

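--- a/openssh-5.9p0/auth.h.2auth
+++ b/openssh-5.9p0/auth.h.2auth
@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
 
 char	*auth2_read_banner(void);
 
+void	userauth_restart(const char *);
+
 void	privsep_challenge_enable(void);
 
 int	auth2_challenge(Authctxt *, char *);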
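--- a/openssh-5.9p0/auth2.c.2auth
+++ b/openssh-5.9p0/auth2.c.2auth
@@ -290,6 +290,23 @@ input_userauth_request(int type, u_int32
 }
 
 void
+userauth_restart(const char *method)
+{
+	options.two_factor_authentication = 0;
+
+	options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
+#ifdef GSSAPI
+	options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
+#endif
+#ifdef JPAKE
+	options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
+#endif
+	options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
+	options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
+	options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
+}
+
+void
 userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 {
 	char *methods;
@@ -337,6 +354,15 @@ userauth_finish(Authctxt *authctxt, int
 
 	/* XXX todo: check if multiple auth methods are needed */
 	if (authenticated == 1) {
+		if (options.two_factor_authentication) {
+			userauth_restart(method);
+			if (use_privsep) 
+				PRIVSEP(userauth_restart(method));
+
+			debug("1st factor authentication done go to 2nd factor");
+			goto ask_methods;
+		}
+
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
 		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
@@ -356,6 +382,7 @@ userauth_finish(Authctxt *authctxt, int
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
+ask_methods:
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);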
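Review bot: The `goto ask_methods` taken once the first factor succeeds lands in the failure branch of `userauth_finish`, so the client is answered with `SSH2_MSG_USERAUTH_FAILURE` and the remaining method list; the partial-success byte written after `packet_put_cstring(methods)` lies outside this hunk, but unless that path sets it to 1 a client cannot tell an accepted first factor from a rejected credential (RFC 4252 section 5.1). The step is also recorded only with `debug(...)`, so consider logging the accepted first method at normal log level so that a login can be audited factor by factor. In the same block, `if (use_privsep) PRIVSEP(userauth_restart(method));` tests `use_privsep` twice, because the macro already selects the `mm_` wrapper; `mm_userauth_restart(method);` under the `if` says the same thing directly. `userauth_finish` starts and ends outside the visible hunks.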
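--- a/openssh-5.9p0/monitor.c.2auth
+++ b/openssh-5.9p0/monitor.c.2auth
@@ -165,6 +165,7 @@ int mm_answer_jpake_step1(int, Buffer *)
 int mm_answer_jpake_step2(int, Buffer *);
 int mm_answer_jpake_key_confirm(int, Buffer *);
 int mm_answer_jpake_check_confirm(int, Buffer *);
+int mm_answer_userauth_restart(int, Buffer *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
@@ -259,6 +260,7 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
     {MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
 #endif
+    {MONITOR_REQ_USERAUTH_RESTART, MON_PERMIT, mm_answer_userauth_restart},
     {0, 0, NULL}
 };
 
@@ -378,9 +380,9 @@ monitor_child_preauth(Authctxt *_authctx
 	}
 
 	/* The first few requests do not require asynchronous access */
-	while (!authenticated) {
+	while (!authenticated || options.two_factor_authentication) {
 		auth_method = "unknown";
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
 				fatal("%s: unexpected authentication from %d",
@@ -390,7 +393,7 @@ monitor_child_preauth(Authctxt *_authctx
 				authenticated = 0;
 #ifdef USE_PAM
 			/* PAM needs to perform account checks after auth */
-			if (options.use_pam && authenticated) {
+			if (options.use_pam && authenticated && !options.two_factor_authentication) {
 				Buffer m;
 
 				buffer_init(&m);
@@ -2000,6 +2006,19 @@ monitor_reinit(struct monitor *mon)
 	monitor_openfds(mon, 0);
 }
 
+int
+mm_answer_userauth_restart(int sock, Buffer *m)
+{
+	char *method;
+	u_int method_len;
+
+	method = buffer_get_string(m, &method_len);
+
+	userauth_restart(method);
+
+	mm_request_send(sock, MONITOR_ANS_USERAUTH_RESTART, m);
+}
+
 #ifdef GSSAPI
 int
 mm_answer_gss_setup_ctx(int sock, Buffer *m)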
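Review bot: `mm_answer_userauth_restart` is declared `int` but falls off the end without a return, and its result feeds `authenticated = (monitor_read(...) == 1)` in `monitor_child_preauth`, so the loop acts on an indeterminate value; it also never frees the string obtained from `buffer_get_string`. Add `xfree(method);` after the `userauth_restart` call, `buffer_clear(m);` before the send, and end the handler with `return (0);`. Separately, the request is registered `MON_PERMIT` and the monitor clears `options.two_factor_authentication` purely on the unprivileged child's request, with the method name also supplied by the child. The monitor should honour the restart only after it has itself recorded a successful first factor, and should use the `auth_method` it recorded rather than the string in the message; otherwise privilege separation no longer protects the second factor. `monitor_child_preauth` continues outside the visible hunks.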
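--- a/openssh-5.9p0/monitor.h.2auth
+++ b/openssh-5.9p0/monitor.h.2auth
@@ -66,6 +66,7 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
 	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
 	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
+	MONITOR_REQ_USERAUTH_RESTART, MONITOR_ANS_USERAUTH_RESTART,
 };
 
 struct mm_master;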
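--- a/openssh-5.9p0/monitor_wrap.c.2auth
+++ b/openssh-5.9p0/monitor_wrap.c.2auth
@@ -1173,6 +1173,26 @@ mm_auth_rsa_verify_response(Key *key, BI
 	return (success);
 }
 
+void
+mm_userauth_restart(const char *monitor)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+
+	buffer_put_cstring(&m, monitor);
+
+	mm_request_send(pmonitor->m_recvfd,
+	    MONITOR_REQ_USERAUTH_RESTART, &m);
+	debug3("%s: waiting for MONITOR_ANS_USERAUTH_RESTART", __func__);
+	mm_request_receive_expect(pmonitor->m_recvfd,
+	    MONITOR_ANS_USERAUTH_RESTART, &m);
+
+	buffer_free(&m);
+}
+
 #ifdef SSH_AUDIT_EVENTS
 void
 mm_audit_event(ssh_audit_event_t event)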
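Review bot: The parameter of `mm_userauth_restart` is named `monitor`, but it carries the name of the authentication method that just succeeded: `userauth_finish` passes `method`, and `mm_answer_userauth_restart` reads it back as `method`. Rename it, `mm_userauth_restart(const char *method)` with `buffer_put_cstring(&m, method);`, so the wrapper matches `userauth_restart(const char *method)`. A one-line header comment such as `/* Ask the monitor to switch to the second-factor method set, excluding the method already used. */` would also help, since this request changes which methods the monitor will accept.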
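--- a/openssh-5.9p0/monitor_wrap.h.2auth
+++ b/openssh-5.9p0/monitor_wrap.h.2auth
@@ -53,6 +53,7 @@ int mm_key_verify(Key *, u_char *, u_int
 int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
+void mm_userauth_restart(const char *);
 
 #ifdef GSSAPI
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);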
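--- a/openssh-5.9p0/servconf.c.2auth
+++ b/openssh-5.9p0/servconf.c.2auth
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
+	options->two_factor_authentication = -1;
+	options->second_pubkey_authentication = -1;
+	options->second_gss_authentication = -1;
+	options->second_password_authentication = -1;
+	options->second_kbd_interactive_authentication = -1;
+	options->second_zero_knowledge_password_authentication = -1;
+	options->second_hostbased_authentication = -1;
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
 		options->permit_user_env = 0;
+	if (options->two_factor_authentication == -1)
+		options->two_factor_authentication = 0;
+	if (options->second_pubkey_authentication == -1)
+		options->second_pubkey_authentication = 1;
+	if (options->second_gss_authentication == -1)
+		options->second_gss_authentication = 0;
+	if (options->second_password_authentication == -1)
+		options->second_password_authentication = 1;
+	if (options->second_kbd_interactive_authentication == -1)
+		options->second_kbd_interactive_authentication = 0;
+	if (options->second_zero_knowledge_password_authentication == -1)
+		options->second_zero_knowledge_password_authentication = 0;
+	if (options->second_hostbased_authentication == -1)
+		options->second_hostbased_authentication = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
 	if (options->compression == -1)
@@ -316,8 +337,11 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
-	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
-	sClientAliveCountMax, sAuthorizedKeysFile,
+	sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
+	sSecondPubkeyAuthentication, sSecondGssAuthentication,
+	sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
+	sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
+	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -395,6 +419,21 @@ static struct {
 #else
 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
 #endif
+	{ "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
+	{ "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
+#ifdef GSSAPI
+	{ "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
+#else
+	{ "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+	{ "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
+	{ "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
+#ifdef JPAKE
+	{ "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
+#else
+	{ "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+	{ "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case sTwoFactorAuthentication:
+		intptr = &options->two_factor_authentication;
+		goto parse_flag;
+
+	case sSecondPubkeyAuthentication:
+		intptr = &options->second_pubkey_authentication;
+		goto parse_flag;
+
+	case sSecondGssAuthentication:
+		intptr = &options->second_gss_authentication;
+		goto parse_flag;
+
+	case sSecondPasswordAuthentication:
+		intptr = &options->second_password_authentication;
+		goto parse_flag;
+
+	case sSecondKbdInteractiveAuthentication:
+		intptr = &options->second_kbd_interactive_authentication;
+		goto parse_flag;
+
+	case sSecondZeroKnowledgePasswordAuthentication:
+		intptr = &options->second_zero_knowledge_password_authentication;
+		goto parse_flag;
+
+	case sSecondHostbasedAuthentication:
+		intptr = &options->second_hostbased_authentication;
+		goto parse_flag;
+
 	case sPrintMotd:
 		intptr = &options->print_motd;
 		goto parse_flag;
@@ -1491,14 +1558,21 @@ void
 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
 	M_CP_INTOPT(password_authentication);
+	M_CP_INTOPT(second_password_authentication);
 	M_CP_INTOPT(gss_authentication);
+	M_CP_INTOPT(second_gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_INTOPT(second_pubkey_authentication);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
+	M_CP_INTOPT(second_hostbased_authentication);
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(second_kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
+	M_CP_INTOPT(second_zero_knowledge_password_authentication);
+	M_CP_INTOPT(two_factor_authentication);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
 
@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
 #endif
 #ifdef JPAKE
 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
 	    o->zero_knowledge_password_authentication);
+	dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
+	    o->second_zero_knowledge_password_authentication);
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+	dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);
+	dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
+	    o->second_kbd_interactive_authentication);
 	dump_cfg_fmtint(sChallengeResponseAuthentication,
 	    o->challenge_response_authentication);
+	dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);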
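Review bot: Nothing in the visible hunks validates the option combination when `TwoFactorAuthentication` is on: the `fill_default_server_options` hunk only supplies defaults, so a configuration that disables every `Second*Authentication` keyword is accepted and every user is locked out after the first factor succeeds. A check after the defaults are filled, sketched below, would turn that into a start-up error; whether later validation exists outside these hunks is not visible, and settings applied through `Match` via `copy_set_server_options` would need the same test. The check does not cover the case where the only enabled second method is the one used first, which `userauth_restart` in auth2.c removes, so that case deserves a mention in the manual page as well.
```c
	/* … unchanged: second_* defaults filled in above … */
	if (options->two_factor_authentication &&
	    !options->second_pubkey_authentication &&
	    !options->second_gss_authentication &&
	    !options->second_password_authentication &&
	    !options->second_kbd_interactive_authentication &&
	    !options->second_zero_knowledge_password_authentication &&
	    !options->second_hostbased_authentication)
		fatal("TwoFactorAuthentication requires at least one "
		    "Second*Authentication method to be enabled");
```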
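--- a/openssh-5.9p0/servconf.h.2auth
+++ b/openssh-5.9p0/servconf.h.2auth
@@ -112,6 +112,14 @@ typedef struct {
 					/* If true, permit jpake auth */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
+	int	two_factor_authentication;	/* If true, the first sucessful authentication
+					 * will be followed by the second one from anorher set */
+	int	second_pubkey_authentication;	/* second set of authentications */
+	int	second_gss_authentication;
+	int	second_password_authentication;
+	int	second_kbd_interactive_authentication;
+	int	second_zero_knowledge_password_authentication;
+	int	second_hostbased_authentication;
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */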
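Review bot: The comment on `two_factor_authentication` has two typos (`sucessful`, `anorher`) and does not say that the flag is cleared at run time once the first factor has succeeded, which `userauth_restart` in auth2.c does. Suggested wording: `/* If true, the first successful authentication must be followed by a second one from the second_* set; cleared once the first factor succeeds */`. The six `second_*` fields share one terse comment; a short note on the group that each one permits the matching method as second factor would match the style of the neighbouring fields.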
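--- a/openssh-5.9p0/sshd_config.2auth
+++ b/openssh-5.9p0/sshd_config.2auth
@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
+#TwoFactorAuthentication no
+#SecondPubkeyAuthentication yes
+#SecondHostbasedAuthentication no
+#SecondPasswordAuthentication yes
+#SecondChallengeResponseAuthentication yes
+#SecondGSSAPIAuthentication no
+
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no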
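Review bot: The sample advertises `#SecondChallengeResponseAuthentication yes`, but the keyword table added to servconf.c in this patch has no `secondchallengeresponseauthentication` entry in the visible hunks; the nearest keyword is `secondkbdinteractiveauthentication`, whose default is no. An administrator who uncomments the line would presumably get an unknown-option error, and the commented default misstates what the server does. Replace it with `#SecondKbdInteractiveAuthentication no`, or add the keyword and its default to servconf.c and sshd_config.5.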
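--- a/openssh-5.9p0/sshd_config.5.2auth
+++ b/openssh-5.9p0/sshd_config.5.2auth
@@ -726,6 +726,12 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication ,
+.Cm TwoFactorAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
@@ -931,6 +937,41 @@ Specifies whether pure RSA authenticatio
 The default is
 .Dq yes .
 This option applies to protocol version 1 only.
+.It Cm SecondGSSAPIAuthentication
+Specifies whether the
+.Cm GSSAPIAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “no”.
+.It Cm SecondHostbasedAuthentication
+Specifies whether the
+.Cm HostbasedAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “no”.
+.It Cm SecondKbdInteractiveAuthentication
+Specifies whether the
+.Cm KbdInteractiveAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “no”.
+.It Cm SecondPasswordAuthentication
+Specifies whether the
+.Cm PasswordAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “yes”.
+.It Cm SecondPubkeyAuthentication 
+Specifies whether the
+.Cm PubkeyAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “yes”.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
@@ -1011,6 +1052,22 @@ For more details on certificates, see th
 .Sx CERTIFICATES
 section in
 .Xr ssh-keygen 1 .
+.It Cm TwoFactorAuthentication
+Specifies whether for a successful login is necessary to meet two independent authentications.
+If select the first method is selected from the set of allowed methods from
+.Cm GSSAPIAuthentication ,
+.Cm HostbasedAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm PasswordAuthentication ,
+.Cm PubkeyAuthentication .
+And the second method is selected from the set of allowed methods from
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication 
+without the method used for the first authentication.
+The argument must be “yes” or “no”.  The default is “no”.
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8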
