* Move password authentication handling into sshd/auth (fixes#394).
Password authentication is now completely handeled in Auth. The normal
keyboard-interactive handler checks if passwords are supported and asks
for them, removing the need to override the callbacks.
Brute force throttling is removed; I'd like to base it on IP address
banning, which requires changes to the checks.
I'm not sure, but I think timing attacks against the password are fixed:
- The hashing of the real password happens only at startup.
- The hashing of a provided password is something an attacker can do
themselves; It doesn't leak anything about the real password.
- The hash comparison is constant-time.
* refactor checks, IP-ban incorrect passphrases, renames
- s/assword/assphrase/, typo fixes
- bans are checked separately from public keys
- an incorrect passphrase results in a one-minute IP ban
- whitelists no longer override bans (i.e. you can get banned if you're
whitelisted)
* (hopefully) final changes
* Swap out gopass dependency
Remove github.com/mewbak/gopass in favor of github.com/howeyc/gopass
* Add Windows to Makefile and build_release
Added Windows/386 and Windows/amd64 to the Makefile. Some minor changes
needed to be made to build_release to give the windows binary the ".exe"
extension.
* Makefile: remove windows/amd64
