Attachment #1999 for bug #983

View | Details | Raw Unified | Return to bug 983 | Differences between

and this patch




}

void
auth_log(Authctxt *authctxt, int authenticated, const char *method,
    const char *submethod, const char *info)
{
	void (*authlog) (const char *fmt,...) = verbose;
	char *authmsg;

	else
		authmsg = authenticated ? "Accepted" : "Failed";

	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
	    authmsg,
	    method,
	    submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
	    authctxt->valid ? "" : "invalid user ",
	    authctxt->user,
	    get_remote_ipaddr(),

 * Check whether root logins are disallowed.
 */
int
auth_root_allowed(const char *method)
{
	switch (options.permit_root_login) {
	case PERMIT_YES:

	fake.pw_shell = "/nonexist";

	return (&fake);
}

int
auth_method_in_list(const char *list, const char *method)
{
	char *cp;

	cp = match_list(method, list, NULL);
	if (cp != NULL) {
		xfree(cp);
		return 1;
	}

	return 0;
}

#define	DELIM	","
int
auth_remove_from_list(char **list, const char *method)
{
	char *oldlist, *cp, *newlist = NULL;
	u_int len = 0, ret = 0;

	if (list == NULL || *list == NULL)
		return (0);

	oldlist = *list;
	len = strlen(oldlist) + 1;
	newlist = xmalloc(len);
	memset(newlist, '\0', len);

	/* Remove method from list, if present */
	for (;;) {
		if ((cp = strsep(&oldlist, DELIM)) == NULL)
			break;
		if (*cp == '\0')
			continue;
		if (strcmp(cp, method) != 0) {
			if (*newlist != '\0')
				strlcat(newlist, DELIM, len);
			strlcat(newlist, cp, len);
		} else
			ret++;
	}

	/* Return NULL instead of empty list */
	if (*newlist == '\0') {
		xfree(newlist);
		newlist = NULL;
	}
	xfree(*list);
	*list = newlist;
	
	return (ret);
}

Lines 141-150 void disable_forwarding(void); Link Here

(-)auth.h (-3 / +9 lines)
141	void do_authentication(Authctxt *);	141	void do_authentication(Authctxt *);
142	void do_authentication2(Authctxt *);	142	void do_authentication2(Authctxt *);
143		143
144	void auth_log(Authctxt , int, char , char *);	144	void auth_log(Authctxt , int, const char , const char , const char );
145	void userauth_finish(Authctxt , int, char );	145	void userauth_finish(Authctxt , int, const char , const char *);
		146	int auth_root_allowed(const char *);
		147
146	void userauth_send_banner(const char *);	148	void userauth_send_banner(const char *);
147	int auth_root_allowed(char *);
148		149
149	char *auth2_read_banner(void);	150	char *auth2_read_banner(void);
150		151
Lines 192-197 void auth_debug_send(void); Link Here
192	void auth_debug_reset(void);	193	void auth_debug_reset(void);
193		194
194	struct passwd *fakepw(void);	195	struct passwd *fakepw(void);
		196	int auth_method_in_list(const char , const char );
		197	int auth_remove_from_list(char *, const char );
		198
		199	int auth1_check_required(const char *);
		200	int auth2_check_required(const char *);
195		201
196	int sys_auth_passwd(Authctxt , const char );	202	int sys_auth_passwd(Authctxt , const char );
197		203




	return (NULL);
}

static const struct AuthMethod1 *
lookup_authmethod1_by_name(const char *name)
{
	int i;

	for (i = 0; auth1_methods[i].name != NULL; i++)
		if (strcmp(auth1_methods[i].name, name) == 0)
			return (&(auth1_methods[i]));

	return NULL;
}

#define	DELIM	","
int
auth1_check_required(const char *list)
{
	char *orig_methods, *methods, *cp;
	static const struct AuthMethod1 *m;
	int ret = 0;

	orig_methods = methods = xstrdup(list);
	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
		if ((cp = strsep(&methods, DELIM)) == NULL)
			break;
		debug2("auth1_check_required: method \"%s\"", cp);
		if (*cp == '\0') {
			debug("auth1_check_required: empty method");
			ret = -1;
		}
		if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
			debug("auth1_check_required: unknown method "
			    "\"%s\"", cp);
			ret = -1;
		}
		if (*(m->enabled) == 0) {
			debug("auth1_check_required: method %s explicitly "
			    "disabled", cp);
			ret = -1;
		}
		/* Activate method if it isn't already */
		if (*(m->enabled) == -1)
			*(m->enabled) = 1;
        }
	xfree(orig_methods);
	return (ret);
}


static char *
get_authname(int type)
{

{
	int authenticated = 0;
	char info[1024];
	const char *meth_name;
	int prev = 0, type = 0;
	const struct AuthMethod1 *meth;


	    authctxt->valid ? "" : "invalid user ", authctxt->user);

	/* If the user has no password, accept authentication immediately. */
	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
#ifdef KRB5
	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif

		if (options.use_pam && (PRIVSEP(do_pam_account())))
#endif
		{
			auth_log(authctxt, 1, "without authentication", NULL, "");
			return;
		}
	}

		/* Get a packet from the client. */
		prev = type;
		type = packet_read();
		meth_name = get_authname(type);

		/*
		 * If we started challenge-response authentication but the

		if (authctxt->failures >= options.max_authtries)
			goto skip;
		if ((meth = lookup_authmethod1(type)) == NULL) {
			logit("Unknown message during authentication: type %d",
			    type);
			goto skip;
		}


			goto skip;
		}

		/*
		 * Skip methods not in required list, until all the required
		 * ones are done
		 */
		if (options.required_auth1 != NULL &&
		    !auth_method_in_list(options.required_auth1, meth_name)) {
			debug("Skipping method \"%s\" until required "
			    "authentication completed", meth_name);
			goto skip;
		}

		authenticated = meth->method(authctxt, info, sizeof(info));
		if (authenticated == -1)
			continue; /* "postponed" */


 skip:
		/* Log before sending the reply */
		auth_log(authctxt, authenticated, meth_name, NULL, info);

		/* Loop until the required authmethods are done */
		if (authenticated && options.required_auth1 != NULL) {
			if (auth_remove_from_list(&options.required_auth1,
			    meth_name) != 1)
				fatal("INTERNAL ERROR: authenticated method "
				    "\"%s\" not in required list \"%s\"",
				    meth_name, options.required_auth1);
			debug2("do_authloop: required list now: %s",
			    options.required_auth1 == NULL ?
			    "DONE" : options.required_auth1);
			if (options.required_auth1 == NULL)
				return;
			authenticated = 0;
			/*
			 * Disable method so client can't authenticate with it
			 * after the required authentications are complete.
			 */
			*(meth->enabled) = 0;
			packet_send_debug("Further authentication required");
			goto send_fail;
		}

		if (client_user != NULL) {
			xfree(client_user);

#endif
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
		}
 send_fail:

		packet_start(SSH_SMSG_FAILURE);
		packet_send();

Lines 215-221 input_userauth_request(int type, u_int32 Link Here

(-)auth2.c (-12 / +94 lines)
215	{	215	{
216	Authctxt *authctxt = ctxt;	216	Authctxt *authctxt = ctxt;
217	Authmethod *m = NULL;	217	Authmethod *m = NULL;
218	char user, service, method, style = NULL;	218	char user, service, method, active_methods, *style = NULL;
219	int authenticated = 0;	219	int authenticated = 0;
220		220
221	if (authctxt == NULL)	221	if (authctxt == NULL)
Lines 276-297 input_userauth_request(int type, u_int32 Link Here
276	authctxt->postponed = 0;	276	authctxt->postponed = 0;
277		277
278	/* try to authenticate user */	278	/* try to authenticate user */
279	m = authmethod_lookup(method);	279	active_methods = authmethods_get();
280	if (m != NULL && authctxt->failures < options.max_authtries) {	280	if (strcmp(method, "none") == 0 \|\|
281	debug2("input_userauth_request: try method %s", method);	281	auth_method_in_list(active_methods, method)) {
282	authenticated = m->userauth(authctxt);	282	m = authmethod_lookup(method);
283	}	283	if (m != NULL) {
284	userauth_finish(authctxt, authenticated, method);	284	debug2("input_userauth_request: try method %s", method);
		285	authenticated = m->userauth(authctxt);
		286	}
285		287
		288	}
		289	xfree(active_methods);
		290	userauth_finish(authctxt, authenticated, method, NULL);
		291
286	xfree(service);	292	xfree(service);
287	xfree(user);	293	xfree(user);
288	xfree(method);	294	xfree(method);
289	}	295	}
290		296
291	void	297	void
292	userauth_finish(Authctxt authctxt, int authenticated, char method)	298	userauth_finish(Authctxt authctxt, int authenticated, const char method,
		299	const char *submethod)
293	{	300	{
294	char *methods;	301	char *methods;
		302	Authmethod *m = NULL;
		303	u_int partial = 0;
295		304
296	if (!authctxt->valid && authenticated)	305	if (!authctxt->valid && authenticated)
297	fatal("INTERNAL ERROR: authenticated invalid user %s",	306	fatal("INTERNAL ERROR: authenticated invalid user %s",
Lines 329-340 userauth_finish(Authctxt *authctxt, int Link Here
329	#endif /* _UNICOS */	338	#endif /* _UNICOS */
330		339
331	/* Log before sending the reply */	340	/* Log before sending the reply */
332	auth_log(authctxt, authenticated, method, " ssh2");	341	auth_log(authctxt, authenticated, method, submethod, " ssh2");
333		342
334	if (authctxt->postponed)	343	if (authctxt->postponed)
335	return;	344	return;
336		345
337	/* XXX todo: check if multiple auth methods are needed */	346	/* Handle RequiredAuthentications2: loop until required methods done */
		347	if (authenticated && options.required_auth2 != NULL) {
		348	if ((m = authmethod_lookup(method)) == NULL)
		349	fatal("INTERNAL ERROR: authenticated method "
		350	"\"%s\" unknown", method);
		351	if (auth_remove_from_list(&options.required_auth2, method) != 1)
		352	fatal("INTERNAL ERROR: authenticated method "
		353	"\"%s\" not in required list \"%s\"",
		354	method, options.required_auth2);
		355	debug2("userauth_finish: required list now: %s",
		356	options.required_auth2 == NULL ?
		357	"DONE" : options.required_auth2);
		358	/*
		359	* if authenticated and no more required methods
		360	* then declare success
		361	*/
		362	if ( authenticated && options.required_auth2 == NULL ) {
		363	debug2("userauth_finish: authenticated and no more required methods");
		364	} else {
		365	/*
		366	* Disable method so client can't authenticate with it after
		367	* the required authentications are complete.
		368	*/
		369	if (m->enabled != NULL)
		370	*(m->enabled) = 0;
		371	authenticated = 0;
		372	partial = 1;
		373	goto send_fail;
		374	}
		375	}
		376
338	if (authenticated == 1) {	377	if (authenticated == 1) {
339	/* turn off userauth */	378	/* turn off userauth */
340	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);	379	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
Lines 344-350 userauth_finish(Authctxt *authctxt, int Link Here
344	/* now we can break out */	383	/* now we can break out */
345	authctxt->success = 1;	384	authctxt->success = 1;
346	} else {	385	} else {
347
348	/* Allow initial try of "none" auth without failure penalty */	386	/* Allow initial try of "none" auth without failure penalty */
349	if (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0)	387	if (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0)
350	authctxt->failures++;	388	authctxt->failures++;
Lines 354-363 userauth_finish(Authctxt *authctxt, int Link Here
354	#endif	392	#endif
355	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	393	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
356	}	394	}
		395	send_fail:
357	methods = authmethods_get();	396	methods = authmethods_get();
358	packet_start(SSH2_MSG_USERAUTH_FAILURE);	397	packet_start(SSH2_MSG_USERAUTH_FAILURE);
359	packet_put_cstring(methods);	398	packet_put_cstring(methods);
360	packet_put_char(0); /* XXX partial success, unused */	399	packet_put_char(partial);
361	packet_send();	400	packet_send();
362	packet_write_wait();	401	packet_write_wait();
363	xfree(methods);	402	xfree(methods);
Lines 371-376 authmethods_get(void) Link Here
371	char *list;	410	char *list;
372	int i;	411	int i;
373		412
		413	if (options.required_auth2 != NULL)
		414	return xstrdup(options.required_auth2);
		415
374	buffer_init(&b);	416	buffer_init(&b);
375	for (i = 0; authmethods[i] != NULL; i++) {	417	for (i = 0; authmethods[i] != NULL; i++) {
376	if (strcmp(authmethods[i]->name, "none") == 0)	418	if (strcmp(authmethods[i]->name, "none") == 0)
Lines 403-407 authmethod_lookup(const char *name) Link Here
403	debug2("Unrecognized authentication method name: %s",	445	debug2("Unrecognized authentication method name: %s",
404	name ? name : "NULL");	446	name ? name : "NULL");
405	return NULL;	447	return NULL;
		448	}
		449
		450	#define DELIM ","
		451
		452	int
		453	auth2_check_required(const char *list)
		454	{
		455	char orig_methods, methods, *cp;
		456	struct Authmethod *m;
		457	int i, ret = 0;
		458
		459	orig_methods = methods = xstrdup(list);
		460	for(;;) {
		461	if ((cp = strsep(&methods, DELIM)) == NULL)
		462	break;
		463	debug2("auth2_check_required: method \"%s\"", cp);
		464	if (*cp == '\0') {
		465	debug("auth2_check_required: empty method");
		466	ret = -1;
		467	}
		468	for (i = 0; authmethods[i] != NULL; i++)
		469	if (strcmp(cp, authmethods[i]->name) == 0)
		470	break;
		471	if ((m = authmethods[i]) == NULL) {
		472	debug("auth2_check_required: unknown method "
		473	"\"%s\"", cp);
		474	ret = -1;
		475	break;
		476	}
		477	if (m->enabled == NULL \|\| *(m->enabled) == 0) {
		478	debug("auth2_check_required: method %s explicitly "
		479	"disabled", cp);
		480	ret = -1;
		481	}
		482	/* Activate method if it isn't already */
		483	if (*(m->enabled) == -1)
		484	*(m->enabled) = 1;
		485	}
		486	xfree(orig_methods);
		487	return (ret);
406	}	488	}
407		489

Lines 61-67 userauth_none(Authctxt *authctxt) Link Here

(-)auth2-none.c (-1 / +1 lines)
61	{	61	{
62	none_enabled = 0;	62	none_enabled = 0;
63	packet_check_eom();	63	packet_check_eom();
64	if (options.permit_empty_passwd && options.password_authentication)	64	if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
65	return (PRIVSEP(auth_password(authctxt, "")));	65	return (PRIVSEP(auth_password(authctxt, "")));
66	return (0);	66	return (0);
67	}	67	}

Lines 341-348 input_userauth_info_response(int type, u Link Here

(-)auth2-chall.c (-2 / +2 lines)
341	auth2_challenge_start(authctxt);	341	auth2_challenge_start(authctxt);
342	}	342	}
343	}	343	}
344	userauth_finish(authctxt, authenticated, method);	344	userauth_finish(authctxt, authenticated, "keyboard-interactive",
345	xfree(method);	345	kbdintctxt->device->name);
346	}	346	}
347		347
348	void	348	void




		}
		authctxt->postponed = 0;
		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
	} else {
		if (send_tok.length != 0) {
			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);

	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}

static void

	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}

Authmethod method_gssapi = {




monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
{
	struct mon_table *ent;
	int no_increment, authenticated = 0;
	char **req_auth;

	debug3("preauth child monitor started");



	if (compat20) {
		mon_dispatch = mon_dispatch_proto20;
		req_auth = &options.required_auth2;

		/* Permit requests for moduli and signatures */
		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
	} else {
		mon_dispatch = mon_dispatch_proto15;
		req_auth = &options.required_auth1;

		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
	}

	/* The first few requests do not require asynchronous access */
	while (!authenticated) {
		auth_method = "unknown";
		no_increment = 1;
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
		if (authenticated) {
			if (!(ent->flags & MON_AUTHDECIDE))

			}
#endif
		}
		/* Loop until the required authmethods are done */
		if (authenticated && *req_auth != NULL) {
			if (auth_remove_from_list(req_auth, auth_method) != 1)
				fatal("INTERNAL ERROR: authenticated method "
				    "\"%s\" not in required list \"%s\"",
				    auth_method, *req_auth);
			debug2("monitor_child_preauth: required list now: %s",
			    *req_auth == NULL ? "DONE" : *req_auth);
			if (*req_auth != NULL)
				authenticated = 0;
			no_increment = 1;
		}

		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
			auth_log(authctxt, authenticated, auth_method, NULL,
			    compat20 ? " ssh2" : "");
			if (!authenticated && !no_increment)
				authctxt->failures++;
		}
#ifdef JPAKE

		hostbased_chost = chost;
	} else {
		/* Log failed attempt */
		auth_log(authctxt, 0, auth_method, NULL,
		    compat20 ? " ssh2" : "");
		xfree(blob);
		xfree(cuser);
		xfree(chost);

Lines 42-47 Link Here

(-)servconf.c (+34 lines)
42	#include "key.h"	42	#include "key.h"
43	#include "kex.h"	43	#include "kex.h"
44	#include "mac.h"	44	#include "mac.h"
		45	#include "hostfile.h"
		46	#include "auth.h"
45	#include "match.h"	47	#include "match.h"
46	#include "channels.h"	48	#include "channels.h"
47	#include "groupaccess.h"	49	#include "groupaccess.h"
Lines 130-135 initialize_server_options(ServerOptions Link Here
130	options->authorized_keys_file2 = NULL;	132	options->authorized_keys_file2 = NULL;
131	options->num_accept_env = 0;	133	options->num_accept_env = 0;
132	options->permit_tun = -1;	134	options->permit_tun = -1;
		135	options->required_auth1 = NULL;
		136	options->required_auth2 = NULL;
133	options->num_permitted_opens = -1;	137	options->num_permitted_opens = -1;
134	options->adm_forced_command = NULL;	138	options->adm_forced_command = NULL;
135	options->chroot_directory = NULL;	139	options->chroot_directory = NULL;
Lines 323-328 typedef enum { Link Here
323	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	327	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
324	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,	328	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
325	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,	329	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
		330	sRequiredAuthentications1, sRequiredAuthentications2,
326	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	331	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
327	sUsePrivilegeSeparation, sAllowAgentForwarding,	332	sUsePrivilegeSeparation, sAllowAgentForwarding,
328	sZeroKnowledgePasswordAuthentication, sHostCertificate,	333	sZeroKnowledgePasswordAuthentication, sHostCertificate,
Lines 451-456 static struct { Link Here
451	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },	456	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
452	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },	457	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
453	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },	458	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
		459	{ "requiredauthentications1", sRequiredAuthentications1 },
		460	{ "requiredauthentications2", sRequiredAuthentications2 },
454	{ "ipqos", sIPQoS, SSHCFG_ALL },	461	{ "ipqos", sIPQoS, SSHCFG_ALL },
455	{ NULL, sBadOption, 0 }	462	{ NULL, sBadOption, 0 }
456	};	463	};
Lines 1229-1234 process_server_config_line(ServerOptions Link Here
1229	filename, linenum);	1236	filename, linenum);
1230	else	1237	else
1231	options->max_startups = options->max_startups_begin;	1238	options->max_startups = options->max_startups_begin;
		1239	break;
		1240
		1241
		1242	case sRequiredAuthentications1:
		1243	charptr = &options->required_auth1;
		1244	arg = strdelim(&cp);
		1245	if (auth1_check_required(arg) != 0)
		1246	fatal("%.200s line %d: Invalid required authentication "
		1247	"list", filename, linenum);
		1248	if (!arg \|\| *arg == '\0')
		1249	fatal("%.200s line %d: Missing argument.",
		1250	filename, linenum);
		1251	if (*charptr == NULL)
		1252	*charptr = xstrdup(arg);
		1253	break;
		1254
		1255	case sRequiredAuthentications2:
		1256	charptr = &options->required_auth2;
		1257	arg = strdelim(&cp);
		1258	if (auth2_check_required(arg) != 0)
		1259	fatal("%.200s line %d: Invalid required authentication "
		1260	"list", filename, linenum);
		1261	if (!arg \|\| *arg == '\0')
		1262	fatal("%.200s line %d: Missing argument.",
		1263	filename, linenum);
		1264	if (*charptr == NULL)
		1265	*charptr = xstrdup(arg);
1232	break;	1266	break;
1233		1267
1234	case sMaxAuthTries:	1268	case sMaxAuthTries:

Lines 148-153 typedef struct { Link Here

(-)servconf.h (+3 lines)
148	char authorized_keys_file; / File containing public keys */	148	char authorized_keys_file; / File containing public keys */
149	char *authorized_keys_file2;	149	char *authorized_keys_file2;
150		150
		151	char required_auth1; / Required, but not sufficient */
		152	char *required_auth2;
		153
151	char *adm_forced_command;	154	char *adm_forced_command;
152		155
153	int use_pam; /* Enable auth via PAM */	156	int use_pam; /* Enable auth via PAM */




Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSAPIAuthentication ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,

.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm RequiredMethods1,
.Cm RequiredMethods2,
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,

.Cm X11Forwarding
and
.Cm X11UseLocalHost .
.It Cm RequiredMethods[12]
 Requires two authentication methods to succeed before authorizing the connection.
 (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

 RequiredAuthentications1 method[,method...] 
 RequiredAuthentications2 method[,method...]

.Pp
Example 1:

 RequiredAuthentications2 password,hostbased

Example 2:
 RequiredAuthentications2 publickey,password

.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.

Specifies whether public key authentication is allowed.
The default is
.Dq yes .
.It Cm RequiredMethods[12]
 Requires two authentication methods to succeed before authorizing the connection.
 (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

 RequiredAuthentications1 method[,method...] 
 RequiredAuthentications2 method[,method...]

.Pp
Example 1:

 RequiredAuthentications2 password,hostbased

Example 2:
 RequiredAuthentications2 publickey,password

.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.

.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
Keys are listed one per line; empty lines and comments starting with
.Ql #
are allowed.
If a certificate is presented for authentication and has its signing CA key
listed in this file, then it may be used for authentication for any user
listed in the certificate's principals list.
Note that certificates that lack a list of principals will not be permitted
for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the
.Sx CERTIFICATES
section in
.Xr ssh-keygen 1 .
.It Cm UseDNS
Specifies whether
.Xr sshd 8

Return to bug 983

Lines 702-716 keyword. Link Here

(-)sshd_config.5 (-26 / +32 lines)
702	Available keywords are	702	Available keywords are
703	.Cm AllowAgentForwarding ,	703	.Cm AllowAgentForwarding ,
704	.Cm AllowTcpForwarding ,	704	.Cm AllowTcpForwarding ,
705	.Cm AuthorizedKeysFile ,
706	.Cm AuthorizedPrincipalsFile ,
707	.Cm Banner ,	705	.Cm Banner ,
708	.Cm ChrootDirectory ,	706	.Cm ChrootDirectory ,
709	.Cm ForceCommand ,	707	.Cm ForceCommand ,
710	.Cm GatewayPorts ,	708	.Cm GatewayPorts ,
711	.Cm GSSAPIAuthentication ,	709	.Cm GSSAPIAuthentication ,
712	.Cm HostbasedAuthentication ,	710	.Cm HostbasedAuthentication ,
713	.Cm HostbasedUsesNameFromPacketOnly ,
714	.Cm KbdInteractiveAuthentication ,	711	.Cm KbdInteractiveAuthentication ,
715	.Cm KerberosAuthentication ,	712	.Cm KerberosAuthentication ,
716	.Cm MaxAuthTries ,	713	.Cm MaxAuthTries ,
Lines 719-725 Available keywords are Link Here
719	.Cm PermitEmptyPasswords ,	716	.Cm PermitEmptyPasswords ,
720	.Cm PermitOpen ,	717	.Cm PermitOpen ,
721	.Cm PermitRootLogin ,	718	.Cm PermitRootLogin ,
722	.Cm PermitTunnel ,	719	.Cm RequiredMethods1,
		720	.Cm RequiredMethods2,
723	.Cm PubkeyAuthentication ,	721	.Cm PubkeyAuthentication ,
724	.Cm RhostsRSAAuthentication ,	722	.Cm RhostsRSAAuthentication ,
725	.Cm RSAAuthentication ,	723	.Cm RSAAuthentication ,
Lines 727-732 Available keywords are Link Here
727	.Cm X11Forwarding	725	.Cm X11Forwarding
728	and	726	and
729	.Cm X11UseLocalHost .	727	.Cm X11UseLocalHost .
		728	.It Cm RequiredMethods[12]
		729	Requires two authentication methods to succeed before authorizing the connection.
		730	(RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
		731
		732	RequiredAuthentications1 method[,method...]
		733	RequiredAuthentications2 method[,method...]
		734
		735	.Pp
		736	Example 1:
		737
		738	RequiredAuthentications2 password,hostbased
		739
		740	Example 2:
		741	RequiredAuthentications2 publickey,password
		742
730	.It Cm MaxAuthTries	743	.It Cm MaxAuthTries
731	Specifies the maximum number of authentication attempts permitted per	744	Specifies the maximum number of authentication attempts permitted per
732	connection.	745	connection.
Lines 911-922 is identical to Link Here
911	Specifies whether public key authentication is allowed.	924	Specifies whether public key authentication is allowed.
912	The default is	925	The default is
913	.Dq yes .	926	.Dq yes .
914	Note that this option applies to protocol version 2 only.	927	.It Cm RequiredMethods[12]
915	.It Cm RevokedKeys	928	Requires two authentication methods to succeed before authorizing the connection.
916	Specifies a list of revoked public keys.	929	(RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
917	Keys listed in this file will be refused for public key authentication.	930
918	Note that if this file is not readable, then public key authentication will	931	RequiredAuthentications1 method[,method...]
919	be refused for all users.	932	RequiredAuthentications2 method[,method...]
		933
		934	.Pp
		935	Example 1:
		936
		937	RequiredAuthentications2 password,hostbased
		938
		939	Example 2:
		940	RequiredAuthentications2 publickey,password
		941
920	.It Cm RhostsRSAAuthentication	942	.It Cm RhostsRSAAuthentication
921	Specifies whether rhosts or /etc/hosts.equiv authentication together	943	Specifies whether rhosts or /etc/hosts.equiv authentication together
922	with successful RSA host authentication is allowed.	944	with successful RSA host authentication is allowed.
Lines 992-1013 This avoids infinitely hanging sessions. Link Here
992	.Pp	1014	.Pp
993	To disable TCP keepalive messages, the value should be set to	1015	To disable TCP keepalive messages, the value should be set to
994	.Dq no .	1016	.Dq no .
995	.It Cm TrustedUserCAKeys
996	Specifies a file containing public keys of certificate authorities that are
997	trusted to sign user certificates for authentication.
998	Keys are listed one per line; empty lines and comments starting with
999	.Ql #
1000	are allowed.
1001	If a certificate is presented for authentication and has its signing CA key
1002	listed in this file, then it may be used for authentication for any user
1003	listed in the certificate's principals list.
1004	Note that certificates that lack a list of principals will not be permitted
1005	for authentication using
1006	.Cm TrustedUserCAKeys .
1007	For more details on certificates, see the
1008	.Sx CERTIFICATES
1009	section in
1010	.Xr ssh-keygen 1 .
1011	.It Cm UseDNS	1017	.It Cm UseDNS
1012	Specifies whether	1018	Specifies whether
1013	.Xr sshd 8	1019	.Xr sshd 8

Lines 251-257 allowed_user(struct passwd * pw) Link Here

(-)auth.c (-3 / +59 lines)
251	}	251	}
252		252
253	void	253	void
254	auth_log(Authctxt authctxt, int authenticated, char method, char *info)	254	auth_log(Authctxt authctxt, int authenticated, const char method,
		255	const char submethod, const char info)
255	{	256	{
256	void (authlog) (const char fmt,...) = verbose;	257	void (authlog) (const char fmt,...) = verbose;
257	char *authmsg;	258	char *authmsg;
Lines 271-279 auth_log(Authctxt *authctxt, int authent Link Here
271	else	272	else
272	authmsg = authenticated ? "Accepted" : "Failed";	273	authmsg = authenticated ? "Accepted" : "Failed";
273		274
274	authlog("%s %s for %s%.100s from %.200s port %d%s",	275	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
275	authmsg,	276	authmsg,
276	method,	277	method,
		278	submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
277	authctxt->valid ? "" : "invalid user ",	279	authctxt->valid ? "" : "invalid user ",
278	authctxt->user,	280	authctxt->user,
279	get_remote_ipaddr(),	281	get_remote_ipaddr(),
Lines 303-309 auth_log(Authctxt *authctxt, int authent Link Here
303	* Check whether root logins are disallowed.	305	* Check whether root logins are disallowed.
304	*/	306	*/
305	int	307	int
306	auth_root_allowed(char *method)	308	auth_root_allowed(const char *method)
307	{	309	{
308	switch (options.permit_root_login) {	310	switch (options.permit_root_login) {
309	case PERMIT_YES:	311	case PERMIT_YES:
Lines 707-710 fakepw(void) Link Here
707	fake.pw_shell = "/nonexist";	709	fake.pw_shell = "/nonexist";
708		710
709	return (&fake);	711	return (&fake);
		712	}
		713
		714	int
		715	auth_method_in_list(const char list, const char method)
		716	{
		717	char *cp;
		718
		719	cp = match_list(method, list, NULL);
		720	if (cp != NULL) {
		721	xfree(cp);
		722	return 1;
		723	}
		724
		725	return 0;
		726	}
		727
		728	#define DELIM ","
		729	int
		730	auth_remove_from_list(char *list, const char method)
		731	{
		732	char oldlist, cp, *newlist = NULL;
		733	u_int len = 0, ret = 0;
		734
		735	if (list == NULL \|\| *list == NULL)
		736	return (0);
		737
		738	oldlist = *list;
		739	len = strlen(oldlist) + 1;
		740	newlist = xmalloc(len);
		741	memset(newlist, '\0', len);
		742
		743	/* Remove method from list, if present */
		744	for (;;) {
		745	if ((cp = strsep(&oldlist, DELIM)) == NULL)
		746	break;
		747	if (*cp == '\0')
		748	continue;
		749	if (strcmp(cp, method) != 0) {
		750	if (*newlist != '\0')
		751	strlcat(newlist, DELIM, len);
		752	strlcat(newlist, cp, len);
		753	} else
		754	ret++;
		755	}
		756
		757	/* Return NULL instead of empty list */
		758	if (*newlist == '\0') {
		759	xfree(newlist);
		760	newlist = NULL;
		761	}
		762	xfree(*list);
		763	*list = newlist;
		764
		765	return (ret);
710	}	766	}

Lines 98-103 static const struct AuthMethod1 Link Here

(-)auth1.c (-5 / +89 lines)
98	return (NULL);	98	return (NULL);
99	}	99	}
100		100
		101	static const struct AuthMethod1 *
		102	lookup_authmethod1_by_name(const char *name)
		103	{
		104	int i;
		105
		106	for (i = 0; auth1_methods[i].name != NULL; i++)
		107	if (strcmp(auth1_methods[i].name, name) == 0)
		108	return (&(auth1_methods[i]));
		109
		110	return NULL;
		111	}
		112
		113	#define DELIM ","
		114	int
		115	auth1_check_required(const char *list)
		116	{
		117	char orig_methods, methods, *cp;
		118	static const struct AuthMethod1 *m;
		119	int ret = 0;
		120
		121	orig_methods = methods = xstrdup(list);
		122	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
		123	if ((cp = strsep(&methods, DELIM)) == NULL)
		124	break;
		125	debug2("auth1_check_required: method \"%s\"", cp);
		126	if (*cp == '\0') {
		127	debug("auth1_check_required: empty method");
		128	ret = -1;
		129	}
		130	if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
		131	debug("auth1_check_required: unknown method "
		132	"\"%s\"", cp);
		133	ret = -1;
		134	}
		135	if (*(m->enabled) == 0) {
		136	debug("auth1_check_required: method %s explicitly "
		137	"disabled", cp);
		138	ret = -1;
		139	}
		140	/* Activate method if it isn't already */
		141	if (*(m->enabled) == -1)
		142	*(m->enabled) = 1;
		143	}
		144	xfree(orig_methods);
		145	return (ret);
		146	}
		147
		148
101	static char *	149	static char *
102	get_authname(int type)	150	get_authname(int type)
103	{	151	{
Lines 237-242 do_authloop(Authctxt *authctxt) Link Here
237	{	285	{
238	int authenticated = 0;	286	int authenticated = 0;
239	char info[1024];	287	char info[1024];
		288	const char *meth_name;
240	int prev = 0, type = 0;	289	int prev = 0, type = 0;
241	const struct AuthMethod1 *meth;	290	const struct AuthMethod1 *meth;
242		291
Lines 244-250 do_authloop(Authctxt *authctxt) Link Here
244	authctxt->valid ? "" : "invalid user ", authctxt->user);	293	authctxt->valid ? "" : "invalid user ", authctxt->user);
245		294
246	/* If the user has no password, accept authentication immediately. */	295	/* If the user has no password, accept authentication immediately. */
247	if (options.permit_empty_passwd && options.password_authentication &&	296	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
248	#ifdef KRB5	297	#ifdef KRB5
249	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&	298	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&
250	#endif	299	#endif
Lines 253-259 do_authloop(Authctxt *authctxt) Link Here
253	if (options.use_pam && (PRIVSEP(do_pam_account())))	302	if (options.use_pam && (PRIVSEP(do_pam_account())))
254	#endif	303	#endif
255	{	304	{
256	auth_log(authctxt, 1, "without authentication", "");	305	auth_log(authctxt, 1, "without authentication", NULL, "");
257	return;	306	return;
258	}	307	}
259	}	308	}
Lines 272-277 do_authloop(Authctxt *authctxt) Link Here
272	/* Get a packet from the client. */	321	/* Get a packet from the client. */
273	prev = type;	322	prev = type;
274	type = packet_read();	323	type = packet_read();
		324	meth_name = get_authname(type);
275		325
276	/*	326	/*
277	* If we started challenge-response authentication but the	327	* If we started challenge-response authentication but the
Lines 287-294 do_authloop(Authctxt *authctxt) Link Here
287	if (authctxt->failures >= options.max_authtries)	337	if (authctxt->failures >= options.max_authtries)
288	goto skip;	338	goto skip;
289	if ((meth = lookup_authmethod1(type)) == NULL) {	339	if ((meth = lookup_authmethod1(type)) == NULL) {
290	logit("Unknown message during authentication: "	340	logit("Unknown message during authentication: type %d",
291	"type %d", type);	341	type);
292	goto skip;	342	goto skip;
293	}	343	}
294		344
Lines 297-302 do_authloop(Authctxt *authctxt) Link Here
297	goto skip;	347	goto skip;
298	}	348	}
299		349
		350	/*
		351	* Skip methods not in required list, until all the required
		352	* ones are done
		353	*/
		354	if (options.required_auth1 != NULL &&
		355	!auth_method_in_list(options.required_auth1, meth_name)) {
		356	debug("Skipping method \"%s\" until required "
		357	"authentication completed", meth_name);
		358	goto skip;
		359	}
		360
300	authenticated = meth->method(authctxt, info, sizeof(info));	361	authenticated = meth->method(authctxt, info, sizeof(info));
301	if (authenticated == -1)	362	if (authenticated == -1)
302	continue; /* "postponed" */	363	continue; /* "postponed" */
Lines 352-358 do_authloop(Authctxt *authctxt) Link Here
352		413
353	skip:	414	skip:
354	/* Log before sending the reply */	415	/* Log before sending the reply */
355	auth_log(authctxt, authenticated, get_authname(type), info);	416	auth_log(authctxt, authenticated, meth_name, NULL, info);
		417
		418	/* Loop until the required authmethods are done */
		419	if (authenticated && options.required_auth1 != NULL) {
		420	if (auth_remove_from_list(&options.required_auth1,
		421	meth_name) != 1)
		422	fatal("INTERNAL ERROR: authenticated method "
		423	"\"%s\" not in required list \"%s\"",
		424	meth_name, options.required_auth1);
		425	debug2("do_authloop: required list now: %s",
		426	options.required_auth1 == NULL ?
		427	"DONE" : options.required_auth1);
		428	if (options.required_auth1 == NULL)
		429	return;
		430	authenticated = 0;
		431	/*
		432	* Disable method so client can't authenticate with it
		433	* after the required authentications are complete.
		434	*/
		435	*(meth->enabled) = 0;
		436	packet_send_debug("Further authentication required");
		437	goto send_fail;
		438	}
356		439
357	if (client_user != NULL) {	440	if (client_user != NULL) {
358	xfree(client_user);	441	xfree(client_user);
Lines 368-373 do_authloop(Authctxt *authctxt) Link Here
368	#endif	451	#endif
369	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	452	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
370	}	453	}
		454	send_fail:
371		455
372	packet_start(SSH_SMSG_FAILURE);	456	packet_start(SSH_SMSG_FAILURE);
373	packet_send();	457	packet_send();

Lines 161-167 input_gssapi_token(int type, u_int32_t p Link Here

(-)auth2-gss.c (-3 / +3 lines)
161	}	161	}
162	authctxt->postponed = 0;	162	authctxt->postponed = 0;
163	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);	163	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
164	userauth_finish(authctxt, 0, "gssapi-with-mic");	164	userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
165	} else {	165	} else {
166	if (send_tok.length != 0) {	166	if (send_tok.length != 0) {
167	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);	167	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
Lines 249-255 input_gssapi_exchange_complete(int type, Link Here
249	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	249	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
250	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);	250	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
251	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);	251	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
252	userauth_finish(authctxt, authenticated, "gssapi-with-mic");	252	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
253	}	253	}
254		254
255	static void	255	static void
Lines 289-295 input_gssapi_mic(int type, u_int32_t ple Link Here
289	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	289	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
290	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);	290	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
291	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);	291	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
292	userauth_finish(authctxt, authenticated, "gssapi-with-mic");	292	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
293	}	293	}
294		294
295	Authmethod method_gssapi = {	295	Authmethod method_gssapi = {

Lines 342-348 void Link Here

(-)monitor.c (-4 / +21 lines)
342	monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)	342	monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
343	{	343	{
344	struct mon_table *ent;	344	struct mon_table *ent;
345	int authenticated = 0;	345	int no_increment, authenticated = 0;
		346	char **req_auth;
346		347
347	debug3("preauth child monitor started");	348	debug3("preauth child monitor started");
348		349
Lines 353-364 monitor_child_preauth(Authctxt *_authctx Link Here
353		354
354	if (compat20) {	355	if (compat20) {
355	mon_dispatch = mon_dispatch_proto20;	356	mon_dispatch = mon_dispatch_proto20;
		357	req_auth = &options.required_auth2;
356		358
357	/* Permit requests for moduli and signatures */	359	/* Permit requests for moduli and signatures */
358	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	360	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
359	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	361	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
360	} else {	362	} else {
361	mon_dispatch = mon_dispatch_proto15;	363	mon_dispatch = mon_dispatch_proto15;
		364	req_auth = &options.required_auth1;
362		365
363	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);	366	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
364	}	367	}
Lines 366-371 monitor_child_preauth(Authctxt *_authctx Link Here
366	/* The first few requests do not require asynchronous access */	369	/* The first few requests do not require asynchronous access */
367	while (!authenticated) {	370	while (!authenticated) {
368	auth_method = "unknown";	371	auth_method = "unknown";
		372	no_increment = 1;
369	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);	373	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
370	if (authenticated) {	374	if (authenticated) {
371	if (!(ent->flags & MON_AUTHDECIDE))	375	if (!(ent->flags & MON_AUTHDECIDE))
Lines 387-397 monitor_child_preauth(Authctxt *_authctx Link Here
387	}	391	}
388	#endif	392	#endif
389	}	393	}
		394	/* Loop until the required authmethods are done */
		395	if (authenticated && *req_auth != NULL) {
		396	if (auth_remove_from_list(req_auth, auth_method) != 1)
		397	fatal("INTERNAL ERROR: authenticated method "
		398	"\"%s\" not in required list \"%s\"",
		399	auth_method, *req_auth);
		400	debug2("monitor_child_preauth: required list now: %s",
		401	req_auth == NULL ? "DONE" : req_auth);
		402	if (*req_auth != NULL)
		403	authenticated = 0;
		404	no_increment = 1;
		405	}
390		406
391	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {	407	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {
392	auth_log(authctxt, authenticated, auth_method,	408	auth_log(authctxt, authenticated, auth_method, NULL,
393	compat20 ? " ssh2" : "");	409	compat20 ? " ssh2" : "");
394	if (!authenticated)	410	if (!authenticated && !no_increment)
395	authctxt->failures++;	411	authctxt->failures++;
396	}	412	}
397	#ifdef JPAKE	413	#ifdef JPAKE
Lines 1066-1072 mm_answer_keyallowed(int sock, Buffer *m Link Here
1066	hostbased_chost = chost;	1082	hostbased_chost = chost;
1067	} else {	1083	} else {
1068	/* Log failed attempt */	1084	/* Log failed attempt */
1069	auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");	1085	auth_log(authctxt, 0, auth_method, NULL,
		1086	compat20 ? " ssh2" : "");
1070	xfree(blob);	1087	xfree(blob);
1071	xfree(cuser);	1088	xfree(cuser);
1072	xfree(chost);	1089	xfree(chost);