diff -ruN openssh-4.4p1/Makefile.in openssh-4.4p1-securid/Makefile.in --- openssh-4.4p1/Makefile.in Tue Sep 12 07:54:10 2006 +++ openssh-4.4p1-securid/Makefile.in Sun Oct 8 00:38:25 2006 @@ -87,7 +87,7 @@ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o auth-securid.o md5crypt.o \ audit.o audit-bsm.o platform.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff -ruN openssh-4.4p1/README.SecurID openssh-4.4p1-securid/README.SecurID --- openssh-4.4p1/README.SecurID +++ openssh-4.4p1-securid/README.SecurID Sun Oct 8 02:42:12 2006 
@@ -0,0 +1,188 @@ +/* + * Author: Theo Schlossnagle + * Copyright (c) 2000-2002 Theo Schlossnagle + * All rights reserved + * + * Created: September 21, 2000 + * License: OpenSSH License. See the license for OpenSSH for more details. + * + * Update for ACE 5.X by Jim Matthews -- Jim.W.Matthews@gmail.com + * Patch works only for OpenSSH version v4.4p1 + * + * October 04, 2006: -- Jim.W.Matthews@gmail.com + * Updated to support openssh v4.4p1 + * Updated auth-securid.c with additional includes which are now required. + * + * February 11, 2006: -- j.w.matthews@cox.net + * Updated to support openssh v4.3p1 + * + * September 10, 2005: -- j.w.matthews@cox.net + * Updated to support openssh v4.2p1 + * Fixed bug in auth-securid.c where securid_usersfile_find is used even if + * SECURID is undefined at config time - found by Mike Frysinger. + * + * June 16, 2005: -- j.w.matthews@cox.net + * Updated to support openssh v4.1p1 + * + * March 15, 2005: -- j.w.matthews@cox.net + * Updated to support openssh v4.0p1 + * + * Aug 18, 2004: -- j.w.matthews@cox.net + * Updated to support openssh v3.9p1 + * Added #ifdef SECURID in a comple of places it wasn't used and should have been + * for consistency in monitor.c and monitor.h + * + * Aug 15, 2004: -- j.w.matthews@cox.net + * Updated to support openssh v3.8.1p1 + * + * March 1, 2004: -- j.w.matthews@cox.net + * Updated to support openssh v3.8p1 + * + * September 27, 2003: -- j.w.matthews@cox.net + * Updated to support openssh v3.7.1p2 + * Re-added SecurID man page entries previously included in the v3.6.1p2 patch. + * Changed "plen" from type int to type u_int in function mm_answer_authsecurid in + * monitor.c to conform with openssh. + * + * September 17, 2003: -- j.w.matthews@cox.net + * Updated to support openssh v3.7.1p1. + * + * September 16, 2003: -- j.w.matthews@cox.net + * Updated to support openssh v3.7p1. + * In auth-securid.c log has changed to logit since it changed in v3.7p1. 
+ * In pam-auth.c securid auth function is no longer needed. v3.7p1 completely + * changed the way PAM is handled. + * + * June 4th, 2003: -- Nicolas Lidzborski + * Updated to support openssh v3.6.1p2 + * + * April 5th, 2003: -- j.w.matthews@cox.net + * Updated to support openssh v3.6.1p1. + * Modified to support both new (5.X+) and old (<= 4.X) securid client API libraries. + * Added --with-securid-old for <= 4.X support, --with-securid is for new API support. + * Added sd_close for ACE server disconnect at the end of authentication for old API support. + * + * March 3rd, 2003: -- j.w.matthews@cox.net + * Changed "user not in [securid] allow", "user in [securid] deny" SecurID messages from + * type "error" to type "log" in auth-securid.c. + * + * March 1st, 2003: -- j.w.matthews@cox.net + * Rewrote functions in auth-securid.c to support the ACE server version 5.X API. + * Modified configure script to check for new libaceclnt.a and acexport.h. + * Fixed AllowNonSecurid option in monitor.c and servconf.c so it actually works now. + * Fixed potential memory leak in auth-securid.c for SecurID shell assignment variable. + * + * October 22nd, 2002: + * Updated to 3.5p1 -- jesus@omniti.com + * incorporated a few minor fixes for the auth phase. + * + * June 26th, 2002: + * Updated to 3.4p1 -- jesus@omniti.com + * Revamped the auth mechanism to use the new privilege separation code. + * Updated man pages in their new locations. + * + * March 15th, 2002: + * Updated to 3.1p1 -- jesus@omniti.com + * Added beeter support for auth2-pam. Added NegateSecurIDUsers option to + * negate the meaning of the SecureIDUsersFile option. 
+ * + * December 11th, 2001: + * Updated to 3.0.2p1 -- jesus@omniti.com + * no new features + * + * December 3rd, 2001: + * Updated to 3.0.1p1 -- jesus@omniti.com + * no new features + * + * November 8th, 2001: + * Updated to 3.0p1 -- jesus@omniti.com + * no new features + * + * September 30th, 2001: + * Updated to 2.9.9p2 -- jesus@omniti.com + * no new features + * + * June 28, 2001: + * Updated to 2.9p2 -- jesus@omniti.com + * no new features + * + * April 24, 2001: + * Updated to 2.9p1 -- jesus@omniti.com + * added autoconf clauses to fault if sdiclient.a and headers aren't there. + * + * April 21, 2001: + * Updated to 2.5.2p2 -- jesus@omniti.com + * Incorporated some bug fixes from Anders Olsen to fix next-token code. + * + * March 19, 2001: + * Updated to 2.5.2p1 -- jesus@omniti.com + * + * December 20, 2000: + * Updated to 2.3.0p1 -- jesus@omniti.com + * + * Jan 9th, 2001: + * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives + * to the sshd_config file. These parameters are documented in the man page. + * This provides a more logical seperationg between fail-through due to system + * failure and fall-through by configuration. (fall-through vs. fail-through) + * -- jesus@omniti.com + */ + +Seems like a few people are interested. So here is the patch. + +This has only been tested on UNICIES that support PAM. There is untested +(only 5 lines) code in auth-passwd.c that should provide the same +functionality for normal (non-PAM) password verifications. + +The patch is logical quite small, the physical patch bulky because it contains +all the line number changes in "configure" after running autoconf on the +modified configure.in file (in which I changed maybe 10 lines -- Yuk.) + +The sshd man page has been patched too :-) Read it for the two new options +relating to SecurID. + +How it works: + +0) apply patch ;-) You must use GNU patch (get it from ftp.gnu.org, it free.) 
+1) copy ACE headers (in SecurID inc directory) into either a standard + include place (like /usr/local/include) or into the openssh source tree or add + the --with-cflags=-I/path/to/ace/inc (where the include files are located) +2) copy the libaceclnt.a (for ACE 5.X) or sdiclient.a (for ACE <= 4.X) for your + OS (from /path/to/ace/lib/) into the openssh source tree. + +Make sure that /var/ace contains your sdconf.rec, etc. If you installed +SecurID client or server on a machine it should be this way already. If you +used a non-standard install location do a "ln -s /path/to/ace/data /var/ace" + +3) add --with-securid to the configure flags for new ACE 5.X support. Use + --with-securid-old for ACE API version 4.X and older. + +It will trigger if a user has a shell in /etc/passwd that ends with "sdshell" +and it snags your shell the same way sdshell does. Users with other shells +will log in as if SecurID didn't exist. + +Done: + o Normal passcode verification + o Enter next token for verification + (use ssh -v to see the *useful* debgging messages) + +ssh -v will let you know if: + o your code was accepted. + o your code was rejected. + o you are required to wait for the next token and enter that. + +TODO: + o Handle PIN creation and changing (as their are by default three log in +attempts, it should be straight forward to integrate in these additions -- +both of these operations require exactly three user inputs.) + o Add sshd_config parameter to specify the VAR_ACE location (forced to +/var/ace OR VAR_ACE environment variable now.) + +DISCLAIMER: + I works for me (yes, in production). If you get locked out of a production +system becuase you replaced your sshd with this one, feeling really dumb is +YOUR responsibility NOT mine. It is not my fault :-D + +Hope this is useful! scp (and all other tools that can use ssh like rsync and +cvs) will work now!!!! Hooray! 
+ diff -ruN openssh-4.4p1/auth-passwd.c openssh-4.4p1-securid/auth-passwd.c --- openssh-4.4p1/auth-passwd.c Fri Aug 4 22:39:39 2006 +++ openssh-4.4p1-securid/auth-passwd.c Sun Oct 8 00:42:15 2006 @@ -101,6 +101,18 @@ /* Fall back to ordinary passwd authentication. */ } #endif +#ifdef SECURID + if (options.securid_authentication == 1) { + int ret = auth_securid(authctxt, password); + if (ret >= 0) + return ret; + /* Only returns < 0 if the account is not a SecurID account */ + /* Fall back to ordinary passwd authentication. */ + if(ret<0 && !options.allow_nonsecurid) { + return 0; + } + } +#endif #ifdef HAVE_CYGWIN if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); diff -ruN openssh-4.4p1/auth-securid.c openssh-4.4p1-securid/auth-securid.c --- openssh-4.4p1/auth-securid.c +++ openssh-4.4p1-securid/auth-securid.c Sun Oct 8 02:59:31 2006 
@@ -0,0 +1,318 @@ +/* + * Author: Theo Schlossnagle + * Copyright (c) 2000 Theo Schlossnagle + * All rights reserved + * Created: September 21, 2000 + * This file contains the code to process a SecurID authentication + * including the "next token" request. + */ + +/* + * Added ACE Server API version 5.X Support + * Jim Matthews (JWM) + * + */ + +#include "includes.h" + +/* RCSID("$OpenBSD: auth-securid.c,v 1.0 2000/09/21 01:39:38 jesus Exp $"); */ +/* $Id: auth-securid.c,v 1.3.1 2006/10/04 23:22:12 jmatthew Exp jmatthew $ */ + +#include "packet.h" +#include "ssh.h" +#include "log.h" +#include "servconf.h" +#include "xmalloc.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" + +#include +#include + +#ifdef WITH_AIXAUTHENTICATE +# include +#endif +#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW +# include +# include +#endif +#ifdef HAVE_SHADOW_H +# include +#endif +#ifdef HAVE_GETPWANAM +# include +# include +# include +#endif +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + +#ifdef SECURID +#ifdef SECURID_NEW +/* Only need acexport.h for 5.0 API JWM */ +# include "acexport.h" + +#else + +# include "sdi_athd.h" +# include "sdconf.h" +# include "sdacmvls.h" + +union config_record configure; +#endif +#endif + +/* + * Tries to authenticate the user using password. Returns true if + * authentication succeeds. 
+ */ +#define INBUFFLEN 256 + +/* Added ifdef 09102005 JWM */ +#ifdef SECURID +int +securid_usersfile_find(const char *pw_name) +{ + extern ServerOptions options; + FILE *inf; + char inbuff[INBUFFLEN]; + struct stat fileinfo; + int retval = 0; + + if(!options.securid_usersfile) { + error("In securid_usersfile_find() with NULL filename!"); + return -1; + } + if(lstat(options.securid_usersfile, &fileinfo)) { + error("Cannot open %s: %s", + options.securid_usersfile, strerror(errno)); + return -1; + } + if(fileinfo.st_mode & (S_IWOTH|S_IWGRP)) { + error("SecurIDUsersFile is writeable by group and other"); + return -1; + } + if(!(inf = fopen(options.securid_usersfile, "r"))) { + error("Cannot open %s: %s", + options.securid_usersfile, strerror(errno)); + return -1; + } + while(fgets(inbuff,INBUFFLEN-1,inf) != NULL) { + if(inbuff[strlen(inbuff) - 1] == '\n') + inbuff[strlen(inbuff) - 1] = '\0'; + retval = !strcmp(inbuff,pw_name); + if(retval) break; + } + fclose(inf); + if(retval) return 1; + debug2("Failed to find %s in %s", + pw_name, options.securid_usersfile); + return 0; +} +#endif + +int +auth_securid(Authctxt *authctxt, const char *password) +{ + static int state = 0; /* This tells us where we expect a + 0 "PIN" + 1 "Next Token" + */ + int doauth; + char *ecp; + /* Changed this to static, since pw->shell does not get redefined, prevents mem leak JWM */ + /* Allocate 256 chars for shell JWM */ + static char shell[256]; + extern ServerOptions options; + struct passwd *pw; +#ifndef SECURID + return -1; +#else + /* Add static for the nexttoken case -- Anders Olsen 20010409 */ + /* API Change for ACE version 5.03 JWM */ +#ifdef SECURID_NEW + static SDI_HANDLE sd_dat; +#else + static struct SD_CLIENT sd_dat, *sd; +#endif + + pw = authctxt->pw; + /* Check for users with no sdshell and pass them by. 
*/ + if(options.securid_usersfile) { + doauth = securid_usersfile_find(pw->pw_name); + if(!options.negate_securid_users && doauth == 0) { + /* file is there, user is not, option respected */ + /* log instead of error JWM */ + logit("User Not In SecurID Users Allow File"); + if(options.allow_nonsecurid) return -1; + return 0; + } else if(options.negate_securid_users && doauth == 1) { + /* file is there, user is, option negated */ + /* log instead of error JWM */ + logit("User In SecurID Users Deny File"); + if(options.allow_nonsecurid) return -1; + return 0; + } else if(doauth < 0) { /* File not there or bad perms! */ + error("Failing SecurID login attempt"); + return 0; /* Fail */ + } + } else { + /* No users securid_usersfile + so use shells that end in sdshell */ + if (!((ecp = strstr(pw->pw_shell, "sdshell")) && + (*(ecp+7)=='\0'))) { + if(options.allow_nonsecurid) { + return -1; + } else { + return 0; + } + } + } + /* sd_check on with an empty password causes segfault against some + versions of sdiclient -- Anders Olsen 20010409 */ + if (*password == '\0') { + debug2("auth_securid: empty password, skipping"); + return 0; + } + /* Don't reopen session to securid-server is nexttoken + -- Adres Olsen 20010410 */ + if (state == 0) { + int ret; +#ifdef SECURID_NEW + /* API Change for ACE version 5.03 JWM */ + /* Initialize the ace client, test for sdconf.rec and other setup */ + if(AceInitialize() == SD_FALSE) { + error("SecurID: Failed to initialize ACE API library."); + if(options.securid_fallback) return -1; + return 0; + } + /* API Change for ACE version 5.03 JWM */ + /* Initialize communication, check connection to server, etc */ + ret = SD_Init(&sd_dat); + if(ret != ACM_OK) { + if(ret == ACE_INIT_NO_RESOURCE) { + error("SecurID: Couldn't allocate memory."); + } + if(ret == ACE_INIT_SOCKET_FAIL) { + error("SecurID: Couldn't create socket."); + } + error("SecurID: Couldn't establish client/server communications."); + if(options.securid_fallback) return -1; + 
return 0; + } + /* API addition for ACE version 5.03 JWM */ + /* Lock Server */ + if(SD_Lock(sd_dat,pw->pw_name) == ACM_OK) { + debug("SecurID: Locked Server"); + } else { + error("SecurID: Failed to lock server."); + return 0; + } + /* API Change for version 5.03 JWM */ + /* Check for valid authentication */ + ret = SD_Check(sd_dat, (char *)password, pw->pw_name); + if(ret == ACM_OK) { + goto success; + } else { + if(ret == ACM_ACCESS_DENIED) { + error("SecurID: authentication failed."); + } + if(ret == ACM_NEXT_CODE_REQUIRED) { + error("SecurID: needs next token."); + state = 1; /* Process next try as sd_next */ + } + if(ret == ACE_UNDEFINED_PASSCODE) { + error("SecurID: passcode invalid length or null"); + } + if(ret == ACE_UNDEFINED_USERNAME) { + error("SecurID: username invalid length or null"); + } + if(ret == ACE_ERR_INVALID_HANDLE) { + error("SecurID: handle value invalid"); + } + if(ret == ACM_NEW_PIN_REQUIRED) { + error("SecurID: new pin required"); + } + return 0; /* Failed! */ + } +#else /* else old securid */ + memset(&sd_dat, 0, sizeof(sd_dat)); /* clear struct */ + sd = &sd_dat; + + if(creadcfg()) { + /* Can't read sdconf.rec! Gotta bail */ + error("SecurID: Couldn't read sdconf.rec."); + if(options.securid_fallback) return -1; + return 0; + } + if(sd_init(sd)) { + /* Can't establish client/server comms! Gotta bail */ + error("SecurID: Couldn't establish client/server communications."); + if(options.securid_fallback) return -1; + return 0; + } + /* Auth PIN... */ + ret = sd_check((char *)password, pw->pw_name, sd); + if(ret == ACM_OK) { + goto success; + } + if(ret == ACM_ACCESS_DENIED) { + error("SecurID: passcode rejected."); + return 0; /* Failed! */ + } + if(ret == ACM_NEXT_CODE_REQUIRED) { + error("SecurID: needs next token."); + state = 1; /* Process next try as sd_next */ + return 0; /* Fail, so ssh will prmpt again */ + } +#endif + } else { + /* Auth next token... 
*/ + int ret; + state = 0; /* Set back to PIN mode */ +#ifdef SECURID_NEW + /* API Change for version 5.03 JWM */ + ret = SD_Next(sd_dat, (char *)password); +#else + ret = sd_next((char *)password, sd); +#endif + if(ret == ACM_OK) { + goto success; + } + error("SecurID: passcode rejected."); + return 0; /* Failed */ + } + error("SecurID: unhandled sdcheck() return code."); + return 0; /* Failed! */ + +success: +#ifdef SECURID_NEW + /* Clear mem for shell */ + memset(shell, 0, sizeof(shell)); +#endif + if(!options.securid_ignore_shell) { +#ifdef SECURID_NEW + /* Changed for ACE 5.0 API JWM */ + if(!AceGetShell(sd_dat,shell)) { + error("SecurID: Failed to get user's shell from server."); + return 0; + } +#else + strcpy(shell,sd->shell); +#endif + pw->pw_shell = shell; + } +#ifdef SECURID_NEW + if(SD_Close(sd_dat) != ACM_OK) { + error("SecurID: SD_Close - Handle invalid."); + } +#else + if(!sd_close()) { + error("SecurID: sd_close failed."); + } +#endif + return 1; /* Success */ +#endif +} diff -ruN openssh-4.4p1/auth.h openssh-4.4p1-securid/auth.h --- openssh-4.4p1/auth.h Fri Aug 18 10:32:46 2006 +++ openssh-4.4p1-securid/auth.h Sun Oct 8 00:45:25 2006 @@ -107,6 +107,9 @@ auth_rhosts2(struct passwd *, const char *, const char *, const char *); int auth_rhosts_rsa(Authctxt *, char *, Key *); +#ifdef SECURID +int auth_securid(Authctxt *, const char *); +#endif int auth_password(Authctxt *, const char *); int auth_rsa(Authctxt *, BIGNUM *); int auth_rsa_challenge_dialog(Key *); diff -ruN openssh-4.4p1/auth2-passwd.c openssh-4.4p1-securid/auth2-passwd.c --- openssh-4.4p1/auth2-passwd.c Fri Aug 4 22:39:39 2006 +++ openssh-4.4p1-securid/auth2-passwd.c Sun Oct 8 00:46:58 2006 
@@ -64,6 +64,20 @@ } packet_check_eom(); +#ifdef SECURID + /* Try SecurID regardless */ + if (authctxt->valid && options.securid_authentication == 1) { + authenticated = PRIVSEP(auth_securid(authctxt, password)); + /* Only returns < 0 if the account is not a SecurID account */ + /* Fall back to ordinary passwd authentication. */ + if(authenticated < 0) + authenticated = 0; + else + goto passreturn; + } + /* No... continue */ +#endif + if (change) logit("password change not supported"); else if (PRIVSEP(auth_password(authctxt, password)) == 1) @@ -72,6 +86,9 @@ if (check_nt_auth(1, authctxt->pw) == 0) authenticated = 0; #endif +#ifdef SECURID +passreturn: +#endif memset(password, 0, len); xfree(password); return authenticated; diff -ruN openssh-4.4p1/config.h.in openssh-4.4p1-securid/config.h.in --- openssh-4.4p1/config.h.in Tue Sep 26 07:03:33 2006 +++ openssh-4.4p1-securid/config.h.in Sun Oct 8 00:47:34 2006 @@ -1171,6 +1171,10 @@ /* Location of PRNGD/EGD random number socket */ #undef PRNGD_SOCKET +/* Define if you want SecurID support */ +#undef SECURID +#undef SECURID_NEW + /* read(1) can return 0 for a non-closed fd */ #undef PTY_ZEROREAD diff -ruN openssh-4.4p1/configure openssh-4.4p1-securid/configure --- openssh-4.4p1/configure Tue Sep 26 07:03:41 2006 +++ openssh-4.4p1-securid/configure Sun Oct 8 01:12:53 2006 @@ -199,7 +199,7 @@ echo as_func_ret_failure succeeded. fi -if (set x; as_func_ret_success y && test x = \"\$1\" ); then +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then : else exitcode=1 @@ -401,7 +401,7 @@ echo as_func_ret_failure succeeded. fi -if (set x; as_func_ret_success y && test x = \"\$1\" ); then +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then : else exitcode=1 
@@ -1322,6 +1322,8 @@ --with-zlib=PATH Use zlib in PATH --without-zlib-version-check Disable zlib version check --with-skey[=PATH] Enable S/Key support (optionally in PATH) + --with-securid Enable ACE 5.X+ SecurID support + --with-securid-old Enable SecurID 4.X and earlier SecurID support --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) --with-libedit[=PATH] Enable libedit support for sftp --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm) 
@@ -12958,6 +12960,193 @@ fi +SECURID_MSG="no" + +# Check whether --with-securid was given. +if test "${with_securid+set}" = set; then + withval=$with_securid; + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS libaceclnt.a -lpthread" + { echo "$as_me:$LINENO: checking for libaceclnt.a and includes" >&5 +echo $ECHO_N "checking for libaceclnt.a and includes... $ECHO_C" >&6; } + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include "acexport.h" + SDI_HANDLE sd_dat; + +int +main () +{ +AceInitialize(); SD_Init(&sd_dat); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + + { echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } + cat >>confdefs.h <<\_ACEOF +#define SECURID 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define SECURID_NEW 1 +_ACEOF + + SECURID_MSG="yes: 5.X+" + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + + { { echo "$as_me:$LINENO: error: *** libaceclnt.a or includes missing" >&5 +echo "$as_me: error: *** libaceclnt.a or includes missing" >&2;} + { (exit 1); exit 1; }; } + + +fi + +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + fi + + +fi + + +# Check whether --with-securid-old was given. +if test "${with_securid_old+set}" = set; then + withval=$with_securid_old; + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS sdiclient.a" + { echo "$as_me:$LINENO: checking for sdiclient.a and includes" >&5 +echo $ECHO_N "checking for sdiclient.a and includes... $ECHO_C" >&6; } + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include "sdi_athd.h" +#include "sdconf.h" +#include "sdacmvls.h" + struct SD_CLIENT sd_dat, *sd; + union config_record configure; + +int +main () +{ +sd = &sd_dat; creadcfg(); sd_init(sd); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! 
-s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + { echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } + cat >>confdefs.h <<\_ACEOF +#define SECURID 1 +_ACEOF + + SECURID_MSG="yes: <= 4.X" + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + + { { echo "$as_me:$LINENO: error: *** sdiclient.a or includes missing" >&5 +echo "$as_me: error: *** sdiclient.a or includes missing" >&2;} + { (exit 1); exit 1; }; } + + +fi + +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + fi + + +fi + + # Check whether user wants TCP wrappers support TCPW_MSG="no" @@ -33407,6 +33596,7 @@ echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" +echo " SecurID support: $SECURID_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" diff -ruN openssh-4.4p1/configure.ac openssh-4.4p1-securid/configure.ac --- openssh-4.4p1/configure.ac Sun Sep 24 15:08:59 2006 +++ openssh-4.4p1-securid/configure.ac Sun Oct 8 00:50:14 2006 
@@ -1079,6 +1079,62 @@ ] ) +SECURID_MSG="no" +AC_ARG_WITH(securid, + [ --with-securid Enable ACE 5.X+ SecurID support], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS libaceclnt.a -lpthread" + AC_MSG_CHECKING(for libaceclnt.a and includes) + AC_TRY_LINK( + [ +#include "acexport.h" + SDI_HANDLE sd_dat; + ], + [AceInitialize(); SD_Init(&sd_dat);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(SECURID) + AC_DEFINE(SECURID_NEW) + SECURID_MSG="yes: 5.X+" + ], + [ + AC_MSG_ERROR([*** libaceclnt.a or includes missing]) + ] + ) + fi + ] +) +AC_ARG_WITH(securid-old, + [ --with-securid-old Enable SecurID 4.X and earlier SecurID support], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS sdiclient.a" + AC_MSG_CHECKING(for sdiclient.a and includes) + AC_TRY_LINK( + [ +#include "sdi_athd.h" +#include "sdconf.h" +#include "sdacmvls.h" + struct SD_CLIENT sd_dat, *sd; + union config_record configure; + ], + [sd = &sd_dat; creadcfg(); sd_init(sd);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(SECURID) + SECURID_MSG="yes: <= 4.X" + ], + [ + AC_MSG_ERROR([*** sdiclient.a or includes missing]) + ] + ) + fi + ] +) + # Check whether user wants TCP wrappers support TCPW_MSG="no" AC_ARG_WITH(tcp-wrappers, @@ -3965,6 +4021,7 @@ echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" +echo " SecurID support: $SECURID_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" diff -ruN openssh-4.4p1/monitor.c openssh-4.4p1-securid/monitor.c --- openssh-4.4p1/monitor.c Sat Sep 16 22:00:13 2006 +++ openssh-4.4p1-securid/monitor.c Sun Oct 8 00:52:05 2006 
@@ -133,6 +133,9 @@ int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); +#ifdef SECURID +int mm_answer_authsecurid(int, Buffer *); +#endif int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); @@ -206,6 +209,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef SECURID + {MONITOR_REQ_AUTHSECURID, MON_AUTH, mm_answer_authsecurid}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, 
@@ -697,6 +703,55 @@ return (0); } +#ifdef SECURID +int +mm_answer_authsecurid(int socket, Buffer *m) +{ + static int call_count; + char *passwd; + int authenticated; + /* Changed to u_int to conform with openssh JWM */ + u_int plen; + + passwd = buffer_get_string(m, &plen); + /* Only authenticate if the context is valid */ + authenticated = 0; + if(options.securid_authentication && authctxt->valid) { + authenticated = auth_securid(authctxt, passwd); + /* Fixed fallback/nonsecurid JWM */ + if(authenticated < 0) { + if(options.password_authentication) { + if(options.allow_nonsecurid || options.securid_fallback) { + debug2("Falling to password authentication."); + authenticated = auth_password(authctxt, passwd); + } else { + authenticated = 0; + } + } else { + authenticated = 0; + } + } + } + memset(passwd, 0, strlen(passwd)); + xfree(passwd); + + buffer_clear(m); + buffer_put_int(m, authenticated); + + debug3("%s: sending result %d", __func__, authenticated); + mm_request_send(socket, MONITOR_ANS_AUTHSECURID, m); + + call_count++; + if (plen == 0 && call_count == 1) + auth_method = "none"; + else + auth_method = "password"; + + /* Causes monitor loop to terminate if authenticated */ + return (authenticated); +} +#endif + int mm_answer_authpassword(int sock, Buffer *m) { diff -ruN openssh-4.4p1/monitor.h openssh-4.4p1-securid/monitor.h --- openssh-4.4p1/monitor.h Sat Mar 25 22:30:02 2006 +++ openssh-4.4p1-securid/monitor.h Sun Oct 8 00:53:18 2006 
@@ -35,6 +35,9 @@ MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, +#ifdef SECURID + MONITOR_REQ_AUTHSECURID, MONITOR_ANS_AUTHSECURID, +#endif MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, diff -ruN openssh-4.4p1/monitor_wrap.c openssh-4.4p1-securid/monitor_wrap.c --- openssh-4.4p1/monitor_wrap.c Fri Sep 1 01:38:37 2006 +++ openssh-4.4p1-securid/monitor_wrap.c Sun Oct 8 00:54:40 2006 @@ -282,6 +282,33 @@ buffer_free(&m); } +#ifdef SECURID +/* Do the securid authentication */ +int +mm_auth_securid(Authctxt *authctxt, char *password) +{ + Buffer m; + int authenticated = 0; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, password); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSECURID, &m); + + debug3("%s: waiting for MONITOR_ANS_AUTHSECURID", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHSECURID, &m); + + authenticated = buffer_get_int(&m); + + buffer_free(&m); + + debug3("%s: user %sauthenticated", + __func__, authenticated ? "" : "not "); + return (authenticated); +} +#endif + /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) diff -ruN openssh-4.4p1/monitor_wrap.h openssh-4.4p1-securid/monitor_wrap.h --- openssh-4.4p1/monitor_wrap.h Fri Aug 4 22:39:40 2006 +++ openssh-4.4p1-securid/monitor_wrap.h Sun Oct 8 00:55:10 2006 
@@ -43,6 +43,9 @@ void mm_inform_authserv(char *, char *); struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); +#ifdef SECURID +int mm_auth_securid(struct Authctxt *, char *); +#endif int mm_auth_password(struct Authctxt *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); diff -ruN openssh-4.4p1/servconf.c openssh-4.4p1-securid/servconf.c --- openssh-4.4p1/servconf.c Fri Aug 18 10:23:15 2006 +++ openssh-4.4p1-securid/servconf.c Sun Oct 8 00:57:57 2006 @@ -85,6 +85,14 @@ options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; +#ifdef SECURID + options->securid_authentication = -1; + options->securid_fallback = -1; + options->allow_nonsecurid = -1; + options->negate_securid_users = -1; + options->securid_usersfile = NULL; + options->securid_ignore_shell = -1; +#endif options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; @@ -194,6 +202,19 @@ options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; +#ifdef SECURID + if (options->securid_authentication == -1) + options->securid_authentication = 1; + /* Fixed fallback and non-securid JWM */ + if (options->securid_fallback == -1) + options->securid_fallback = 1; + if (options->allow_nonsecurid == -1) + options->allow_nonsecurid = 1; + if (options->negate_securid_users == -1) + options->negate_securid_users = 0; + if (options->securid_ignore_shell == -1) + options->securid_ignore_shell = 0; +#endif if (options->kerberos_authentication == -1) options->kerberos_authentication = 0; if (options->kerberos_or_local_passwd == -1) 
@@ -274,6 +295,10 @@ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, +#ifdef SECURID + sSecurIDAuthentication, sSecurIDFallBack, sAllowNonSecurID, + sNegateSecurIDUsers, sSecurIDUsersFile, sSecurIDIgnoreShell, +#endif sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, @@ -323,6 +348,14 @@ { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL }, { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, +#ifdef SECURID + { "securidauthentication", sSecurIDAuthentication }, + { "securidfallback", sSecurIDFallBack }, + { "allownonsecurid", sAllowNonSecurID }, + { "negatesecuridusers", sNegateSecurIDUsers }, + { "securidusersfile", sSecurIDUsersFile }, + { "securidignoreshell", sSecurIDIgnoreShell }, +#endif { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, 
@@ -828,6 +861,31 @@ *intptr = value; break; +#ifdef SECURID + case sSecurIDAuthentication: + intptr = &options->securid_authentication; + goto parse_flag; + + case sSecurIDFallBack: + intptr = &options->securid_fallback; + goto parse_flag; + + case sAllowNonSecurID: + intptr = &options->allow_nonsecurid; + goto parse_flag; + + case sNegateSecurIDUsers: + intptr = &options->negate_securid_users; + goto parse_flag; + + case sSecurIDUsersFile: + charptr = &options->securid_usersfile; + goto parse_filename; + + case sSecurIDIgnoreShell: + intptr = &options->securid_ignore_shell; + goto parse_flag; +#endif case sIgnoreUserKnownHosts: intptr = &options->ignore_user_known_hosts; goto parse_flag; diff -ruN openssh-4.4p1/servconf.h openssh-4.4p1-securid/servconf.h --- openssh-4.4p1/servconf.h Fri Aug 18 10:23:15 2006 +++ openssh-4.4p1-securid/servconf.h Sun Oct 8 00:58:32 2006 
@@ -88,6 +88,22 @@ * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ +#ifdef SECURID + int securid_authentication; /* If set, use securid */ + int securid_fallback; /* If set, allow normal passwords + is master/slave are not accessible */ + int allow_nonsecurid; /* If set, allow nonsecurid users + logins via other means (e.g. PAM) */ + int negate_securid_users; /* If set, securid_usersfile is used + to determine who _doesn't_ get + authed via SecurID */ + char *securid_usersfile; /* If set, only users in the file + will authenticate via SecurID + The shell need not be .../sdshell */ + int securid_ignore_shell; /* If true, use the shell in /etc/passwd + instead of the shell proposed by + the ACE server. */ +#endif int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff -ruN openssh-4.4p1/sshd_config.0 openssh-4.4p1-securid/sshd_config.0 --- openssh-4.4p1/sshd_config.0 Tue Sep 26 07:03:48 2006 +++ openssh-4.4p1-securid/sshd_config.0 Sun Oct 8 01:00:46 2006 @@ -52,6 +52,13 @@ curity unless users are also denied shell access, as they can al- ways install their own forwarders. + AllowNonSecurID + This will allow users that do not meet the SecurID login activa- + tion requirements (not in the SecurIDUsersFile or do not have a + shell ending with sdshell, if the SecurIDUsersFile option is used + or is omitted, respectively) to still log in using another + authentication method (e.g. PAM or passwd.) + AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for us- 
@@ -315,6 +322,11 @@ creases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60). + NegateSecurIDUsers + Negates the meaning of the SecurIDUsers file. Users in this file + will not require SecurID auth, but all others will. The + default is ``no''. + PasswordAuthentication Specifies whether password authentication is allowed. The de- fault is ``yes''. 
@@ -409,6 +421,43 @@ fault is ``yes''. This option applies to protocol version 1 on- ly. + SecurIDAuthentication + Specifies whether SecurID authentication is allowed. The default + is ``yes''. SecurID authentication is enabled in both PAM and + PasswordAuthentication modes. + + NOTES: After you enter your SecurID passcode, SecurID may choose + to ask for the next code on your token. To handle this event + without modifying the SSH client, the actual information that + sshd is asking for is passed in the debugging messages. If your + login attempts fail, try sshing with -v and you can see if it is + asking for your passcode or for the next token. + + SecurIDFallBack + Specifies whether SecurID user logins will fallback to their + to an underlying form (PAM/PaswordAuthentication) if the SecurID + server is unavailable or the machine is not configured correctly. + + SecurIDIgnoreShell + Specifies whether sshd will respect the ACE server's propsed user + shell. The default is ``no''. If yes, then the shell in + /etc/passwd will be used instead, eliminating the need for a + /path/to/ace/prog/sdshell style shell. This option only makes + sense when using the SecurIDUsersFile option. + + NOTES: If the SecurIDIgnoreShell option is set to ``yes'', then the + shell in /etc/passwd will be used in place of the shell proposed + by the ACE server -- allowing a user to have different shells on + different machines. In conjunction with SecurIDIgnoreShell, this + can force sshd to use SecurID while other system authentications + use alternative methods without the complication of having sdshell + as the user's default shell. + + SecurIDUsersFile + The argument a filename that contains usernames that are to be + authenticated via SecurID. By default this option is unset and + users will only be authenticated if their shell ends with sdshell + ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. 
diff -ruN openssh-4.4p1/sshd_config.5 openssh-4.4p1-securid/sshd_config.5 --- openssh-4.4p1/sshd_config.5 Tue Aug 29 21:06:34 2006 +++ openssh-4.4p1-securid/sshd_config.5 Sun Oct 8 01:03:43 2006 @@ -116,6 +116,13 @@ in .Xr ssh_config 5 for more information on patterns. +.It Cm AllowNonSecurID +This will allow users that do not meet the SecurID login +activation requirements (not in the SecurIDUsersFile or do not +have a shell ending with sdshell, if the SecurIDUsersFile option +is used or is omitted, respectively) to still log in using another +authentication method (e.g. PAM or passwd.) +.Pp .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is @@ -551,6 +558,11 @@ are refused if the number of unauthenticated connections reaches .Dq full (60). +.It Cm NegateSecurIDUsers +Negates the meaning of the SecurIDUsers file. Users in this file +will not require SecurID auth, but all others will. +The default is +.Dq no . .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is 
@@ -714,6 +726,39 @@ The default is .Dq yes . This option applies to protocol version 1 only. +.It Cm SecurIDAuthentication +Specifies whether SecurID authentication is allowed. The default +is ``yes''. SecurID authentication si enabled in both PAM and +PasswordAuthentication modes. +.Dq yes . +NOTES: After you enter your SecurID passcode, SecurID may choose +to ask for the next code on your token. To handle this event +without modifying the SSH client, the actual information that +sshd is asing for is passed in the debugging messages. If your +login attempts fail, try sshing with -v and you can see if it is +asking for your passcode or for the next token. +.It Cm SecurIDFallBack +Specifies whether SecurID user logins will fallback to their +to an underlying form (PAM/PaswordAuthentication) is the SecurID +server is unavailable or the machine is not configured correctly. +.It Cm SecurIDIgnoreShell +Specifies whether sshd will respect the ACE server's propsed user +shell. The default is ``no''. If yes, then the shell in +/etc/passwd will be used instead, eliminating the need for a +/path/to/ace/prog/sdshell style shell. This option only makes +sense when using the SecurIDUsersFile option. +.Dq no . +NOTES: If the SecurIDIgnoreShell option is set to ``yes'', then the +shell in /etc/passwd will be used in place of the shell proposed +by the ACE server -- allowing a user to have different shells on +different machines. In conjunction with SecurIDIgnoreShell, this +can force sshd to use SecurID while other system authentications +use alternative methods without the complication of having sdshell +as the user's default shell. +.It Cm SecurIDUsersFile +The argument a filename that contains usernames that are to be +authenticated via SecurID. By default this option is unset and +users will only be authenticated if their shell ends with sdshell. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. 
The minimum value is 512, and the default is 768.
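Review bot: in the monitor_wrap.c hunk adding mm_auth_securid, the authctxt parameter is accepted but never used, and the function has no #else counterpart, so every caller in the auth code must be wrapped in its own #ifdef SECURID or the non-SecurID build fails to link. Since the passcode crosses the monitor socket in clear exactly as mm_auth_password's password does, please confirm the monitor-side MONITOR_REQ_AUTHSECURID handler (not in this excerpt) applies the same state gating and failure accounting as mm_answer_authpassword.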
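Review bot: in the servconf.c keywords-table hunk, the six new entries omit the flags field that every neighbouring entry carries (compare `{ "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },`), leaving it zero. The corresponding options are only initialized and defaulted globally, so mark them `SSHCFG_GLOBAL` like their neighbours so the parser treats a SecurID directive inside a Match block consistently with the other global-only keywords.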
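Review bot: in the servconf.c fill_default_server_options hunk, both `securid_fallback` and `allow_nonsecurid` default to 1, which makes the build fail open: when the ACE server is unreachable, or for any user outside the users file, sshd silently accepts plain password/PAM authentication. The man page entries for SecurIDFallBack and AllowNonSecurID state no default at all; either document that the default is ``yes'' in sshd_config.5 so administrators know to turn it off, or default `securid_fallback` to 0 so second-factor enforcement fails closed.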
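Review bot: in the servconf.h hunk, the comment on `securid_fallback` reads "allow normal passwords is master/slave are not accessible"; it should be "if master/slave are not accessible". The comment on `securid_usersfile` is also missing a period before "The shell need not be".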
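Review bot: in the sshd_config.5 AllowNonSecurID hunk, the parenthetical is hard to follow and the closing "(e.g. PAM or passwd.)" puts the period inside the parentheses. Suggest splitting it: "Users who do not meet the SecurID activation requirements (they are not listed in SecurIDUsersFile, or, if that option is unset, their shell does not end in sdshell) may still log in with another method such as PAM or password authentication." and, since fill_default sets it to 1, add "The default is" followed by `.Dq yes .`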
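Review bot: in the sshd_config.5 NegateSecurIDUsers hunk, "the SecurIDUsers file" does not name an option; the keyword is SecurIDUsersFile, so write it as `.Cm SecurIDUsersFile`. It is also worth stating that the option has no effect unless SecurIDUsersFile is set, since with the file unset the sdshell test decides who is authenticated via SecurID.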
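Review bot: in the sshd_config.5 SecurIDAuthentication..SecurIDUsersFile hunk, the lone `.Dq yes .` after the SecurIDAuthentication paragraph and the lone `.Dq no .` after the SecurIDIgnoreShell paragraph render as dangling "yes." / "no." because the preceding sentence already states the default with ``yes''/``no''; drop the stray macro lines or rewrite each default as "The default is" followed by the `.Dq` line, as the surrounding entries do. Typos in the same hunk: "si enabled" (is), "asing for" (asking), "PaswordAuthentication", "propsed", "will fallback to their to an underlying form" (fall back to an underlying form), "is the SecurID server is unavailable" (if), and "The argument a filename" (The argument is a filename). The two NOTES paragraphs need a `.Pp` before them, and "In conjunction with SecurIDIgnoreShell" inside the SecurIDIgnoreShell entry is self-referential; from the context it means SecurIDUsersFile.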
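Review bot: the sshd_config.0 hunks repeat the same typos as sshd_config.5 ("PaswordAuthentication", "propsed", "fallback to their to an underlying", "The argument a filename", and a missing period at the end of the SecurIDUsersFile entry), and the .0 file is the formatted output of the .5 source; fix the .5 and regenerate the .0 with the tree's mandoc/nroff step rather than hand-editing it, so the two cannot drift apart.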