconf.c 2012-08-05 15:37:07.000000000 +0900
- @@ -98,6 +98,11 @@
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
- +#if defined (SECURID) || defined (SECURID_OLD)
- + options->sdconf_rec_dir = NULL;
- + options->negate_securid_users = -1;
- + options->securid_user_env_var = NULL;
- +#endif
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
- @@ -227,6 +232,10 @@
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
- +#if defined (SECURID) || defined (SECURID_OLD)
- + if (options->negate_securid_users == -1)
- + options->negate_securid_users = 0;
- +#endif
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
- @@ -298,6 +307,11 @@
- sBadOption, /* == unknown option */
- /* Portable-specific options */
- sUsePAM,
- +#if defined (SECURID) || defined (SECURID_OLD)
- + sSDConfRecDir,
- + sNegateSecurIDUsers,
- + sSecurIDUserEnvVar,
- +#endif
- /* Standard Options */
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
- @@ -344,6 +358,11 @@
- { "usepam", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
- +#if defined (SECURID) || defined (SECURID_OLD)
- + { "sdconfrecdir", sSDConfRecDir },
- + { "negatesecuridusers", sNegateSecurIDUsers },
- + { "securiduserenvvar", sSecurIDUserEnvVar },
- +#endif
- /* Standard Options */
- { "port", sPort, SSHCFG_GLOBAL },
- { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
- @@ -966,6 +985,24 @@
- intptr = &options->gss_cleanup_creds;
- goto parse_flag;
- +#if defined (SECURID) || defined (SECURID_OLD)
- + case sSDConfRecDir:
- + charptr = &options->sdconf_rec_dir;
- + goto parse_filename;
- +
- + case sNegateSecurIDUsers:
- + intptr = &options->negate_securid_users;
- + goto parse_flag;
- +
- + case sSecurIDUserEnvVar:
- + charptr = &options->securid_user_env_var;
- +//parse_string:
- + arg = strdelim(&cp);
- + if (arg != NULL && *arg != '\0' && *charptr == NULL)
- + *charptr = xstrdup(arg);
- + break;
- +#endif
- +
- case sPasswordAuthentication:
- intptr = &options->password_authentication;
- goto parse_flag;
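Review bot: The `//parse_string:` line under `case sSecurIDUserEnvVar` is a commented-out label left over from development and should be removed; if a marker is wanted it should use the `/* */` form like the rest of servconf.c rather than `//`. The handling below it also silently ignores a missing or empty argument instead of reporting a configuration error the way the file's other string-valued options do, which hides a typo in sshd_config; consider `if (arg == NULL || *arg == '\0') fatal("%s line %d: missing argument.", filename, linenum);` before the assignment. process_server_config_line begins and ends outside the hunk.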
- diff -ruN openssh-6.0p1/servconf.h openssh-6.0p1-secuireid/servconf.h
- --- openssh-6.0p1/servconf.h 2011-06-23 07:30:03.000000000 +0900
- +++ openssh-6.0p1-secuireid/servconf.h 2012-08-05 15:37:07.000000000 +0900
- @@ -104,6 +104,13 @@
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
- +#if defined (SECURID) || defined (SECURID_OLD)
- + char *sdconf_rec_dir;
- + int negate_securid_users; /* If set, securid_users file is used
- + * to determine who _doesn't_ get
- + * authed via SecurID */
- + char *securid_user_env_var;
- +#endif
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
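Review bot: `sdconf_rec_dir` and `securid_user_env_var` are the only members in this part of the struct without a trailing comment, while `negate_securid_users` next to them gets one. Suggest `char *sdconf_rec_dir; /* Directory containing sdconf.rec */` and `char *securid_user_env_var; /* If set, name of the env var that receives the login name accepted by the ACE server; the user can overwrite it */`, the latter caveat being the one the sshd_config sample in this patch already states.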
- diff -ruN openssh-6.0p1/session.c openssh-6.0p1-secuireid/session.c
- --- openssh-6.0p1/session.c 2011-11-04 08:55:24.000000000 +0900
- +++ openssh-6.0p1-secuireid/session.c 2012-08-05 15:37:07.000000000 +0900
- @@ -1273,6 +1273,16 @@
- child_set_env(&env, &envsize, "KRB5CCNAME",
- s->authctxt->krb5_ccname);
- #endif
- +
- +#if defined (SECURID) || defined (SECURID_OLD)
- + if (s->authctxt->securid_real_user) {
- + if (options.securid_user_env_var != NULL)
- + child_set_env(&env, &envsize, options.securid_user_env_var,
- + s->authctxt->securid_real_user);
- + xfree(s->authctxt->securid_real_user);
- + }
- +#endif
- +
- #ifdef USE_PAM
- /*
- * Pull in any environment variables that may have
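Review bot: `xfree(s->authctxt->securid_real_user)` leaves the freed pointer in the Authctxt, so the `if (s->authctxt->securid_real_user)` guard above it would pass again if this code ran a second time; add `s->authctxt->securid_real_user = NULL;` after the free. Releasing a field owned by Authctxt from environment-setup code is also an unusual ownership split; a comment stating that this runs in the forked session child and is the field's last consumer would justify it, or the free could move next to wherever the rest of the SecurID state is released. The enclosing function begins and ends outside the hunk.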
- diff -ruN openssh-6.0p1/sshd_config openssh-6.0p1-secuireid/sshd_config
- --- openssh-6.0p1/sshd_config 2011-05-29 20:39:39.000000000 +0900
- +++ openssh-6.0p1-secuireid/sshd_config 2012-08-05 15:37:07.000000000 +0900
- @@ -66,6 +66,16 @@
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
- +# Directory where sdconf.rec file is located
- +#SDConfRecDir /...
- +#NegateSecurIDUsers no
- +
- +# for shared login in securid authentication you can specify ENV variable,
- +# which is set to login name of user, which was successfully authenticated
- +# against to ACE/Server
- +# WARNING: this is env variable and user can set it to different value
- +#SecurIDUserEnvVar SECURIDUSER
- +
- # Kerberos options
- #KerberosAuthentication no
- #KerberosOrLocalPasswd yes
- diff -ruN openssh-6.0p1/sshd_config.0 openssh-6.0p1-secuireid/sshd_config.0
- --- openssh-6.0p1/sshd_config.0 2012-04-20 14:03:39.000000000 +0900
- +++ openssh-6.0p1-secuireid/sshd_config.0 2012-08-05 15:37:07.000000000 +0900
- @@ -434,6 +434,11 @@
- increases linearly and all connection attempts are refused if the
- number of unauthenticated connections reaches ``full'' (60).
- + NegateSecurIDUsers
- + Negates the meaning of the /etc/ssh/securid_users file. Users in
- + this file will not require SecurID auth, but all others will. The
- + default is ``no''.
- +
- PasswordAuthentication
- Specifies whether password authentication is allowed. The
- default is ``yes''.
- @@ -534,6 +539,9 @@
- default is ``yes''. This option applies to protocol version 1
- only.
- + SDConfRecDir
- + Specifies the directory where the file sdconf.rec is located.
- +
- ServerKeyBits
- Defines the number of bits in the ephemeral protocol version 1
- server key. The minimum value is 512, and the default is 1024.
- diff -ruN openssh-6.0p1/sshd_config.5 openssh-6.0p1-secuireid/sshd_config.5
- --- openssh-6.0p1/sshd_config.5 2011-09-22 20:37:13.000000000 +0900
- +++ openssh-6.0p1-secuireid/sshd_config.5 2012-08-05 15:37:07.000000000 +0900
- @@ -763,6 +763,11 @@
- are refused if the number of unauthenticated connections reaches
- .Dq full
- (60).
- +.It Cm NegateSecurIDUsers
- +Negates the meaning of the /etc/ssh/securid_users file. Users in
- +this file will not require SecurID auth, but all others will.
- +The default is
- +.Dq no .
- .It Cm PasswordAuthentication
- Specifies whether password authentication is allowed.
- The default is
- @@ -915,6 +920,8 @@
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
- +.It Cm SDConfRecDir
- +Specifies the directory where the file sdconf.rec is located.
- .It Cm RevokedKeys
- Specifies a list of revoked public keys.
- Keys listed in this file will be refused for public key authentication.
- @@ -926,6 +933,7 @@
- The default is
- .Dq no .
- This option applies to protocol version 1 only.
- +
- .It Cm RSAAuthentication
- Specifies whether pure RSA authentication is allowed.
- The default is