[patch]
Updates the RequireBothPasswordAndPubKey patch to 4.7p1
require-both-pubkey-pwd.patch (text/plain), 9.21 KB, created by
Paul Sery
on 2008-02-16 06:02:30 AEDT
Description:
Updates the RequireBothPasswordAndPubKey patch to 4.7p1
Filename:
MIME Type:
Creator:
Paul Sery
Created:
2008-02-16 06:02:30 AEDT
Size:
9.21 KB
patch
obsolete
>--- openssh-4.7p1/auth2-passwd.c 2006-08-04 20:39:39.000000000 -0600
>+++ openssh-both-pubkeypwd/auth2-passwd.c 2008-02-15 11:32:03.000000000 -0700
>@@ -72,10 +72,11 @@
> if (check_nt_auth(1, authctxt->pw) == 0)
> authenticated = 0;
> #endif
> memset(password, 0, len);
> xfree(password);
>+ auth2_multiple_auth("password", authctxt, &authenticated);
> return authenticated;
> }
>
> Authmethod method_passwd = {
> "password",
>--- openssh-4.7p1/auth2-pubkey.c 2006-08-04 20:39:39.000000000 -0600
>+++ openssh-both-pubkeypwd/auth2-pubkey.c 2008-02-15 11:32:03.000000000 -0700
>@@ -137,10 +137,11 @@
> PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
> buffer_len(&b))) == 1)
> authenticated = 1;
> buffer_free(&b);
> xfree(sig);
>+ auth2_multiple_auth("publickey", authctxt, &authenticated);
> } else {
> debug("test whether pkalg/pkblob are acceptable");
> packet_check_eom();
>
> /* XXX fake reply and always send PK_OK ? */
>--- openssh-4.7p1/auth2.c 2007-05-19 22:58:41.000000000 -0600
>+++ openssh-both-pubkeypwd/auth2.c 2008-02-15 11:32:03.000000000 -0700
>@@ -250,12 +250,16 @@
> #endif /* _UNICOS */
>
> /* Log before sending the reply */
> auth_log(authctxt, authenticated, method, " ssh2");
>
>- if (authctxt->postponed)
>+ if (authctxt->postponed) {
>+ if (!authctxt->multiple_auth_failure &&
>+ authctxt->multiple_auth.flags)
>+ goto fake_auth_failure;
> return;
>+ }
>
> /* XXX todo: check if multiple auth methods are needed */
> if (authenticated == 1) {
> /* turn off userauth */
> dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
>@@ -269,20 +273,59 @@
> #ifdef SSH_AUDIT_EVENTS
> PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+fake_auth_failure:
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
> packet_put_char(0); /* XXX partial success, unused */
> packet_send();
> packet_write_wait();
> xfree(methods);
> }
> }
>
>+void
>+auth2_multiple_auth(const char *method, Authctxt *authctxt, int *authenticated)
>+{
>+ debug3("%s[%d],entry,method %s,auth(%d,%d,%d),*auth %d,postponed %d",
>+ __func__, getpid(), method, authctxt->multiple_auth_failure,
>+ authctxt->multiple_auth.pubkey_passwd.passwd,
>+ authctxt->multiple_auth.pubkey_passwd.pubkey, *authenticated,
>+ authctxt->postponed);
>+
>+ if (options.require_both_password_and_pub_key == 1 &&
>+ (!strcasecmp(method, "password") ||
>+ !strcasecmp(method, "publickey"))) {
>+ if (!*authenticated && !strcasecmp(method, "publickey"))
>+ authctxt->multiple_auth_failure = 1;
>+ else if (!authctxt->multiple_auth_failure) {
>+ if (!strcasecmp(method, "password"))
>+ authctxt->
>+ multiple_auth.pubkey_passwd.passwd = 1;
>+ else if (!strcasecmp(method, "publickey"))
>+ authctxt->
>+ multiple_auth.pubkey_passwd.pubkey = 1;
>+
>+ if (!authctxt->multiple_auth.pubkey_passwd.passwd ||
>+ !authctxt->multiple_auth.pubkey_passwd.pubkey) {
>+ authctxt->postponed = 1;
>+ *authenticated = 0;
>+ }
>+ }
>+ else
>+ *authenticated = 0;
>+ }
>+ debug3("%s[%d],exit,multiple_auth (%d,%d,%d),*auth %d,postponed %d",
>+ __func__, getpid(), authctxt->multiple_auth_failure,
>+ authctxt->multiple_auth.pubkey_passwd.passwd,
>+ authctxt->multiple_auth.pubkey_passwd.pubkey, *authenticated,
>+ authctxt->postponed);
>+}
>+
> static char *
> authmethods_get(void)
> {
> Buffer b;
> char *list;
>--- openssh-4.7p1/monitor.c 2007-05-19 23:10:16.000000000 -0600
>+++ openssh-both-pubkeypwd/monitor.c 2008-02-15 11:32:03.000000000 -0700
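Review bot: A failed password attempt is recorded as a satisfied factor in auth2_multiple_auth: the `!*authenticated` test only covers "publickey", so a "password" call with `*authenticated == 0` falls through to the `else if (!authctxt->multiple_auth_failure)` branch and sets `pubkey_passwd.passwd = 1`, after which a verified public key alone completes both bits and the session is accepted without a correct password ever having been checked. A failed attempt should neither set a bit nor postpone the request, for example `if (!*authenticated) { if (!strcasecmp(method, "publickey")) authctxt->multiple_auth_failure = 1; } else if (!authctxt->multiple_auth_failure) {`, which keeps the sticky public-key failure and leaves a wrong password to the normal failure path (`failures++`, USERAUTH_FAILURE). The shared `fake_auth_failure:` path also sends `packet_put_char(0)` as the partial-success flag, whereas RFC 4252 defines that flag as TRUE when a method succeeded but further methods are required; clients use it to decide whether to continue, so the postponed case should send 1. The `fake_auth_failure` label sits inside userauth_finish, whose body begins outside this hunk.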
>@@ -376,10 +376,13 @@
> auth_log(authctxt, authenticated, auth_method,
> compat20 ? " ssh2" : "");
> if (!authenticated)
> authctxt->failures++;
> }
>+ if ((ent->type == MONITOR_REQ_KEYVERIFY ||
>+ ent->type == MONITOR_REQ_AUTHPASSWORD))
>+ auth2_multiple_auth(auth_method, authctxt, &authenticated);
> }
>
> if (!authctxt->valid)
> fatal("%s: authenticated invalid user", __func__);
> if (strcmp(auth_method, "unknown") == 0)
>--- openssh-4.7p1/servconf.c 2007-05-19 23:03:16.000000000 -0600
>+++ openssh-both-pubkeypwd/servconf.c 2008-02-15 11:32:03.000000000 -0700
>@@ -117,10 +117,11 @@
> options->client_alive_interval = -1;
> options->client_alive_count_max = -1;
> options->authorized_keys_file = NULL;
> options->authorized_keys_file2 = NULL;
> options->num_accept_env = 0;
>+ options->require_both_password_and_pub_key = -1;
> options->permit_tun = -1;
> options->num_permitted_opens = -1;
> options->adm_forced_command = NULL;
> }
>
>@@ -245,10 +246,15 @@
> else
> options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
> }
> if (options->authorized_keys_file == NULL)
> options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
>+ if (options->require_both_password_and_pub_key == -1)
>+ options->require_both_password_and_pub_key = 0;
>+ else if (options->require_both_password_and_pub_key == 1)
>+ options->password_authentication =
>+ options->pubkey_authentication = 1;
> if (options->permit_tun == -1)
> options->permit_tun = SSH_TUNMODE_NO;
>
> /* Turn privilege separation on by default */
> if (use_privsep == -1)
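Review bot: The new monitor-side condition carries a redundant second pair of parentheses, `if ((ent->type == MONITOR_REQ_KEYVERIFY || ent->type == MONITOR_REQ_AUTHPASSWORD))`; a single pair reads cleaner. MONITOR_REQ_KEYVERIFY is presumably also the request used for hostbased key verification, so `auth_method` here is not always "publickey"; the helper ignores other method names, which makes this harmless, but a one-line comment such as `/* helper only counts "password"/"publickey"; other methods pass through */` would spare the next reader the lookup. Because the monitor keeps its own Authctxt, the factor bits are tracked independently in the monitor and the unprivileged child, which is worth stating in that comment too. The enclosing request loop begins and ends outside this hunk.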
>@@ -291,10 +297,11 @@
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
> sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
> sMatch, sPermitOpen, sForceCommand,
> sUsePrivilegeSeparation,
>+ sRequireBothPasswordAndPubKey,
> sDeprecated, sUnsupported
> } ServerOpCodes;
>
> #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
> #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
>@@ -397,10 +404,11 @@
> { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
> { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
> { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
> { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
> { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
>+ { "requirebothpasswordandpubkey", sRequireBothPasswordAndPubKey },
> { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
> { "match", sMatch, SSHCFG_ALL },
> { "permitopen", sPermitOpen, SSHCFG_ALL },
> { "forcecommand", sForceCommand, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
>@@ -949,10 +957,14 @@
> "argument: %s", filename, linenum, arg);
> if (*intptr == -1)
> *intptr = value;
> break;
>
>+ case sRequireBothPasswordAndPubKey:
>+ intptr = &options->require_both_password_and_pub_key;
>+ goto parse_flag;
>+
> case sGatewayPorts:
> intptr = &options->gateway_ports;
> arg = strdelim(&cp);
> if (!arg || *arg == '\0')
> fatal("%s line %d: missing yes/no/clientspecified "
>--- openssh-4.7p1/servconf.h 2007-02-19 04:25:38.000000000 -0700
>+++ openssh-both-pubkeypwd/servconf.h 2008-02-15 11:32:03.000000000 -0700
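Review bot: The keyword table entry `{ "requirebothpasswordandpubkey", sRequireBothPasswordAndPubKey },` omits the flags field that every neighbouring entry carries, so it is zero-initialised instead of SSHCFG_GLOBAL. Whether the parser then rejects the directive in the main section, or quietly tolerates it inside a Match block, depends on how those flags are checked, which is outside this hunk, but the entry should read `{ "requirebothpasswordandpubkey", sRequireBothPasswordAndPubKey, SSHCFG_GLOBAL },` either way. The option is consumed in fill_default_server_options and auth2.c as a single global value, which is a further reason to keep it out of Match sections.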
>@@ -90,10 +90,11 @@
> int gss_cleanup_creds; /* If true, destroy cred cache on logout */
> int password_authentication; /* If true, permit password
> * authentication. */
> int kbd_interactive_authentication; /* If true, permit */
> int challenge_response_authentication;
>+ int require_both_password_and_pub_key;
> int permit_empty_passwd; /* If false, do not permit empty
> * passwords. */
> int permit_user_env; /* If true, read ~/.ssh/environment */
> int use_login; /* If true, login(1) is used */
> int compression; /* If true, compression is allowed */
>--- openssh-4.7p1/auth.h 2006-08-18 08:32:46.000000000 -0600
>+++ openssh-both-pubkeypwd/auth.h 2008-02-15 11:32:03.000000000 -0700
>@@ -69,10 +69,18 @@
> char *krb5_ticket_file;
> char *krb5_ccname;
> #endif
> Buffer *loginmsg;
> void *methoddata;
>+ union {
>+ struct {
>+ unsigned passwd : 1;
>+ unsigned pubkey : 1;
>+ } pubkey_passwd;
>+ unsigned flags;
>+ } multiple_auth;
>+ unsigned multiple_auth_failure : 1;
> };
> /*
> * Every authentication method has to handle authentication requests for
> * non-existing users, or for users that are not allowed to login. In this
> * case 'valid' is set to 0, but 'user' points to the username requested by
>@@ -149,10 +157,11 @@
>
> void privsep_challenge_enable(void);
>
> int auth2_challenge(Authctxt *, char *);
> void auth2_challenge_stop(Authctxt *);
>+void auth2_multiple_auth(const char *, Authctxt *, int *);
> int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
> int bsdauth_respond(void *, u_int, char **);
> int skey_query(void *, char **, char **, u_int *, char ***, u_int **);
> int skey_respond(void *, u_int, char **);
>
>--- openssh-4.7p1/sshd_config.5 2007-06-10 22:07:13.000000000 -0600
>+++ openssh-both-pubkeypwd/sshd_config.5 2008-02-15 11:32:03.000000000 -0700
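Review bot: The `multiple_auth` union in Authctxt writes two bit-fields and reads them back through `unsigned flags` (auth2.c tests `authctxt->multiple_auth.flags` for "any factor satisfied"), which relies on the implementation-defined packing of bit-fields into the same storage unit and on that unit being zero beforehand. A plain `unsigned multiple_auth;` with two named masks, e.g. `#define MULTIAUTH_PASSWD 0x1` and `#define MULTIAUTH_PUBKEY 0x2`, gives the same `multiple_auth != 0` test without the punning. The new fields also deserve a comment saying that they hold per-session multi-factor state which nothing in this patch resets, and that `multiple_auth_failure` makes the remaining password/publickey attempts fail for the rest of the session, since that is the policy auth2_multiple_auth implements. The struct's opening line lies outside this hunk.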
>@@ -709,10 +709,24 @@
> .It Cm PubkeyAuthentication
> Specifies whether public key authentication is allowed.
> The default is
> .Dq yes .
> Note that this option applies to protocol version 2 only.
>+.It Cm RequireBothPasswordAndPubKey
>+Specifies whether both password and public key authentication must
>+be successful before authentication is allowed. If
>+.Dq yes ,
>+then this option performs both types of authentication, overriding any
>+values for the
>+.Cm PubkeyAuthentication
>+and
>+.Cm PasswordAuthentication
>+options, setting both implicitly to
>+.Dq yes .
>+The default is
>+.Dq no .
>+This option applies to protocol version 2 only.
> .It Cm RhostsRSAAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful RSA host authentication is allowed.
> The default is
> .Dq no .