Uppity: support SSH-2 password change request.
This is the first time I've _ever_ been able to test that feature of the client userauth code personally, and pleasingly, it seems to work fine.
This commit is contained in:
parent
730af28b99
commit
23e98b0afb
@ -280,7 +280,7 @@ static void ssh1_login_server_process_queue(PacketProtocolLayer *ppl)
|
|||||||
if (nul)
|
if (nul)
|
||||||
password.len = (const char *)nul - (const char *)password.ptr;
|
password.len = (const char *)nul - (const char *)password.ptr;
|
||||||
|
|
||||||
if (auth_password(s->authpolicy, s->username, password))
|
if (auth_password(s->authpolicy, s->username, password, NULL))
|
||||||
goto auth_success;
|
goto auth_success;
|
||||||
} else if (pktin->type == SSH1_CMSG_AUTH_RSA) {
|
} else if (pktin->type == SSH1_CMSG_AUTH_RSA) {
|
||||||
s->current_method = AUTHMETHOD_PUBLICKEY;
|
s->current_method = AUTHMETHOD_PUBLICKEY;
|
||||||
|
@ -163,20 +163,34 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
|
|||||||
goto failure;
|
goto failure;
|
||||||
} else if (ptrlen_eq_string(s->method, "password")) {
|
} else if (ptrlen_eq_string(s->method, "password")) {
|
||||||
int changing;
|
int changing;
|
||||||
ptrlen password;
|
ptrlen password, new_password, *new_password_ptr;
|
||||||
|
|
||||||
s->this_method = AUTHMETHOD_PASSWORD;
|
s->this_method = AUTHMETHOD_PASSWORD;
|
||||||
if (!(s->methods & s->this_method))
|
if (!(s->methods & s->this_method))
|
||||||
goto failure;
|
goto failure;
|
||||||
|
|
||||||
changing = get_bool(pktin);
|
changing = get_bool(pktin);
|
||||||
if (changing)
|
|
||||||
goto failure; /* FIXME: not yet supported */
|
|
||||||
|
|
||||||
password = get_string(pktin);
|
password = get_string(pktin);
|
||||||
|
|
||||||
if (!auth_password(s->authpolicy, s->username, password))
|
if (changing) {
|
||||||
|
new_password = get_string(pktin);
|
||||||
|
new_password_ptr = &new_password;
|
||||||
|
} else {
|
||||||
|
new_password_ptr = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
int result = auth_password(s->authpolicy, s->username,
|
||||||
|
password, new_password_ptr);
|
||||||
|
if (result == 2) {
|
||||||
|
pktout = ssh_bpp_new_pktout(
|
||||||
|
s->ppl.bpp, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ);
|
||||||
|
put_stringz(pktout, "Please change your password");
|
||||||
|
put_stringz(pktout, ""); /* language tag */
|
||||||
|
pq_push(s->ppl.out_pq, pktout);
|
||||||
|
continue; /* skip USERAUTH_{SUCCESS,FAILURE} epilogue */
|
||||||
|
} else if (result != 1) {
|
||||||
goto failure;
|
goto failure;
|
||||||
|
}
|
||||||
} else if (ptrlen_eq_string(s->method, "publickey")) {
|
} else if (ptrlen_eq_string(s->method, "publickey")) {
|
||||||
int has_signature, success;
|
int has_signature, success;
|
||||||
ptrlen algorithm, blob, signature;
|
ptrlen algorithm, blob, signature;
|
||||||
|
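Review bot: The new dispatch on `result == 2` and `result != 1` leaves the three auth_password outcomes as bare integers at the call site, so a reader has to go to the header comment to learn that 2 means "accepted but must change password"; an enum declared next to the prototype (e.g. `AUTH_REJECTED = 0, AUTH_ACCEPTED = 1, AUTH_PASSWORD_CHANGE_NEEDED = 2`, names constructed here) and used both here and in the policy implementation in the last hunk would make both branches self-describing. The mid-block `int result = auth_password(...)` also departs from the top-of-block declarations (`int changing; ptrlen password, ...`) used in this branch and in the `publickey` branch below it; moving `int result;` up keeps the function's existing style. The `continue` on the change-request path skips the USERAUTH_FAILURE epilogue, so if that epilogue is where failed attempts are counted or logged (it is not visible here), a client that keeps supplying a rejected new password could loop without being throttled — worth confirming. The enclosing loop and function body start and end outside the hunk.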
@ -38,7 +38,12 @@ struct AuthKbdIntPrompt {
|
|||||||
|
|
||||||
unsigned auth_methods(AuthPolicy *);
|
unsigned auth_methods(AuthPolicy *);
|
||||||
int auth_none(AuthPolicy *, ptrlen username);
|
int auth_none(AuthPolicy *, ptrlen username);
|
||||||
int auth_password(AuthPolicy *, ptrlen username, ptrlen password);
|
|
||||||
|
int auth_password(AuthPolicy *, ptrlen username, ptrlen password,
|
||||||
|
ptrlen *opt_new_password);
|
||||||
|
/* auth_password returns 1 for 'accepted', 0 for 'rejected', and 2 for
|
||||||
|
* 'ok but now you need to change your password' */
|
||||||
|
|
||||||
int auth_publickey(AuthPolicy *, ptrlen username, ptrlen public_blob);
|
int auth_publickey(AuthPolicy *, ptrlen username, ptrlen public_blob);
|
||||||
/* auth_publickey_ssh1 must return the whole public key given the modulus,
|
/* auth_publickey_ssh1 must return the whole public key given the modulus,
|
||||||
* because the SSH-1 client never transmits the exponent over the wire.
|
* because the SSH-1 client never transmits the exponent over the wire.
|
||||||
|
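Review bot: The new parameter is named `opt_new_password` in this prototype but `new_password_opt` in the definition in the last hunk; pick one spelling so the header and implementation agree. The return-value comment added below the prototype would help callers more if it also stated the meaning of the pointer argument, e.g. `/* opt_new_password is NULL for a plain login, or points at the requested new password during a password-change attempt. */`, since that distinction drives the two code paths in the policy implementation.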
@ -175,9 +175,36 @@ int auth_none(AuthPolicy *ap, ptrlen username)
|
|||||||
{
|
{
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
int auth_password(AuthPolicy *ap, ptrlen username, ptrlen password)
|
int auth_password(AuthPolicy *ap, ptrlen username, ptrlen password,
|
||||||
|
ptrlen *new_password_opt)
|
||||||
{
|
{
|
||||||
return ptrlen_eq_string(password, "weasel");
|
const char *PHONY_GOOD_PASSWORD = "weasel";
|
||||||
|
const char *PHONY_BAD_PASSWORD = "ferret";
|
||||||
|
|
||||||
|
if (!new_password_opt) {
|
||||||
|
/* Accept login with our preconfigured good password */
|
||||||
|
if (ptrlen_eq_string(password, PHONY_GOOD_PASSWORD))
|
||||||
|
return 1;
|
||||||
|
/* Don't outright reject the bad password, but insist on a change */
|
||||||
|
if (ptrlen_eq_string(password, PHONY_BAD_PASSWORD))
|
||||||
|
return 2;
|
||||||
|
/* Reject anything else */
|
||||||
|
return 0;
|
||||||
|
} else {
|
||||||
|
/* In a password-change request, expect the bad password as input */
|
||||||
|
if (!ptrlen_eq_string(password, PHONY_BAD_PASSWORD))
|
||||||
|
return 0;
|
||||||
|
/* Accept a request to change it to the good password */
|
||||||
|
if (ptrlen_eq_string(*new_password_opt, PHONY_GOOD_PASSWORD))
|
||||||
|
return 1;
|
||||||
|
/* Outright reject a request to change it to the same password
|
||||||
|
* as it already 'was' */
|
||||||
|
if (ptrlen_eq_string(*new_password_opt, PHONY_BAD_PASSWORD))
|
||||||
|
return 0;
|
||||||
|
/* Anything else, pretend the new pw wasn't good enough, and
|
||||||
|
* re-request a change */
|
||||||
|
return 2;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
int auth_publickey(AuthPolicy *ap, ptrlen username, ptrlen public_blob)
|
int auth_publickey(AuthPolicy *ap, ptrlen username, ptrlen public_blob)
|
||||||
{
|
{
|
||||||
|
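Review bot: `PHONY_GOOD_PASSWORD` and `PHONY_BAD_PASSWORD` are ordinary block-scope `const char *` locals written in the all-caps convention this codebase otherwise reserves for macros, which misleads a reader about their nature; `static const char *const phony_good_password = "weasel";` (and likewise for "ferret") at file scope, or lowercase locals, would match the surrounding style. The bare `return 1;` / `return 2;` / `return 0;` mirror the magic numbers at the caller and would benefit from the same named constants if those are introduced. The return-value contract is currently documented only in the header comment, so a one-line comment above this definition pointing at it, e.g. `/* See sshserver.h for the meaning of the 0/1/2 return codes. */`, would help since the header path is not visible in this hunk.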