Bugzilla – Attachment 1450 Details for
Bug 1435
Multiple authentication methods patch
[patch]
Adds multiple authentication methods option to sshd
openssh-4.7p1-multiauth.patch (text/plain), 7.13 KB, created by
Paul Sery
on 2008-02-03 08:20:28 AEDT
Description:
Adds multiple authentication methods option to sshd
Filename:
MIME Type:
Creator:
Paul Sery
Created:
2008-02-03 08:20:28 AEDT
Size:
7.13 KB
patch
obsolete
>--- openssh-4.7p1/monitor.c 2007-05-19 23:10:16.000000000 -0600
>+++ openssh-4.7p1-multiauth/monitor.c 2008-02-02 13:01:45.000000000 -0700
>@@ -327,6 +327,8 @@
> {
> struct mon_table *ent;
> int authenticated = 0;
>+ int num_required_auth_methods_remaining =
>+ options.num_required_auth_methods-1;
> 
> debug3("preauth child monitor started");
> 
>@@ -358,6 +360,8 @@
> if (authctxt->pw->pw_uid == 0 &&
> !auth_root_allowed(auth_method))
> authenticated = 0;
>+ if (num_required_auth_methods_remaining--)
>+ authenticated = 0;
> #ifdef USE_PAM
> /* PAM needs to perform account checks after auth */
> if (options.use_pam && authenticated) {
>--- openssh-4.7p1/auth.h 2006-08-18 08:32:46.000000000 -0600
>+++ openssh-4.7p1-multiauth/auth.h 2008-02-02 13:01:45.000000000 -0700
>@@ -53,6 +53,7 @@
> int valid; /* user exists and is allowed to login */
> int attempt;
> int failures;
>+ int passed;
> int force_pwchange;
> char *user; /* username sent by the client */
> char *service;
>--- openssh-4.7p1/auth2.c 2007-05-19 22:58:41.000000000 -0600
>+++ openssh-4.7p1-multiauth/auth2.c 2008-02-02 13:01:45.000000000 -0700
>@@ -86,7 +86,7 @@
> 
> /* helper */
> static Authmethod *authmethod_lookup(const char *);
>-static char *authmethods_get(void);
>+static char *authmethods_get(int);
> int user_key_allowed(struct passwd *, Key *);
> 
> /*
>@@ -213,6 +213,7 @@
> userauth_finish(Authctxt *authctxt, int authenticated, char *method)
> {
> char *methods;
>+ int success = 0;
> 
> if (!authctxt->valid && authenticated)
> fatal("INTERNAL ERROR: authenticated invalid user %s",
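Review bot: The added decrement in the second monitor.c hunk runs even when the line directly above it has just cleared `authenticated` because auth_root_allowed() refused the method for a uid-0 login, so a root authentication the monitor rejected still consumes one of the required successes; the test should read `if (authenticated && num_required_auth_methods_remaining-- > 0) authenticated = 0;`. The monitor also only counts successes, while the distinct-method check lives in the unprivileged child (the auth2.c bitmask), so the privileged side will accept two successes of the same method (e.g. two different public keys) and can leave its loop while the child is still reporting partial success — tracking a per-method bitmask on `auth_method` here, as the child does, would keep the decision on the trusted side of the privsep boundary. The loop and the `if (authenticated)` branch this code presumably sits in start outside the hunk.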
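Review bot: The new `passed` field in the auth.h hunk carries no comment, unlike `valid` and `user` beside it, and nothing in the header says it is a bitmask rather than a count; document it as `int passed; /* bitmask: bit j set once authmethods[j] succeeded */`. The struct definition starts outside the hunk.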
>@@ -256,6 +257,31 @@
> return;
> 
> /* XXX todo: check if multiple auth methods are needed */
>+ /* Check if enough multiple auth methods have passed */
>+ if (authenticated == 1) {
>+ int passed;
>+ int k;
>+ int j;
>+
>+ for (j = 0, k = 1, passed = 0; authmethods[j] != NULL; j++, k <<= 1) {
>+ if (strncmp (method, authmethods[j]->name, strlen (authmethods[j]->name)) == 0)
>+ authctxt->passed |= k;
>+ if (authctxt->passed & k)
>+ ++passed;
>+ }
>+ if (passed < options.num_required_auth_methods) {
>+ success = 1;
>+ authenticated = 0;
>+ }
>+ } else {
>+ if (authctxt->failures++ > options.max_authtries) {
>+#ifdef SSH_AUDIT_EVENTS
>+ PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
>+#endif
>+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+ }
>+ }
>+
> if (authenticated == 1) {
> /* turn off userauth */
> dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
>@@ -265,16 +291,10 @@
> /* now we can break out */
> authctxt->success = 1;
> } else {
>- if (authctxt->failures++ > options.max_authtries) {
>-#ifdef SSH_AUDIT_EVENTS
>- PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
>-#endif
>- packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>- }
>- methods = authmethods_get();
>+ methods = authmethods_get(authctxt->passed);
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
>- packet_put_char(0); /* XXX partial success, unused */
>+ packet_put_char(success);
> packet_send();
> packet_write_wait();
> xfree(methods);
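Review bot: The method-matching loop in the @@ -256 hunk uses a prefix compare, `strncmp (method, authmethods[j]->name, strlen (authmethods[j]->name)) == 0`, where an exact `strcmp(method, authmethods[j]->name) == 0` is what the bitmask semantics need; if `method` is the client-supplied name, a prefix match is harmless today only because `authenticated == 1` already implies an exact lookup succeeded, and that is too fragile to rely on. The same loop counts `none` as a passed method while authmethods_get deliberately skips it, so on an account where `none` succeeds it satisfies half of a NumRequiredAuthMethods 2 policy; skip it with `if (strcmp(authmethods[j]->name, "none") == 0) continue;` at the top of the loop body. A partial success also no longer increments `authctxt->failures`, so partial successes are exempt from MaxAuthTries — if that is intended, the added comment should say so. userauth_finish continues past this hunk.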
>@@ -282,16 +302,19 @@
> }
> 
> static char *
>-authmethods_get(void)
>+authmethods_get(int passed)
> {
> Buffer b;
> char *list;
> int i;
>+ int k;
> 
> buffer_init(&b);
>- for (i = 0; authmethods[i] != NULL; i++) {
>+ for (i = 0, k = 1; authmethods[i] != NULL; i++, k <<= 1) {
> if (strcmp(authmethods[i]->name, "none") == 0)
> continue;
>+ if (passed & k)
>+ continue;
> if (authmethods[i]->enabled != NULL &&
> *(authmethods[i]->enabled) != 0) {
> if (buffer_len(&b) > 0)
>--- openssh-4.7p1/servconf.h 2007-02-19 04:25:38.000000000 -0700
>+++ openssh-4.7p1-multiauth/servconf.h 2008-02-02 13:01:45.000000000 -0700
>@@ -92,6 +92,8 @@
> * authentication. */
> int kbd_interactive_authentication; /* If true, permit */
> int challenge_response_authentication;
>+ int num_required_auth_methods; /* Minimum number of auth methods
>+ that must succeed. */
> int permit_empty_passwd; /* If false, do not permit empty
> * passwords. */
> int permit_user_env; /* If true, read ~/.ssh/environment */
>--- openssh-4.7p1/servconf.c 2007-05-19 23:03:16.000000000 -0600
>+++ openssh-4.7p1-multiauth/servconf.c 2008-02-02 13:01:45.000000000 -0700
>@@ -94,6 +94,7 @@
> options->password_authentication = -1;
> options->kbd_interactive_authentication = -1;
> options->challenge_response_authentication = -1;
>+ options->num_required_auth_methods = -1;
> options->permit_empty_passwd = -1;
> options->permit_user_env = -1;
> options->use_login = -1;
>@@ -212,6 +213,8 @@
> options->kbd_interactive_authentication = 0;
> if (options->challenge_response_authentication == -1)
> options->challenge_response_authentication = 1;
>+ if (options->num_required_auth_methods == -1)
>+ options->num_required_auth_methods = 1;
> if (options->permit_empty_passwd == -1)
> options->permit_empty_passwd = 0;
> if (options->permit_user_env == -1)
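Review bot: authmethods_get now depends on its bit-to-index mapping (`k = 1`, `k <<= 1` per entry of authmethods[]) being identical to the loop in userauth_finish, and nothing in either place ties the two together; a comment on the new parameter, `/* passed: bitmask, bit i set when authmethods[i] already succeeded — same mapping as userauth_finish */`, or a small shared helper returning the mask for an index, would keep them from drifting apart. It is worth stating in that comment that filtering already-passed methods means the USERAUTH_FAILURE list sent after a partial success names only the methods still outstanding, which is the RFC 4252 behaviour the client expects. The function's tail is outside the hunk.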
>@@ -275,8 +278,8 @@
> sPermitRootLogin, sLogFacility, sLogLevel,
> sRhostsRSAAuthentication, sRSAAuthentication,
> sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
>- sKerberosGetAFSToken,
>- sKerberosTgtPassing, sChallengeResponseAuthentication,
>+ sKerberosGetAFSToken, sKerberosTgtPassing,
>+ sNumRequiredAuthMethods, sChallengeResponseAuthentication,
> sPasswordAuthentication, sKbdInteractiveAuthentication,
> sListenAddress, sAddressFamily,
> sPrintMotd, sPrintLastLog, sIgnoreRhosts,
>@@ -359,6 +362,7 @@
> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
> { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
> { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
>+ { "numrequiredauthmethods", sNumRequiredAuthMethods, SSHCFG_GLOBAL},
> { "checkmail", sDeprecated, SSHCFG_GLOBAL },
> { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
> { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
>@@ -887,6 +891,10 @@
> intptr = &options->challenge_response_authentication;
> goto parse_flag;
> 
>+ case sNumRequiredAuthMethods:
>+ intptr = &options->num_required_auth_methods;
>+ goto parse_int;
>+
> case sPrintMotd:
> intptr = &options->print_motd;
> goto parse_flag;
>--- openssh-4.7p1/sshd_config.5 2007-06-10 22:07:13.000000000 -0600
>+++ openssh-4.7p1-multiauth/sshd_config.5 2008-02-02 13:04:13.000000000 -0700
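Review bot: The `sNumRequiredAuthMethods` case in the @@ -887 hunk accepts any integer through `parse_int` with no range check, and the monitor.c hunk seeds its counter with `options.num_required_auth_methods-1`, so a configured `0` or negative value makes the monitor refuse every login while the child's `passed < N` test can never fail, leaving the two halves of sshd disagreeing; a value larger than the number of enabled methods silently locks every user out. Reject anything below 1 with fatal() at parse time (and ideally anything above the count of non-`none` entries in authmethods[]), which means handling the value here rather than jumping to the shared label; the locals below (`arg`, `cp`, `value`, `activep`) are the ones the `parse_int` label presumably uses and may need renaming to match the surrounding function, which starts and ends outside the hunk.
```c
	case sNumRequiredAuthMethods:
		intptr = &options->num_required_auth_methods;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		if (value < 1)
			fatal("%s line %d: NumRequiredAuthMethods must be at least 1.",
			    filename, linenum);
		if (*activep && *intptr == -1)
			*intptr = value;
		break;
```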
>@@ -559,10 +559,19 @@
> are refused if the number of unauthenticated connections reaches
> .Dq full
> (60).
>+
>+.It Cm NumRequiredAuthMethods
>+Specifies how many authentication methods must succeed during ssh2
>+authentication. There are four potential methods: publickey, password,
>+keyboard-interactive, and hostbased. Setting this value to 2 or higher forces
>+the client to successfully authenticate in multiple ways, for example, using
>+both S/Key and publickey.
>+
> .It Cm PasswordAuthentication
> Specifies whether password authentication is allowed.
> The default is
> .Dq yes .
>+
> .It Cm PermitEmptyPasswords
> When password authentication is allowed, it specifies whether the
> server allows login to accounts with empty password strings.