Bugzilla – Attachment 1567 Details for
Bug 983
Required authentication
[patch]
Ports patch 1521 (BSD) to portable & -current
requiredauthentications.patch (text/plain), 22.50 KB, created by
Paul Sery
on 2008-09-03 15:53:43 AEST
Description:
Ports patch 1521 (BSD) to portable & -current
Filename:
MIME Type:
Creator:
Paul Sery
Created:
2008-09-03 15:53:43 AEST
Size:
22.50 KB
patch
obsolete
>Index: auth.c
>===================================================================
>RCS file: /cvs/openssh/auth.c,v
>retrieving revision 1.131
>diff -u -p -r1.131 auth.c
>--- auth.c 9 Jul 2008 10:54:51 -0000 1.131
>+++ auth.c 3 Sep 2008 05:26:10 -0000
>@@ -245,7 +245,8 @@ allowed_user(struct passwd * pw)
> }
> 
> void
>-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
>+auth_log(Authctxt *authctxt, int authenticated, const char *method,
>+ const char *submethod, const char *info)
> {
> void (*authlog) (const char *fmt,...) = verbose;
> char *authmsg;
>@@ -265,9 +266,10 @@ auth_log(Authctxt *authctxt, int authent
> else
> authmsg = authenticated ? "Accepted" : "Failed";
> 
>- authlog("%s %s for %s%.100s from %.200s port %d%s",
>+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
> authmsg,
> method,
>+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
> authctxt->valid ? "" : "invalid user ",
> authctxt->user,
> get_remote_ipaddr(),
>@@ -297,7 +299,7 @@ auth_log(Authctxt *authctxt, int authent
> * Check whether root logins are disallowed.
> */
> int
>-auth_root_allowed(char *method)
>+auth_root_allowed(const char *method)
> {
> switch (options.permit_root_login) {
> case PERMIT_YES:
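Review bot: The new `submethod` parameter of auth_log is undocumented, and its NULL contract is only visible from the two ternaries inside the authlog() call. A comment above the definition such as `/* submethod is optional (NULL); when set it is logged as "method/submethod" */` would make the contract explicit for the call sites this patch updates in auth1.c, auth2.c, auth2-chall.c, auth2-gss.c and monitor.c. auth_log's body continues outside the hunk.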
>@@ -619,4 +621,58 @@ fakepw(void)
> fake.pw_shell = "/nonexist";
> 
> return (&fake);
>+}
>+
>+int
>+auth_method_in_list(const char *list, const char *method)
>+{
>+ char *cp;
>+
>+ cp = match_list(method, list, NULL);
>+ if (cp != NULL) {
>+ xfree(cp);
>+ return 1;
>+ }
>+
>+ return 0;
>+}
>+
>+#define DELIM ","
>+int
>+auth_remove_from_list(char **list, const char *method)
>+{
>+ char *oldlist, *cp, *newlist = NULL;
>+ u_int len = 0, ret = 0;
>+
>+ if (list == NULL || *list == NULL)
>+ return (0);
>+
>+ oldlist = *list;
>+ len = strlen(oldlist) + 1;
>+ newlist = xmalloc(len);
>+ memset(newlist, '\0', len);
>+
>+ /* Remove method from list, if present */
>+ for (;;) {
>+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
>+ break;
>+ if (*cp == '\0')
>+ continue;
>+ if (strcmp(cp, method) != 0) {
>+ if (*newlist != '\0')
>+ strlcat(newlist, DELIM, len);
>+ strlcat(newlist, cp, len);
>+ } else
>+ ret++;
>+ }
>+
>+ /* Return NULL instead of empty list */
>+ if (*newlist == '\0') {
>+ xfree(newlist);
>+ newlist = NULL;
>+ }
>+ xfree(*list);
>+ *list = newlist;
>+
>+ return (ret);
> }
>Index: auth.h
>===================================================================
>RCS file: /cvs/openssh/auth.h,v
>retrieving revision 1.79
>diff -u -p -r1.79 auth.h
>--- auth.h 2 Jul 2008 12:37:30 -0000 1.79
>+++ auth.h 3 Sep 2008 05:26:14 -0000
>@@ -140,10 +140,11 @@ void disable_forwarding(void);
> void do_authentication(Authctxt *);
> void do_authentication2(Authctxt *);
> 
>-void auth_log(Authctxt *, int, char *, char *);
>-void userauth_finish(Authctxt *, int, char *);
>+void auth_log(Authctxt *, int, const char *, const char *, const char *);
>+void userauth_finish(Authctxt *, int, const char *, const char *);
>+int auth_root_allowed(const char *);
>+
> void userauth_send_banner(const char *);
>-int auth_root_allowed(char *);
> 
> char *auth2_read_banner(void);
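Review bot: auth_remove_from_list and auth_method_in_list are new exported functions with no header comment, yet every caller in this patch treats a return value other than exactly 1 as an internal error, so the contract needs to be written down. Above auth_remove_from_list add `/* Remove every occurrence of method from the comma-separated *list; *list is replaced by a fresh allocation (NULL once nothing remains). Returns the number of entries removed. */`, and above auth_method_in_list note that it is a thin wrapper over match_list() and that `method` is expected to be a single name. `#define DELIM ","` is repeated verbatim in auth1.c and auth2.c; a single definition in auth.h would keep the three parsers from drifting. `len` and `ret` are `u_int` while the function returns `int`; `size_t` for the length and `int` for the count would match strlen/xmalloc and the declared return type.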
> 
>@@ -184,6 +185,11 @@ void auth_debug_send(void);
> void auth_debug_reset(void);
> 
> struct passwd *fakepw(void);
>+int auth_method_in_list(const char *, const char *);
>+int auth_remove_from_list(char **, const char *);
>+
>+int auth1_check_required(const char *);
>+int auth2_check_required(const char *);
> 
> int sys_auth_passwd(Authctxt *, const char *);
> 
>Index: auth1.c
>===================================================================
>RCS file: /cvs/openssh/auth1.c,v
>retrieving revision 1.124
>diff -u -p -r1.124 auth1.c
>--- auth1.c 9 Jul 2008 10:54:05 -0000 1.124
>+++ auth1.c 3 Sep 2008 05:26:18 -0000
>@@ -98,6 +98,54 @@ static const struct AuthMethod1
> return (NULL);
> }
> 
>+static const struct AuthMethod1 *
>+lookup_authmethod1_by_name(const char *name)
>+{
>+ int i;
>+
>+ for (i = 0; auth1_methods[i].name != NULL; i++)
>+ if (strcmp(auth1_methods[i].name, name) == 0)
>+ return (&(auth1_methods[i]));
>+
>+ return NULL;
>+}
>+
>+#define DELIM ","
>+int
>+auth1_check_required(const char *list)
>+{
>+ char *orig_methods, *methods, *cp;
>+ static const struct AuthMethod1 *m;
>+ int ret = 0;
>+
>+ orig_methods = methods = xstrdup(list);
>+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
>+ if ((cp = strsep(&methods, DELIM)) == NULL)
>+ break;
>+ debug2("auth1_check_required: method \"%s\"", cp);
>+ if (*cp == '\0') {
>+ debug("auth1_check_required: empty method");
>+ ret = -1;
>+ }
>+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
>+ debug("auth1_check_required: unknown method "
>+ "\"%s\"", cp);
>+ ret = -1;
>+ }
>+ if (*(m->enabled) == 0) {
>+ debug("auth1_check_required: method %s explicitly "
>+ "disabled", cp);
>+ ret = -1;
>+ }
>+ /* Activate method if it isn't already */
>+ if (*(m->enabled) == -1)
>+ *(m->enabled) = 1;
>+ }
>+ xfree(orig_methods);
>+ return (ret);
>+}
>+
>+
> static char *
> get_authname(int type)
> {
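Review bot: In auth1_check_required, when lookup_authmethod1_by_name() returns NULL (unknown name, and also the empty-element case since lookup of "" fails) the loop records ret = -1 but falls straight through to `*(m->enabled)`, a NULL dereference; auth2_check_required in auth2.c breaks out of the loop at the same point. Change the unknown-method branch to `ret = -1; break;` so the dereference is only reached with a valid `m`. This is reached from config parsing only, so the effect is a crash on a malformed sshd_config rather than anything client-triggered, but it also masks the intended "Invalid required authentication list" diagnostic. `static` on `m` has no purpose here and should be a plain local; the `XXX maybe` comment can be resolved by writing the loop as `while ((cp = strsep(&methods, DELIM)) != NULL)`.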
>@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
> {
> int authenticated = 0;
> char info[1024];
>+ const char *meth_name;
> int prev = 0, type = 0;
> const struct AuthMethod1 *meth;
> 
>@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
> authctxt->valid ? "" : "invalid user ", authctxt->user);
> 
> /* If the user has no password, accept authentication immediately. */
>- if (options.password_authentication &&
>+ if (options.required_auth1 == NULL && options.password_authentication &&
> #ifdef KRB5
> (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
> #endif
>@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
> if (options.use_pam && (PRIVSEP(do_pam_account())))
> #endif
> {
>- auth_log(authctxt, 1, "without authentication", NULL, "");
>+ auth_log(authctxt, 1, "without authentication", NULL, "");
> return;
> }
> }
>@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
> /* Get a packet from the client. */
> prev = type;
> type = packet_read();
>+ meth_name = get_authname(type);
> 
> /*
> * If we started challenge-response authentication but the
>@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
> if (authctxt->failures >= options.max_authtries)
> goto skip;
> if ((meth = lookup_authmethod1(type)) == NULL) {
>- logit("Unknown message during authentication: "
>- "type %d", type);
>+ logit("Unknown message during authentication: type %d",
>+ type);
> goto skip;
> }
> 
>@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
> goto skip;
> }
> 
>+ /*
>+ * Skip methods not in required list, until all the required
>+ * ones are done
>+ */
>+ if (options.required_auth1 != NULL &&
>+ !auth_method_in_list(options.required_auth1, meth_name)) {
>+ debug("Skipping method \"%s\" until required "
>+ "authentication completed", meth_name);
>+ goto skip;
>+ }
>+
> authenticated = meth->method(authctxt, info, sizeof(info));
> if (authenticated == -1)
> continue; /* "postponed" */
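Review bot: The new required-list filter in do_authloop lands on `skip:` together with the unknown-message and MaxAuthTries cases, so a client that offers a method not (yet) in the required list is logged by auth_log as a failed attempt and, if the code after `skip:` (the next hunk, outside this one) still increments failures, also consumes a MaxAuthTries slot. If that is intended, say so in the comment, e.g. `/* Treated like any other failed attempt: logged and counted against MaxAuthTries */`; if not, a separate label that only sends SSH_SMSG_FAILURE is needed. `meth_name` is taken from get_authname(type) before lookup_authmethod1() validates the type, so its value for unknown message types is whatever get_authname returns for them (outside this hunk); a one-line comment at the assignment would save the next reader the lookup. do_authloop continues outside the hunk.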
>@@ -360,7 +421,29 @@ do_authloop(Authctxt *authctxt)
> 
> skip:
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, get_authname(type), info);
>+ auth_log(authctxt, authenticated, meth_name, NULL, info);
>+
>+ /* Loop until the required authmethods are done */
>+ if (authenticated && options.required_auth1 != NULL) {
>+ if (auth_remove_from_list(&options.required_auth1,
>+ meth_name) != 1)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ meth_name, options.required_auth1);
>+ debug2("do_authloop: required list now: %s",
>+ options.required_auth1 == NULL ?
>+ "DONE" : options.required_auth1);
>+ if (options.required_auth1 == NULL)
>+ return;
>+ authenticated = 0;
>+ /*
>+ * Disable method so client can't authenticate with it
>+ * after the required authentications are complete.
>+ */
>+ *(meth->enabled) = 0;
>+ packet_send_debug("Further authentication required");
>+ goto send_fail;
>+ }
> 
> if (client_user != NULL) {
> xfree(client_user);
>@@ -376,6 +459,7 @@ do_authloop(Authctxt *authctxt)
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+ send_fail:
> 
> packet_start(SSH_SMSG_FAILURE);
> packet_send();
>Index: auth2.c
>===================================================================
>RCS file: /cvs/openssh/auth2.c,v
>retrieving revision 1.148
>diff -u -p -r1.148 auth2.c
>--- auth2.c 4 Jul 2008 23:44:53 -0000 1.148
>+++ auth2.c 3 Sep 2008 05:26:22 -0000
>@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32
> {
> Authctxt *authctxt = ctxt;
> Authmethod *m = NULL;
>- char *user, *service, *method, *style = NULL;
>+ char *user, *service, *method, *active_methods, *style = NULL;
> int authenticated = 0;
> 
> if (authctxt == NULL)
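Review bot: Both the `return` and the `goto send_fail` in the new required-list block jump over the `if (client_user != NULL) { xfree(client_user); ... }` cleanup that immediately follows it, so a required step performed by whichever method sets client_user leaks that string and leaves the stale pointer in place for the next loop iteration. The cleanup does not depend on `authenticated`, so moving it above the required-list block fixes both paths. The block also dereferences `meth->enabled` on the assumption that `authenticated` can only be non-zero when `meth` was assigned in this iteration; that holds for the paths visible here (every `goto skip` leaves authenticated at 0) but deserves a one-line comment since `meth` is otherwise stale from the previous round. do_authloop continues outside the hunk.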
>@@ -266,22 +266,31 @@ input_userauth_request(int type, u_int32
> authctxt->postponed = 0;
> 
> /* try to authenticate user */
>- m = authmethod_lookup(method);
>- if (m != NULL && authctxt->failures < options.max_authtries) {
>- debug2("input_userauth_request: try method %s", method);
>- authenticated = m->userauth(authctxt);
>- }
>- userauth_finish(authctxt, authenticated, method);
>+ active_methods = authmethods_get();
>+ if (strcmp(method, "none") == 0 ||
>+ auth_method_in_list(active_methods, method)) {
>+ m = authmethod_lookup(method);
>+ if (m != NULL) {
>+ debug2("input_userauth_request: try method %s", method);
>+ authenticated = m->userauth(authctxt);
>+ }
> 
>+ }
>+ xfree(active_methods);
>+ userauth_finish(authctxt, authenticated, method, NULL);
>+
> xfree(service);
> xfree(user);
> xfree(method);
> }
> 
> void
>-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
>+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
>+ const char *submethod)
> {
> char *methods;
>+ Authmethod *m = NULL;
>+ u_int partial = 0;
> 
> if (!authctxt->valid && authenticated)
> fatal("INTERNAL ERROR: authenticated invalid user %s",
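Review bot: The rewritten dispatch in input_userauth_request drops the `authctxt->failures < options.max_authtries` guard that the removed lines carried, so `m->userauth(authctxt)` now runs regardless of the failure count and MaxAuthTries is enforced only by the post-hoc disconnect in userauth_finish. Unless the drop is deliberate, keep the guard on the inner test: `if (m != NULL && authctxt->failures < options.max_authtries) {`. A method name that is not in `active_methods` now falls through silently to userauth_finish with authenticated = 0, which is reasonable but worth a comment, e.g. `/* not offered right now (see authmethods_get): treated as a failed attempt */`. The stray blank line before the closing `}` of the new block should go.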
>@@ -319,12 +328,34 @@ userauth_finish(Authctxt *authctxt, int
> #endif /* _UNICOS */
> 
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, method, " ssh2");
>+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
> 
> if (authctxt->postponed)
> return;
> 
>- /* XXX todo: check if multiple auth methods are needed */
>+ /* Handle RequiredAuthentications2: loop until required methods done */
>+ if (authenticated && options.required_auth2 != NULL) {
>+ if ((m = authmethod_lookup(method)) == NULL)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" unknown", method);
>+ if (auth_remove_from_list(&options.required_auth2, method) != 1)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ method, options.required_auth2);
>+ debug2("userauth_finish: required list now: %s",
>+ options.required_auth2 == NULL ?
>+ "DONE" : options.required_auth2);
>+ /*
>+ * Disable method so client can't authenticate with it after
>+ * the required authentications are complete.
>+ */
>+ if (m->enabled != NULL)
>+ *(m->enabled) = 0;
>+ authenticated = 0;
>+ partial = 1;
>+ goto send_fail;
>+ }
>+
> if (authenticated == 1) {
> /* turn off userauth */
> dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
>@@ -344,10 +375,11 @@ userauth_finish(Authctxt *authctxt, int
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+ send_fail:
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
>- packet_put_char(0); /* XXX partial success, unused */
>+ packet_put_char(partial);
> packet_send();
> packet_write_wait();
> xfree(methods);
>@@ -361,6 +393,9 @@ authmethods_get(void)
> char *list;
> int i;
> 
>+ if (options.required_auth2 != NULL)
>+ return xstrdup(options.required_auth2);
>+
> buffer_init(&b);
> for (i = 0; authmethods[i] != NULL; i++) {
> if (strcmp(authmethods[i]->name, "none") == 0)
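Review bot: The required-list block in userauth_finish unconditionally clears `authenticated`, sets `partial = 1` and jumps to send_fail, even when auth_remove_from_list has just emptied options.required_auth2 (the "DONE" case in its own debug2 line). do_authloop in auth1.c returns success at exactly that point, and monitor_child_preauth in monitor.c only clears `authenticated` while `*req_auth != NULL`, so with privilege separation the monitor would treat the last required step as a completed login while the unprivileged child still answers with SSH2_MSG_USERAUTH_FAILURE and waits for one more method. If "required but not sufficient" (the servconf.h comment) is the intended rule, the other two sides need the same rule; otherwise replace the three unconditional lines with `if (options.required_auth2 != NULL) { authenticated = 0; partial = 1; goto send_fail; }` while keeping the method-disable step. The `goto send_fail` into the `else` block is legal C but easy to misread; a comment at the label, `/* reached directly after a partial success: no failure counted */`, would help. userauth_finish continues outside the hunk.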
>@@ -393,5 +428,45 @@ authmethod_lookup(const char *name)
> debug2("Unrecognized authentication method name: %s",
> name ? name : "NULL");
> return NULL;
>+}
>+
>+#define DELIM ","
>+
>+int
>+auth2_check_required(const char *list)
>+{
>+ char *orig_methods, *methods, *cp;
>+ struct Authmethod *m;
>+ int i, ret = 0;
>+
>+ orig_methods = methods = xstrdup(list);
>+ for(;;) {
>+ if ((cp = strsep(&methods, DELIM)) == NULL)
>+ break;
>+ debug2("auth2_check_required: method \"%s\"", cp);
>+ if (*cp == '\0') {
>+ debug("auth2_check_required: empty method");
>+ ret = -1;
>+ }
>+ for (i = 0; authmethods[i] != NULL; i++)
>+ if (strcmp(cp, authmethods[i]->name) == 0)
>+ break;
>+ if ((m = authmethods[i]) == NULL) {
>+ debug("auth2_check_required: unknown method "
>+ "\"%s\"", cp);
>+ ret = -1;
>+ break;
>+ }
>+ if (m->enabled == NULL || *(m->enabled) == 0) {
>+ debug("auth2_check_required: method %s explicitly "
>+ "disabled", cp);
>+ ret = -1;
>+ }
>+ /* Activate method if it isn't already */
>+ if (*(m->enabled) == -1)
>+ *(m->enabled) = 1;
>+ }
>+ xfree(orig_methods);
>+ return (ret);
> }
> 
>Index: auth2-none.c
>===================================================================
>RCS file: /cvs/openssh/auth2-none.c,v
>retrieving revision 1.19
>diff -u -p -r1.19 auth2-none.c
>--- auth2-none.c 2 Jul 2008 12:56:09 -0000 1.19
>+++ auth2-none.c 3 Sep 2008 05:26:26 -0000
>@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt)
> if (check_nt_auth(1, authctxt->pw) == 0)
> return (0);
> #endif
>- if (options.password_authentication)
>+ if (options.password_authentication && options.required_auth2 == NULL)
> return (PRIVSEP(auth_password(authctxt, "")));
> return (0);
> }
>Index: auth2-chall.c
>===================================================================
>RCS file: /cvs/openssh/auth2-chall.c,v
>retrieving revision 1.37
>diff -u -p -r1.37 auth2-chall.c
>--- auth2-chall.c 26 Oct 2007 04:25:13 -0000 1.37
>+++ auth2-chall.c 3 Sep 2008 05:26:30 -0000
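Review bot: auth2_check_required dereferences `m->enabled` in the "Activate method" step right after a check that may have just established `m->enabled == NULL`, so a method whose enabled pointer is NULL is a NULL dereference at config-parse time instead of the intended rejection. Guard it, `if (m->enabled != NULL && *(m->enabled) == -1)`, or `break` after setting ret = -1 as the unknown-method branch already does. The empty-element case sets ret = -1 but still runs the name scan and is then reported a second time as unknown; a `continue` after the "empty method" message keeps the diagnostics one-to-one. `struct Authmethod *m` should match the `Authmethod *` spelling used by the rest of auth2.c.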
>@@ -281,9 +281,9 @@ input_userauth_info_response(int type, u
> {
> Authctxt *authctxt = ctxt;
> KbdintAuthctxt *kbdintctxt;
>- int authenticated = 0, res, len;
>+ int authenticated = 0, res;
> u_int i, nresp;
>- char **response = NULL, *method;
>+ char **response = NULL;
> 
> if (authctxt == NULL)
> fatal("input_userauth_info_response: no authctxt");
>@@ -330,12 +330,6 @@ input_userauth_info_response(int type, u
> break;
> }
> 
>- len = strlen("keyboard-interactive") + 2 +
>- strlen(kbdintctxt->device->name);
>- method = xmalloc(len);
>- snprintf(method, len, "keyboard-interactive/%s",
>- kbdintctxt->device->name);
>-
> if (!authctxt->postponed) {
> if (authenticated) {
> auth2_challenge_stop(authctxt);
>@@ -345,8 +339,8 @@ input_userauth_info_response(int type, u
> auth2_challenge_start(authctxt);
> }
> }
>- userauth_finish(authctxt, authenticated, method);
>- xfree(method);
>+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
>+ kbdintctxt->device->name);
> }
> 
> void
>Index: auth2-gss.c
>===================================================================
>RCS file: /cvs/openssh/auth2-gss.c,v
>retrieving revision 1.19
>diff -u -p -r1.19 auth2-gss.c
>--- auth2-gss.c 2 Dec 2007 11:59:45 -0000 1.19
>+++ auth2-gss.c 3 Sep 2008 05:26:35 -0000
>@@ -161,7 +161,7 @@ input_gssapi_token(int type, u_int32_t p
> }
> authctxt->postponed = 0;
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
>- userauth_finish(authctxt, 0, "gssapi-with-mic");
>+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
> } else {
> if (send_tok.length != 0) {
> packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
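Review bot: The auth2-chall.c change moves the read of `kbdintctxt->device->name` from before the postponed/stop/start block to the userauth_finish call after it, but auth2_challenge_stop() and auth2_challenge_start() (outside this hunk) are the routines that release authctxt->kbdintctxt when the exchange ends, which leaves the local `kbdintctxt` dangling on exactly the success path — the removed lines built the method string early for that reason. Capture the name first, `devicename = kbdintctxt->device->name;` placed before `if (!authctxt->postponed)`, and pass `devicename` to userauth_finish; this is only safe if the device name string outlives the kbdint context (static device tables would satisfy that), which should be confirmed. The auth2-gss.c hunk on this line is a straight call-site update.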
>@@ -249,7 +249,7 @@ input_gssapi_exchange_complete(int type,
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
>- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
>+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
> }
> 
> static void
>@@ -289,7 +289,7 @@ input_gssapi_mic(int type, u_int32_t ple
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
>- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
>+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
> }
> 
> Authmethod method_gssapi = {
>Index: monitor.c
>===================================================================
>RCS file: /cvs/openssh/monitor.c,v
>retrieving revision 1.132
>diff -u -p -r1.132 monitor.c
>--- monitor.c 11 Jul 2008 07:36:48 -0000 1.132
>+++ monitor.c 3 Sep 2008 05:26:39 -0000
>@@ -327,7 +327,8 @@ void
> monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
> {
> struct mon_table *ent;
>- int authenticated = 0;
>+ int no_increment, authenticated = 0;
>+ char **req_auth;
> 
> debug3("preauth child monitor started");
> 
>@@ -338,12 +339,14 @@ monitor_child_preauth(Authctxt *_authctx
> 
> if (compat20) {
> mon_dispatch = mon_dispatch_proto20;
>+ req_auth = &options.required_auth2;
> 
> /* Permit requests for moduli and signatures */
> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
> monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
> } else {
> mon_dispatch = mon_dispatch_proto15;
>+ req_auth = &options.required_auth1;
> 
> monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
> }
>@@ -351,6 +354,7 @@ monitor_child_preauth(Authctxt *_authctx
> /* The first few requests do not require asynchronous access */
> while (!authenticated) {
> auth_method = "unknown";
>+ no_increment = 1;
> authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
> if (authenticated) {
> if (!(ent->flags & MON_AUTHDECIDE))
>@@ -372,11 +376,23 @@ monitor_child_preauth(Authctxt *_authctx
> }
> #endif
> }
>+ /* Loop until the required authmethods are done */
>+ if (authenticated && *req_auth != NULL) {
>+ if (auth_remove_from_list(req_auth, auth_method) != 1)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ auth_method, *req_auth);
>+ debug2("monitor_child_preauth: required list now: %s",
>+ *req_auth == NULL ? "DONE" : *req_auth);
>+ if (*req_auth != NULL)
>+ authenticated = 0;
>+ no_increment = 1;
>+ }
> 
> if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
>- auth_log(authctxt, authenticated, auth_method,
>+ auth_log(authctxt, authenticated, auth_method, NULL,
> compat20 ? " ssh2" : "");
>- if (!authenticated)
>+ if (!authenticated && !no_increment)
> authctxt->failures++;
> }
> }
>@@ -1053,7 +1069,8 @@ mm_answer_keyallowed(int sock, Buffer *m
> hostbased_chost = chost;
> } else {
> /* Log failed attempt */
>- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
>+ auth_log(authctxt, 0, auth_method, NULL,
>+ compat20 ? " ssh2" : "");
> xfree(blob);
> xfree(cuser);
> xfree(chost);
>Index: servconf.c
>===================================================================
>RCS file: /cvs/openssh/servconf.c,v
>retrieving revision 1.179
>diff -u -p -r1.179 servconf.c
>--- servconf.c 23 Jul 2008 07:42:29 -0000 1.179
>+++ servconf.c 3 Sep 2008 05:26:44 -0000
>@@ -38,6 +38,8 @@
> #include "key.h"
> #include "kex.h"
> #include "mac.h"
>+#include "hostfile.h"
>+#include "auth.h"
> #include "match.h"
> #include "channels.h"
> #include "groupaccess.h"
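Review bot: `no_increment = 1;` is assigned unconditionally at the top of the while loop and nothing ever resets it, so `if (!authenticated && !no_increment)` is always false and the monitor's `authctxt->failures` counter no longer advances for any failed attempt — the privileged side of the MaxAuthTries accounting is switched off for every method, not just for required steps. The loop header should read `no_increment = 0;` and only the required-list block should set it to 1. Separately, a successfully completed required step reaches auth_log after `authenticated` has already been cleared, so the monitor records it as `Failed <method> for ...`; calling auth_log before the required-list block, or passing the pre-clear value, keeps the audit trail truthful for anything that alerts or rate-limits on those lines. monitor_child_preauth continues outside the hunk.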
>@@ -124,6 +126,8 @@ initialize_server_options(ServerOptions
> options->authorized_keys_file2 = NULL;
> options->num_accept_env = 0;
> options->permit_tun = -1;
>+ options->required_auth1 = NULL;
>+ options->required_auth2 = NULL;
> options->num_permitted_opens = -1;
> options->adm_forced_command = NULL;
> options->chroot_directory = NULL;
>@@ -300,6 +304,7 @@ typedef enum {
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
> sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
>+ sRequiredAuthentications1, sRequiredAuthentications2,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sDeprecated, sUnsupported
>@@ -411,6 +416,8 @@ static struct {
> { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
> { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
> { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
>+ { "requiredauthentications1", sRequiredAuthentications1 },
>+ { "requiredauthentications2", sRequiredAuthentications2 },
> { "match", sMatch, SSHCFG_ALL },
> { "permitopen", sPermitOpen, SSHCFG_ALL },
> { "forcecommand", sForceCommand, SSHCFG_ALL },
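Review bot: The two new rows in the keyword table omit the third initialiser that every neighbouring row carries (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), so their flags field is implicitly zero; whether a zero flags value means "global only" or "allowed nowhere" is decided by the flag check in process_server_config_line, outside this hunk, and the intent should be written out rather than left to the default, e.g. `{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_GLOBAL },` and the same for the second row. The sshd_config.5 hunk in this patch documents the keywords as RequiredMethods1/2 while the table registers requiredauthentications1/2; the manual and the parser need to agree on one name.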
>@@ -1151,6 +1158,33 @@ process_server_config_line(ServerOptions
> filename, linenum);
> else
> options->max_startups = options->max_startups_begin;
>+ break;
>+
>+
>+ case sRequiredAuthentications1:
>+ charptr = &options->required_auth1;
>+ arg = strdelim(&cp);
>+ if (auth1_check_required(arg) != 0)
>+ fatal("%.200s line %d: Invalid required authentication "
>+ "list", filename, linenum);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (*charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ break;
>+
>+ case sRequiredAuthentications2:
>+ charptr = &options->required_auth2;
>+ arg = strdelim(&cp);
>+ if (auth2_check_required(arg) != 0)
>+ fatal("%.200s line %d: Invalid required authentication "
>+ "list", filename, linenum);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (*charptr == NULL)
>+ *charptr = xstrdup(arg);
> break;
> 
> case sMaxAuthTries:
>Index: servconf.h
>===================================================================
>RCS file: /cvs/openssh/servconf.h,v
>retrieving revision 1.77
>diff -u -p -r1.77 servconf.h
>--- servconf.h 10 Jun 2008 13:01:51 -0000 1.77
>+++ servconf.h 3 Sep 2008 05:26:48 -0000
>@@ -140,6 +140,9 @@ typedef struct {
> char *authorized_keys_file; /* File containing public keys */
> char *authorized_keys_file2;
> 
>+ char *required_auth1; /* Required, but not sufficient */
>+ char *required_auth2;
>+
> char *adm_forced_command;
> 
> int use_pam; /* Enable auth via PAM */
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/openssh/sshd_config.5,v
>retrieving revision 1.102
>diff -u -p -r1.102 sshd_config.5
>--- sshd_config.5 2 Jul 2008 12:35:43 -0000 1.102
>+++ sshd_config.5 3 Sep 2008 05:26:52 -0000
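Review bot: In both new cases auth1_check_required()/auth2_check_required() is invoked before the `!arg || *arg == '\0'` test, so a directive written without an argument hands a NULL `list` to the checker (which calls xstrdup on it) instead of producing the "Missing argument." fatal; move the argument test above the checker call in both cases. The checkers also mutate the methods' `enabled` flags as a side effect of validation, so a repeated occurrence of the keyword, whose value is discarded by the `*charptr == NULL` rule like other string options, still activates the methods it names; if that is intentional it deserves a comment, otherwise only run the checker when the value is going to be stored. The two case bodies differ only in the checker and the target pointer; one shared tail would keep them from diverging. The extra blank line after the first added `break;` should go.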
>@@ -607,6 +607,8 @@ Available keywords are
> .Cm PasswordAuthentication ,
> .Cm PermitOpen ,
> .Cm PermitRootLogin ,
>+.Cm RequiredMethods1,
>+.Cm RequiredMethods2,
> .Cm RhostsRSAAuthentication ,
> .Cm RSAAuthentication ,
> .Cm X11DisplayOffset ,
>@@ -798,6 +800,18 @@ Specifies whether public key authenticat
> The default is
> .Dq yes .
> Note that this option applies to protocol version 2 only.
>+.It Cm RequiredMethods[12]
>+ Requires two authentication methods to succeed before authorizing the connection.
>+
>+ RequiredAuthentications1 method[,method...]
>+ RequiredAuthentications2 method[,method...]
>+
>+.Pp
>+Example:
>+
>+ RequiredAuthentications1 password
>+ RequiredAuthentications2 publickey
>+
> .It Cm RhostsRSAAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful RSA host authentication is allowed.