/*
 * Author: Theo Schlossnagle <jesus@omniti.com>
 * Copyright (c) 2000-2002 Theo Schlossnagle <jesus@omniti.com>
 * All rights reserved
 *
 * Created: September 21, 2000
 * License: OpenSSH License. See the license for OpenSSH for more details.
 *
 * Update for ACE 5.X by Jim Matthews -- j.w.matthews@cox.net
 * Patch works only for OpenSSH version v4.1p1
 *
 * June 16, 2005: -- j.w.matthews@cox.net
 * Updated to support openssh v4.1p1
 *
 * March 15, 2005: -- j.w.matthews@cox.net
 * Updated to support openssh v4.0p1
 *
 * Aug 18, 2004: -- j.w.matthews@cox.net
 * Updated to support openssh v3.9p1
 * Added #ifdef SECURID in a couple of places it wasn't used and should have been
 * for consistency in monitor.c and monitor.h
 *
 * Aug 15, 2004: -- j.w.matthews@cox.net
 * Updated to support openssh v3.8.1p1
 *
 * March 1, 2004: -- j.w.matthews@cox.net
 * Updated to support openssh v3.8p1
 *
 * September 27, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.7.1p2
 * Re-added SecurID man page entries previously included in the v3.6.1p2 patch.
 * Changed "plen" from type int to type u_int in function mm_answer_authsecurid in
 * monitor.c to conform with openssh.
 *
 * September 17, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.7.1p1.
 *
 * September 16, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.7p1.
 * In auth-securid.c log has changed to logit since it changed in v3.7p1.
 * In pam-auth.c the securid auth function is no longer needed. v3.7p1 completely
 * changed the way PAM is handled.
 *
 * June 4th, 2003: -- Nicolas Lidzborski <cpc@freeshell.org>
 * Updated to support openssh v3.6.1p2
 *
 * April 5th, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.6.1p1.
 * Modified to support both new (5.X+) and old (<= 4.X) securid client API libraries.
 * Added --with-securid-old for <= 4.X support, --with-securid is for new API support.
 * Added sd_close for ACE server disconnect at the end of authentication for old API support.
 *
 * March 3rd, 2003: -- j.w.matthews@cox.net
 * Changed "user not in [securid] allow", "user in [securid] deny" SecurID messages from
 * type "error" to type "log" in auth-securid.c.
 *
 * March 1st, 2003: -- j.w.matthews@cox.net
 * Rewrote functions in auth-securid.c to support the ACE server version 5.X API.
 * Modified configure script to check for new libaceclnt.a and acexport.h.
 * Fixed AllowNonSecurid option in monitor.c and servconf.c so it actually works now.
 * Fixed potential memory leak in auth-securid.c for SecurID shell assignment variable.
 *
 * October 22nd, 2002:
 * Updated to 3.5p1 -- jesus@omniti.com
 * Incorporated a few minor fixes for the auth phase.
 *
 * June 26th, 2002:
 * Updated to 3.4p1 -- jesus@omniti.com
 * Revamped the auth mechanism to use the new privilege separation code.
 * Updated man pages in their new locations.
 *
 * March 15th, 2002:
 * Updated to 3.1p1 -- jesus@omniti.com
 * Added better support for auth2-pam. Added NegateSecurIDUsers option to
 * negate the meaning of the SecureIDUsersFile option.
 *
 * December 11th, 2001:
 * Updated to 3.0.2p1 -- jesus@omniti.com
 * no new features
 *
 * December 3rd, 2001:
 * Updated to 3.0.1p1 -- jesus@omniti.com
 * no new features
 *
 * November 8th, 2001:
 * Updated to 3.0p1 -- jesus@omniti.com
 * no new features
 *
 * September 30th, 2001:
 * Updated to 2.9.9p2 -- jesus@omniti.com
 * no new features
 *
 * June 28, 2001:
 * Updated to 2.9p2 -- jesus@omniti.com
 * no new features
 *
 * April 24, 2001:
 * Updated to 2.9p1 -- jesus@omniti.com
 * Added autoconf clauses to fail if sdiclient.a and headers aren't there.
 *
 * April 21, 2001:
 * Updated to 2.5.2p2 -- jesus@omniti.com
 * Incorporated some bug fixes from Anders Olsen to fix next-token code.
 *
 * March 19, 2001:
 * Updated to 2.5.2p1 -- jesus@omniti.com
 *
 * December 20, 2000:
 * Updated to 2.3.0p1 -- jesus@omniti.com
 *
 * Jan 9th, 2001:
 * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives
 * to the sshd_config file. These parameters are documented in the man page.
 * This provides a more logical separation between fail-through due to system
 * failure and fall-through by configuration. (fall-through vs. fail-through)
 * -- jesus@omniti.com
 */

Seems like a few people are interested. So here is the patch.

This has only been tested on UNICES that support PAM. There is untested
(only 5 lines) code in auth-passwd.c that should provide the same
functionality for normal (non-PAM) password verifications.

The patch is logically quite small; the physical patch is bulky because it
contains all the line number changes in "configure" after running autoconf on
the modified configure.in file (in which I changed maybe 10 lines -- Yuk.)

The sshd man page has been patched too :-) Read it for the two new options
relating to SecurID.

How it works:

0) apply patch ;-) You must use GNU patch (get it from ftp.gnu.org, it's free.)
1) copy ACE headers (in the SecurID inc directory) into either a standard
include place (like /usr/local/include) or into the openssh source tree, or add
--with-cflags=-I/path/to/ace/inc (where the include files are located)
2) copy the libaceclnt.a (for ACE 5.X) or sdiclient.a (for ACE <= 4.X) for your
OS (from /path/to/ace/lib/<arch>) into the openssh source tree.

Make sure that /var/ace contains your sdconf.rec, etc. If you installed the
SecurID client or server on a machine it should be this way already. If you
used a non-standard install location do a "ln -s /path/to/ace/data /var/ace"

3) add --with-securid to the configure flags for new ACE 5.X support. Use
--with-securid-old for ACE API version 4.X and older.

It will trigger if a user has a shell in /etc/passwd that ends with "sdshell"
and it snags your shell the same way sdshell does. Users with other shells
will log in as if SecurID didn't exist.
| 151 |
|
|---|
| 152 |
Done: |
|---|
| 153 |
o Normal passcode verification |
|---|
| 154 |
o Enter next token for verification |
|---|
| 155 |
(use ssh -v to see the *useful* debgging messages) |
|---|
| 156 |
|
|---|
| 157 |
ssh -v will let you know if: |
|---|
| 158 |
o your code was accepted. |
|---|
| 159 |
o your code was rejected. |
|---|
| 160 |
o you are required to wait for the next token and enter that. |
|---|
| 161 |
|
|---|
| 162 |
TODO: |
|---|
| 163 |
o Handle PIN creation and changing (as their are by default three log in |
|---|
| 164 |
attempts, it should be straight forward to integrate in these additions -- |
|---|
| 165 |
both of these operations require exactly three user inputs.) |
|---|
| 166 |
o Add sshd_config parameter to specify the VAR_ACE location (forced to |
|---|
| 167 |
/var/ace OR VAR_ACE environment variable now.) |
|---|
| 168 |
|
|---|
| 169 |
DISCLAIMER: |
|---|
| 170 |
I works for me (yes, in production). If you get locked out of a production |
|---|
| 171 |
system becuase you replaced your sshd with this one, feeling really dumb is |
|---|
| 172 |
YOUR responsibility NOT mine. It is not my fault :-D |
|---|
| 173 |
|
|---|
| 174 |
Hope this is useful! scp (and all other tools that can use ssh like rsync and |
|---|
| 175 |
cvs) will work now!!!! Hooray! |
|---|
| 176 |
|
|---|