Remove S/Key. PAM can do its job. Well, not quite - there is an issue

with the conversation function and challenges which needs to be revisited, so in the interim a hack is introduced to provide an OPIE challenge (which is random if OPIE does not apply) at all non-anonymnous logins.
2026-05-28 04:12:45 -04:00 · 2001-07-09 17:46:24 +00:00 · 2001-07-09 17:46:24 +00:00 · fa1746c93c
commit fa1746c93c
parent 8509234471
4 changed files with 19 additions and 63 deletions
--- a/libexec/ftpd/Makefile
+++ b/libexec/ftpd/Makefile
@ -3,15 +3,19 @@

 PROG=	ftpd
 MAN=	ftpd.8
-SRCS=	ftpd.c ftpcmd.y logwtmp.c popen.c skey-stuff.c
+SRCS=	ftpd.c ftpcmd.y logwtmp.c popen.c

-CFLAGS+=-DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall
+CFLAGS+=-DSETPROCTITLE -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall
 CFLAGS+=-DINET6
 CFLAGS+=-I${.CURDIR}
 YFLAGS=

-LDADD=	-lskey -lmd -lcrypt -lutil
-DPADD=	${LIBSKEY} ${LIBMD} ${LIBCRYPT} ${LIBUTIL}
+LDADD=	-lmd -lcrypt -lutil
+DPADD=	${LIBMD} ${LIBCRYPT} ${LIBUTIL}
+
+# XXX Kluge! Conversation mechanism needs to be fixed.
+LDADD+=	-lopie
+DPADD+=	${LIBOPIE}

 LSDIR=	../../bin/ls
 .PATH:	${.CURDIR}/${LSDIR}
--- a/libexec/ftpd/extern.h
+++ b/libexec/ftpd/extern.h
@ -68,9 +68,6 @@ void	upper __P((char *));
 void	user __P((char *));
 void	yyerror __P((char *));
 int	yyparse __P((void));
-#if defined(SKEY) && defined(_PWD_H_) /* XXX evil */
-char   *skey_challenge __P((char *, struct passwd *, int));
-#endif
 int	ls_main __P((int, char **));

 struct sockaddr_in;
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@ -78,6 +78,9 @@ static const char rcsid[] =
 #include <netdb.h>
 #include <pwd.h>
 #include <grp.h>
+#ifdef USE_PAM
+#include <opie.h>	/* XXX */
+#endif
 #include <setjmp.h>
 #include <signal.h>
 #include <stdio.h>
@ -91,10 +94,6 @@ static const char rcsid[] =
 #include <login_cap.h>
 #endif

-#ifdef	SKEY
-#include <skey.h>
-#endif
-
 #ifdef USE_PAM
 #include <security/pam_appl.h>
 #endif
@ -185,6 +184,10 @@ char	*tty = ttyline;		/* for klogin */
 #ifdef USE_PAM
 static int	auth_pam __P((struct passwd**, const char*));
 pam_handle_t *pamh = NULL;
+
+/* Kluge because the conversation mechanism has not been threshed out */
+static struct opie opiedata;
+static char opieprompt[OPIE_CHALLENGE_MAX+1];
 #endif

 char	*pid_file = NULL;
@ -215,10 +218,6 @@ char	*LastArgv = NULL;	/* end of argv */
 char	proctitle[LINE_MAX];	/* initial part of title */
 #endif /* SETPROCTITLE */

-#ifdef SKEY
-int	pwok = 0;
-#endif
-
 #define LOGCMD(cmd, file) \
 	if (logging > 1) \
 	    syslog(LOG_INFO,"%s %s%s", cmd, \
@ -960,9 +959,10 @@ user(name)
 	}
 	if (logging)
 		strncpy(curname, name, sizeof(curname)-1);
-#ifdef SKEY
-	pwok = skeyaccess(name, NULL, remotehost, remotehost);
-	reply(331, "%s", skey_challenge(name, pw, pwok));
+#ifdef USE_PAM
+	/* XXX Kluge! The conversation mechanism needs to be fixed. */
+	opiechallenge(&opiedata, name, opieprompt);
+	reply(331, "[ %s ] Password required for %s.", opieprompt, name);
 #else
 	reply(331, "Password required for %s.", name);
 #endif
@ -1236,16 +1236,7 @@ pass(passwd)
 		if (rval >= 0)
 			goto skip;
 #endif
-#ifdef SKEY
-		if (pwok)
-			rval = strcmp(pw->pw_passwd,
-			    crypt(passwd, pw->pw_passwd));
-		if (rval)
-			rval = strcmp(pw->pw_passwd,
-			    skey_crypt(passwd, pw->pw_passwd, pw, pwok));
-#else
 		rval = strcmp(pw->pw_passwd, crypt(passwd, pw->pw_passwd));
-#endif
 		/* The strcmp does not catch null passwords! */
 		if (*pw->pw_passwd == '\0' ||
 		    (pw->pw_expire && time(NULL) >= pw->pw_expire))
@ -1272,9 +1263,6 @@ skip:
 			return;
 		}
 	}
-#ifdef SKEY
-	pwok = 0;
-#endif
 	login_attempts = 0;		/* this time successful */
 	if (setegid((gid_t)pw->pw_gid) < 0) {
 		reply(550, "Can't set gid.");
--- a/libexec/ftpd/skey-stuff.c
+++ b/libexec/ftpd/skey-stuff.c
@ -1,33 +0,0 @@
-/* Author: Wietse Venema, Eindhoven University of Technology. 
- */
-
-#ifndef lint
-static const char rcsid[] =
-  "$FreeBSD$";
-#endif /* not lint */
-
-#include <stdio.h>
-#include <string.h>
-#include <pwd.h>
-
-#include <skey.h>
-
-/* skey_challenge - additional password prompt stuff */
-
-char   *skey_challenge(name, pwd, pwok)
-char   *name;
-struct passwd *pwd;
-int    pwok;
-{
-    static char buf[128];
-    struct skey skey;
-
-    /* Display s/key challenge where appropriate. */
-
-    *buf = '\0';
-    if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, buf))
-	snprintf(buf, sizeof(buf), "Password required for %s.", name);
-    else if (!pwok)
-	strcat(buf, " (s/key required)");
-    return (buf);
-}