Bugzilla – Attachment 2084 Details for
Bug 983
Required authentication
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Another approach to solution of the problem (updated)
openssh-5.9p1-2auth.patch (text/plain), 14.04 KB, created by
jchadima
on 2011-09-17 20:00:32 AEST
(
hide
)
Description:
Another approach to solution of the problem (updated)
Filename:
MIME Type:
Creator:
jchadima
Created:
2011-09-17 20:00:32 AEST
Size:
14.04 KB
patch
obsolete
>diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h >--- openssh-5.9p1/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200 >+++ openssh-5.9p1/auth.h 2011-09-17 11:17:56.972459934 +0200 >@@ -149,6 +149,8 @@ int auth_root_allowed(char *); > > char *auth2_read_banner(void); > >+void userauth_restart(const char *); >+ > void privsep_challenge_enable(void); > > int auth2_challenge(Authctxt *, char *); >diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c >--- openssh-5.9p1/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200 >+++ openssh-5.9p1/auth2.c 2011-09-17 11:17:57.077584849 +0200 >@@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32 > } > > void >+userauth_restart(const char *method) >+{ >+ options.two_factor_authentication = 0; >+ >+ debug2("userauth restart, method = %s", method); >+ options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name); >+#ifdef GSSAPI >+ options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name); >+#endif >+#ifdef JPAKE >+ options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name); >+#endif >+ options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name); >+ options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name); >+ options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name); >+} >+ >+void > userauth_finish(Authctxt *authctxt, int authenticated, char *method) > { > char *methods; >@@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int > > /* XXX todo: check if multiple auth methods are needed */ > if (authenticated == 1) { >+ if (options.two_factor_authentication) { >+ userauth_restart(method); >+ debug("1st factor authentication done go to 2nd factor"); >+ goto ask_methods; >+ } >+ > /* turn off userauth */ > dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); > packet_start(SSH2_MSG_USERAUTH_SUCCESS); >@@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int > #endif > packet_disconnect(AUTH_FAIL_MSG, authctxt->user); > } >+ask_methods: > methods = authmethods_get(); >+ debug2("next auth methods = %s", methods); > packet_start(SSH2_MSG_USERAUTH_FAILURE); > packet_put_cstring(methods); > packet_put_char(0); /* XXX partial success, unused */ >diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c >--- openssh-5.9p1/monitor.c.2auth 2011-08-05 22:15:18.000000000 +0200 >+++ openssh-5.9p1/monitor.c 2011-09-17 11:17:57.191569713 +0200 >@@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx > } > } > #endif >+ if (authenticated && options.two_factor_authentication) { >+ userauth_restart(auth_method); >+ authenticated = 0; >+ } > } > > /* Drain any buffered messages from the child */ >diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c >--- openssh-5.9p1/servconf.c.2auth 2011-06-23 00:30:03.000000000 +0200 >+++ openssh-5.9p1/servconf.c 2011-09-17 11:17:57.312458299 +0200 >@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions > options->hostbased_uses_name_from_packet_only = -1; > options->rsa_authentication = -1; > options->pubkey_authentication = -1; >+ options->two_factor_authentication = -1; >+ options->second_pubkey_authentication = -1; >+ options->second_gss_authentication = -1; >+ options->second_password_authentication = -1; >+ options->second_kbd_interactive_authentication = -1; >+ options->second_zero_knowledge_password_authentication = -1; >+ options->second_hostbased_authentication = -1; > options->kerberos_authentication = -1; > options->kerberos_or_local_passwd = -1; > options->kerberos_ticket_cleanup = -1; >@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption > options->permit_empty_passwd = 0; > if (options->permit_user_env == -1) > options->permit_user_env = 0; >+ if (options->two_factor_authentication == -1) >+ options->two_factor_authentication = 0; >+ if (options->second_pubkey_authentication == -1) >+ options->second_pubkey_authentication = 1; >+ if (options->second_gss_authentication == -1) >+ options->second_gss_authentication = 0; >+ if (options->second_password_authentication == -1) >+ options->second_password_authentication = 1; >+ if (options->second_kbd_interactive_authentication == -1) >+ options->second_kbd_interactive_authentication = 0; >+ if (options->second_zero_knowledge_password_authentication == -1) >+ options->second_zero_knowledge_password_authentication = 0; >+ if (options->second_hostbased_authentication == -1) >+ options->second_hostbased_authentication = 0; > if (options->use_login == -1) > options->use_login = 0; > if (options->compression == -1) >@@ -316,8 +337,11 @@ typedef enum { > sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, > sMaxStartups, sMaxAuthTries, sMaxSessions, > sBanner, sUseDNS, sHostbasedAuthentication, >- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, >- sClientAliveCountMax, sAuthorizedKeysFile, >+ sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication, >+ sSecondPubkeyAuthentication, sSecondGssAuthentication, >+ sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication, >+ sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication, >+ sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, > sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, > sMatch, sPermitOpen, sForceCommand, sChrootDirectory, > sUsePrivilegeSeparation, sAllowAgentForwarding, >@@ -395,6 +419,21 @@ static struct { > #else > { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, > #endif >+ { "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL }, >+ { "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL }, >+#ifdef GSSAPI >+ { "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL }, >+#else >+ { "secondgssapiauthentication", sUnsupported, SSHCFG_ALL }, >+#endif >+ { "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL }, >+ { "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL }, >+#ifdef JPAKE >+ { "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, >+#else >+ { "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, >+#endif >+ { "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL }, > { "checkmail", sDeprecated, SSHCFG_GLOBAL }, > { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, > { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, >@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions > intptr = &options->challenge_response_authentication; > goto parse_flag; > >+ case sTwoFactorAuthentication: >+ intptr = &options->two_factor_authentication; >+ goto parse_flag; >+ >+ case sSecondPubkeyAuthentication: >+ intptr = &options->second_pubkey_authentication; >+ goto parse_flag; >+ >+ case sSecondGssAuthentication: >+ intptr = &options->second_gss_authentication; >+ goto parse_flag; >+ >+ case sSecondPasswordAuthentication: >+ intptr = &options->second_password_authentication; >+ goto parse_flag; >+ >+ case sSecondKbdInteractiveAuthentication: >+ intptr = &options->second_kbd_interactive_authentication; >+ goto parse_flag; >+ >+ case sSecondZeroKnowledgePasswordAuthentication: >+ intptr = &options->second_zero_knowledge_password_authentication; >+ goto parse_flag; >+ >+ case sSecondHostbasedAuthentication: >+ intptr = &options->second_hostbased_authentication; >+ goto parse_flag; >+ > case sPrintMotd: > intptr = &options->print_motd; > goto parse_flag; >@@ -1491,14 +1558,21 @@ void > copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) > { > M_CP_INTOPT(password_authentication); >+ M_CP_INTOPT(second_password_authentication); > M_CP_INTOPT(gss_authentication); >+ M_CP_INTOPT(second_gss_authentication); > M_CP_INTOPT(rsa_authentication); > M_CP_INTOPT(pubkey_authentication); >+ M_CP_INTOPT(second_pubkey_authentication); > M_CP_INTOPT(kerberos_authentication); > M_CP_INTOPT(hostbased_authentication); >+ M_CP_INTOPT(second_hostbased_authentication); > M_CP_INTOPT(hostbased_uses_name_from_packet_only); > M_CP_INTOPT(kbd_interactive_authentication); >+ M_CP_INTOPT(second_kbd_interactive_authentication); > M_CP_INTOPT(zero_knowledge_password_authentication); >+ M_CP_INTOPT(second_zero_knowledge_password_authentication); >+ M_CP_INTOPT(two_factor_authentication); > M_CP_INTOPT(permit_root_login); > M_CP_INTOPT(permit_empty_passwd); > >@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o) > #endif > #ifdef GSSAPI > dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); >+ dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication); > dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); > #endif > #ifdef JPAKE > dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, > o->zero_knowledge_password_authentication); >+ dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication, >+ o->second_zero_knowledge_password_authentication); > #endif > dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); >+ dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication); > dump_cfg_fmtint(sKbdInteractiveAuthentication, > o->kbd_interactive_authentication); >+ dump_cfg_fmtint(sSecondKbdInteractiveAuthentication, >+ o->second_kbd_interactive_authentication); > dump_cfg_fmtint(sChallengeResponseAuthentication, > o->challenge_response_authentication); >+ dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication); > dump_cfg_fmtint(sPrintMotd, o->print_motd); > dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); > dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); >diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h >--- openssh-5.9p1/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200 >+++ openssh-5.9p1/servconf.h 2011-09-17 11:17:57.413540357 +0200 >@@ -112,6 +112,14 @@ typedef struct { > /* If true, permit jpake auth */ > int permit_empty_passwd; /* If false, do not permit empty > * passwords. */ >+ int two_factor_authentication; /* If true, the first sucessful authentication >+ * will be followed by the second one from anorher set */ >+ int second_pubkey_authentication; /* second set of authentications */ >+ int second_gss_authentication; >+ int second_password_authentication; >+ int second_kbd_interactive_authentication; >+ int second_zero_knowledge_password_authentication; >+ int second_hostbased_authentication; > int permit_user_env; /* If true, read ~/.ssh/environment */ > int use_login; /* If true, login(1) is used */ > int compression; /* If true, compression is allowed */ >diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config >--- openssh-5.9p1/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200 >+++ openssh-5.9p1/sshd_config 2011-09-17 11:17:57.508521949 +0200 >@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys > # and ChallengeResponseAuthentication to 'no'. > #UsePAM no > >+#TwoFactorAuthentication no >+#SecondPubkeyAuthentication yes >+#SecondHostbasedAuthentication no >+#SecondPasswordAuthentication yes >+#SecondKBDInteractiveAuthentication yes >+#SecondGSSAPIAuthentication no >+ > #AllowAgentForwarding yes > #AllowTcpForwarding yes > #GatewayPorts no >diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5 >--- openssh-5.9p1/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200 >+++ openssh-5.9p1/sshd_config.5 2011-09-17 11:17:57.622504475 +0200 >@@ -726,6 +726,12 @@ Available keywords are > .Cm PubkeyAuthentication , > .Cm RhostsRSAAuthentication , > .Cm RSAAuthentication , >+.Cm SecondGSSAPIAuthentication , >+.Cm SecondHostbasedAuthentication , >+.Cm SecondKbdInteractiveAuthentication , >+.Cm SecondPasswordAuthentication , >+.Cm SecondPubkeyAuthentication , >+.Cm TwoFactorAuthentication , > .Cm X11DisplayOffset , > .Cm X11Forwarding > and >@@ -931,6 +937,41 @@ Specifies whether pure RSA authenticatio > The default is > .Dq yes . > This option applies to protocol version 1 only. >+.It Cm SecondGSSAPIAuthentication >+Specifies whether the >+.Cm GSSAPIAuthentication >+may be used on the second authentication while >+.Cm TwoFactorAuthentication >+is set. >+The argument must be âyesâ or ânoâ. The default is ânoâ. >+.It Cm SecondHostbasedAuthentication >+Specifies whether the >+.Cm HostbasedAuthentication >+may be used on the second authentication while >+.Cm TwoFactorAuthentication >+is set. >+The argument must be âyesâ or ânoâ. The default is ânoâ. >+.It Cm SecondKbdInteractiveAuthentication >+Specifies whether the >+.Cm KbdInteractiveAuthentication >+may be used on the second authentication while >+.Cm TwoFactorAuthentication >+is set. >+The argument must be âyesâ or ânoâ. The default is ânoâ. >+.It Cm SecondPasswordAuthentication >+Specifies whether the >+.Cm PasswordAuthentication >+may be used on the second authentication while >+.Cm TwoFactorAuthentication >+is set. >+The argument must be âyesâ or ânoâ. The default is âyesâ. >+.It Cm SecondPubkeyAuthentication >+Specifies whether the >+.Cm PubkeyAuthentication >+may be used on the second authentication while >+.Cm TwoFactorAuthentication >+is set. >+The argument must be âyesâ or ânoâ. The default is âyesâ. > .It Cm ServerKeyBits > Defines the number of bits in the ephemeral protocol version 1 server key. > The minimum value is 512, and the default is 1024. >@@ -1011,6 +1052,22 @@ For more details on certificates, see th > .Sx CERTIFICATES > section in > .Xr ssh-keygen 1 . >+.It Cm TwoFactorAuthentication >+Specifies whether for a successful login is necessary to meet two independent authentications. >+If select the first method is selected from the set of allowed methods from >+.Cm GSSAPIAuthentication , >+.Cm HostbasedAuthentication , >+.Cm KbdInteractiveAuthentication , >+.Cm PasswordAuthentication , >+.Cm PubkeyAuthentication . >+And the second method is selected from the set of allowed methods from >+.Cm SecondGSSAPIAuthentication , >+.Cm SecondHostbasedAuthentication , >+.Cm SecondKbdInteractiveAuthentication , >+.Cm SecondPasswordAuthentication , >+.Cm SecondPubkeyAuthentication >+without the method used for the first authentication. >+The argument must be âyesâ or ânoâ. The default is ânoâ. > .It Cm UseDNS > Specifies whether > .Xr sshd 8
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2084">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 983
:
807
|
941
|
1121
|
1122
|
1123
|
1455
|
1518
|
1521
|
1567
|
1667
|
1768
|
1955
|
1999
|
2079
| 2084 |
2096
|
2138
|
2177
|
2178
|
2192
|
2196