Attachment #2192 for bug #983

View | Details | Raw Unified | Return to bug 983 | Differences between

and this patch

Lines 57-62 struct Authctxt { Link Here

(-)auth.h (+5 lines)
57	void *kbdintctxt;	57	void *kbdintctxt;
58	void *jpake_ctx;	58	void *jpake_ctx;
59	auth_session_t *as;	59	auth_session_t *as;
		60	char *auth_methods; / modified from server config */
		61	u_int num_auth_methods;
60	#ifdef KRB5	62	#ifdef KRB5
61	krb5_context krb5_ctx;	63	krb5_context krb5_ctx;
62	krb5_ccache krb5_fwd_ccache;	64	krb5_ccache krb5_fwd_ccache;
Lines 130-135 void userauth_finish(Authctxt , int, char ); Link Here
130	int auth_root_allowed(char *);	132	int auth_root_allowed(char *);
131		133
132	char *auth2_read_banner(void);	134	char *auth2_read_banner(void);
		135	int auth2_methods_valid(const char *, int);
		136	int auth2_update_methods_lists(Authctxt , const char );
		137	int auth2_setup_methods_lists(Authctxt *);
133		138
134	void privsep_challenge_enable(void);	139	void privsep_challenge_enable(void);
135		140

Lines 338-343 do_authentication(Authctxt *authctxt) Link Here

(-)auth1.c (+5 lines)
338	authctxt->pw = fakepw();	338	authctxt->pw = fakepw();
339	}	339	}
340		340
		341	/* Configuration may have changed as a result of Match */
		342	if (options.num_auth_methods != 0)
		343	fatal("AuthenticationMethods is not supported with SSH "
		344	"protocol 1");
		345
341	setproctitle("%s%s", authctxt->valid ? user : "unknown",	346	setproctitle("%s%s", authctxt->valid ? user : "unknown",
342	use_privsep ? " [net]" : "");	347	use_privsep ? " [net]" : "");
343		348

Lines 92-99 static void input_service_request(int, u_int32_t, void *); Link Here

(-)auth2.c (-17 / +195 lines)
92	static void input_userauth_request(int, u_int32_t, void *);	92	static void input_userauth_request(int, u_int32_t, void *);
93		93
94	/* helper */	94	/* helper */
95	static Authmethod authmethod_lookup(const char );	95	static Authmethod authmethod_lookup(Authctxt , const char *);
96	static char *authmethods_get(void);	96	static char authmethods_get(Authctxt authctxt);
		97	static int method_allowed(Authctxt , const char );
		98	static int list_starts_with(const char , const char );
97		99
98	char *	100	char *
99	auth2_read_banner(void)	101	auth2_read_banner(void)
Lines 235-240 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here
235	if (use_privsep)	237	if (use_privsep)
236	mm_inform_authserv(service, style);	238	mm_inform_authserv(service, style);
237	userauth_banner();	239	userauth_banner();
		240	if (auth2_setup_methods_lists(authctxt) != 0)
		241	packet_disconnect("no authentication methods enabled");
238	} else if (strcmp(user, authctxt->user) != 0 \|\|	242	} else if (strcmp(user, authctxt->user) != 0 \|\|
239	strcmp(service, authctxt->service) != 0) {	243	strcmp(service, authctxt->service) != 0) {
240	packet_disconnect("Change of username or service not allowed: "	244	packet_disconnect("Change of username or service not allowed: "
Lines 257-263 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here
257	authctxt->server_caused_failure = 0;	261	authctxt->server_caused_failure = 0;
258		262
259	/* try to authenticate user */	263	/* try to authenticate user */
260	m = authmethod_lookup(method);	264	m = authmethod_lookup(authctxt, method);
261	if (m != NULL && authctxt->failures < options.max_authtries) {	265	if (m != NULL && authctxt->failures < options.max_authtries) {
262	debug2("input_userauth_request: try method %s", method);	266	debug2("input_userauth_request: try method %s", method);
263	authenticated = m->userauth(authctxt);	267	authenticated = m->userauth(authctxt);
Lines 273-278 void Link Here
273	userauth_finish(Authctxt authctxt, int authenticated, char method)	277	userauth_finish(Authctxt authctxt, int authenticated, char method)
274	{	278	{
275	char *methods;	279	char *methods;
		280	int partial = 0;
276		281
277	if (!authctxt->valid && authenticated)	282	if (!authctxt->valid && authenticated)
278	fatal("INTERNAL ERROR: authenticated invalid user %s",	283	fatal("INTERNAL ERROR: authenticated invalid user %s",
Lines 289-295 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
289	if (authctxt->postponed)	294	if (authctxt->postponed)
290	return;	295	return;
291		296
292	/* XXX todo: check if multiple auth methods are needed */	297	if (authenticated && options.num_auth_methods != 0) {
		298	if (!auth2_update_methods_lists(authctxt, method)) {
		299	authenticated = 0;
		300	partial = 1;
		301	}
		302	}
		303
293	if (authenticated == 1) {	304	if (authenticated == 1) {
294	/* turn off userauth */	305	/* turn off userauth */
295	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);	306	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
Lines 305-338 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
305	authctxt->failures++;	316	authctxt->failures++;
306	if (authctxt->failures >= options.max_authtries)	317	if (authctxt->failures >= options.max_authtries)
307	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	318	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
308	methods = authmethods_get();	319	methods = authmethods_get(authctxt);
		320	debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
		321	partial, methods);
309	packet_start(SSH2_MSG_USERAUTH_FAILURE);	322	packet_start(SSH2_MSG_USERAUTH_FAILURE);
310	packet_put_cstring(methods);	323	packet_put_cstring(methods);
311	packet_put_char(0); /* XXX partial success, unused */	324	packet_put_char(partial);
312	packet_send();	325	packet_send();
313	packet_write_wait();	326	packet_write_wait();
314	xfree(methods);	327	xfree(methods);
315	}	328	}
316	}	329	}
317		330
		331	/*
		332	* Checks whether method is allowed by at least one AuthenticationMethods
		333	* methods list. Returns 1 if allowed, or no methods lists configured.
		334	* 0 otherwise.
		335	*/
		336	static int
		337	method_allowed(Authctxt authctxt, const char method)
		338	{
		339	u_int i;
		340
		341	if (options.num_auth_methods == 0)
		342	return 1;
		343	for (i = 0; i < authctxt->num_auth_methods; i++) {
		344	if (list_starts_with(authctxt->auth_methods[i], method))
		345	return 1;
		346	}
		347	return 0;
		348	}
		349
318	static char *	350	static char *
319	authmethods_get(void)	351	authmethods_get(Authctxt *authctxt)
320	{	352	{
321	Buffer b;	353	Buffer b;
322	char *list;	354	char *list;
323	int i;	355	u_int i;
324		356
325	buffer_init(&b);	357	buffer_init(&b);
326	for (i = 0; authmethods[i] != NULL; i++) {	358	for (i = 0; authmethods[i] != NULL; i++) {
327	if (strcmp(authmethods[i]->name, "none") == 0)	359	if (strcmp(authmethods[i]->name, "none") == 0)
328	continue;	360	continue;
329	if (authmethods[i]->enabled != NULL &&	361	if (authmethods[i]->enabled == NULL \|\|
330	*(authmethods[i]->enabled) != 0) {	362	*(authmethods[i]->enabled) == 0)
331	if (buffer_len(&b) > 0)	363	continue;
332	buffer_append(&b, ",", 1);	364	if (!method_allowed(authctxt, authmethods[i]->name))
333	buffer_append(&b, authmethods[i]->name,	365	continue;
334	strlen(authmethods[i]->name));	366	if (buffer_len(&b) > 0)
335	}	367	buffer_append(&b, ",", 1);
		368	buffer_append(&b, authmethods[i]->name,
		369	strlen(authmethods[i]->name));
336	}	370	}
337	buffer_append(&b, "\0", 1);	371	buffer_append(&b, "\0", 1);
338	list = xstrdup(buffer_ptr(&b));	372	list = xstrdup(buffer_ptr(&b));
Lines 341-347 authmethods_get(void) Link Here
341	}	375	}
342		376
343	static Authmethod *	377	static Authmethod *
344	authmethod_lookup(const char *name)	378	authmethod_lookup(Authctxt authctxt, const char name)
345	{	379	{
346	int i;	380	int i;
347		381
Lines 349-358 authmethod_lookup(const char *name) Link Here
349	for (i = 0; authmethods[i] != NULL; i++)	383	for (i = 0; authmethods[i] != NULL; i++)
350	if (authmethods[i]->enabled != NULL &&	384	if (authmethods[i]->enabled != NULL &&
351	*(authmethods[i]->enabled) != 0 &&	385	*(authmethods[i]->enabled) != 0 &&
352	strcmp(name, authmethods[i]->name) == 0)	386	strcmp(name, authmethods[i]->name) == 0 &&
		387	method_allowed(authctxt, authmethods[i]->name))
353	return authmethods[i];	388	return authmethods[i];
354	debug2("Unrecognized authentication method name: %s",	389	debug2("Unrecognized authentication method name: %s",
355	name ? name : "NULL");	390	name ? name : "NULL");
356	return NULL;	391	return NULL;
357	}	392	}
358		393
		394	/*
		395	* Check a comma-separated list of methods for validity. Is need_enable is
		396	* non-zero, then also require that the methods are enabled.
		397	* Returns 0 on success or -1 if the methods list is invalid.
		398	*/
		399	int
		400	auth2_methods_valid(const char *_methods, int need_enable)
		401	{
		402	char methods, omethods, *method;
		403	u_int i, found;
		404	int ret = -1;
		405
		406	if (*_methods == '\0') {
		407	error("empty authentication method list");
		408	return -1;
		409	}
		410	omethods = methods = xstrdup(_methods);
		411	while ((method = strsep(&methods, ",")) != NULL) {
		412	for (found = i = 0; !found && authmethods[i] != NULL; i++) {
		413	if (strcmp(method, authmethods[i]->name) != 0)
		414	continue;
		415	if (need_enable) {
		416	if (authmethods[i]->enabled == NULL \|\|
		417	*(authmethods[i]->enabled) == 0) {
		418	error("Disabled method \"%s\" in "
		419	"AuthenticationMethods list \"%s\"",
		420	method, _methods);
		421	goto out;
		422	}
		423	}
		424	found = 1;
		425	break;
		426	}
		427	if (!found) {
		428	error("Unknown authentication method \"%s\" in list",
		429	method);
		430	goto out;
		431	}
		432	}
		433	ret = 0;
		434	out:
		435	free(omethods);
		436	return ret;
		437	}
		438
		439	/*
		440	* Prune the AuthenticationMethods supplied in the configuration, removing
		441	* any methods lists that include disabled methods. Note that this might
		442	* leave authctxt->num_auth_methods == 0, even when multiple required auth
		443	* has been requested. For this reason, all tests for whether multiple is
		444	* enabled should consult options.num_auth_methods directly.
		445	*/
		446	int
		447	auth2_setup_methods_lists(Authctxt *authctxt)
		448	{
		449	u_int i;
		450
		451	if (options.num_auth_methods == 0)
		452	return 0;
		453	debug3("%s: checking methods", __func__);
		454	authctxt->auth_methods = xcalloc(options.num_auth_methods,
		455	sizeof(*authctxt->auth_methods));
		456	authctxt->num_auth_methods = 0;
		457	for (i = 0; i < options.num_auth_methods; i++) {
458	if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
459	logit("Authentication methods list \"%s\" contains "
460	"disabled method, skipping",
461	options.auth_methods[i]);
462	continue;
463	}
464	debug("authentication methods list %d: %s",
465	authctxt->num_auth_methods, options.auth_methods[i]);
466	authctxt->auth_methods[authctxt->num_auth_methods++] =
467	xstrdup(options.auth_methods[i]);
468	}
469	if (authctxt->num_auth_methods == 0) {
470	error("No AuthenticationMethods left after eliminating "
471	"disabled methods");
472	return -1;
473	}
474	return 0;
475	}
476
477	static int
478	list_starts_with(const char methods, const char method)
479	{
480	size_t l = strlen(method);
481
482	if (strncmp(methods, method, l) != 0)
483	return 0;
484	if (methods[l] != ',' && methods[l] != '\0')
485	return 0;
486	return 1;
487	}
488
489	/*
490	* Remove method from the start of a comma-separated list of methods.
491	* Returns 0 if the list of methods did not start with that method or 1
492	* if it did.
493	*/
494	static int
495	remove_method(char *methods, const char method)
496	{
497	char omethods = methods;
498	size_t l = strlen(method);
499
500	if (!list_starts_with(omethods, method))
501	return 0;
502	*methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
503	free(omethods);
504	return 1;
505	}
506
507	/*
508	* Called after successful authentication. Will remove the successful method
509	* from the start of each list in which it occurs. If it was the last method
510	* in any list, then authentication is deemed successful.
511	* Returns 1 if the method completed any authentication list or 0 otherwise.
512	*/
513	int
514	auth2_update_methods_lists(Authctxt authctxt, const char method)
515	{
516	u_int i, found = 0;
517
518	debug3("%s: updating methods list after \"%s\"", __func__, method);
519	for (i = 0; i < authctxt->num_auth_methods; i++) {
520	if (!remove_method(&(authctxt->auth_methods[i]), method))
521	continue;
522	found = 1;
523	if (*authctxt->auth_methods[i] == '\0') {
524	debug2("authentication methods list %d complete", i);
525	return 1;
526	}
527	debug3("authentication methods list %d remaining: \"%s\"",
528	i, authctxt->auth_methods[i]);
529	}
530	/* This should not happen, but would be bad if it did */
531	if (!found)
532	fatal("%s: method not in AuthenticationMethods", __func__);
533	return 0;
534	}
535
536




	while (!authenticated) {
		auth_method = "unknown";
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);

		/* Special handling for multiple required authentications */
		if (options.num_auth_methods != 0) {
			if (!compat20)
				fatal("AuthenticationMethods is not supported"
				    "with SSH protocol 1");
			if (authenticated &&
			    !auth2_update_methods_lists(authctxt,
			    auth_method)) {
				debug3("%s: method %s: partial", __func__,
				    auth_method);
				authenticated = 0;
			}
		}

		if (authenticated) {
			if (!(ent->flags & MON_AUTHDECIDE))
				fatal("%s: unexpected authentication from %d",

			    !auth_root_allowed(auth_method))
				authenticated = 0;
		}

		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
			auth_log(authctxt, authenticated, auth_method,
			    compat20 ? " ssh2" : "");

	COPY_MATCH_STRING_OPTS();
#undef M_CP_STROPT
#undef M_CP_STRARRAYOPT

	/* Create valid auth method lists */
	if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
		/*
		 * The monitor will continue long enough to let the child
		 * run to it's packet_disconnect(), but it must not allow any
		 * authentication to succeed.
		 */
		debug("%s: no valid authentication method lists", __func__);
	}

	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
	mm_request_send(sock, MONITOR_ANS_PWNAM, m);


	debug3("%s: sending authenticated: %d", __func__, authok);
	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);

	if (compat20)
		auth_method = "keyboard-interactive";
	else
		auth_method = "bsdauth";

	return (authok != 0);
}

Lines 46-51 Link Here

(-)servconf.c (+24 lines)
46	#include "groupaccess.h"	46	#include "groupaccess.h"
47	#include "canohost.h"	47	#include "canohost.h"
48	#include "packet.h"	48	#include "packet.h"
		49	#include "hostfile.h"
		50	#include "auth.h"
49		51
50	static void add_listen_addr(ServerOptions , char , int);	52	static void add_listen_addr(ServerOptions , char , int);
51	static void add_one_listen_addr(ServerOptions , char , int);	53	static void add_one_listen_addr(ServerOptions , char , int);
Lines 305-310 typedef enum { Link Here
305	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	307	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
306	sKexAlgorithms, sIPQoS, sVersionAddendum,	308	sKexAlgorithms, sIPQoS, sVersionAddendum,
307	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,	309	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
		310	sAuthenticationMethods,
308	sDeprecated, sUnsupported	311	sDeprecated, sUnsupported
309	} ServerOpCodes;	312	} ServerOpCodes;
310		313
Lines 420-425 static struct { Link Here
420	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },	423	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
421	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },	424	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
422	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },	425	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
		426	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
423	{ NULL, sBadOption, 0 }	427	{ NULL, sBadOption, 0 }
424	};	428	};
425		429
Lines 1477-1482 process_server_config_line(ServerOptions options, char line, Link Here
1477	*charptr = xstrdup(arg);	1481	*charptr = xstrdup(arg);
1478	break;	1482	break;
1479		1483
		1484	case sAuthenticationMethods:
		1485	if (*activep && options->num_auth_methods == 0) {
		1486	while ((arg = strdelim(&cp)) && *arg != '\0') {
		1487	if (options->num_auth_methods >=
		1488	MAX_AUTH_METHODS)
		1489	fatal("%s line %d: "
		1490	"too many authentication methods.",
		1491	filename, linenum);
		1492	if (auth2_methods_valid(arg, 0) != 0)
		1493	fatal("%s line %d: invalid "
		1494	"authentication method list.",
		1495	filename, linenum);
		1496	options->auth_methods[
		1497	options->num_auth_methods++] = xstrdup(arg);
		1498	}
		1499	}
		1500	return 0;
		1501
1480	case sDeprecated:	1502	case sDeprecated:
1481	logit("%s line %d: Deprecated option %s",	1503	logit("%s line %d: Deprecated option %s",
1482	filename, linenum, arg);	1504	filename, linenum, arg);
Lines 1903-1908 dump_config(ServerOptions *o) Link Here
1903	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);	1925	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1904	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);	1926	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1905	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);	1927	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
		1928	dump_cfg_strarray_oneline(sAuthenticationMethods,
		1929	o->num_auth_methods, o->auth_methods);
1906		1930
1907	/* other arguments */	1931	/* other arguments */
1908	for (i = 0; i < o->num_subsystems; i++)	1932	for (i = 0; i < o->num_subsystems; i++)

Lines 28-33 Link Here

(-)servconf.h (+5 lines)
28	#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */	28	#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */
29	#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */	29	#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */
30	#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */	30	#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */
		31	#define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */
31		32
32	/* permit_root_login */	33	/* permit_root_login */
33	#define PERMIT_NOT_SET -1	34	#define PERMIT_NOT_SET -1
Lines 168-173 typedef struct { Link Here
168	char *authorized_keys_command_user;	169	char *authorized_keys_command_user;
169		170
170	char version_addendum; / Appended to SSH banner */	171	char version_addendum; / Appended to SSH banner */
		172
		173	u_int num_auth_methods;
		174	char *auth_methods[MAX_AUTH_METHODS];
171	} ServerOptions;	175	} ServerOptions;
172		176
173	/* Information about the incoming connection as used by Match */	177	/* Information about the incoming connection as used by Match */
Lines 197-202 struct connection_info { Link Here
197	M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \	201	M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
198	M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \	202	M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
199	M_CP_STRARRAYOPT(accept_env, num_accept_env); \	203	M_CP_STRARRAYOPT(accept_env, num_accept_env); \
		204	M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
200	} while (0)	205	} while (0)
201		206
202	struct connection_info *get_connection_info(int, int);	207	struct connection_info *get_connection_info(int, int);




	int remote_port;
	char *line;
	int config_s[2] = { -1 , -1 };
	u_int n;
	u_int64_t ibytes, obytes;
	mode_t new_umask;
	Key *key;

	if (options.challenge_response_authentication)
		options.kbd_interactive_authentication = 1;

	/*
	 * Check whether there is any path through configured auth methods.
	 * Unfortunately it is not possible to verify this generally before
	 * daemonisation in the presence of Match block, but this catches
	 * and warns for trivial misconfigurations that could break login.
	 */
	if (options.num_auth_methods != 0) {
		if ((options.protocol & SSH_PROTO_1))
			fatal("AuthenticationMethods is not supported with "
			    "SSH protocol 1");
		for (n = 0; n < options.num_auth_methods; n++) {
			if (auth2_methods_valid(options.auth_methods[n],
			    1) == 0)
				break;
		}
		if (n >= options.num_auth_methods)
			fatal("AuthenticationMethods cannot be satisfied by "
			    "enabled authentication methods");
	}

	/* set default channel AF */
	channel_set_af(options.address_family);


Return to bug 983

Lines 301-306 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here

(-)monitor.c (-3 / +30 lines)
301	while (!authenticated) {	301	while (!authenticated) {
302	auth_method = "unknown";	302	auth_method = "unknown";
303	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);	303	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
		304
		305	/* Special handling for multiple required authentications */
		306	if (options.num_auth_methods != 0) {
		307	if (!compat20)
		308	fatal("AuthenticationMethods is not supported"
		309	"with SSH protocol 1");
		310	if (authenticated &&
		311	!auth2_update_methods_lists(authctxt,
		312	auth_method)) {
		313	debug3("%s: method %s: partial", __func__,
		314	auth_method);
		315	authenticated = 0;
		316	}
		317	}
		318
304	if (authenticated) {	319	if (authenticated) {
305	if (!(ent->flags & MON_AUTHDECIDE))	320	if (!(ent->flags & MON_AUTHDECIDE))
306	fatal("%s: unexpected authentication from %d",	321	fatal("%s: unexpected authentication from %d",
Lines 309-315 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
309	!auth_root_allowed(auth_method))	324	!auth_root_allowed(auth_method))
310	authenticated = 0;	325	authenticated = 0;
311	}	326	}
312
313	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {	327	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {
314	auth_log(authctxt, authenticated, auth_method,	328	auth_log(authctxt, authenticated, auth_method,
315	compat20 ? " ssh2" : "");	329	compat20 ? " ssh2" : "");
Lines 687-693 mm_answer_pwnamallow(int sock, Buffer *m) Link Here
687	COPY_MATCH_STRING_OPTS();	701	COPY_MATCH_STRING_OPTS();
688	#undef M_CP_STROPT	702	#undef M_CP_STROPT
689	#undef M_CP_STRARRAYOPT	703	#undef M_CP_STRARRAYOPT
690		704
		705	/* Create valid auth method lists */
		706	if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
		707	/*
		708	* The monitor will continue long enough to let the child
		709	* run to it's packet_disconnect(), but it must not allow any
		710	* authentication to succeed.
		711	*/
		712	debug("%s: no valid authentication method lists", __func__);
		713	}
		714
691	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);	715	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
692	mm_request_send(sock, MONITOR_ANS_PWNAM, m);	716	mm_request_send(sock, MONITOR_ANS_PWNAM, m);
693		717
Lines 819-825 mm_answer_bsdauthrespond(int sock, Buffer *m) Link Here
819	debug3("%s: sending authenticated: %d", __func__, authok);	843	debug3("%s: sending authenticated: %d", __func__, authok);
820	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);	844	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
821		845
822	auth_method = "bsdauth";	846	if (compat20)
		847	auth_method = "keyboard-interactive";
		848	else
		849	auth_method = "bsdauth";
823		850
824	return (authok != 0);	851	return (authok != 0);
825	}	852	}

Lines 1302-1307 main(int ac, char **av) Link Here

(-)sshd.c (+21 lines)
1302	int remote_port;	1302	int remote_port;
1303	char *line;	1303	char *line;
1304	int config_s[2] = { -1 , -1 };	1304	int config_s[2] = { -1 , -1 };
		1305	u_int n;
1305	u_int64_t ibytes, obytes;	1306	u_int64_t ibytes, obytes;
1306	mode_t new_umask;	1307	mode_t new_umask;
1307	Key *key;	1308	Key *key;
Lines 1490-1495 main(int ac, char **av) Link Here
1490	if (options.challenge_response_authentication)	1491	if (options.challenge_response_authentication)
1491	options.kbd_interactive_authentication = 1;	1492	options.kbd_interactive_authentication = 1;
1492		1493
		1494	/*
		1495	* Check whether there is any path through configured auth methods.
		1496	* Unfortunately it is not possible to verify this generally before
		1497	* daemonisation in the presence of Match block, but this catches
		1498	* and warns for trivial misconfigurations that could break login.
		1499	*/
		1500	if (options.num_auth_methods != 0) {
		1501	if ((options.protocol & SSH_PROTO_1))
		1502	fatal("AuthenticationMethods is not supported with "
		1503	"SSH protocol 1");
		1504	for (n = 0; n < options.num_auth_methods; n++) {
		1505	if (auth2_methods_valid(options.auth_methods[n],
		1506	1) == 0)
		1507	break;
		1508	}
		1509	if (n >= options.num_auth_methods)
		1510	fatal("AuthenticationMethods cannot be satisfied by "
		1511	"enabled authentication methods");
		1512	}
		1513
1493	/* set default channel AF */	1514	/* set default channel AF */
1494	channel_set_af(options.address_family);	1515	channel_set_af(options.address_family);
1495		1516