Attachment #2096 for bug #983

View | Details | Raw Unified | Return to bug 983 | Differences between

and this patch




}

void
auth_log(Authctxt *authctxt, int authenticated, const char *method,
    const char *submethod, const char *info)
{
	void (*authlog) (const char *fmt,...) = verbose;
	char *authmsg;

	else
		authmsg = authenticated ? "Accepted" : "Failed";

	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
	    authmsg,
	    method,
	    submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
	    authctxt->valid ? "" : "invalid user ",
	    authctxt->user,
	    get_remote_ipaddr(),

 * Check whether root logins are disallowed.
 */
int
auth_root_allowed(const char *method)
{
	switch (options.permit_root_login) {
	case PERMIT_YES:


	return (&fake);
}

int
auth_method_in_list(const char *list, const char *method)
{
	char *cp;

	cp = match_list(method, list, NULL);
	if (cp != NULL) {
		xfree(cp);
		return 1;
	}

	return 0;
}

#define	DELIM	","
int
auth_remove_from_list(char **list, const char *method)
{
	char *oldlist, *cp, *newlist = NULL;
	u_int len = 0, ret = 0;

	if (list == NULL || *list == NULL)
		return (0);

	oldlist = *list;
	len = strlen(oldlist) + 1;
	newlist = xmalloc(len);
	memset(newlist, '\0', len);

	/* Remove method from list, if present */
	for (;;) {
		if ((cp = strsep(&oldlist, DELIM)) == NULL)
			break;
		if (*cp == '\0')
			continue;
		if (strcmp(cp, method) != 0) {
			if (*newlist != '\0')
				strlcat(newlist, DELIM, len);
			strlcat(newlist, cp, len);
		} else
			ret++;
	}

	/* Return NULL instead of empty list */
	if (*newlist == '\0') {
		xfree(newlist);
		newlist = NULL;
	}
	xfree(*list);
	*list = newlist;
	
	return (ret);
}

Lines 142-151 void disable_forwarding(void); Link Here

(-)a/auth.h (-3 / +9 lines)
142	void do_authentication(Authctxt *);	142	void do_authentication(Authctxt *);
143	void do_authentication2(Authctxt *);	143	void do_authentication2(Authctxt *);
144		144
145	void auth_log(Authctxt , int, char , char *);	145	void auth_log(Authctxt , int, const char , const char , const char );
146	void userauth_finish(Authctxt , int, char );	146	void userauth_finish(Authctxt , int, const char , const char *);
		147	int auth_root_allowed(const char *);
		148
147	void userauth_send_banner(const char *);	149	void userauth_send_banner(const char *);
148	int auth_root_allowed(char *);
149		150
150	char *auth2_read_banner(void);	151	char *auth2_read_banner(void);
151		152
Lines 192-197 void auth_debug_send(void); Link Here
192	void auth_debug_reset(void);	193	void auth_debug_reset(void);
193		194
194	struct passwd *fakepw(void);	195	struct passwd *fakepw(void);
		196	int auth_method_in_list(const char , const char );
		197	int auth_remove_from_list(char *, const char );
		198
		199	int auth1_check_required(const char *);
		200	int auth2_check_required(const char *);
195		201
196	int sys_auth_passwd(Authctxt , const char );	202	int sys_auth_passwd(Authctxt , const char );
197		203




	return (NULL);
}

static const struct AuthMethod1 *
lookup_authmethod1_by_name(const char *name)
{
	int i;

	for (i = 0; auth1_methods[i].name != NULL; i++)
		if (strcmp(auth1_methods[i].name, name) == 0)
			return (&(auth1_methods[i]));

	return NULL;
}

#define	DELIM	","
int
auth1_check_required(const char *list)
{
	char *orig_methods, *methods, *cp;
	static const struct AuthMethod1 *m;
	int ret = 0;

	orig_methods = methods = xstrdup(list);
	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
		if ((cp = strsep(&methods, DELIM)) == NULL)
			break;
		debug2("auth1_check_required: method \"%s\"", cp);
		if (*cp == '\0') {
			debug("auth1_check_required: empty method");
			ret = -1;
		}
		if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
			debug("auth1_check_required: unknown method "
			    "\"%s\"", cp);
			ret = -1;
		}
		if (*(m->enabled) == 0) {
			debug("auth1_check_required: method %s explicitly "
			    "disabled", cp);
			ret = -1;
		}
		/* Activate method if it isn't already */
		if (*(m->enabled) == -1)
			*(m->enabled) = 1;
        }
	xfree(orig_methods);
	return (ret);
}


static char *
get_authname(int type)
{

{
	int authenticated = 0;
	char info[1024];
	const char *meth_name;
	int prev = 0, type = 0;
	const struct AuthMethod1 *meth;


	    authctxt->valid ? "" : "invalid user ", authctxt->user);

	/* If the user has no password, accept authentication immediately. */
	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
#ifdef KRB5
	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif

		if (options.use_pam && (PRIVSEP(do_pam_account())))
#endif
		{
			auth_log(authctxt, 1, "without authentication", NULL, "");
			return;
		}
	}

		/* Get a packet from the client. */
		prev = type;
		type = packet_read();
		meth_name = get_authname(type);

		/*
		 * If we started challenge-response authentication but the

		if (authctxt->failures >= options.max_authtries)
			goto skip;
		if ((meth = lookup_authmethod1(type)) == NULL) {
			logit("Unknown message during authentication: type %d",
			    type);
			goto skip;
		}


			goto skip;
		}

		/*
		 * Skip methods not in required list, until all the required
		 * ones are done
		 */
		if (options.required_auth1 != NULL &&
		    !auth_method_in_list(options.required_auth1, meth_name)) {
			debug("Skipping method \"%s\" until required "
			    "authentication completed", meth_name);
			goto skip;
		}

		authenticated = meth->method(authctxt, info, sizeof(info));
		if (authenticated == -1)
			continue; /* "postponed" */


 skip:
		/* Log before sending the reply */
		auth_log(authctxt, authenticated, meth_name, NULL, info);

		/* Loop until the required authmethods are done */
		if (authenticated && options.required_auth1 != NULL) {
			if (auth_remove_from_list(&options.required_auth1,
			    meth_name) != 1)
				fatal("INTERNAL ERROR: authenticated method "
				    "\"%s\" not in required list \"%s\"",
				    meth_name, options.required_auth1);
			debug2("do_authloop: required list now: %s",
			    options.required_auth1 == NULL ?
			    "DONE" : options.required_auth1);
			if (options.required_auth1 == NULL)
				return;
			authenticated = 0;
			/*
			 * Disable method so client can't authenticate with it
			 * after the required authentications are complete.
			 */
			*(meth->enabled) = 0;
			packet_send_debug("Further authentication required");
			goto send_fail;
		}

		if (client_user != NULL) {
			xfree(client_user);

#endif
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
		}
 send_fail:

		packet_start(SSH_SMSG_FAILURE);
		packet_send();

Lines 341-348 input_userauth_info_response(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/auth2-chall.c (-2 / +2 lines)
341	auth2_challenge_start(authctxt);	341	auth2_challenge_start(authctxt);
342	}	342	}
343	}	343	}
344	userauth_finish(authctxt, authenticated, method);	344	userauth_finish(authctxt, authenticated, "keyboard-interactive",
345	xfree(method);	345	kbdintctxt->device?kbdintctxt->device->name:NULL);
346	}	346	}
347		347
348	void	348	void




		}
		authctxt->postponed = 0;
		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
	} else {
		if (send_tok.length != 0) {
			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);

	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}

static void

	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}

Authmethod method_gssapi = {

Lines 61-67 userauth_none(Authctxt *authctxt) Link Here

(-)a/auth2-none.c (-1 / +1 lines)
61	{	61	{
62	none_enabled = 0;	62	none_enabled = 0;
63	packet_check_eom();	63	packet_check_eom();
64	if (options.permit_empty_passwd && options.password_authentication)	64	if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
65	return (PRIVSEP(auth_password(authctxt, "")));	65	return (PRIVSEP(auth_password(authctxt, "")));
66	return (0);	66	return (0);
67	}	67	}

Lines 215-221 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/auth2.c (-12 / +94 lines)
215	{	215	{
216	Authctxt *authctxt = ctxt;	216	Authctxt *authctxt = ctxt;
217	Authmethod *m = NULL;	217	Authmethod *m = NULL;
218	char user, service, method, style = NULL;	218	char user, service, method, active_methods, *style = NULL;
219	int authenticated = 0;	219	int authenticated = 0;
220		220
221	if (authctxt == NULL)	221	if (authctxt == NULL)
Lines 277-298 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here
277	authctxt->server_caused_failure = 0;	277	authctxt->server_caused_failure = 0;
278		278
279	/* try to authenticate user */	279	/* try to authenticate user */
280	m = authmethod_lookup(method);	280	active_methods = authmethods_get();
281	if (m != NULL && authctxt->failures < options.max_authtries) {	281	if (strcmp(method, "none") == 0 \|\|
282	debug2("input_userauth_request: try method %s", method);	282	auth_method_in_list(active_methods, method)) {
283	authenticated = m->userauth(authctxt);	283	m = authmethod_lookup(method);
284	}	284	if (m != NULL) {
285	userauth_finish(authctxt, authenticated, method);	285	debug2("input_userauth_request: try method %s", method);
		286	authenticated = m->userauth(authctxt);
		287	}
286		288
		289	}
		290	xfree(active_methods);
		291	userauth_finish(authctxt, authenticated, method, NULL);
		292
287	xfree(service);	293	xfree(service);
288	xfree(user);	294	xfree(user);
289	xfree(method);	295	xfree(method);
290	}	296	}
291		297
292	void	298	void
293	userauth_finish(Authctxt authctxt, int authenticated, char method)	299	userauth_finish(Authctxt authctxt, int authenticated, const char method,
		300	const char *submethod)
294	{	301	{
295	char *methods;	302	char *methods;
		303	Authmethod *m = NULL;
		304	u_int partial = 0;
296		305
297	if (!authctxt->valid && authenticated)	306	if (!authctxt->valid && authenticated)
298	fatal("INTERNAL ERROR: authenticated invalid user %s",	307	fatal("INTERNAL ERROR: authenticated invalid user %s",
Lines 330-341 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
330	#endif /* _UNICOS */	339	#endif /* _UNICOS */
331		340
332	/* Log before sending the reply */	341	/* Log before sending the reply */
333	auth_log(authctxt, authenticated, method, " ssh2");	342	auth_log(authctxt, authenticated, method, submethod, " ssh2");
334		343
335	if (authctxt->postponed)	344	if (authctxt->postponed)
336	return;	345	return;
337		346
338	/* XXX todo: check if multiple auth methods are needed */	347	/* Handle RequiredAuthentications2: loop until required methods done */
		348	if (authenticated && options.required_auth2 != NULL) {
		349	if ((m = authmethod_lookup(method)) == NULL)
		350	fatal("INTERNAL ERROR: authenticated method "
		351	"\"%s\" unknown", method);
		352	if (auth_remove_from_list(&options.required_auth2, method) != 1)
		353	fatal("INTERNAL ERROR: authenticated method "
		354	"\"%s\" not in required list \"%s\"",
		355	method, options.required_auth2);
		356	debug2("userauth_finish: required list now: %s",
		357	options.required_auth2 == NULL ?
		358	"DONE" : options.required_auth2);
		359	/*
		360	* if authenticated and no more required methods
		361	* then declare success
		362	*/
		363	if ( authenticated && options.required_auth2 == NULL ) {
		364	debug2("userauth_finish: authenticated and no more required methods");
		365	} else {
		366	/*
		367	* Disable method so client can't authenticate with it after
		368	* the required authentications are complete.
		369	*/
		370	if (m->enabled != NULL)
		371	*(m->enabled) = 0;
		372	authenticated = 0;
		373	partial = 1;
		374	goto send_fail;
		375	}
		376	}
		377
339	if (authenticated == 1) {	378	if (authenticated == 1) {
340	/* turn off userauth */	379	/* turn off userauth */
341	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);	380	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
Lines 345-351 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
345	/* now we can break out */	384	/* now we can break out */
346	authctxt->success = 1;	385	authctxt->success = 1;
347	} else {	386	} else {
348
349	/* Allow initial try of "none" auth without failure penalty */	387	/* Allow initial try of "none" auth without failure penalty */
350	if (!authctxt->server_caused_failure &&	388	if (!authctxt->server_caused_failure &&
351	(authctxt->attempt > 1 \|\| strcmp(method, "none") != 0))	389	(authctxt->attempt > 1 \|\| strcmp(method, "none") != 0))
Lines 356-365 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
356	#endif	394	#endif
357	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	395	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
358	}	396	}
		397	send_fail:
359	methods = authmethods_get();	398	methods = authmethods_get();
360	packet_start(SSH2_MSG_USERAUTH_FAILURE);	399	packet_start(SSH2_MSG_USERAUTH_FAILURE);
361	packet_put_cstring(methods);	400	packet_put_cstring(methods);
362	packet_put_char(0); /* XXX partial success, unused */	401	packet_put_char(partial);
363	packet_send();	402	packet_send();
364	packet_write_wait();	403	packet_write_wait();
365	xfree(methods);	404	xfree(methods);
Lines 373-378 authmethods_get(void) Link Here
373	char *list;	412	char *list;
374	int i;	413	int i;
375		414
		415	if (options.required_auth2 != NULL)
		416	return xstrdup(options.required_auth2);
		417
376	buffer_init(&b);	418	buffer_init(&b);
377	for (i = 0; authmethods[i] != NULL; i++) {	419	for (i = 0; authmethods[i] != NULL; i++) {
378	if (strcmp(authmethods[i]->name, "none") == 0)	420	if (strcmp(authmethods[i]->name, "none") == 0)
Lines 407-409 authmethod_lookup(const char *name) Link Here
407	return NULL;	449	return NULL;
408	}	450	}
409		451
		452	#define DELIM ","
		453
		454	int
		455	auth2_check_required(const char *list)
		456	{
		457	char orig_methods, methods, *cp;
		458	struct Authmethod *m;
		459	int i, ret = 0;
		460
		461	orig_methods = methods = xstrdup(list);
		462	for(;;) {
		463	if ((cp = strsep(&methods, DELIM)) == NULL)
		464	break;
		465	debug2("auth2_check_required: method \"%s\"", cp);
		466	if (*cp == '\0') {
		467	debug("auth2_check_required: empty method");
		468	ret = -1;
		469	}
		470	for (i = 0; authmethods[i] != NULL; i++)
		471	if (strcmp(cp, authmethods[i]->name) == 0)
		472	break;
		473	if ((m = authmethods[i]) == NULL) {
		474	debug("auth2_check_required: unknown method "
		475	"\"%s\"", cp);
		476	ret = -1;
		477	break;
		478	}
		479	if (m->enabled == NULL \|\| *(m->enabled) == 0) {
		480	debug("auth2_check_required: method %s explicitly "
		481	"disabled", cp);
		482	ret = -1;
		483	}
		484	/* Activate method if it isn't already */
		485	if (*(m->enabled) == -1)
		486	*(m->enabled) = 1;
		487	}
		488	xfree(orig_methods);
		489	return (ret);
		490	}
		491




static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
static char *auth_method = "unknown";
static char *auth_submethod = NULL;
static u_int session_id2_len = 0;
static u_char *session_id2 = NULL;
static pid_t monitor_child_pid;

monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
{
	struct mon_table *ent;
	int no_increment, authenticated = 0;
	char **req_auth;

	debug3("preauth child monitor started");



	if (compat20) {
		mon_dispatch = mon_dispatch_proto20;
		req_auth = &options.required_auth2;

		/* Permit requests for moduli and signatures */
		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
	} else {
		mon_dispatch = mon_dispatch_proto15;
		req_auth = &options.required_auth1;

		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
	}

	/* The first few requests do not require asynchronous access */
	while (!authenticated) {
		auth_method = "unknown";
		auth_submethod = NULL;
		no_increment = 1;
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
		if (authenticated) {
			if (!(ent->flags & MON_AUTHDECIDE))

			}
#endif
		}
		/* Loop until the required authmethods are done */
		if (authenticated && *req_auth != NULL) {
			if (auth_remove_from_list(req_auth, auth_method) != 1)
				fatal("INTERNAL ERROR: authenticated method "
				    "\"%s\" not in required list \"%s\"",
				    auth_method, *req_auth);
			debug2("monitor_child_preauth: required list now: %s",
			    *req_auth == NULL ? "DONE" : *req_auth);
			if (*req_auth != NULL)
				authenticated = 0;
			no_increment = 1;
		}

		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
			auth_log(authctxt, authenticated, auth_method,
				 auth_submethod, compat20 ? " ssh2" : "");
			if (!authenticated && !no_increment)
				authctxt->failures++;
		}
#ifdef JPAKE

		auth_method = "none";
	else
		auth_method = "password";
	auth_submethod = NULL;

	/* Causes monitor loop to terminate if authenticated */
	return (authenticated);

	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);

	auth_method = "bsdauth";
	auth_submethod = NULL;

	return (authok != 0);
}

	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);

	auth_method = "skey";
	auth_submethod = NULL;

	return (authok != 0);
}

		xfree(prompts);
	if (echo_on != NULL)
		xfree(echo_on);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
	return (0);
}

	buffer_clear(m);
	buffer_put_int(m, ret);
	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	if (ret == 0)
		sshpam_authok = sshpam_ctxt;
	return (0);

	(sshpam_device.free_ctx)(sshpam_ctxt);
	buffer_clear(m);
	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	return (sshpam_authok == sshpam_ctxt);
}
#endif

			allowed = options.pubkey_authentication &&
			    user_key_allowed(authctxt->pw, key);
			auth_method = "publickey";
			auth_submethod = NULL;
			if (options.pubkey_authentication && allowed != 1)
				auth_clear_options();
			break;

			    hostbased_key_allowed(authctxt->pw,
			    cuser, chost, key);
			auth_method = "hostbased";
			auth_submethod = NULL;
			break;
		case MM_RSAHOSTKEY:
			key->type = KEY_RSA1; /* XXX */

			if (options.rhosts_rsa_authentication && allowed != 1)
				auth_clear_options();
			auth_method = "rsa";
			auth_submethod = NULL;
			break;
		default:
			fatal("%s: unknown key type %d", __func__, type);

		hostbased_chost = chost;
	} else {
		/* Log failed attempt */
		auth_log(authctxt, 0, auth_method, auth_submethod,
		    compat20 ? " ssh2" : "");
		xfree(blob);
		xfree(cuser);
		xfree(chost);

	xfree(data);

	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
	auth_submethod = NULL;

	monitor_reset_key_state();


	debug3("%s entering", __func__);

	auth_method = "rsa";
	auth_submethod = NULL;
	if (options.rsa_authentication && authctxt->valid) {
		if ((client_n = BN_new()) == NULL)
			fatal("%s: BN_new", __func__);

	xfree(response);

	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
	auth_submethod = NULL;

	/* reset state */
	BN_clear_free(ssh1_challenge);

	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);

	auth_method = "gssapi-with-mic";
	auth_submethod = NULL;

	/* Monitor loop will terminate if authenticated */
	return (authenticated);

	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);

	auth_method = "jpake-01@openssh.com";
	auth_submethod = NULL;
	return authenticated;
}


Lines 42-47 Link Here

(-)a/servconf.c (+34 lines)
42	#include "key.h"	42	#include "key.h"
43	#include "kex.h"	43	#include "kex.h"
44	#include "mac.h"	44	#include "mac.h"
		45	#include "hostfile.h"
		46	#include "auth.h"
45	#include "match.h"	47	#include "match.h"
46	#include "channels.h"	48	#include "channels.h"
47	#include "groupaccess.h"	49	#include "groupaccess.h"
Lines 129-134 initialize_server_options(ServerOptions *options) Link Here
129	options->num_authkeys_files = 0;	131	options->num_authkeys_files = 0;
130	options->num_accept_env = 0;	132	options->num_accept_env = 0;
131	options->permit_tun = -1;	133	options->permit_tun = -1;
		134	options->required_auth1 = NULL;
		135	options->required_auth2 = NULL;
132	options->num_permitted_opens = -1;	136	options->num_permitted_opens = -1;
133	options->adm_forced_command = NULL;	137	options->adm_forced_command = NULL;
134	options->chroot_directory = NULL;	138	options->chroot_directory = NULL;
Lines 319-324 typedef enum { Link Here
319	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	323	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
320	sClientAliveCountMax, sAuthorizedKeysFile,	324	sClientAliveCountMax, sAuthorizedKeysFile,
321	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,	325	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
		326	sRequiredAuthentications1, sRequiredAuthentications2,
322	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	327	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
323	sUsePrivilegeSeparation, sAllowAgentForwarding,	328	sUsePrivilegeSeparation, sAllowAgentForwarding,
324	sZeroKnowledgePasswordAuthentication, sHostCertificate,	329	sZeroKnowledgePasswordAuthentication, sHostCertificate,
Lines 447-452 static struct { Link Here
447	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },	452	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
448	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },	453	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
449	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },	454	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
		455	{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
		456	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
450	{ "ipqos", sIPQoS, SSHCFG_ALL },	457	{ "ipqos", sIPQoS, SSHCFG_ALL },
451	{ NULL, sBadOption, 0 }	458	{ NULL, sBadOption, 0 }
452	};	459	};
Lines 1220-1225 process_server_config_line(ServerOptions options, char line, Link Here
1220	options->max_startups = options->max_startups_begin;	1227	options->max_startups = options->max_startups_begin;
1221	break;	1228	break;
1222		1229
		1230
		1231	case sRequiredAuthentications1:
		1232	charptr = &options->required_auth1;
		1233	arg = strdelim(&cp);
		1234	if (auth1_check_required(arg) != 0)
		1235	fatal("%.200s line %d: Invalid required authentication "
		1236	"list", filename, linenum);
		1237	if (!arg \|\| *arg == '\0')
		1238	fatal("%.200s line %d: Missing argument.",
		1239	filename, linenum);
		1240	if (*charptr == NULL)
		1241	*charptr = xstrdup(arg);
		1242	break;
		1243
		1244	case sRequiredAuthentications2:
		1245	charptr = &options->required_auth2;
		1246	arg = strdelim(&cp);
		1247	if (auth2_check_required(arg) != 0)
		1248	fatal("%.200s line %d: Invalid required authentication "
		1249	"list", filename, linenum);
		1250	if (!arg \|\| *arg == '\0')
		1251	fatal("%.200s line %d: Missing argument.",
		1252	filename, linenum);
		1253	if (*charptr == NULL)
		1254	*charptr = xstrdup(arg);
		1255	break;
		1256
1223	case sMaxAuthTries:	1257	case sMaxAuthTries:
1224	intptr = &options->max_authtries;	1258	intptr = &options->max_authtries;
1225	goto parse_int;	1259	goto parse_int;

Lines 154-159 typedef struct { Link Here

(-)a/servconf.h (+3 lines)
154	u_int num_authkeys_files; /* Files containing public keys */	154	u_int num_authkeys_files; /* Files containing public keys */
155	char *authorized_keys_files[MAX_AUTHKEYS_FILES];	155	char *authorized_keys_files[MAX_AUTHKEYS_FILES];
156		156
		157	char required_auth1; / Required, but not sufficient */
		158	char *required_auth2;
		159
157	char *adm_forced_command;	160	char *adm_forced_command;
158		161
159	int use_pam; /* Enable auth via PAM */	162	int use_pam; /* Enable auth via PAM */




Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSAPIAuthentication ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,

.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm RequiredMethods1,
.Cm RequiredMethods2,
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,

.Cm X11Forwarding
and
.Cm X11UseLocalHost .
.It Cm RequiredMethods[12]
 Requires two authentication methods to succeed before authorizing the connection.
 (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

 RequiredAuthentications1 method[,method...] 
 RequiredAuthentications2 method[,method...]

.Pp
Example 1:

 RequiredAuthentications2 password,hostbased

Example 2:
 RequiredAuthentications2 publickey,password

.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.

Specifies whether public key authentication is allowed.
The default is
.Dq yes .
.It Cm RequiredMethods[12]
 Requires two authentication methods to succeed before authorizing the connection.
 (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

 RequiredAuthentications1 method[,method...] 
 RequiredAuthentications2 method[,method...]

.Pp
Example 1:

 RequiredAuthentications2 password,hostbased

Example 2:
 RequiredAuthentications2 publickey,password

.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.

.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
Keys are listed one per line; empty lines and comments starting with
.Ql #
are allowed.
If a certificate is presented for authentication and has its signing CA key
listed in this file, then it may be used for authentication for any user
listed in the certificate's principals list.
Note that certificates that lack a list of principals will not be permitted
for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the
.Sx CERTIFICATES
section in
.Xr ssh-keygen 1 .
.It Cm UseDNS
Specifies whether
.Xr sshd 8

Return to bug 983

Lines 705-719 keyword. Link Here

(-)a/sshd_config.5 (-26 / +32 lines)
705	Available keywords are	705	Available keywords are
706	.Cm AllowAgentForwarding ,	706	.Cm AllowAgentForwarding ,
707	.Cm AllowTcpForwarding ,	707	.Cm AllowTcpForwarding ,
708	.Cm AuthorizedKeysFile ,
709	.Cm AuthorizedPrincipalsFile ,
710	.Cm Banner ,	708	.Cm Banner ,
711	.Cm ChrootDirectory ,	709	.Cm ChrootDirectory ,
712	.Cm ForceCommand ,	710	.Cm ForceCommand ,
713	.Cm GatewayPorts ,	711	.Cm GatewayPorts ,
714	.Cm GSSAPIAuthentication ,	712	.Cm GSSAPIAuthentication ,
715	.Cm HostbasedAuthentication ,	713	.Cm HostbasedAuthentication ,
716	.Cm HostbasedUsesNameFromPacketOnly ,
717	.Cm KbdInteractiveAuthentication ,	714	.Cm KbdInteractiveAuthentication ,
718	.Cm KerberosAuthentication ,	715	.Cm KerberosAuthentication ,
719	.Cm MaxAuthTries ,	716	.Cm MaxAuthTries ,
Lines 722-728 Available keywords are Link Here
722	.Cm PermitEmptyPasswords ,	719	.Cm PermitEmptyPasswords ,
723	.Cm PermitOpen ,	720	.Cm PermitOpen ,
724	.Cm PermitRootLogin ,	721	.Cm PermitRootLogin ,
725	.Cm PermitTunnel ,	722	.Cm RequiredMethods1,
		723	.Cm RequiredMethods2,
726	.Cm PubkeyAuthentication ,	724	.Cm PubkeyAuthentication ,
727	.Cm RhostsRSAAuthentication ,	725	.Cm RhostsRSAAuthentication ,
728	.Cm RSAAuthentication ,	726	.Cm RSAAuthentication ,
Lines 730-735 Available keywords are Link Here
730	.Cm X11Forwarding	728	.Cm X11Forwarding
731	and	729	and
732	.Cm X11UseLocalHost .	730	.Cm X11UseLocalHost .
		731	.It Cm RequiredMethods[12]
		732	Requires two authentication methods to succeed before authorizing the connection.
		733	(RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
		734
		735	RequiredAuthentications1 method[,method...]
		736	RequiredAuthentications2 method[,method...]
		737
		738	.Pp
		739	Example 1:
		740
		741	RequiredAuthentications2 password,hostbased
		742
		743	Example 2:
		744	RequiredAuthentications2 publickey,password
		745
733	.It Cm MaxAuthTries	746	.It Cm MaxAuthTries
734	Specifies the maximum number of authentication attempts permitted per	747	Specifies the maximum number of authentication attempts permitted per
735	connection.	748	connection.
Lines 914-925 is identical to Link Here
914	Specifies whether public key authentication is allowed.	927	Specifies whether public key authentication is allowed.
915	The default is	928	The default is
916	.Dq yes .	929	.Dq yes .
917	Note that this option applies to protocol version 2 only.	930	.It Cm RequiredMethods[12]
918	.It Cm RevokedKeys	931	Requires two authentication methods to succeed before authorizing the connection.
919	Specifies a list of revoked public keys.	932	(RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
920	Keys listed in this file will be refused for public key authentication.	933
921	Note that if this file is not readable, then public key authentication will	934	RequiredAuthentications1 method[,method...]
922	be refused for all users.	935	RequiredAuthentications2 method[,method...]
		936
		937	.Pp
		938	Example 1:
		939
		940	RequiredAuthentications2 password,hostbased
		941
		942	Example 2:
		943	RequiredAuthentications2 publickey,password
		944
923	.It Cm RhostsRSAAuthentication	945	.It Cm RhostsRSAAuthentication
924	Specifies whether rhosts or /etc/hosts.equiv authentication together	946	Specifies whether rhosts or /etc/hosts.equiv authentication together
925	with successful RSA host authentication is allowed.	947	with successful RSA host authentication is allowed.
Lines 995-1016 This avoids infinitely hanging sessions. Link Here
995	.Pp	1017	.Pp
996	To disable TCP keepalive messages, the value should be set to	1018	To disable TCP keepalive messages, the value should be set to
997	.Dq no .	1019	.Dq no .
998	.It Cm TrustedUserCAKeys
999	Specifies a file containing public keys of certificate authorities that are
1000	trusted to sign user certificates for authentication.
1001	Keys are listed one per line; empty lines and comments starting with
1002	.Ql #
1003	are allowed.
1004	If a certificate is presented for authentication and has its signing CA key
1005	listed in this file, then it may be used for authentication for any user
1006	listed in the certificate's principals list.
1007	Note that certificates that lack a list of principals will not be permitted
1008	for authentication using
1009	.Cm TrustedUserCAKeys .
1010	For more details on certificates, see the
1011	.Sx CERTIFICATES
1012	section in
1013	.Xr ssh-keygen 1 .
1014	.It Cm UseDNS	1020	.It Cm UseDNS
1015	Specifies whether	1021	Specifies whether
1016	.Xr sshd 8	1022	.Xr sshd 8

Lines 251-257 allowed_user(struct passwd * pw) Link Here

(-)a/auth.c (-3 / +59 lines)
251	}	251	}
252		252
253	void	253	void
254	auth_log(Authctxt authctxt, int authenticated, char method, char *info)	254	auth_log(Authctxt authctxt, int authenticated, const char method,
		255	const char submethod, const char info)
255	{	256	{
256	void (authlog) (const char fmt,...) = verbose;	257	void (authlog) (const char fmt,...) = verbose;
257	char *authmsg;	258	char *authmsg;
Lines 271-279 auth_log(Authctxt authctxt, int authenticated, char method, char *info) Link Here
271	else	272	else
272	authmsg = authenticated ? "Accepted" : "Failed";	273	authmsg = authenticated ? "Accepted" : "Failed";
273		274
274	authlog("%s %s for %s%.100s from %.200s port %d%s",	275	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
275	authmsg,	276	authmsg,
276	method,	277	method,
		278	submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
277	authctxt->valid ? "" : "invalid user ",	279	authctxt->valid ? "" : "invalid user ",
278	authctxt->user,	280	authctxt->user,
279	get_remote_ipaddr(),	281	get_remote_ipaddr(),
Lines 303-309 auth_log(Authctxt authctxt, int authenticated, char method, char *info) Link Here
303	* Check whether root logins are disallowed.	305	* Check whether root logins are disallowed.
304	*/	306	*/
305	int	307	int
306	auth_root_allowed(char *method)	308	auth_root_allowed(const char *method)
307	{	309	{
308	switch (options.permit_root_login) {	310	switch (options.permit_root_login) {
309	case PERMIT_YES:	311	case PERMIT_YES:
Lines 693-695 fakepw(void) Link Here
693		695
694	return (&fake);	696	return (&fake);
695	}	697	}
		698
		699	int
		700	auth_method_in_list(const char list, const char method)
		701	{
		702	char *cp;
		703
		704	cp = match_list(method, list, NULL);
		705	if (cp != NULL) {
		706	xfree(cp);
		707	return 1;
		708	}
		709
		710	return 0;
		711	}
		712
		713	#define DELIM ","
		714	int
		715	auth_remove_from_list(char *list, const char method)
		716	{
		717	char oldlist, cp, *newlist = NULL;
		718	u_int len = 0, ret = 0;
		719
		720	if (list == NULL \|\| *list == NULL)
		721	return (0);
		722
		723	oldlist = *list;
		724	len = strlen(oldlist) + 1;
		725	newlist = xmalloc(len);
		726	memset(newlist, '\0', len);
		727
		728	/* Remove method from list, if present */
		729	for (;;) {
		730	if ((cp = strsep(&oldlist, DELIM)) == NULL)
		731	break;
		732	if (*cp == '\0')
		733	continue;
		734	if (strcmp(cp, method) != 0) {
		735	if (*newlist != '\0')
		736	strlcat(newlist, DELIM, len);
		737	strlcat(newlist, cp, len);
		738	} else
		739	ret++;
		740	}
		741
		742	/* Return NULL instead of empty list */
		743	if (*newlist == '\0') {
		744	xfree(newlist);
		745	newlist = NULL;
		746	}
		747	xfree(*list);
		748	*list = newlist;
		749
		750	return (ret);
		751	}

Lines 98-103 static const struct AuthMethod1 Link Here

(-)a/auth1.c (-5 / +89 lines)
98	return (NULL);	98	return (NULL);
99	}	99	}
100		100
		101	static const struct AuthMethod1 *
		102	lookup_authmethod1_by_name(const char *name)
		103	{
		104	int i;
		105
		106	for (i = 0; auth1_methods[i].name != NULL; i++)
		107	if (strcmp(auth1_methods[i].name, name) == 0)
		108	return (&(auth1_methods[i]));
		109
		110	return NULL;
		111	}
		112
		113	#define DELIM ","
		114	int
		115	auth1_check_required(const char *list)
		116	{
		117	char orig_methods, methods, *cp;
		118	static const struct AuthMethod1 *m;
		119	int ret = 0;
		120
		121	orig_methods = methods = xstrdup(list);
		122	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
		123	if ((cp = strsep(&methods, DELIM)) == NULL)
		124	break;
		125	debug2("auth1_check_required: method \"%s\"", cp);
		126	if (*cp == '\0') {
		127	debug("auth1_check_required: empty method");
		128	ret = -1;
		129	}
		130	if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
		131	debug("auth1_check_required: unknown method "
		132	"\"%s\"", cp);
		133	ret = -1;
		134	}
		135	if (*(m->enabled) == 0) {
		136	debug("auth1_check_required: method %s explicitly "
		137	"disabled", cp);
		138	ret = -1;
		139	}
		140	/* Activate method if it isn't already */
		141	if (*(m->enabled) == -1)
		142	*(m->enabled) = 1;
		143	}
		144	xfree(orig_methods);
		145	return (ret);
		146	}
		147
		148
101	static char *	149	static char *
102	get_authname(int type)	150	get_authname(int type)
103	{	151	{
Lines 237-242 do_authloop(Authctxt *authctxt) Link Here
237	{	285	{
238	int authenticated = 0;	286	int authenticated = 0;
239	char info[1024];	287	char info[1024];
		288	const char *meth_name;
240	int prev = 0, type = 0;	289	int prev = 0, type = 0;
241	const struct AuthMethod1 *meth;	290	const struct AuthMethod1 *meth;
242		291
Lines 244-250 do_authloop(Authctxt *authctxt) Link Here
244	authctxt->valid ? "" : "invalid user ", authctxt->user);	293	authctxt->valid ? "" : "invalid user ", authctxt->user);
245		294
246	/* If the user has no password, accept authentication immediately. */	295	/* If the user has no password, accept authentication immediately. */
247	if (options.permit_empty_passwd && options.password_authentication &&	296	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
248	#ifdef KRB5	297	#ifdef KRB5
249	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&	298	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&
250	#endif	299	#endif
Lines 253-259 do_authloop(Authctxt *authctxt) Link Here
253	if (options.use_pam && (PRIVSEP(do_pam_account())))	302	if (options.use_pam && (PRIVSEP(do_pam_account())))
254	#endif	303	#endif
255	{	304	{
256	auth_log(authctxt, 1, "without authentication", "");	305	auth_log(authctxt, 1, "without authentication", NULL, "");
257	return;	306	return;
258	}	307	}
259	}	308	}
Lines 272-277 do_authloop(Authctxt *authctxt) Link Here
272	/* Get a packet from the client. */	321	/* Get a packet from the client. */
273	prev = type;	322	prev = type;
274	type = packet_read();	323	type = packet_read();
		324	meth_name = get_authname(type);
275		325
276	/*	326	/*
277	* If we started challenge-response authentication but the	327	* If we started challenge-response authentication but the
Lines 287-294 do_authloop(Authctxt *authctxt) Link Here
287	if (authctxt->failures >= options.max_authtries)	337	if (authctxt->failures >= options.max_authtries)
288	goto skip;	338	goto skip;
289	if ((meth = lookup_authmethod1(type)) == NULL) {	339	if ((meth = lookup_authmethod1(type)) == NULL) {
290	logit("Unknown message during authentication: "	340	logit("Unknown message during authentication: type %d",
291	"type %d", type);	341	type);
292	goto skip;	342	goto skip;
293	}	343	}
294		344
Lines 297-302 do_authloop(Authctxt *authctxt) Link Here
297	goto skip;	347	goto skip;
298	}	348	}
299		349
		350	/*
		351	* Skip methods not in required list, until all the required
		352	* ones are done
		353	*/
		354	if (options.required_auth1 != NULL &&
		355	!auth_method_in_list(options.required_auth1, meth_name)) {
		356	debug("Skipping method \"%s\" until required "
		357	"authentication completed", meth_name);
		358	goto skip;
		359	}
		360
300	authenticated = meth->method(authctxt, info, sizeof(info));	361	authenticated = meth->method(authctxt, info, sizeof(info));
301	if (authenticated == -1)	362	if (authenticated == -1)
302	continue; /* "postponed" */	363	continue; /* "postponed" */
Lines 352-358 do_authloop(Authctxt *authctxt) Link Here
352		413
353	skip:	414	skip:
354	/* Log before sending the reply */	415	/* Log before sending the reply */
355	auth_log(authctxt, authenticated, get_authname(type), info);	416	auth_log(authctxt, authenticated, meth_name, NULL, info);
		417
		418	/* Loop until the required authmethods are done */
		419	if (authenticated && options.required_auth1 != NULL) {
		420	if (auth_remove_from_list(&options.required_auth1,
		421	meth_name) != 1)
		422	fatal("INTERNAL ERROR: authenticated method "
		423	"\"%s\" not in required list \"%s\"",
		424	meth_name, options.required_auth1);
		425	debug2("do_authloop: required list now: %s",
		426	options.required_auth1 == NULL ?
		427	"DONE" : options.required_auth1);
		428	if (options.required_auth1 == NULL)
		429	return;
		430	authenticated = 0;
		431	/*
		432	* Disable method so client can't authenticate with it
		433	* after the required authentications are complete.
		434	*/
		435	*(meth->enabled) = 0;
		436	packet_send_debug("Further authentication required");
		437	goto send_fail;
		438	}
356		439
357	if (client_user != NULL) {	440	if (client_user != NULL) {
358	xfree(client_user);	441	xfree(client_user);
Lines 368-373 do_authloop(Authctxt *authctxt) Link Here
368	#endif	451	#endif
369	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	452	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
370	}	453	}
		454	send_fail:
371		455
372	packet_start(SSH_SMSG_FAILURE);	456	packet_start(SSH_SMSG_FAILURE);
373	packet_send();	457	packet_send();

Lines 163-169 input_gssapi_token(int type, u_int32_t plen, void *ctxt) Link Here

(-)a/auth2-gss.c (-3 / +3 lines)
163	}	163	}
164	authctxt->postponed = 0;	164	authctxt->postponed = 0;
165	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);	165	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
166	userauth_finish(authctxt, 0, "gssapi-with-mic");	166	userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
167	} else {	167	} else {
168	if (send_tok.length != 0) {	168	if (send_tok.length != 0) {
169	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);	169	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
Lines 251-257 input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) Link Here
251	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	251	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
252	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);	252	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
253	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);	253	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
254	userauth_finish(authctxt, authenticated, "gssapi-with-mic");	254	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
255	}	255	}
256		256
257	static void	257	static void
Lines 291-297 input_gssapi_mic(int type, u_int32_t plen, void *ctxt) Link Here
291	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	291	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
292	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);	292	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
293	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);	293	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
294	userauth_finish(authctxt, authenticated, "gssapi-with-mic");	294	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
295	}	295	}
296		296
297	Authmethod method_gssapi = {	297	Authmethod method_gssapi = {

Lines 199-204 static int key_blobtype = MM_NOKEY; Link Here

(-)a/monitor.c (-7 / +40 lines)
199	static char *hostbased_cuser = NULL;	199	static char *hostbased_cuser = NULL;
200	static char *hostbased_chost = NULL;	200	static char *hostbased_chost = NULL;
201	static char *auth_method = "unknown";	201	static char *auth_method = "unknown";
		202	static char *auth_submethod = NULL;
202	static u_int session_id2_len = 0;	203	static u_int session_id2_len = 0;
203	static u_char *session_id2 = NULL;	204	static u_char *session_id2 = NULL;
204	static pid_t monitor_child_pid;	205	static pid_t monitor_child_pid;
Lines 352-358 void Link Here
352	monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)	353	monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
353	{	354	{
354	struct mon_table *ent;	355	struct mon_table *ent;
355	int authenticated = 0;	356	int no_increment, authenticated = 0;
		357	char **req_auth;
356		358
357	debug3("preauth child monitor started");	359	debug3("preauth child monitor started");
358		360
Lines 367-378 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
367		369
368	if (compat20) {	370	if (compat20) {
369	mon_dispatch = mon_dispatch_proto20;	371	mon_dispatch = mon_dispatch_proto20;
		372	req_auth = &options.required_auth2;
370		373
371	/* Permit requests for moduli and signatures */	374	/* Permit requests for moduli and signatures */
372	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	375	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
373	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	376	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
374	} else {	377	} else {
375	mon_dispatch = mon_dispatch_proto15;	378	mon_dispatch = mon_dispatch_proto15;
		379	req_auth = &options.required_auth1;
376		380
377	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);	381	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
378	}	382	}
Lines 380-385 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
380	/* The first few requests do not require asynchronous access */	384	/* The first few requests do not require asynchronous access */
381	while (!authenticated) {	385	while (!authenticated) {
382	auth_method = "unknown";	386	auth_method = "unknown";
		387	auth_submethod = NULL;
		388	no_increment = 1;
383	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);	389	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
384	if (authenticated) {	390	if (authenticated) {
385	if (!(ent->flags & MON_AUTHDECIDE))	391	if (!(ent->flags & MON_AUTHDECIDE))
Lines 401-411 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
401	}	407	}
402	#endif	408	#endif
403	}	409	}
		410	/* Loop until the required authmethods are done */
		411	if (authenticated && *req_auth != NULL) {
		412	if (auth_remove_from_list(req_auth, auth_method) != 1)
		413	fatal("INTERNAL ERROR: authenticated method "
		414	"\"%s\" not in required list \"%s\"",
		415	auth_method, *req_auth);
		416	debug2("monitor_child_preauth: required list now: %s",
		417	req_auth == NULL ? "DONE" : req_auth);
		418	if (*req_auth != NULL)
		419	authenticated = 0;
		420	no_increment = 1;
		421	}
404		422
405	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {	423	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {
406	auth_log(authctxt, authenticated, auth_method,	424	auth_log(authctxt, authenticated, auth_method,
407	compat20 ? " ssh2" : "");	425	auth_submethod, compat20 ? " ssh2" : "");
408	if (!authenticated)	426	if (!authenticated && !no_increment)
409	authctxt->failures++;	427	authctxt->failures++;
410	}	428	}
411	#ifdef JPAKE	429	#ifdef JPAKE
Lines 862-867 mm_answer_authpassword(int sock, Buffer *m) Link Here
862	auth_method = "none";	880	auth_method = "none";
863	else	881	else
864	auth_method = "password";	882	auth_method = "password";
		883	auth_submethod = NULL;
865		884
866	/* Causes monitor loop to terminate if authenticated */	885	/* Causes monitor loop to terminate if authenticated */
867	return (authenticated);	886	return (authenticated);
Lines 921-926 mm_answer_bsdauthrespond(int sock, Buffer *m) Link Here
921	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);	940	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
922		941
923	auth_method = "bsdauth";	942	auth_method = "bsdauth";
		943	auth_submethod = NULL;
924		944
925	return (authok != 0);	945	return (authok != 0);
926	}	946	}
Lines 970-975 mm_answer_skeyrespond(int sock, Buffer *m) Link Here
970	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);	990	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
971		991
972	auth_method = "skey";	992	auth_method = "skey";
		993	auth_submethod = NULL;
973		994
974	return (authok != 0);	995	return (authok != 0);
975	}	996	}
Lines 1059-1065 mm_answer_pam_query(int sock, Buffer *m) Link Here
1059	xfree(prompts);	1080	xfree(prompts);
1060	if (echo_on != NULL)	1081	if (echo_on != NULL)
1061	xfree(echo_on);	1082	xfree(echo_on);
1062	auth_method = "keyboard-interactive/pam";	1083	auth_method = "keyboard-interactive";
		1084	auth_submethod = "pam";
1063	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);	1085	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
1064	return (0);	1086	return (0);
1065	}	1087	}
Lines 1088-1094 mm_answer_pam_respond(int sock, Buffer *m) Link Here
1088	buffer_clear(m);	1110	buffer_clear(m);
1089	buffer_put_int(m, ret);	1111	buffer_put_int(m, ret);
1090	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);	1112	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
1091	auth_method = "keyboard-interactive/pam";	1113	auth_method = "keyboard-interactive";
		1114	auth_submethod = "pam";
1092	if (ret == 0)	1115	if (ret == 0)
1093	sshpam_authok = sshpam_ctxt;	1116	sshpam_authok = sshpam_ctxt;
1094	return (0);	1117	return (0);
Lines 1102-1108 mm_answer_pam_free_ctx(int sock, Buffer *m) Link Here
1102	(sshpam_device.free_ctx)(sshpam_ctxt);	1125	(sshpam_device.free_ctx)(sshpam_ctxt);
1103	buffer_clear(m);	1126	buffer_clear(m);
1104	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);	1127	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
1105	auth_method = "keyboard-interactive/pam";	1128	auth_method = "keyboard-interactive";
		1129	auth_submethod = "pam";
1106	return (sshpam_authok == sshpam_ctxt);	1130	return (sshpam_authok == sshpam_ctxt);
1107	}	1131	}
1108	#endif	1132	#endif
Lines 1138-1143 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1138	allowed = options.pubkey_authentication &&	1162	allowed = options.pubkey_authentication &&
1139	user_key_allowed(authctxt->pw, key);	1163	user_key_allowed(authctxt->pw, key);
1140	auth_method = "publickey";	1164	auth_method = "publickey";
		1165	auth_submethod = NULL;
1141	if (options.pubkey_authentication && allowed != 1)	1166	if (options.pubkey_authentication && allowed != 1)
1142	auth_clear_options();	1167	auth_clear_options();
1143	break;	1168	break;
Lines 1146-1151 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1146	hostbased_key_allowed(authctxt->pw,	1171	hostbased_key_allowed(authctxt->pw,
1147	cuser, chost, key);	1172	cuser, chost, key);
1148	auth_method = "hostbased";	1173	auth_method = "hostbased";
		1174	auth_submethod = NULL;
1149	break;	1175	break;
1150	case MM_RSAHOSTKEY:	1176	case MM_RSAHOSTKEY:
1151	key->type = KEY_RSA1; /* XXX */	1177	key->type = KEY_RSA1; /* XXX */
Lines 1155-1160 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1155	if (options.rhosts_rsa_authentication && allowed != 1)	1181	if (options.rhosts_rsa_authentication && allowed != 1)
1156	auth_clear_options();	1182	auth_clear_options();
1157	auth_method = "rsa";	1183	auth_method = "rsa";
		1184	auth_submethod = NULL;
1158	break;	1185	break;
1159	default:	1186	default:
1160	fatal("%s: unknown key type %d", __func__, type);	1187	fatal("%s: unknown key type %d", __func__, type);
Lines 1176-1182 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1176	hostbased_chost = chost;	1203	hostbased_chost = chost;
1177	} else {	1204	} else {
1178	/* Log failed attempt */	1205	/* Log failed attempt */
1179	auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");	1206	auth_log(authctxt, 0, auth_method, auth_submethod,
		1207	compat20 ? " ssh2" : "");
1180	xfree(blob);	1208	xfree(blob);
1181	xfree(cuser);	1209	xfree(cuser);
1182	xfree(chost);	1210	xfree(chost);
Lines 1355-1360 mm_answer_keyverify(int sock, Buffer *m) Link Here
1355	xfree(data);	1383	xfree(data);
1356		1384
1357	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";	1385	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
		1386	auth_submethod = NULL;
1358		1387
1359	monitor_reset_key_state();	1388	monitor_reset_key_state();
1360		1389
Lines 1544-1549 mm_answer_rsa_keyallowed(int sock, Buffer *m) Link Here
1544	debug3("%s entering", __func__);	1573	debug3("%s entering", __func__);
1545		1574
1546	auth_method = "rsa";	1575	auth_method = "rsa";
		1576	auth_submethod = NULL;
1547	if (options.rsa_authentication && authctxt->valid) {	1577	if (options.rsa_authentication && authctxt->valid) {
1548	if ((client_n = BN_new()) == NULL)	1578	if ((client_n = BN_new()) == NULL)
1549	fatal("%s: BN_new", __func__);	1579	fatal("%s: BN_new", __func__);
Lines 1649-1654 mm_answer_rsa_response(int sock, Buffer *m) Link Here
1649	xfree(response);	1679	xfree(response);
1650		1680
1651	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";	1681	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
		1682	auth_submethod = NULL;
1652		1683
1653	/* reset state */	1684	/* reset state */
1654	BN_clear_free(ssh1_challenge);	1685	BN_clear_free(ssh1_challenge);
Lines 2098-2103 mm_answer_gss_userok(int sock, Buffer *m) Link Here
2098	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);	2129	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
2099		2130
2100	auth_method = "gssapi-with-mic";	2131	auth_method = "gssapi-with-mic";
		2132	auth_submethod = NULL;
2101		2133
2102	/* Monitor loop will terminate if authenticated */	2134	/* Monitor loop will terminate if authenticated */
2103	return (authenticated);	2135	return (authenticated);
Lines 2302-2307 mm_answer_jpake_check_confirm(int sock, Buffer *m) Link Here
2302	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);	2334	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
2303		2335
2304	auth_method = "jpake-01@openssh.com";	2336	auth_method = "jpake-01@openssh.com";
		2337	auth_submethod = NULL;
2305	return authenticated;	2338	return authenticated;
2306	}	2339	}
2307		2340