
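--- a/openssh-5.9p1/auth.h.2auth
+++ b/openssh-5.9p1/auth.h.2auth
@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
 
 char	*auth2_read_banner(void);
 
+void	userauth_restart(const char *);
+
 void	privsep_challenge_enable(void);
 
 int	auth2_challenge(Authctxt *, char *);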
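--- a/openssh-5.9p1/auth2.c.2auth
+++ b/openssh-5.9p1/auth2.c.2auth
@@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32
 }
 
 void
+userauth_restart(const char *method)
+{
+	options.two_factor_authentication = 0;
+
+	debug2("userauth restart, method = %s", method);
+	options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
+#ifdef GSSAPI
+	options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
+#endif
+#ifdef JPAKE
+	options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
+#endif
+	options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
+	options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
+	options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
+}
+
+void
 userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 {
 	char *methods;
@@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int
 
 	/* XXX todo: check if multiple auth methods are needed */
 	if (authenticated == 1) {
+		if (options.two_factor_authentication) {
+			userauth_restart(method);
+			debug("1st factor authentication done go to 2nd factor");
+			goto ask_methods;
+		}
+
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
 		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
@@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
+ask_methods:
 		methods = authmethods_get();
+		debug2("next auth methods = %s", methods);
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
 		packet_put_char(0);	/* XXX partial success, unused */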
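Review bot: The first-factor success path added at new lines 358-362 jumps to `ask_methods:` and falls into the unchanged `packet_put_char(0);	/* XXX partial success, unused */` line, so the SSH_MSG_USERAUTH_FAILURE sent after an accepted first factor carries partial success = FALSE; RFC 4252 §5.1 requires TRUE when the request being answered succeeded, and clients rely on that flag to tell a pending second factor from a rejected method. A minimal fix is a local `int partial = 0;`, `partial = 1;` just before `goto ask_methods;`, and `packet_put_char(partial);` in place of the constant. The `debug()` at new line 360 would be far more useful for later incident review if it named the principal and method, e.g. `debug("first factor %s accepted for %s, second factor required", method, authctxt->user);`. The assignments in userauth_restart() store raw strcmp() results in the option ints, which works but reads as a comparison mistake; `strcmp(method, method_pubkey.name) != 0` says what is meant. userauth_finish() continues outside the hunk.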
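--- a/openssh-5.9p1/monitor.c.2auth
+++ b/openssh-5.9p1/monitor.c.2auth
@@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx
 			}
 		}
 #endif
+		if (authenticated && options.two_factor_authentication) {
+			userauth_restart(auth_method);
+			authenticated = 0;
+		}
 	}
 
 	/* Drain any buffered messages from the child */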
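Review bot: The `authenticated = 0;` reset at new line 422 runs after the monitor has already taken this request through its post-decision checks, and whatever logs, audits or counts the outcome between those checks and this block is not visible in the hunk; depending on whether auth_log()/failures++ run before or after this block, the accepted first factor is either reported as an accepted login or charged against MaxAuthTries as a failure, and neither is what an operator reading the log expects — worth confirming against the full monitor_child_preauth(), which starts and ends outside the hunk. The restart deserves its own log line so the trail can distinguish a first-factor acceptance from a completed login, e.g. `debug("%s: first factor %s accepted for %s, second factor required", __func__, auth_method, authctxt->user);` placed before the reset.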
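--- a/openssh-5.9p1/servconf.c.2auth
+++ b/openssh-5.9p1/servconf.c.2auth
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
+	options->two_factor_authentication = -1;
+	options->second_pubkey_authentication = -1;
+	options->second_gss_authentication = -1;
+	options->second_password_authentication = -1;
+	options->second_kbd_interactive_authentication = -1;
+	options->second_zero_knowledge_password_authentication = -1;
+	options->second_hostbased_authentication = -1;
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
 		options->permit_user_env = 0;
+	if (options->two_factor_authentication == -1)
+		options->two_factor_authentication = 0;
+	if (options->second_pubkey_authentication == -1)
+		options->second_pubkey_authentication = 1;
+	if (options->second_gss_authentication == -1)
+		options->second_gss_authentication = 0;
+	if (options->second_password_authentication == -1)
+		options->second_password_authentication = 1;
+	if (options->second_kbd_interactive_authentication == -1)
+		options->second_kbd_interactive_authentication = 0;
+	if (options->second_zero_knowledge_password_authentication == -1)
+		options->second_zero_knowledge_password_authentication = 0;
+	if (options->second_hostbased_authentication == -1)
+		options->second_hostbased_authentication = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
 	if (options->compression == -1)
@@ -316,8 +337,11 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
-	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
-	sClientAliveCountMax, sAuthorizedKeysFile,
+	sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
+	sSecondPubkeyAuthentication, sSecondGssAuthentication,
+	sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
+	sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
+	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -395,6 +419,21 @@ static struct {
 #else
 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
 #endif
+	{ "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
+	{ "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
+#ifdef GSSAPI
+	{ "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
+#else
+	{ "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+	{ "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
+	{ "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
+#ifdef JPAKE
+	{ "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
+#else
+	{ "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+	{ "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case sTwoFactorAuthentication:
+		intptr = &options->two_factor_authentication;
+		goto parse_flag;
+
+	case sSecondPubkeyAuthentication:
+		intptr = &options->second_pubkey_authentication;
+		goto parse_flag;
+
+	case sSecondGssAuthentication:
+		intptr = &options->second_gss_authentication;
+		goto parse_flag;
+
+	case sSecondPasswordAuthentication:
+		intptr = &options->second_password_authentication;
+		goto parse_flag;
+
+	case sSecondKbdInteractiveAuthentication:
+		intptr = &options->second_kbd_interactive_authentication;
+		goto parse_flag;
+
+	case sSecondZeroKnowledgePasswordAuthentication:
+		intptr = &options->second_zero_knowledge_password_authentication;
+		goto parse_flag;
+
+	case sSecondHostbasedAuthentication:
+		intptr = &options->second_hostbased_authentication;
+		goto parse_flag;
+
 	case sPrintMotd:
 		intptr = &options->print_motd;
 		goto parse_flag;
@@ -1491,14 +1558,21 @@ void
 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
 	M_CP_INTOPT(password_authentication);
+	M_CP_INTOPT(second_password_authentication);
 	M_CP_INTOPT(gss_authentication);
+	M_CP_INTOPT(second_gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_INTOPT(second_pubkey_authentication);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
+	M_CP_INTOPT(second_hostbased_authentication);
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(second_kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
+	M_CP_INTOPT(second_zero_knowledge_password_authentication);
+	M_CP_INTOPT(two_factor_authentication);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
 
@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
 #endif
 #ifdef JPAKE
 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
 	    o->zero_knowledge_password_authentication);
+	dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
+	    o->second_zero_knowledge_password_authentication);
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+	dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);
+	dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
+	    o->second_kbd_interactive_authentication);
 	dump_cfg_fmtint(sChallengeResponseAuthentication,
 	    o->challenge_response_authentication);
+	dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);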
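Review bot: dump_config() at new lines 1794-1817 prints the new second-factor options except SecondPubkeyAuthentication and SecondHostbasedAuthentication, so `sshd -T` cannot show the complete effective second-factor policy, which is exactly what an auditor would check after enabling TwoFactorAuthentication; add `dump_cfg_fmtint(sSecondPubkeyAuthentication, o->second_pubkey_authentication);` and `dump_cfg_fmtint(sSecondHostbasedAuthentication, o->second_hostbased_authentication);` beside the existing PubkeyAuthentication and HostbasedAuthentication dump lines, which lie outside the hunk. fill_default_server_options() at new line 256 defaults second_kbd_interactive_authentication to 0, while the sample sshd_config in this same patch comments the default as `#SecondKBDInteractiveAuthentication yes`; one of the two should change so the documented default matches the code. dump_config() continues outside the hunk.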
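--- a/openssh-5.9p1/servconf.h.2auth
+++ b/openssh-5.9p1/servconf.h.2auth
@@ -112,6 +112,14 @@ typedef struct {
 					/* If true, permit jpake auth */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
+	int	two_factor_authentication;	/* If true, the first sucessful authentication
+					 * will be followed by the second one from anorher set */
+	int	second_pubkey_authentication;	/* second set of authentications */
+	int	second_gss_authentication;
+	int	second_password_authentication;
+	int	second_kbd_interactive_authentication;
+	int	second_zero_knowledge_password_authentication;
+	int	second_hostbased_authentication;
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */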
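Review bot: The comments on the new fields at new lines 115-116 misspell `sucessful` and `anorher`, and the six `second_*` fields at 117-122 share one terse `/* second set of authentications */`; this header is where the meaning of each option is defined for the rest of sshd, so each field should name the keyword it backs and state that it is consulted only after a first factor succeeds while two_factor_authentication is set, e.g. `/* second-factor set: SecondPubkeyAuthentication */` on second_pubkey_authentication and likewise for the others. The struct continues outside the hunk.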
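--- a/openssh-5.9p1/sshd_config.2auth
+++ b/openssh-5.9p1/sshd_config.2auth
@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
+#TwoFactorAuthentication no
+#SecondPubkeyAuthentication yes
+#SecondHostbasedAuthentication no
+#SecondPasswordAuthentication yes
+#SecondKBDInteractiveAuthentication yes
+#SecondGSSAPIAuthentication no
+
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no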
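--- a/openssh-5.9p1/sshd_config.5.2auth
+++ b/openssh-5.9p1/sshd_config.5.2auth
@@ -726,6 +726,12 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication ,
+.Cm TwoFactorAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
@@ -931,6 +937,41 @@ Specifies whether pure RSA authenticatio
 The default is
 .Dq yes .
 This option applies to protocol version 1 only.
+.It Cm SecondGSSAPIAuthentication
+Specifies whether the
+.Cm GSSAPIAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “no”.
+.It Cm SecondHostbasedAuthentication
+Specifies whether the
+.Cm HostbasedAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “no”.
+.It Cm SecondKbdInteractiveAuthentication
+Specifies whether the
+.Cm KbdInteractiveAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “no”.
+.It Cm SecondPasswordAuthentication
+Specifies whether the
+.Cm PasswordAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “yes”.
+.It Cm SecondPubkeyAuthentication 
+Specifies whether the
+.Cm PubkeyAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The argument must be “yes” or “no”.  The default is “yes”.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
@@ -1011,6 +1052,22 @@ For more details on certificates, see th
 .Sx CERTIFICATES
 section in
 .Xr ssh-keygen 1 .
+.It Cm TwoFactorAuthentication
+Specifies whether for a successful login is necessary to meet two independent authentications.
+If select the first method is selected from the set of allowed methods from
+.Cm GSSAPIAuthentication ,
+.Cm HostbasedAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm PasswordAuthentication ,
+.Cm PubkeyAuthentication .
+And the second method is selected from the set of allowed methods from
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication 
+without the method used for the first authentication.
+The argument must be “yes” or “no”.  The default is “no”.
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8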
