Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth-pam: Immediately report instructions to clients and fix handling in ssh client #452

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

auth-pam: Immediately report instructions to clients and fix handling in ssh client #452

wants to merge 6 commits into from

Commits on Sep 30, 2024

  1. auth: Add KbdintResult definition to define result values explicitly 

    kbdint result vfunc may return various values, so use an enum to make it
clearer what each result means without having to dig into the struct
documentation.
    @3v1n0
    3v1n0 committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    824d5b3 View commit details
    Browse the repository at this point in the history

  2. auth-pam: Add an enum to define the PAM done status 

    Makes things more readable and easier to extend
    @3v1n0
    3v1n0 committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    fd28146 View commit details
    Browse the repository at this point in the history

  3. auth-pam: Add debugging information when we receive PAM messages

    @3v1n0
    3v1n0 committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    f36415d View commit details
    Browse the repository at this point in the history

  4. auth-pam: Immediately report interactive instructions to clients 

    SSH keyboard-interactive authentication method supports instructions but
sshd didn't show them until an user prompt was requested.

This is quite inconvenient for various PAM modules that need to notify
an user without requiring for their explicit input.

So, properly implement RFC4256 making instructions to be shown to users
when they are requested from PAM.

Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
    @3v1n0
    3v1n0 committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    d2e0c05 View commit details
    Browse the repository at this point in the history

  5. sshconnect2: Write kbd-interactive service, info and instructions as … 

    …utf-8

As per the previous server change now the keyboard-interactive service
and instruction values could be reported as soon as they are available
and so they're not prompts anymore and not parsed like them.

While this was already supported by the SSH client, these messages were
not properly written as the escaped sequences they contained were not
correctly reported.

So for example a message containing "\" was represented as "\\" and
similarly for all the other C escape sequences.

This was leading to more problems when it come to utf-8 chars, as they
were only represented by their octal representation.

This was easily testable by adding a line like the one below to the
sshd PAM service:
  auth    requisite pam_echo.so Hello SSHD! Want some 🍕?

Which was causing this to be written instead:
  Hello SSHD! Want some \360\237\215\225?

To handle this, instead of simply using fmprintf, we're using the notifier
in a way can be exposed to users in the proper format and UI.
    @3v1n0
    3v1n0 committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    1997204 View commit details
    Browse the repository at this point in the history

  6. auth2-chall: Fix selection of the keyboard-interactive device 

    We were only checking if the prefix of a device name was matching what
we had in the devices list, so if the device list contained "pam", then
also the device "pam-foo" was matching.
    @3v1n0
    3v1n0 committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    541850b View commit details
    Browse the repository at this point in the history