auth-pam: Immediately report instructions to clients and fix handling in ssh client #452

Open
wants to merge 6 commits into
base: master

Commits on Sep 30, 2024

  1. auth: Add KbdintResult definition to define result values explicitly

    kbdint result vfunc may return various values, so use an enum to make it
    clearer what each result means without having to dig into the struct
    documentation.
    3v1n0 committed Sep 30, 2024
    824d5b3
  2. auth-pam: Add an enum to define the PAM done status

    Makes things more readable and easier to extend
    3v1n0 committed Sep 30, 2024
    fd28146
  3. f36415d
  4. auth-pam: Immediately report interactive instructions to clients

    SSH keyboard-interactive authentication method supports instructions but
    sshd didn't show them until a user prompt was requested.
    
    This is quite inconvenient for various PAM modules that need to notify
    a user without requiring their explicit input.
    
    So, properly implement RFC4256 making instructions to be shown to users
    when they are requested from PAM.
    
    Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
    3v1n0 committed Sep 30, 2024
    d2e0c05
  5. sshconnect2: Write kbd-interactive service, info and instructions as utf-8
    
    As per the previous server change now the keyboard-interactive service
    and instruction values could be reported as soon as they are available
    and so they're not prompts anymore and not parsed like them.
    
    While this was already supported by the SSH client, these messages were
    not properly written as the escaped sequences they contained were not
    correctly reported.
    
    So for example a message containing "\" was represented as "\\" and
    similarly for all the other C escape sequences.
    
    This was leading to more problems when it came to utf-8 chars, as they
    were only represented by their octal representation.
    
    This was easily testable by adding a line like the one below to the
    sshd PAM service:
      auth    requisite pam_echo.so Hello SSHD! Want some 🍕?
    
    Which was causing this to be written instead:
      Hello SSHD! Want some \360\237\215\225?
    
    To handle this, instead of simply using fmprintf, we're using the notifier
    in a way that can be exposed to users in the proper format and UI.
    3v1n0 committed Sep 30, 2024
    1997204
  6. auth2-chall: Fix selection of the keyboard-interactive device

    We were only checking if the prefix of a device name was matching what
    we had in the devices list, so if the device list contained "pam", then
    also the device "pam-foo" was matching.
    3v1n0 committed Sep 30, 2024
    541850b
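
The prefix-matching problem described in the message of commit 6, as an added example that is not code from this pull request or from OpenSSH. The function names `match_prefix` and `match_exact` and the device list `"pam,otp"` are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers; constructed example, not OpenSSH code. */

/* Flawed check: compares only the first strlen(entry) bytes of the
 * requested name, so the list entry "pam" also accepts "pam-foo". */
static int
match_prefix(const char *list, const char *name)
{
	const char *p = list;

	while (*p != '\0') {
		size_t len = strcspn(p, ",");	/* length of current entry */

		if (len > 0 && strncmp(name, p, len) == 0)
			return 1;
		p += len;
		if (*p == ',')
			p++;
	}
	return 0;
}

/* Corrected check: entry and requested name must have the same length
 * and the same bytes. */
static int
match_exact(const char *list, const char *name)
{
	const char *p = list;
	size_t nlen = strlen(name);

	while (*p != '\0') {
		size_t len = strcspn(p, ",");

		if (len > 0 && len == nlen && memcmp(name, p, len) == 0)
			return 1;
		p += len;
		if (*p == ',')
			p++;
	}
	return 0;
}

int
main(void)
{
	const char *devices = "pam,otp";	/* constructed sample list */

	printf("prefix: pam-foo -> %d\n", match_prefix(devices, "pam-foo"));
	printf("exact:  pam-foo -> %d\n", match_exact(devices, "pam-foo"));
	return 0;
}
```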