BASH-2.04 patch for CryptoCard(R) support, (c) Tor Houghton
Release date: 7th April, 2001.

THIS CODE COMES WITH NO WARRANTY, EXPRESSED OR IMPLIED. IF YOUR DOG DIES, OR
YOUR PALM PILOT FREEZES ("Um. Hi, Fabro."), I WON'T TAKE ANY RESPONSIBILITY
FOR IT WHATSOEVER. DISTRIBUTE FREELY, BUT KEEP MY NAME (AND IGMAR
PALSENBERG'S) IN THE DISTRIBUTION. THANKS.

(I wrote that just to cover my ass; hope it is sufficient. In essence, the
patch is probably GPL, so should follow the GNU licence.)

-------

Hi,

This is a patch for GNU "bash" (Bourne Again shell) version 2.04, in order
for it to support CryptoCard(tm) tokens. You know, those little calculator
things which are far too expensive (but that is a rant for another time),
but really useful. I am sure the patch can be applied to "tcsh" as well,
with some minor tweaking.

Why bash?
---------

Well, there is already a patch for SSH (2.1.1p4) which was written by Igmar
Palsenberg(*) (my code was based on this, but is probably a lot messier?).
The problem with that patch is that it is no good for people who are using
SSH clients which can't be recompiled to support challenge/response
authentication.

How does it work?
-----------------

First of all, the user has to log in using username/password and any other
authentication mechanism (e.g. SSH can use RSA authentication). If the
user's shell is [this patched version of] bash, the user is presented with
an 8 digit "challenge" and an opportunity to write a response:

    Challenge: 17613241
    Response:

The patch reads a file, ".cryptokey", in the user's directory. This file
holds the shared secret (stored on the token), which is (usually) 8 digits.
E.g. if the card's key is (hex) 5353535353535353, the file should contain
the following data:

    0x5353535353535353

The value can also be entered as an octal value:

    0123123123123123123123123

The key can also be stored as a decimal value.

The file is required to be read(/write)able by the user only.
If the file has the wrong permissions, the authentication sequence will be
cancelled.

BUGS
----

As it stands, things like "scp" won't work. I guess the "challenge/response"
sequence screws things up. It is possible to circumvent this by only asking
for a challenge when the user is required to log in, but then you are not
protected against things such as

    ssh hostname mycommand

So, maybe someone can come up with a fix to solve both these problems?

How to apply the patch.
-----------------------

Find version 2.04 of bash and untar it:

    tar zxvf bash-2.04.tar.gz

Put the patch files in the directory where the "bash-2.04" directory is
created, then apply them:

    patch -p0 < Makefile.in.patch
    patch -p0 < shell.c.patch

Change into the bash directory, run configure, then make, then make install:

    cd bash-2.04
    ./configure

The patch assumes that OpenSSL is installed under /usr/local/ssl. If this is
not the case, change the location of it in the Makefile (ssldir).

    make

(You may wish to change the install path before you start the install.)

    make install

--
(*) Igmar Palsenberg ; it would have taken me a little longer to write this
patch without stealing glimpses at his code.