
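--- a/openssh-4.7p1/monitor.c
+++ b/openssh-4.7p1/monitor.c
@@ -327,5 +327,7 @@
 {
 	struct mon_table *ent;
 	int authenticated = 0;
+	int num_required_auth_methods_remaining = 
+		options.num_required_auth_methods-1;
 
 	debug3("preauth child monitor started");
@@ -358,6 +360,8 @@
 			if (authctxt->pw->pw_uid == 0 &&
 			    !auth_root_allowed(auth_method))
 				authenticated = 0;
+			if (num_required_auth_methods_remaining--) 
+				authenticated = 0;
 #ifdef USE_PAM
 			/* PAM needs to perform account checks after auth */
 			if (options.use_pam && authenticated) {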
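Review bot: The countdown added at new line 363 is satisfied by any successful decision, so the same method succeeding twice (for example two password verifications) uses up the required count, whereas the auth2.c side of this patch only counts distinct methods through a bitmask; since the privileged monitor is the side that must not trust the unprivileged child, it should apply the same per-method rule keyed on auth_method rather than a plain counter, otherwise the two processes can disagree about when authentication is complete. The decrement also runs after the root check has already cleared authenticated, so a denied root login still consumes one of the required successes. Because authenticated is forced back to 0 on these partial successes, any logging further down this loop that keys on the cleared value would record a genuine success as a failure; a dedicated line such as `debug("partial success for %s, %d more method(s) required", auth_method, num_required_auth_methods_remaining);` before clearing it would keep the audit trail accurate. monitor_child_preauth begins and ends outside the hunks.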
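--- a/openssh-4.7p1/auth.h
+++ b/openssh-4.7p1/auth.h
@@ -53,6 +53,7 @@
 	int		 valid;		/* user exists and is allowed to login */
 	int		 attempt;
 	int		 failures;
+	int              passed;
 	int		 force_pwchange;
 	char		*user;		/* username sent by the client */
 	char		*service;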
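Review bot: The new `passed` field at line 56 carries no comment although its encoding is not obvious from the header: in the auth2.c hunks it is used as a bitmask where bit j is set once authmethods[j] has succeeded, and authmethods_get() masks those bits out of the advertised list. Suggest `int		 passed;	/* bitmask of succeeded methods, bit j = authmethods[j] */`, which also restores the tab alignment the surrounding fields use instead of the spaces on the added line.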
(-)openssh-4.7p1/auth2.c (-11 / +34 lines)
Lines 86-92 Link Here
86
86
87
/* helper */
87
/* helper */
88
static Authmethod *authmethod_lookup(const char *);
88
static Authmethod *authmethod_lookup(const char *);
89
static char *authmethods_get(void);
89
static char *authmethods_get(int);
90
int user_key_allowed(struct passwd *, Key *);
90
int user_key_allowed(struct passwd *, Key *);
91
91
92
/*
92
/*
Lines 213-218 Link Here
213
userauth_finish(Authctxt *authctxt, int authenticated, char *method)
213
userauth_finish(Authctxt *authctxt, int authenticated, char *method)
214
{
214
{
215
	char *methods;
215
	char *methods;
216
	int success = 0;
216
217
217
	if (!authctxt->valid && authenticated)
218
	if (!authctxt->valid && authenticated)
218
		fatal("INTERNAL ERROR: authenticated invalid user %s",
219
		fatal("INTERNAL ERROR: authenticated invalid user %s",
Lines 256-261 Link Here
256
		return;
257
		return;
257
258
258
	/* XXX todo: check if multiple auth methods are needed */
259
	/* XXX todo: check if multiple auth methods are needed */
260
	/* Check if enough multiple auth methods have passed */
261
	if (authenticated == 1) {
262
		int passed;
263
		int k;
264
		int j;
265
266
		for (j = 0, k = 1, passed = 0; authmethods[j] != NULL; j++, k <<= 1) {
267
		if (strncmp (method, authmethods[j]->name, strlen (authmethods[j]->name)) == 0)
268
				authctxt->passed |= k;
269
			if (authctxt->passed & k)
270
				++passed;
271
		}
272
		if (passed < options.num_required_auth_methods) {
273
			success = 1;
274
			authenticated = 0;
275
		}
276
	} else {
277
		if (authctxt->failures++ > options.max_authtries) {
278
#ifdef SSH_AUDIT_EVENTS
279
			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
280
#endif
281
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
282
		}
283
	}
284
259
	if (authenticated == 1) {
285
	if (authenticated == 1) {
260
		/* turn off userauth */
286
		/* turn off userauth */
261
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
287
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
Lines 265-280 Link Here
265
		/* now we can break out */
291
		/* now we can break out */
266
		authctxt->success = 1;
292
		authctxt->success = 1;
267
	} else {
293
	} else {
268
		if (authctxt->failures++ > options.max_authtries) {
294
		methods = authmethods_get(authctxt->passed);
269
#ifdef SSH_AUDIT_EVENTS
270
			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
271
#endif
272
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
273
		}
274
		methods = authmethods_get();
275
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
295
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
276
		packet_put_cstring(methods);
296
		packet_put_cstring(methods);
277
		packet_put_char(0);	/* XXX partial success, unused */
297
		packet_put_char(success);
278
		packet_send();
298
		packet_send();
279
		packet_write_wait();
299
		packet_write_wait();
280
		xfree(methods);
300
		xfree(methods);
Lines 282-297 Link Here
282
}
302
}
283
303
284
static char *
304
static char *
285
authmethods_get(void)
305
authmethods_get(int passed)
286
{
306
{
287
	Buffer b;
307
	Buffer b;
288
	char *list;
308
	char *list;
289
	int i;
309
	int i;
310
	int k;
290
311
291
	buffer_init(&b);
312
	buffer_init(&b);
292
	for (i = 0; authmethods[i] != NULL; i++) {
313
	for (i = 0, k = 1; authmethods[i] != NULL; i++, k <<= 1) {
293
		if (strcmp(authmethods[i]->name, "none") == 0)
314
		if (strcmp(authmethods[i]->name, "none") == 0)
294
			continue;
315
			continue;
316
		if (passed & k)
317
			continue;
295
		if (authmethods[i]->enabled != NULL &&
318
		if (authmethods[i]->enabled != NULL &&
296
		    *(authmethods[i]->enabled) != 0) {
319
		    *(authmethods[i]->enabled) != 0) {
297
			if (buffer_len(&b) > 0)
320
			if (buffer_len(&b) > 0)
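Review bot: The method match in the new loop at line 267 uses `strncmp(method, authmethods[j]->name, strlen(authmethods[j]->name))`, a prefix comparison, so any method string that merely starts with a registered name would set that method's bit; the bitmask wants an exact `if (strcmp(method, authmethods[j]->name) == 0)` (that line is also indented one level short of the loop body). The partial-success check sits after the `if (authctxt->postponed) return;` at line 256, so if auth_log is still called just above it as in the unpatched function, a partial success is logged as an accepted authentication before the session is actually authenticated; moving the check ahead of the log call, or emitting a separate partial-success log line, would keep the record faithful. Note as well that this side counts a repeated method once while the monitor.c hunk counts raw successes, so both sides should share one rule. userauth_finish and authmethods_get both continue outside the hunks.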
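--- a/openssh-4.7p1/servconf.h
+++ b/openssh-4.7p1/servconf.h
@@ -92,6 +92,8 @@
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
 	int     challenge_response_authentication;
+	int     num_required_auth_methods; /* Minimum number of auth methods
+					that must succeed. */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */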
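--- a/openssh-4.7p1/servconf.c
+++ b/openssh-4.7p1/servconf.c
@@ -94,6 +94,7 @@
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
+	options->num_required_auth_methods = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->use_login = -1;
@@ -212,6 +213,8 @@
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)
 		options->challenge_response_authentication = 1;
+	if (options->num_required_auth_methods == -1)
+		options->num_required_auth_methods = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
@@ -275,8 +278,8 @@
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken,
-	sKerberosTgtPassing, sChallengeResponseAuthentication,
+	sKerberosGetAFSToken, sKerberosTgtPassing,
+	sNumRequiredAuthMethods, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -359,6 +362,7 @@
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+	{ "numrequiredauthmethods", sNumRequiredAuthMethods, SSHCFG_GLOBAL},
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -887,6 +891,10 @@
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case sNumRequiredAuthMethods:
+		intptr = &options->num_required_auth_methods;
+		goto parse_int;
+
 	case sPrintMotd:
 		intptr = &options->print_motd;
 		goto parse_flag;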
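Review bot: `sNumRequiredAuthMethods` at new line 894 goes through `parse_int` with no range check and fill_default_server_options at line 216 only replaces -1, so a configured 0 or negative value is accepted; with monitor.c initialising its countdown to `options.num_required_auth_methods-1`, such a value appears to make the monitor clear authenticated on every success, and a value above the number of methods the server has enabled can never be satisfied. Suggest rejecting values below 1 right after the new default, `if (options->num_required_auth_methods < 1) fatal("NumRequiredAuthMethods must be at least 1.");`, and stating the upper bound in sshd_config.5. Minor: the keyword entry at line 365 lacks the space before `}` that the neighbouring entries have.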
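--- a/openssh-4.7p1/sshd_config.5
+++ b/openssh-4.7p1/sshd_config.5
@@ -559,10 +559,19 @@
 are refused if the number of unauthenticated connections reaches
 .Dq full
 (60).
+
+.It Cm NumRequiredAuthMethods
+Specifies how many authentication methods must succeed during ssh2
+authentication. There are four potential methods: publickey, password,
+keyboard-interactive, and hostbased. Setting this value to 2 or higher forces
+the client to successfully authenticate in multiple ways, for example, using
+both S/Key and publickey.
+
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.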
