Red Hat Bugzilla – Attachment 643648 Details for
Bug 869903
RequiredAuthentications2 does not work in Match blocks as documented.
[patch]
fixed required authentications patch
openssh-5.3p1-required-authentications.patch (text/plain), 28.14 KB, created by
Petr Lautrbach
on 2012-11-12 17:49:28 UTC
Description:
fixed required authentications patch
Filename:
MIME Type:
Creator:
Petr Lautrbach
Created:
2012-11-12 17:49:28 UTC
Size:
28.14 KB
patch
obsolete
>diff -up openssh-5.3p1/auth1.c.required-authentication openssh-5.3p1/auth1.c
>--- openssh-5.3p1/auth1.c.required-authentication 2012-10-04 15:50:17.169197419 +0200
>+++ openssh-5.3p1/auth1.c 2012-10-04 15:50:17.459196149 +0200
>@@ -98,6 +98,55 @@ static const struct AuthMethod1
> return (NULL);
> }
>
>+static const struct AuthMethod1 *
>+lookup_authmethod1_by_name(const char *name)
>+{
>+ int i;
>+
>+ for (i = 0; auth1_methods[i].name != NULL; i++)
>+ if (strcmp(auth1_methods[i].name, name) == 0)
>+ return (&(auth1_methods[i]));
>+
>+ return NULL;
>+}
>+
>+#define DELIM ","
>+int
>+auth1_check_required(const char *list)
>+{
>+ char *orig_methods, *methods, *cp;
>+ static const struct AuthMethod1 *m;
>+ int ret = 0;
>+
>+ orig_methods = methods = xstrdup(list);
>+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
>+ if ((cp = strsep(&methods, DELIM)) == NULL)
>+ break;
>+ debug2("auth1_check_required: method \"%s\"", cp);
>+ if (*cp == '\0') {
>+ debug("auth1_check_required: empty method");
>+ ret = -1;
>+ }
>+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
>+ debug("auth1_check_required: unknown method "
>+ "\"%s\"", cp);
>+ ret = -1;
>+ break;
>+ }
>+ if (*(m->enabled) == 0) {
>+ debug("auth1_check_required: method %s explicitly "
>+ "disabled", cp);
>+ ret = -1;
>+ }
>+ /* Activate method if it isn't already */
>+ if (*(m->enabled) == -1)
>+ *(m->enabled) = 1;
>+ }
>+ xfree(orig_methods);
>+ return (ret);
>+}
>+
>+
> static char *
> get_authname(int type)
> {
>@@ -237,6 +286,7 @@ do_authloop(Authctxt *authctxt)
> {
> int authenticated = 0;
> char info[1024];
>+ const char *meth_name;
> int prev = 0, type = 0;
> const struct AuthMethod1 *meth;
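Review bot: `m` in auth1_check_required is declared `static const struct AuthMethod1 *m;` although it only holds the per-iteration lookup result; a `static` local here serves no purpose and reads as if state were carried between calls, so `const struct AuthMethod1 *m;` (the form the ssh2 counterpart in auth2.c uses) is what is wanted. This function also dereferences `m->enabled` with no NULL guard, whereas `auth2_check_required` tests `m->enabled != NULL` first; if every `auth1_methods[]` entry carries a non-NULL `enabled` pointer that is fine, otherwise the same guard belongs here. The `#define DELIM ","` is repeated in auth1.c, auth2.c and auth.c; one definition in auth.h would keep the three list parsers in step.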
>
>@@ -244,7 +294,7 @@ do_authloop(Authctxt *authctxt)
> authctxt->valid ? "" : "invalid user ", authctxt->user);
>
> /* If the user has no password, accept authentication immediately. */
>- if (options.permit_empty_passwd && options.password_authentication &&
>+ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
> #ifdef KRB5
> (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
> #endif
>@@ -253,7 +303,7 @@ do_authloop(Authctxt *authctxt)
> if (options.use_pam && (PRIVSEP(do_pam_account())))
> #endif
> {
>- auth_log(authctxt, 1, "without authentication", "");
>+ auth_log(authctxt, 1, "without authentication", NULL, "");
> return;
> }
> }
>@@ -272,6 +322,7 @@ do_authloop(Authctxt *authctxt)
> /* Get a packet from the client. */
> prev = type;
> type = packet_read();
>+ meth_name = get_authname(type);
>
> /*
> * If we started challenge-response authentication but the
>@@ -287,8 +338,8 @@ do_authloop(Authctxt *authctxt)
> if (authctxt->failures >= options.max_authtries)
> goto skip;
> if ((meth = lookup_authmethod1(type)) == NULL) {
>- logit("Unknown message during authentication: "
>- "type %d", type);
>+ logit("Unknown message during authentication: type %d",
>+ type);
> goto skip;
> }
>
>@@ -297,6 +348,17 @@ do_authloop(Authctxt *authctxt)
> goto skip;
> }
>
>+ /*
>+ * Skip methods not in required list, until all the required
>+ * ones are done
>+ */
>+ if (options.required_auth1 != NULL &&
>+ !auth_method_in_list(options.required_auth1, meth_name)) {
>+ debug("Skipping method \"%s\" until required "
>+ "authentication completed", meth_name);
>+ goto skip;
>+ }
>+
> authenticated = meth->method(authctxt, info, sizeof(info));
> if (authenticated == -1)
> continue; /* "postponed" */
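Review bot: The empty-password fast path now tests `options.password_authentication` twice, which looks like a slip for `options.required_auth1 == NULL` (the auth2-none.c hunk further down makes exactly that addition for protocol 2). As written, an account with an empty password and PermitEmptyPasswords on is accepted and logged `without authentication` before any of the new required-list bookkeeping runs, so RequiredAuthentications1 has no effect for such accounts. Change the added line to `if (options.permit_empty_passwd && options.password_authentication && options.required_auth1 == NULL &&`. do_authloop starts before this hunk.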
>@@ -352,7 +414,29 @@ do_authloop(Authctxt *authctxt)
>
> skip:
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, get_authname(type), info);
>+ auth_log(authctxt, authenticated, meth_name, NULL, info);
>+
>+ /* Loop until the required authmethods are done */
>+ if (authenticated && options.required_auth1 != NULL) {
>+ if (auth_remove_from_list(&options.required_auth1,
>+ meth_name) == 0)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ meth_name, options.required_auth1);
>+ debug2("do_authloop: required list now: %s",
>+ options.required_auth1 == NULL ?
>+ "DONE" : options.required_auth1);
>+ if (options.required_auth1 == NULL)
>+ return;
>+ authenticated = 0;
>+ /*
>+ * Disable method so client can't authenticate with it
>+ * after the required authentications are complete.
>+ */
>+ *(meth->enabled) = 0;
>+ packet_send_debug("Further authentication required");
>+ goto send_fail;
>+ }
>
> if (client_user != NULL) {
> xfree(client_user);
>@@ -368,6 +452,7 @@ do_authloop(Authctxt *authctxt)
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+ send_fail:
>
> packet_start(SSH_SMSG_FAILURE);
> packet_send();
>diff -up openssh-5.3p1/auth2-chall.c.required-authentication openssh-5.3p1/auth2-chall.c
>--- openssh-5.3p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
>+++ openssh-5.3p1/auth2-chall.c 2012-10-04 15:50:17.459196149 +0200
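Review bot: The partial-success `goto send_fail` jumps over the `if (client_user != NULL) { xfree(client_user); ... }` block that immediately follows the new code, so a `client_user` set during a rhosts-rsa attempt is not released and stays non-NULL into the next round of the loop. Skipping the failure accounting between the two labels is the intent of the jump, but the release is not part of that. Either free it before the jump, `if (client_user != NULL) { xfree(client_user); client_user = NULL; }`, or move `send_fail:` to just after the `client_user` block instead of after the `packet_disconnect` branch. do_authloop continues outside the hunk.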
>@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
> auth2_challenge_start(authctxt);
> }
> }
>- userauth_finish(authctxt, authenticated, method);
>+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
>+ authctxt->kbdintctxt != NULL ? kbdintctxt->device->name : NULL);
> xfree(method);
> }
>
>diff -up openssh-5.3p1/auth2.c.required-authentication openssh-5.3p1/auth2.c
>--- openssh-5.3p1/auth2.c.required-authentication 2012-10-04 15:50:17.367196552 +0200
>+++ openssh-5.3p1/auth2.c 2012-10-04 15:50:17.460196145 +0200
>@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32
> {
> Authctxt *authctxt = ctxt;
> Authmethod *m = NULL;
>- char *user, *service, *method, *style = NULL;
>+ char *user, *service, *method, *active_methods, *style = NULL;
> #ifdef WITH_SELINUX
> char *role = NULL;
> #endif
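Review bot: The new submethod argument tests `authctxt->kbdintctxt` for NULL but then dereferences the local `kbdintctxt`; the two agree only if neither `auth2_challenge_stop` nor `auth2_challenge_start`, both called just above, has freed or replaced the context, and if `auth2_challenge_start` moves on to the next device as its name suggests, the name logged is that of the next device rather than the one that just answered. Read through one pointer, `authctxt->kbdintctxt != NULL ? authctxt->kbdintctxt->device->name : NULL`, or better capture `kbdintctxt->device->name` into a local before the stop/start calls and pass that. input_userauth_info_response begins before this hunk, and the `method` string still built above now appears to be used only by `xfree(method)`.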
>@@ -291,22 +291,31 @@ input_userauth_request(int type, u_int32 > authctxt->server_caused_failure = 0; > > /* try to authenticate user */ >- m = authmethod_lookup(method); >- if (m != NULL && authctxt->failures < options.max_authtries) { >- debug2("input_userauth_request: try method %s", method); >- authenticated = m->userauth(authctxt); >- } >- userauth_finish(authctxt, authenticated, method); >+ active_methods = authmethods_get(); >+ if (strcmp(method, "none") == 0 || >+ auth_method_in_list(active_methods, method)) { >+ m = authmethod_lookup(method); >+ if (m != NULL) { >+ debug2("input_userauth_request: try method %s", method); >+ authenticated = m->userauth(authctxt); >+ } > >+ } >+ xfree(active_methods); >+ userauth_finish(authctxt, authenticated, method, NULL); >+ > xfree(service); > xfree(user); > xfree(method); > } > > void >-userauth_finish(Authctxt *authctxt, int authenticated, char *method) >+userauth_finish(Authctxt *authctxt, int authenticated, const char *method, >+ const char *submethod) > { > char *methods; >+ Authmethod *m = NULL; >+ u_int partial = 0; > > if (!authctxt->valid && authenticated) > fatal("INTERNAL ERROR: authenticated invalid user %s", 
>@@ -344,12 +353,42 @@ userauth_finish(Authctxt *authctxt, int
> #endif /* _UNICOS */
>
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, method, " ssh2");
>+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
>
> if (authctxt->postponed)
> return;
>
>- /* XXX todo: check if multiple auth methods are needed */
>+ /* Handle RequiredAuthentications2: loop until required methods done */
>+ if (authenticated && options.required_auth2 != NULL) {
>+ if ((m = authmethod_lookup(method)) == NULL)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" unknown", method);
>+ if (auth_remove_from_list(&options.required_auth2, method) == 0)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ method, options.required_auth2);
>+ debug2("userauth_finish: required list now: %s",
>+ options.required_auth2 == NULL ?
>+ "DONE" : options.required_auth2);
>+ /*
>+ * if authenticated and no more required methods
>+ * then declare success
>+ */
>+ if ( authenticated && options.required_auth2 == NULL ) {
>+ debug2("userauth_finish: authenticated and no more required methods");
>+ } else {
>+ /*
>+ * Disable method so client can't authenticate with it after
>+ * the required authentications are complete.
>+ */
>+ if (m->enabled != NULL)
>+ *(m->enabled) = 0;
>+ authenticated = 0;
>+ partial = 1;
>+ goto send_fail;
>+ }
>+ }
>+
> if (authenticated == 1) {
> /* turn off userauth */
> dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
>@@ -359,7 +398,6 @@ userauth_finish(Authctxt *authctxt, int
> /* now we can break out */
> authctxt->success = 1;
> } else {
>-
> /* Allow initial try of "none" auth without failure penalty */
> if (!authctxt->server_caused_failure &&
> (authctxt->attempt > 1 || strcmp(method, "none") != 0))
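Review bot: Inside a block already guarded by `authenticated &&`, and with `authenticated` not modified in between, the test `if ( authenticated && options.required_auth2 == NULL ) {` reduces to `if (options.required_auth2 == NULL) {`; the spaces inside the parentheses also differ from the rest of the file. The `/* if authenticated and no more required methods */` comment can then say simply that the list has been exhausted. userauth_finish continues past the end of this hunk.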
>@@ -370,10 +408,11 @@ userauth_finish(Authctxt *authctxt, int
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+ send_fail:
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
>- packet_put_char(0); /* XXX partial success, unused */
>+ packet_put_char(partial);
> packet_send();
> packet_write_wait();
> xfree(methods);
>@@ -387,6 +426,9 @@ authmethods_get(void)
> char *list;
> int i;
>
>+ if (options.required_auth2 != NULL)
>+ return xstrdup(options.required_auth2);
>+
> buffer_init(&b);
> for (i = 0; authmethods[i] != NULL; i++) {
> if (strcmp(authmethods[i]->name, "none") == 0)
>@@ -421,3 +463,43 @@ authmethod_lookup(const char *name)
> return NULL;
> }
>
>+#define DELIM ","
>+
>+int
>+auth2_check_required(const char *list)
>+{
>+ char *orig_methods, *methods, *cp;
>+ struct Authmethod *m;
>+ int i, ret = 0;
>+
>+ orig_methods = methods = xstrdup(list);
>+ for(;;) {
>+ if ((cp = strsep(&methods, DELIM)) == NULL)
>+ break;
>+ debug2("auth2_check_required: method \"%s\"", cp);
>+ if (*cp == '\0') {
>+ debug("auth2_check_required: empty method");
>+ ret = -1;
>+ }
>+ for (i = 0; authmethods[i] != NULL; i++)
>+ if (strcmp(cp, authmethods[i]->name) == 0)
>+ break;
>+ if ((m = authmethods[i]) == NULL) {
>+ debug("auth2_check_required: unknown method "
>+ "\"%s\"", cp);
>+ ret = -1;
>+ break;
>+ }
>+ if (m->enabled == NULL || *(m->enabled) == 0) {
>+ debug("auth2_check_required: method %s explicitly "
>+ "disabled", cp);
>+ ret = -1;
>+ }
>+ /* Activate method if it isn't already */
>+ if (m->enabled != NULL && *(m->enabled) == -1)
>+ *(m->enabled) = 1;
>+ }
>+ xfree(orig_methods);
>+ return (ret);
>+}
>+
>diff -up openssh-5.3p1/auth2-gss.c.required-authentication openssh-5.3p1/auth2-gss.c
>--- openssh-5.3p1/auth2-gss.c.required-authentication 2012-10-04 15:50:17.294196872 +0200
>+++ openssh-5.3p1/auth2-gss.c 2012-10-04 15:50:17.460196145 +0200
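Review bot: `auth2_check_required` accepts any name found in `authmethods[]`, which, judging by the `"none"` special case in `authmethods_get` just above, includes `none`; with the auth2-none.c change below, `userauth_none` returns 0 whenever `options.required_auth2` is set, so a list containing `none` passes the config check but can never be completed. Rejecting it at parse time, `if (strcmp(cp, "none") == 0) { ret = -1; break; }` after the empty-name check, surfaces the misconfiguration at startup rather than at the first login. Minor: `struct Authmethod *m;` here versus `Authmethod *m = NULL;` in the userauth_finish hunk — use the typedef the file already uses.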
>@@ -197,7 +197,7 @@ input_gssapi_token(int type, u_int32_t p
> }
> authctxt->postponed = 0;
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
>- userauth_finish(authctxt, 0, "gssapi-with-mic");
>+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
> } else {
> if (send_tok.length != 0) {
> packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
>@@ -286,7 +286,7 @@ input_gssapi_exchange_complete(int type,
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
>- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
>+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
> }
>
> static void
>@@ -336,7 +336,7 @@ input_gssapi_mic(int type, u_int32_t ple
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
>- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
>+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
> }
>
> Authmethod method_gsskeyex = {
>diff -up openssh-5.3p1/auth2-none.c.required-authentication openssh-5.3p1/auth2-none.c
>--- openssh-5.3p1/auth2-none.c.required-authentication 2012-10-04 15:50:17.153197489 +0200
>+++ openssh-5.3p1/auth2-none.c 2012-10-04 15:50:17.461196141 +0200
>@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
> {
> none_enabled = 0;
> packet_check_eom();
>- if (options.permit_empty_passwd && options.password_authentication)
>+ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
> return (PRIVSEP(auth_password(authctxt, "")));
> return (0);
> }
>diff -up openssh-5.3p1/auth.c.required-authentication openssh-5.3p1/auth.c
>--- openssh-5.3p1/auth.c.required-authentication 2008-11-05 06:12:54.000000000 +0100
>+++ openssh-5.3p1/auth.c 2012-10-04 15:50:17.461196141 +0200
>@@ -245,7 +245,8 @@ allowed_user(struct passwd * pw)
> }
>
> void
>-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
>+auth_log(Authctxt *authctxt, int authenticated, const char *method,
>+ const char *submethod, const char *info)
> {
> void (*authlog) (const char *fmt,...) = verbose;
> char *authmsg;
>@@ -265,9 +266,10 @@ auth_log(Authctxt *authctxt, int authent
> else
> authmsg = authenticated ? "Accepted" : "Failed";
>
>- authlog("%s %s for %s%.100s from %.200s port %d%s",
>+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
> authmsg,
> method,
>+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
> authctxt->valid ? "" : "invalid user ",
> authctxt->user,
> get_remote_ipaddr(),
>@@ -297,7 +299,7 @@ auth_log(Authctxt *authctxt, int authent
> * Check whether root logins are disallowed.
> */
> int
>-auth_root_allowed(char *method)
>+auth_root_allowed(const char *method)
> {
> switch (options.permit_root_login) {
> case PERMIT_YES:
>@@ -620,3 +622,57 @@ fakepw(void)
>
> return (&fake);
> }
>+
>+int
>+auth_method_in_list(const char *list, const char *method)
>+{
>+ char *cp;
>+
>+ cp = match_list(method, list, NULL);
>+ if (cp != NULL) {
>+ xfree(cp);
>+ return 1;
>+ }
>+
>+ return 0;
>+}
>+
>+#define DELIM ","
>+int
>+auth_remove_from_list(char **list, const char *method)
>+{
>+ char *oldlist, *cp, *newlist = NULL;
>+ u_int len = 0, ret = 0;
>+
>+ if (list == NULL || *list == NULL)
>+ return (0);
>+
>+ oldlist = *list;
>+ len = strlen(oldlist) + 1;
>+ newlist = xmalloc(len);
>+ memset(newlist, '\0', len);
>+
>+ /* Remove method from list, if present */
>+ for (;;) {
>+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
>+ break;
>+ if (*cp == '\0')
>+ continue;
>+ if (strcmp(cp, method) != 0) {
>+ if (*newlist != '\0')
>+ strlcat(newlist, DELIM, len);
>+ strlcat(newlist, cp, len);
>+ } else
>+ ret++;
>+ }
>+
>+ /* Return NULL instead of empty list */
>+ if (*newlist == '\0') {
>+ xfree(newlist);
>+ newlist = NULL;
>+ }
>+ xfree(*list);
>+ *list = newlist;
>+
>+ return (ret);
>+}
>diff -up openssh-5.3p1/auth.h.required-authentication openssh-5.3p1/auth.h
>--- openssh-5.3p1/auth.h.required-authentication 2012-10-04 15:50:17.369196542 +0200
>+++ openssh-5.3p1/auth.h 2012-10-04 15:50:17.462196136 +0200
>@@ -145,10 +145,11 @@ void disable_forwarding(void);
> void do_authentication(Authctxt *);
> void do_authentication2(Authctxt *);
>
>-void auth_log(Authctxt *, int, char *, char *);
>-void userauth_finish(Authctxt *, int, char *);
>+void auth_log(Authctxt *, int, const char *, const char *, const char *);
>+void userauth_finish(Authctxt *, int, const char *, const char *);
>+int auth_root_allowed(const char *);
>+
> void userauth_send_banner(const char *);
>-int auth_root_allowed(char *);
>
> char *auth2_read_banner(void);
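Review bot: `auth_remove_from_list` zero-fills with `xmalloc` followed by `memset(newlist, '\0', len)`; `xcalloc(1, len)` does the same in one call if this tree provides it, and the `newlist = NULL` initialiser is then dead. `ret` is a `u_int` returned through the `int` prototype declared in auth.h below; `int ret = 0` matches the header. The unchecked `strlcat` results are acceptable here only because the output can never be longer than the input plus its terminator — a one-line comment saying so, `/* newlist is at most as long as oldlist, so strlcat cannot truncate */`, would save the next reader the proof.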
>
>@@ -194,6 +195,11 @@ void auth_debug_send(void);
> void auth_debug_reset(void);
>
> struct passwd *fakepw(void);
>+int auth_method_in_list(const char *, const char *);
>+int auth_remove_from_list(char **, const char *);
>+
>+int auth1_check_required(const char *);
>+int auth2_check_required(const char *);
>
> int sys_auth_passwd(Authctxt *, const char *);
>
>diff -up openssh-5.3p1/monitor.c.required-authentication openssh-5.3p1/monitor.c
>--- openssh-5.3p1/monitor.c.required-authentication 2012-10-04 15:50:17.377196507 +0200
>+++ openssh-5.3p1/monitor.c 2012-10-04 15:50:17.463196131 +0200
>@@ -202,6 +202,7 @@ static int key_blobtype = MM_NOKEY;
> static char *hostbased_cuser = NULL;
> static char *hostbased_chost = NULL;
> static char *auth_method = "unknown";
>+static char *auth_submethod = NULL;
> static u_int session_id2_len = 0;
> static u_char *session_id2 = NULL;
> static pid_t monitor_child_pid;
>@@ -384,6 +385,7 @@ monitor_child_preauth(Authctxt *_authctx
> {
> struct mon_table *ent;
> int authenticated = 0;
>+ char **req_auth;
>
> debug3("preauth child monitor started");
>
>@@ -394,6 +396,7 @@ monitor_child_preauth(Authctxt *_authctx
>
> if (compat20) {
> mon_dispatch = mon_dispatch_proto20;
>+ req_auth = &options.required_auth2;
>
> /* Permit requests for moduli and signatures */
> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
>@@ -404,6 +407,7 @@ monitor_child_preauth(Authctxt *_authctx
> #endif
> } else {
> mon_dispatch = mon_dispatch_proto15;
>+ req_auth = &options.required_auth1;
>
> monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
> }
>@@ -411,6 +415,7 @@ monitor_child_preauth(Authctxt *_authctx
> /* The first few requests do not require asynchronous access */
> while (!authenticated) {
> auth_method = "unknown";
>+ auth_submethod = NULL;
> authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
> if (authenticated) {
> if (!(ent->flags & MON_AUTHDECIDE))
>@@ -432,10 +437,19 @@ monitor_child_preauth(Authctxt *_authctx
> }
> #endif
> }
>+ /* Loop until the required authmethods are done */
>+ if (authenticated && *req_auth != NULL) {
>+ if (auth_remove_from_list(req_auth, auth_method) == 0)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ auth_method, *req_auth);
>+ debug2("monitor_child_preauth: required list now: %s",
>+ *req_auth == NULL ? "DONE" : *req_auth);
>+ }
>
> if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
> auth_log(authctxt, authenticated, auth_method,
>- compat20 ? " ssh2" : "");
>+ auth_submethod, compat20 ? " ssh2" : "");
> if (!authenticated)
> authctxt->failures++;
> }
>@@ -448,6 +462,8 @@ monitor_child_preauth(Authctxt *_authctx
> }
> }
> #endif
>+ if (*req_auth != NULL)
>+ authenticated = 0;
> }
>
> if (!authctxt->valid)
>@@ -722,6 +738,10 @@ mm_answer_pwnamallow(int sock, Buffer *m
> buffer_put_string(m, &options, sizeof(options));
> if (options.banner != NULL)
> buffer_put_cstring(m, options.banner);
>+ if (options.required_auth1 != NULL)
>+ buffer_put_cstring(m, options.required_auth1);
>+ if (options.required_auth2 != NULL)
>+ buffer_put_cstring(m, options.required_auth2);
> debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
> mm_request_send(sock, MONITOR_ANS_PWNAM, m);
>
>@@ -823,6 +843,7 @@ mm_answer_authpassword(int sock, Buffer
> auth_method = "none";
> else
> auth_method = "password";
>+ auth_submethod = NULL;
>
> /* Causes monitor loop to terminate if authenticated */
> return (authenticated);
>@@ -882,6 +903,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
> mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
>
> auth_method = "bsdauth";
>+ auth_submethod = NULL;
>
> return (authok != 0);
> }
>@@ -931,6 +953,7 @@ mm_answer_skeyrespond(int sock, Buffer *
> mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
>
> auth_method = "skey";
>+ auth_submethod = NULL;
>
> return (authok != 0);
> }
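Review bot: The monitor removes `auth_method` verbatim from the required list, and on the BSD auth and S/Key paths in this hunk `auth_method` is still `"bsdauth"` and `"skey"`, while the PAM answers in the next hunk were changed to `"keyboard-interactive"` plus a submethod — the name auth2-chall.c now passes to userauth_finish in the child. If those two responders carry MON_AUTHDECIDE (not visible here), a RequiredAuthentications2 list naming keyboard-interactive ends in `fatal("INTERNAL ERROR: authenticated method ...")` in the monitor on such builds, and even where it does not, the monitor and child are tracking the list under different names. Set `auth_method = "keyboard-interactive"; auth_submethod = "bsdauth";` and `auth_method = "keyboard-interactive"; auth_submethod = "skey";` so both sides agree. monitor_child_preauth continues outside the hunk.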
>@@ -1020,7 +1043,8 @@ mm_answer_pam_query(int sock, Buffer *m)
> xfree(prompts);
> if (echo_on != NULL)
> xfree(echo_on);
>- auth_method = "keyboard-interactive/pam";
>+ auth_method = "keyboard-interactive";
>+ auth_submethod = "pam";
> mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
> return (0);
> }
>@@ -1049,7 +1073,8 @@ mm_answer_pam_respond(int sock, Buffer *
> buffer_clear(m);
> buffer_put_int(m, ret);
> mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
>- auth_method = "keyboard-interactive/pam";
>+ auth_method = "keyboard-interactive";
>+ auth_submethod = "pam";
> if (ret == 0)
> sshpam_authok = sshpam_ctxt;
> return (0);
>@@ -1063,7 +1088,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
> (sshpam_device.free_ctx)(sshpam_ctxt);
> buffer_clear(m);
> mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
>- auth_method = "keyboard-interactive/pam";
>+ auth_method = "keyboard-interactive";
>+ auth_submethod = "pam";
> return (sshpam_authok == sshpam_ctxt);
> }
> #endif
>@@ -1110,6 +1136,7 @@ mm_answer_keyallowed(int sock, Buffer *m
> allowed = options.pubkey_authentication &&
> user_key_allowed(authctxt->pw, key);
> auth_method = "publickey";
>+ auth_submethod = NULL;
> if (options.pubkey_authentication && allowed != 1)
> auth_clear_options();
> break;
>@@ -1118,6 +1145,7 @@ mm_answer_keyallowed(int sock, Buffer *m
> hostbased_key_allowed(authctxt->pw,
> cuser, chost, key);
> auth_method = "hostbased";
>+ auth_submethod = NULL;
> break;
> case MM_RSAHOSTKEY:
> key->type = KEY_RSA1; /* XXX */
>@@ -1127,6 +1155,7 @@ mm_answer_keyallowed(int sock, Buffer *m
> if (options.rhosts_rsa_authentication && allowed != 1)
> auth_clear_options();
> auth_method = "rsa";
>+ auth_submethod = NULL;
> break;
> default:
> fatal("%s: unknown key type %d", __func__, type);
>@@ -1148,7 +1177,8 @@ mm_answer_keyallowed(int sock, Buffer *m
> hostbased_chost = chost;
> } else {
> /* Log failed attempt */
>- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
>+ auth_log(authctxt, 0, auth_method, auth_submethod,
>+ compat20 ? " ssh2" : "");
> xfree(blob);
> xfree(cuser);
> xfree(chost);
>@@ -1347,6 +1377,7 @@ mm_answer_keyverify(int sock, Buffer *m)
> xfree(data);
>
> auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
>+ auth_submethod = NULL;
>
> monitor_reset_key_state();
>
>@@ -1542,6 +1573,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
> debug3("%s entering", __func__);
>
> auth_method = "rsa";
>+ auth_submethod = NULL;
> if (options.rsa_authentication && authctxt->valid) {
> if ((client_n = BN_new()) == NULL)
> fatal("%s: BN_new", __func__);
>@@ -1649,6 +1681,7 @@ mm_answer_rsa_response(int sock, Buffer
> xfree(response);
>
> auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
>+ auth_submethod = NULL;
>
> /* reset state */
> BN_clear_free(ssh1_challenge);
>@@ -2164,6 +2197,7 @@ mm_answer_gss_userok(int sock, Buffer *m
> mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
>
> auth_method = "gssapi-with-mic";
>+ auth_submethod = NULL;
>
> /* Monitor loop will terminate if authenticated */
> return (authenticated);
>@@ -2436,6 +2470,7 @@ mm_answer_jpake_check_confirm(int sock,
> monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
>
> auth_method = "jpake-01@openssh.com";
>+ auth_submethod = NULL;
> return authenticated;
> }
>
>diff -up openssh-5.3p1/monitor_wrap.c.required-authentication openssh-5.3p1/monitor_wrap.c
>--- openssh-5.3p1/monitor_wrap.c.required-authentication 2012-11-12 17:44:55.733377744 +0100
>+++ openssh-5.3p1/monitor_wrap.c 2012-11-12 17:44:59.371360820 +0100
>@@ -246,6 +246,10 @@ out:
> fatal("%s: option block size mismatch", __func__);
> if (newopts->banner != NULL)
> newopts->banner = buffer_get_string(&m, NULL);
>+ if (newopts->required_auth1 != NULL)
>+ newopts->required_auth1 = buffer_get_string(&m, NULL);
>+ if (newopts->required_auth2 != NULL)
>+ newopts->required_auth2 = buffer_get_string(&m, NULL);
> copy_set_server_options(&options, newopts, 1);
> xfree(newopts);
>
>diff -up openssh-5.3p1/servconf.c.required-authentication openssh-5.3p1/servconf.c
>--- openssh-5.3p1/servconf.c.required-authentication 2012-10-04 15:50:17.388196460 +0200
>+++ openssh-5.3p1/servconf.c 2012-10-04 15:50:17.464196126 +0200
>@@ -38,6 +38,8 @@
> #include "key.h"
> #include "kex.h"
> #include "mac.h"
>+#include "hostfile.h"
>+#include "auth.h"
> #include "match.h"
> #include "channels.h"
> #include "groupaccess.h"
>@@ -128,6 +130,8 @@ initialize_server_options(ServerOptions
> options->authorized_keys_file2 = NULL;
> options->num_accept_env = 0;
> options->permit_tun = -1;
>+ options->required_auth1 = NULL;
>+ options->required_auth2 = NULL;
> options->num_permitted_opens = -1;
> options->adm_forced_command = NULL;
> options->chroot_directory = NULL;
>@@ -323,6 +327,7 @@ typedef enum {
> sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
> sGssKeyEx, sGssStoreRekey,
> sAcceptEnv, sPermitTunnel,
>+ sRequiredAuthentications1, sRequiredAuthentications2,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sZeroKnowledgePasswordAuthentication,
>@@ -461,6 +466,8 @@ static struct {
> { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
> { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
> #endif
>+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
>+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
>
>@@ -1219,6 +1226,37 @@ process_server_config_line(ServerOptions
> options->max_startups = options->max_startups_begin;
> break;
>
>+
>+ case sRequiredAuthentications1:
>+ if (*activep && options->required_auth1 == NULL) {
>+ charptr = &options->required_auth1;
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (auth1_check_required(arg) != 0)
>+ fatal("%.200s line %d: Invalid required authentication "
>+ "list", filename, linenum);
>+ if (*charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ }
>+ return 0;
>+
>+ case sRequiredAuthentications2:
>+ if (*activep && options->required_auth2 == NULL) {
>+ charptr = &options->required_auth2;
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (auth2_check_required(arg) != 0)
>+ fatal("%.200s line %d: Invalid required authentication "
>+ "list", filename, linenum);
>+ if (*charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ }
>+ return 0;
>+
> case sMaxAuthTries:
> intptr = &options->max_authtries;
> goto parse_int;
>@@ -1488,6 +1526,9 @@ copy_set_server_options(ServerOptions *d
> M_CP_INTOPT(use_kuserok);
>
> M_CP_STROPT(banner);
>+ M_CP_STROPT(required_auth1);
>+ M_CP_STROPT(required_auth2);
>+
> if (preauth)
> return;
> M_CP_STROPT(adm_forced_command);
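Review bot: Both new cases end with `return 0;` where the neighbouring cases `break` (or `goto parse_int`), so whatever follows the switch — in this file the trailing-garbage check on the line, if it is present in this tree — is skipped for these two keywords; `break;` is the expected form. The validation in `auth1_check_required`/`auth2_check_required` also reads and activates the method flags through the method tables, which appear to point at the global `options` rather than the `ServerOptions *options` being filled, so inside a Match block the check consults (and the `*(m->enabled) = 1` side effect modifies) the global settings, and a later `PasswordAuthentication no` line can disable a method the check already accepted; validating the final list once after parsing, or at least after defaults are filled, would be more robust. The `if (*charptr == NULL)` test is redundant under the `options->required_authN == NULL` guard already taken. process_server_config_line extends beyond the hunk.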
>@@ -1727,6 +1768,7 @@ dump_config(ServerOptions *o)
> dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
> dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
> dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
>+ dump_cfg_string(sRequiredAuthentications2, o->required_auth2);
>
> /* other arguments */
> for (i = 0; i < o->num_subsystems; i++)
>diff -up openssh-5.3p1/servconf.h.required-authentication openssh-5.3p1/servconf.h
>--- openssh-5.3p1/servconf.h.required-authentication 2012-10-04 15:50:17.388196460 +0200
>+++ openssh-5.3p1/servconf.h 2012-10-04 15:50:17.464196126 +0200
>@@ -146,6 +146,9 @@ typedef struct {
> char *authorized_keys_file; /* File containing public keys */
> char *authorized_keys_file2;
>
>+ char *required_auth1;
>+ char *required_auth2;
>+
> char *adm_forced_command;
>
> int use_pam; /* Enable auth via PAM */
>diff -up openssh-5.3p1/sshd_config.5.required-authentication openssh-5.3p1/sshd_config.5
>--- openssh-5.3p1/sshd_config.5.required-authentication 2012-10-04 15:50:17.389196456 +0200
>+++ openssh-5.3p1/sshd_config.5 2012-10-04 16:52:14.550988892 +0200
>@@ -650,6 +650,8 @@ Available keywords are
> .Cm PermitEmptyPasswords ,
> .Cm PermitOpen ,
> .Cm PermitRootLogin ,
>+.Cm RequiredAuthentications1,
>+.Cm RequiredAuthentications2,
> .Cm RhostsRSAAuthentication ,
> .Cm RSAAuthentication ,
> .Cm X11DisplayOffset ,
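Review bot: dump_config prints only `required_auth2`, so `sshd -T` output will not show a RequiredAuthentications1 setting even though the keyword is registered alongside it. Add `dump_cfg_string(sRequiredAuthentications1, o->required_auth1);` next to the line this hunk introduces.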
>@@ -854,7 +856,28 @@ only with PubkeyAuthentication turned on
> .It Cm AuthorizedKeysCommandRunAs
> Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
> string (the default value) means the user being authorized is used.
>-.Dq
>+.It Cm RequiredAuthentications[12]
>+Specifies required methods of authentications that has to succeed before authorizing the connection.
>+(RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
>+.Bd -literal -offset 3n
>+ RequiredAuthentications1 method[,method...]
>+ RequiredAuthentications2 method[,method...]
>+.Ed
>+.Pp
>+Example 1:
>+.Bd -literal -offset 3n
>+ RequiredAuthentications2 password,hostbased
>+.Ed
>+.Pp
>+Example 2:
>+.Bd -literal -offset 3n
>+ RequiredAuthentications2 publickey,password
>+.Ed
>+.Pp
>+Available methods:
>+.Bd -literal -offset 3n
>+password, keyboard-interactive, publickey, hostbased, gssapi-keyex, gssapi-with-mic
>+.Ed
> .It Cm RhostsRSAAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful RSA host authentication is allowed.