
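--- a/openssh-4.7p1/auth2-passwd.c
+++ b/openssh-4.7p1/auth2-passwd.c
@@ -72,10 +72,11 @@
 	if (check_nt_auth(1, authctxt->pw) == 0)
 		authenticated = 0;
 #endif
 	memset(password, 0, len);
 	xfree(password);
+	auth2_multiple_auth("password", authctxt, &authenticated);
 	return authenticated;
 }
 
 Authmethod method_passwd = {
 	"password",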
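--- a/openssh-4.7p1/auth2-pubkey.c
+++ b/openssh-4.7p1/auth2-pubkey.c
@@ -137,10 +137,11 @@
 		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 		    buffer_len(&b))) == 1)
 			authenticated = 1;
 		buffer_free(&b);
 		xfree(sig);
+		auth2_multiple_auth("publickey", authctxt, &authenticated);
 	} else {
 		debug("test whether pkalg/pkblob are acceptable");
 		packet_check_eom();
 
 		/* XXX fake reply and always send PK_OK ? */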
(-)openssh-4.7p1/auth2.c (-1 / +44 lines)
Lines 250-261 Link Here
250
#endif /* _UNICOS */
250
#endif /* _UNICOS */
251
251
252
	/* Log before sending the reply */
252
	/* Log before sending the reply */
253
	auth_log(authctxt, authenticated, method, " ssh2");
253
	auth_log(authctxt, authenticated, method, " ssh2");
254
254
255
	if (authctxt->postponed)
255
	if (authctxt->postponed) {
256
		if (!authctxt->multiple_auth_failure &&
257
			authctxt->multiple_auth.flags)
258
			goto fake_auth_failure;
256
		return;
259
		return;
260
	}
257
261
258
	/* XXX todo: check if multiple auth methods are needed */
262
	/* XXX todo: check if multiple auth methods are needed */
259
	if (authenticated == 1) {
263
	if (authenticated == 1) {
260
		/* turn off userauth */
264
		/* turn off userauth */
261
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
265
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
Lines 269-288 Link Here
269
#ifdef SSH_AUDIT_EVENTS
273
#ifdef SSH_AUDIT_EVENTS
270
			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
274
			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
271
#endif
275
#endif
272
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
276
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
273
		}
277
		}
278
fake_auth_failure:
274
		methods = authmethods_get();
279
		methods = authmethods_get();
275
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
280
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
276
		packet_put_cstring(methods);
281
		packet_put_cstring(methods);
277
		packet_put_char(0);	/* XXX partial success, unused */
282
		packet_put_char(0);	/* XXX partial success, unused */
278
		packet_send();
283
		packet_send();
279
		packet_write_wait();
284
		packet_write_wait();
280
		xfree(methods);
285
		xfree(methods);
281
	}
286
	}
282
}
287
}
283
288
289
void
290
auth2_multiple_auth(const char *method, Authctxt *authctxt, int *authenticated)
291
{
292
	debug3("%s[%d],entry,method %s,auth(%d,%d,%d),*auth %d,postponed %d",
293
		__func__, getpid(), method, authctxt->multiple_auth_failure,
294
		authctxt->multiple_auth.pubkey_passwd.passwd,
295
		authctxt->multiple_auth.pubkey_passwd.pubkey, *authenticated,
296
		authctxt->postponed);
297
298
	if (options.require_both_password_and_pub_key == 1 &&
299
		(!strcasecmp(method, "password") ||
300
		!strcasecmp(method, "publickey"))) {
301
		if (!*authenticated && !strcasecmp(method, "publickey"))
302
			authctxt->multiple_auth_failure = 1;
303
		else if (!authctxt->multiple_auth_failure) {
304
			if (!strcasecmp(method, "password"))
305
				authctxt->
306
					multiple_auth.pubkey_passwd.passwd = 1;
307
			else if (!strcasecmp(method, "publickey"))
308
				authctxt->
309
					multiple_auth.pubkey_passwd.pubkey = 1;
310
311
			if (!authctxt->multiple_auth.pubkey_passwd.passwd ||
312
				!authctxt->multiple_auth.pubkey_passwd.pubkey) {
313
				authctxt->postponed = 1;
314
				*authenticated = 0;
315
			}
316
		}
317
		else
318
			*authenticated = 0;
319
	}
320
	debug3("%s[%d],exit,multiple_auth (%d,%d,%d),*auth %d,postponed %d",
321
		__func__, getpid(), authctxt->multiple_auth_failure,
322
		authctxt->multiple_auth.pubkey_passwd.passwd,
323
		authctxt->multiple_auth.pubkey_passwd.pubkey, *authenticated,
324
		authctxt->postponed);
325
}
326
284
static char *
327
static char *
285
authmethods_get(void)
328
authmethods_get(void)
286
{
329
{
287
	Buffer b;
330
	Buffer b;
288
	char *list;
331
	char *list;
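Review bot: auth2_multiple_auth (new lines 289-325) records the password factor as satisfied without looking at *authenticated: only the publickey branch tests `!*authenticated`, so a failed password request falls into the `else if (!authctxt->multiple_auth_failure)` branch and sets pubkey_passwd.passwd = 1 exactly as a correct password would. Once one signed publickey request has succeeded (before or after that failed password), both bits are set, the `if (!passwd || !pubkey)` guard no longer clears *authenticated, and the next successful publickey request completes authentication, so the password factor is not actually enforced; the same function is reached from auth2-passwd.c, auth2-pubkey.c and monitor.c, so all three call sites inherit this. Changing that line to `else if (*authenticated && !authctxt->multiple_auth_failure) {` routes a failed password to the trailing `else`, which leaves *authenticated at 0 and touches no flags. The jump to fake_auth_failure from the postponed check at new lines 255-260 also skips authctxt->failures++, which looks intended for a partial success but deserves a comment such as `/* partial success: send USERAUTH_FAILURE without counting toward MaxAuthTries */`.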
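--- a/openssh-4.7p1/monitor.c
+++ b/openssh-4.7p1/monitor.c
@@ -376,10 +376,13 @@
 			auth_log(authctxt, authenticated, auth_method,
 			    compat20 ? " ssh2" : "");
 			if (!authenticated)
 				authctxt->failures++;
 		}
+		if ((ent->type == MONITOR_REQ_KEYVERIFY ||
+			ent->type == MONITOR_REQ_AUTHPASSWORD))
+			auth2_multiple_auth(auth_method, authctxt, &authenticated);
 	}
 
 	if (!authctxt->valid)
 		fatal("%s: authenticated invalid user", __func__);
 	if (strcmp(auth_method, "unknown") == 0)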
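Review bot: The new call at lines 381-383 runs auth2_multiple_auth on the monitor's own Authctxt, so the privileged process tracks both factors independently of the unprivileged child, which makes the same call from auth2-passwd.c and auth2-pubkey.c; that is the right place for the enforcing check, but nothing in the code says so, and a comment such as `/* multiple-auth state is per process: the monitor enforces it on its own copy */` would keep a later cleanup from dropping one side. The doubled parentheses in `if ((ent->type == MONITOR_REQ_KEYVERIFY || ent->type == MONITOR_REQ_AUTHPASSWORD))` are a style nit; one pair reads as intended. The enclosing loop starts before the hunk.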
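--- a/openssh-4.7p1/servconf.c
+++ b/openssh-4.7p1/servconf.c
@@ -117,10 +117,11 @@
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
 	options->num_accept_env = 0;
+	options->require_both_password_and_pub_key = -1;
 	options->permit_tun = -1;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 }
 
@@ -245,10 +246,15 @@
 		else
 			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
 	}
 	if (options->authorized_keys_file == NULL)
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+	if (options->require_both_password_and_pub_key == -1)
+		options->require_both_password_and_pub_key = 0;
+	else if (options->require_both_password_and_pub_key == 1)
+		options->password_authentication =
+			options->pubkey_authentication = 1;
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
@@ -291,10 +297,11 @@
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
+	sRequireBothPasswordAndPubKey,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
 #define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
@@ -397,10 +404,11 @@
 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+	{ "requirebothpasswordandpubkey", sRequireBothPasswordAndPubKey },
 	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
  	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
@@ -949,10 +957,14 @@
 			    "argument: %s", filename, linenum, arg);
 		if (*intptr == -1)
 			*intptr = value;
 		break;
 
+	case sRequireBothPasswordAndPubKey:
+		intptr = &options->require_both_password_and_pub_key;
+		goto parse_flag;
+
 	case sGatewayPorts:
 		intptr = &options->gateway_ports;
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing yes/no/clientspecified "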
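Review bot: The keyword entry `{ "requirebothpasswordandpubkey", sRequireBothPasswordAndPubKey },` at new line 409 omits the flags member that every neighbouring entry carries, so it is zero-initialised and is neither SSHCFG_GLOBAL nor SSHCFG_MATCH; how process_server_config_line treats a zero flags value is outside the hunk, but the entry should read `{ "requirebothpasswordandpubkey", sRequireBothPasswordAndPubKey, SSHCFG_GLOBAL },` like its neighbours. The defaults block at new lines 251-255 silently forces password_authentication and pubkey_authentication to 1 when the option is enabled, even where the administrator explicitly disabled one of them; the man page documents the override, but logging it at that point would make the effective configuration visible in the server log rather than only in the manual.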
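--- a/openssh-4.7p1/servconf.h
+++ b/openssh-4.7p1/servconf.h
@@ -90,10 +90,11 @@
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
 	int     challenge_response_authentication;
+	int	require_both_password_and_pub_key;
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */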
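Review bot: The new member at line 95 is the only one in this run without a purpose comment, and it uses a tab after `int` where the neighbours use spaces; `int     require_both_password_and_pub_key;	/* If true, a login needs both a password and a pubkey */` would match the surrounding style and document the -1/0/1 convention the parser relies on.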
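--- a/openssh-4.7p1/auth.h
+++ b/openssh-4.7p1/auth.h
@@ -69,10 +69,18 @@
 	char		*krb5_ticket_file;
 	char		*krb5_ccname;
 #endif
 	Buffer		*loginmsg;
 	void		*methoddata;
+	union {
+		struct {
+			unsigned passwd : 1;
+			unsigned pubkey : 1;
+		} pubkey_passwd;
+		unsigned flags;
+	} multiple_auth;
+	unsigned multiple_auth_failure : 1; 
 };
 /*
  * Every authentication method has to handle authentication requests for
  * non-existing users, or for users that are not allowed to login. In this
  * case 'valid' is set to 0, but 'user' points to the username requested by
@@ -149,10 +157,11 @@
 
 void	privsep_challenge_enable(void);
 
 int	auth2_challenge(Authctxt *, char *);
 void	auth2_challenge_stop(Authctxt *);
+void	auth2_multiple_auth(const char *, Authctxt *, int *);
 int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int	bsdauth_respond(void *, u_int, char **);
 int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int	skey_respond(void *, u_int, char **);
 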
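Review bot: multiple_auth at new lines 74-80 overlays a two-bit struct with `unsigned flags` so that auth2.c can test all factor bits at once; reading flags after writing the bitfields is a union type pun whose bit placement is implementation-defined, which is acceptable for a non-zero test only, and that restriction should be written down, e.g. `unsigned flags;	/* aliases the bitfields: only ever compared against zero */`. The new members are never initialised in this patch, so the state machine relies on the Authctxt being zeroed at allocation (presumably by the caller's allocator — not visible here), which is worth a comment on the struct. `unsigned multiple_auth_failure : 1;` also carries a trailing space.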
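--- a/openssh-4.7p1/sshd_config.5
+++ b/openssh-4.7p1/sshd_config.5
@@ -709,10 +709,24 @@
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RequireBothPasswordAndPubKey
+Specifies whether both password and public key authentication must
+be successful before authentication is allowed.  If 
+.Dq yes ,
+then this option performs both types of authentication, overriding any
+values for the
+.Cm PubkeyAuthentication
+and
+.Cm PasswordAuthentication
+options, setting both implicitly to 
+.Dq yes .
+The default is
+.Dq no .
+This option applies to protocol version 2 only.
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
 The default is
 .Dq no .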
