Attachment #2178 for bug #983

View | Details | Raw Unified | Return to bug 983 | Differences between

and this patch




}

void
auth_log(Authctxt *authctxt, int authenticated, const char *method,
    const char *submethod, const char *info)
{
	void (*authlog) (const char *fmt,...) = verbose;
	char *authmsg;

	else
		authmsg = authenticated ? "Accepted" : "Failed";

	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
	    authmsg,
	    method,
	    submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
	    authctxt->valid ? "" : "invalid user ",
	    authctxt->user,
	    get_remote_ipaddr(),

 * Check whether root logins are disallowed.
 */
int
auth_root_allowed(const char *method)
{
	switch (options.permit_root_login) {
	case PERMIT_YES:


	return (&fake);
}

int
auth_method_in_list(const char *list, const char *method)
{
	char *cp;

	cp = match_list(method, list, NULL);
	if (cp != NULL) {
		xfree(cp);
		return 1;
	}

	return 0;
}

#define	DELIM	","
int
auth_remove_from_list(char **list, const char *method)
{
	char *oldlist, *cp, *newlist = NULL;
	u_int len = 0, ret = 0;

	if (list == NULL || *list == NULL)
		return (0);

	oldlist = *list;
	len = strlen(oldlist) + 1;
	newlist = xmalloc(len);
	memset(newlist, '\0', len);

	/* Remove method from list, if present */
	for (;;) {
		if ((cp = strsep(&oldlist, DELIM)) == NULL)
			break;
		if (*cp == '\0')
			continue;
		if (strcmp(cp, method) != 0) {
			if (*newlist != '\0')
				strlcat(newlist, DELIM, len);
			strlcat(newlist, cp, len);
		} else
			ret++;
	}

	/* Return NULL instead of empty list */
	if (*newlist == '\0') {
		xfree(newlist);
		newlist = NULL;
	}
	xfree(*list);
	*list = newlist;

	return (ret);
}

Lines 142-151 void disable_forwarding(void); Link Here

(-)a/auth.h (-3 / +9 lines)
142	void do_authentication(Authctxt *);	142	void do_authentication(Authctxt *);
143	void do_authentication2(Authctxt *);	143	void do_authentication2(Authctxt *);
144		144
145	void auth_log(Authctxt , int, char , char *);	145	void auth_log(Authctxt , int, const char , const char , const char );
146	void userauth_finish(Authctxt , int, char );	146	void userauth_finish(Authctxt , int, const char , const char *);
		147	int auth_root_allowed(const char *);
		148
147	void userauth_send_banner(const char *);	149	void userauth_send_banner(const char *);
148	int auth_root_allowed(char *);
149		150
150	char *auth2_read_banner(void);	151	char *auth2_read_banner(void);
151		152
Lines 192-197 void auth_debug_send(void); Link Here
192	void auth_debug_reset(void);	193	void auth_debug_reset(void);
193		194
194	struct passwd *fakepw(void);	195	struct passwd *fakepw(void);
		196	int auth_method_in_list(const char , const char );
		197	int auth_remove_from_list(char *, const char );
		198
		199	int auth1_check_required(const char *);
		200	int auth2_check_required(const char *);
195		201
196	int sys_auth_passwd(Authctxt , const char );	202	int sys_auth_passwd(Authctxt , const char );
197		203




	return (NULL);
}

static const struct AuthMethod1 *
lookup_authmethod1_by_name(const char *name)
{
	int i;

	for (i = 0; auth1_methods[i].name != NULL; i++)
		if (strcmp(auth1_methods[i].name, name) == 0)
			return (&(auth1_methods[i]));

	return NULL;
}

#define	DELIM	","
int
auth1_check_required(const char *list)
{
	char *orig_methods, *methods, *cp;
	static const struct AuthMethod1 *m;
	int ret = 0;

	orig_methods = methods = xstrdup(list);
	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
		if ((cp = strsep(&methods, DELIM)) == NULL)
			break;
		debug2("auth1_check_required: method \"%s\"", cp);
		if (*cp == '\0') {
			debug("auth1_check_required: empty method");
			ret = -1;
		}
		if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
			debug("auth1_check_required: unknown method "
			    "\"%s\"", cp);
			ret = -1;
			break;
		}
		if (*(m->enabled) == 0) {
			debug("auth1_check_required: method %s explicitly "
			    "disabled", cp);
			ret = -1;
		}
		/* Activate method if it isn't already */
		if (*(m->enabled) == -1)
			*(m->enabled) = 1;
        }
	xfree(orig_methods);
	return (ret);
}

static char *
get_authname(int type)
{

{
	int authenticated = 0;
	char info[1024];
	const char *meth_name;
	int prev = 0, type = 0;
	const struct AuthMethod1 *meth;


	    authctxt->valid ? "" : "invalid user ", authctxt->user);

	/* If the user has no password, accept authentication immediately. */
	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
#ifdef KRB5
	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif

		if (options.use_pam && (PRIVSEP(do_pam_account())))
#endif
		{
			auth_log(authctxt, 1, "without authentication", NULL, "");
			return;
		}
	}

		/* Get a packet from the client. */
		prev = type;
		type = packet_read();
		meth_name = get_authname(type);

		/*
		 * If we started challenge-response authentication but the

		if (authctxt->failures >= options.max_authtries)
			goto skip;
		if ((meth = lookup_authmethod1(type)) == NULL) {
			logit("Unknown message during authentication: type %d",
			    type);
			goto skip;
		}


			goto skip;
		}

		/*
		 * Skip methods not in required list, until all the required
		 * ones are done
		 */
		if (options.required_auth1 != NULL &&
		    !auth_method_in_list(options.required_auth1, meth_name)) {
			debug("Skipping method \"%s\" until required "
			    "authentication completed", meth_name);
			goto skip;
		}

		authenticated = meth->method(authctxt, info, sizeof(info));
		if (authenticated == -1)
			continue; /* "postponed" */


 skip:
		/* Log before sending the reply */
		auth_log(authctxt, authenticated, meth_name, NULL, info);

		/* Loop until the required authmethods are done */
		if (authenticated && options.required_auth1 != NULL) {
			if (auth_remove_from_list(&options.required_auth1,
			    meth_name) == 0)
				fatal("INTERNAL ERROR: authenticated method "
				    "\"%s\" not in required list \"%s\"",
				    meth_name, options.required_auth1);
			debug2("do_authloop: required list now: %s",
			    options.required_auth1 == NULL ?
			    "DONE" : options.required_auth1);
			if (options.required_auth1 == NULL)
				return;
			authenticated = 0;
			/*
			 * Disable method so client can't authenticate with it
			 * after the required authentications are complete.
			 */
			*(meth->enabled) = 0;
			packet_send_debug("Further authentication required");
			goto send_fail;
		}

		if (client_user != NULL) {
			xfree(client_user);

#endif
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
		}
 send_fail:

		packet_start(SSH_SMSG_FAILURE);
		packet_send();

Lines 341-347 input_userauth_info_response(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/auth2-chall.c (-1 / +2 lines)
341	auth2_challenge_start(authctxt);	341	auth2_challenge_start(authctxt);
342	}	342	}
343	}	343	}
344	userauth_finish(authctxt, authenticated, method);	344	userauth_finish(authctxt, authenticated, "keyboard-interactive",
		345	authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
345	xfree(method);	346	xfree(method);
346	}	347	}
347		348




		}
		authctxt->postponed = 0;
		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
	} else {
		if (send_tok.length != 0) {
			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);

	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}

static void

	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}

Authmethod method_gssapi = {

Lines 61-67 userauth_none(Authctxt *authctxt) Link Here

(-)a/auth2-none.c (-1 / +1 lines)
61	{	61	{
62	none_enabled = 0;	62	none_enabled = 0;
63	packet_check_eom();	63	packet_check_eom();
64	if (options.permit_empty_passwd && options.password_authentication)	64	if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
65	return (PRIVSEP(auth_password(authctxt, "")));	65	return (PRIVSEP(auth_password(authctxt, "")));
66	return (0);	66	return (0);
67	}	67	}




{
	Authctxt *authctxt = ctxt;
	Authmethod *m = NULL;
	char *user, *service, *method, *active_methods, *style = NULL;
	int authenticated = 0;

	if (authctxt == NULL)

	authctxt->server_caused_failure = 0;

	/* try to authenticate user */
	active_methods = authmethods_get();
	if (strcmp(method, "none") == 0 ||
	    auth_method_in_list(active_methods, method)) {
		m = authmethod_lookup(method);
		if (m != NULL) {
			debug2("input_userauth_request: try method %s", method);
			authenticated =	m->userauth(authctxt);
		}

	}
	xfree(active_methods);
	userauth_finish(authctxt, authenticated, method, NULL);

	xfree(service);
	xfree(user);

}

void
userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
    const char *submethod)
{
	char *methods;
	Authmethod *m = NULL;
	u_int partial = 0;

	if (!authctxt->valid && authenticated)
		fatal("INTERNAL ERROR: authenticated invalid user %s",

#endif /* _UNICOS */

	/* Log before sending the reply */
	auth_log(authctxt, authenticated, method, submethod, " ssh2");

	if (authctxt->postponed)
		return;

	/* Handle RequiredAuthentications2: loop until required methods done */
	if (authenticated && options.required_auth2 != NULL) {
		if ((m = authmethod_lookup(method)) == NULL)
			fatal("INTERNAL ERROR: authenticated method "
			    "\"%s\" unknown", method);
		if (auth_remove_from_list(&options.required_auth2, method) == 0)
			fatal("INTERNAL ERROR: authenticated method "
			    "\"%s\" not in required list \"%s\"",
			    method, options.required_auth2);
		debug2("userauth_finish: required list now: %s",
		    options.required_auth2 == NULL ?
		    "DONE" : options.required_auth2);
		/*
		 * if authenticated and no more required methods
		 * then declare success
		 */
		if ( authenticated && options.required_auth2 == NULL ) {
			debug2("userauth_finish: authenticated and no more required methods");
		} else {
			/*
			 * Disable method so client can't authenticate with it after
			 * the required authentications are complete.
			 */
			if (m->enabled != NULL)
			*(m->enabled) = 0;
			authenticated = 0;
			partial = 1;
			goto send_fail;
		}
	}

	if (authenticated == 1) {
		/* turn off userauth */
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);

		/* now we can break out */
		authctxt->success = 1;
	} else {

		/* Allow initial try of "none" auth without failure penalty */
		if (!authctxt->server_caused_failure &&
		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))

#endif
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
		}
 send_fail:
		methods = authmethods_get();
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
		packet_put_cstring(methods);
		packet_put_char(partial);
		packet_send();
		packet_write_wait();
		xfree(methods);

	char *list;
	int i;

	if (options.required_auth2 != NULL)
		return xstrdup(options.required_auth2);

	buffer_init(&b);
	for (i = 0; authmethods[i] != NULL; i++) {
		if (strcmp(authmethods[i]->name, "none") == 0)

	return NULL;
}

#define DELIM ","

int
auth2_check_required(const char *list)
{
	char *orig_methods, *methods, *cp;
	struct Authmethod *m;
	int i, ret = 0;

	orig_methods = methods = xstrdup(list);
	for(;;) {
		if ((cp = strsep(&methods, DELIM)) == NULL)
			break;
		debug2("auth2_check_required: method \"%s\"", cp);
		if (*cp == '\0') {
			debug("auth2_check_required: empty method");
			ret = -1;
		}
		for (i = 0; authmethods[i] != NULL; i++)
			if (strcmp(cp, authmethods[i]->name) == 0)
				break;
		if ((m = authmethods[i]) == NULL) {
			debug("auth2_check_required: unknown method "
			    "\"%s\"", cp);
			ret = -1;
			break;
		}
		if (m->enabled == NULL || *(m->enabled) == 0) {
			debug("auth2_check_required: method %s explicitly "
			    "disabled", cp);
			ret = -1;
		}
		/* Activate method if it isn't already */
		if (m->enabled != NULL && *(m->enabled) == -1)
			*(m->enabled) = 1;
	}
	xfree(orig_methods);
	return (ret);
}





static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
static char *auth_method = "unknown";
static char *auth_submethod = NULL;
static u_int session_id2_len = 0;
static u_char *session_id2 = NULL;
static pid_t monitor_child_pid;

{
	struct mon_table *ent;
	int authenticated = 0;
	char **req_auth;

	debug3("preauth child monitor started");



	if (compat20) {
		mon_dispatch = mon_dispatch_proto20;
		req_auth = &options.required_auth2;

		/* Permit requests for moduli and signatures */
		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
	} else {
		mon_dispatch = mon_dispatch_proto15;
		req_auth = &options.required_auth1;

		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
	}

	/* The first few requests do not require asynchronous access */
	while (!authenticated) {
		auth_method = "unknown";
		auth_submethod = NULL;
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
		if (authenticated) {
			if (!(ent->flags & MON_AUTHDECIDE))

			}
#endif
		}
		/* Loop until the required authmethods are done */
		if (authenticated && *req_auth != NULL) {
			if (auth_remove_from_list(req_auth, auth_method) == 0)
				fatal("INTERNAL ERROR: authenticated method "
				    "\"%s\" not in required list \"%s\"",
				    auth_method, *req_auth);
			debug2("monitor_child_preauth: required list now: %s",
			    *req_auth == NULL ? "DONE" : *req_auth);
		}

		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
			auth_log(authctxt, authenticated, auth_method,
				 auth_submethod, compat20 ? " ssh2" : "");
			if (!authenticated)
				authctxt->failures++;
		}

			}
		}
#endif
		if (*req_auth != NULL)
			authenticated = 0;
	}

	/* Drain any buffered messages from the child */

		auth_method = "none";
	else
		auth_method = "password";
	auth_submethod = NULL;

	/* Causes monitor loop to terminate if authenticated */
	return (authenticated);

	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);

	auth_method = "bsdauth";
	auth_submethod = NULL;

	return (authok != 0);
}

	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);

	auth_method = "skey";
	auth_submethod = NULL;

	return (authok != 0);
}

		xfree(prompts);
	if (echo_on != NULL)
		xfree(echo_on);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
	return (0);
}

	buffer_clear(m);
	buffer_put_int(m, ret);
	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	if (ret == 0)
		sshpam_authok = sshpam_ctxt;
	return (0);

	(sshpam_device.free_ctx)(sshpam_ctxt);
	buffer_clear(m);
	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
	auth_method = "keyboard-interactive";
	auth_submethod = "pam";
	return (sshpam_authok == sshpam_ctxt);
}
#endif

			allowed = options.pubkey_authentication &&
			    user_key_allowed(authctxt->pw, key);
			auth_method = "publickey";
			auth_submethod = NULL;
			if (options.pubkey_authentication && allowed != 1)
				auth_clear_options();
			break;

			    hostbased_key_allowed(authctxt->pw,
			    cuser, chost, key);
			auth_method = "hostbased";
			auth_submethod = NULL;
			break;
		case MM_RSAHOSTKEY:
			key->type = KEY_RSA1; /* XXX */

			if (options.rhosts_rsa_authentication && allowed != 1)
				auth_clear_options();
			auth_method = "rsa";
			auth_submethod = NULL;
			break;
		default:
			fatal("%s: unknown key type %d", __func__, type);

		hostbased_chost = chost;
	} else {
		/* Log failed attempt */
		auth_log(authctxt, 0, auth_method, auth_submethod,
		    compat20 ? " ssh2" : "");
		xfree(blob);
		xfree(cuser);
		xfree(chost);

	xfree(data);

	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
	auth_submethod = NULL;

	monitor_reset_key_state();


	debug3("%s entering", __func__);

	auth_method = "rsa";
	auth_submethod = NULL;
	if (options.rsa_authentication && authctxt->valid) {
		if ((client_n = BN_new()) == NULL)
			fatal("%s: BN_new", __func__);

	xfree(response);

	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
	auth_submethod = NULL;

	/* reset state */
	BN_clear_free(ssh1_challenge);

	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);

	auth_method = "gssapi-with-mic";
	auth_submethod = NULL;

	/* Monitor loop will terminate if authenticated */
	return (authenticated);

	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);

	auth_method = "jpake-01@openssh.com";
	auth_submethod = NULL;
	return authenticated;
}


Lines 43-48 Link Here

(-)a/servconf.c (+34 lines)
43	#include "key.h"	43	#include "key.h"
44	#include "kex.h"	44	#include "kex.h"
45	#include "mac.h"	45	#include "mac.h"
		46	#include "hostfile.h"
		47	#include "auth.h"
46	#include "match.h"	48	#include "match.h"
47	#include "channels.h"	49	#include "channels.h"
48	#include "groupaccess.h"	50	#include "groupaccess.h"
Lines 132-137 initialize_server_options(ServerOptions *options) Link Here
132	options->num_authkeys_files = 0;	134	options->num_authkeys_files = 0;
133	options->num_accept_env = 0;	135	options->num_accept_env = 0;
134	options->permit_tun = -1;	136	options->permit_tun = -1;
		137	options->required_auth1 = NULL;
		138	options->required_auth2 = NULL;
135	options->num_permitted_opens = -1;	139	options->num_permitted_opens = -1;
136	options->adm_forced_command = NULL;	140	options->adm_forced_command = NULL;
137	options->chroot_directory = NULL;	141	options->chroot_directory = NULL;
Lines 324-329 typedef enum { Link Here
324	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	328	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
325	sClientAliveCountMax, sAuthorizedKeysFile,	329	sClientAliveCountMax, sAuthorizedKeysFile,
326	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,	330	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
		331	sRequiredAuthentications1, sRequiredAuthentications2,
327	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	332	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
328	sUsePrivilegeSeparation, sAllowAgentForwarding,	333	sUsePrivilegeSeparation, sAllowAgentForwarding,
329	sZeroKnowledgePasswordAuthentication, sHostCertificate,	334	sZeroKnowledgePasswordAuthentication, sHostCertificate,
Lines 452-457 static struct { Link Here
452	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },	457	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
453	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },	458	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
454	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },	459	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
		460	{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
		461	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
455	{ "ipqos", sIPQoS, SSHCFG_ALL },	462	{ "ipqos", sIPQoS, SSHCFG_ALL },
456	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },	463	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
457	{ NULL, sBadOption, 0 }	464	{ NULL, sBadOption, 0 }
Lines 1298-1303 process_server_config_line(ServerOptions options, char line, Link Here
1298	options->max_startups = options->max_startups_begin;	1305	options->max_startups = options->max_startups_begin;
1299	break;	1306	break;
1300		1307
		1308
		1309	case sRequiredAuthentications1:
		1310	charptr = &options->required_auth1;
		1311	arg = strdelim(&cp);
		1312	if (!arg \|\| *arg == '\0')
		1313	fatal("%.200s line %d: Missing argument.",
		1314	filename, linenum);
		1315	if (auth1_check_required(arg) != 0)
		1316	fatal("%.200s line %d: Invalid required authentication "
		1317	"list", filename, linenum);
		1318	if (*charptr == NULL)
		1319	*charptr = xstrdup(arg);
		1320	break;
		1321
		1322	case sRequiredAuthentications2:
		1323	charptr = &options->required_auth2;
		1324	arg = strdelim(&cp);
		1325	if (!arg \|\| *arg == '\0')
		1326	fatal("%.200s line %d: Missing argument.",
		1327	filename, linenum);
		1328	if (auth2_check_required(arg) != 0)
		1329	fatal("%.200s line %d: Invalid required authentication "
		1330	"list", filename, linenum);
		1331	if (*charptr == NULL)
		1332	*charptr = xstrdup(arg);
		1333	break;
		1334
1301	case sMaxAuthTries:	1335	case sMaxAuthTries:
1302	intptr = &options->max_authtries;	1336	intptr = &options->max_authtries;
1303	goto parse_int;	1337	goto parse_int;

Lines 154-159 typedef struct { Link Here

(-)a/servconf.h (+3 lines)
154	u_int num_authkeys_files; /* Files containing public keys */	154	u_int num_authkeys_files; /* Files containing public keys */
155	char *authorized_keys_files[MAX_AUTHKEYS_FILES];	155	char *authorized_keys_files[MAX_AUTHKEYS_FILES];
156		156
		157	char required_auth1; / Required, but not sufficient */
		158	char *required_auth2;
		159
157	char *adm_forced_command;	160	char *adm_forced_command;
158		161
159	int use_pam; /* Enable auth via PAM */	162	int use_pam; /* Enable auth via PAM */

Lines 731-736 Available keywords are Link Here

(-)a/sshd_config.5 (-1 / +17 lines)
731	.Cm PermitOpen ,	731	.Cm PermitOpen ,
732	.Cm PermitRootLogin ,	732	.Cm PermitRootLogin ,
733	.Cm PermitTunnel ,	733	.Cm PermitTunnel ,
		734	.Cm RequiredAuthentications1,
		735	.Cm RequiredAuthentications2,
734	.Cm PubkeyAuthentication ,	736	.Cm PubkeyAuthentication ,
735	.Cm RhostsRSAAuthentication ,	737	.Cm RhostsRSAAuthentication ,
736	.Cm RSAAuthentication ,	738	.Cm RSAAuthentication ,
Lines 931-936 Specifies a list of revoked public keys. Link Here
931	Keys listed in this file will be refused for public key authentication.	933	Keys listed in this file will be refused for public key authentication.
932	Note that if this file is not readable, then public key authentication will	934	Note that if this file is not readable, then public key authentication will
933	be refused for all users.	935	be refused for all users.
		936	.It Cm RequiredAuthentications[12]
		937	Specifies required methods of authentications that has to succeed before authorizing the connection.
		938	(RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
		939
		940	RequiredAuthentications1 method[,method...]
		941	RequiredAuthentications2 method[,method...]
		942
		943	.Pp
		944	Example 1:
		945
		946	RequiredAuthentications2 password,hostbased
		947
		948	Example 2:
		949	RequiredAuthentications2 publickey,password
		950
934	.It Cm RhostsRSAAuthentication	951	.It Cm RhostsRSAAuthentication
935	Specifies whether rhosts or /etc/hosts.equiv authentication together	952	Specifies whether rhosts or /etc/hosts.equiv authentication together
936	with successful RSA host authentication is allowed.	953	with successful RSA host authentication is allowed.
937	-

Return to bug 983

Lines 163-169 input_gssapi_token(int type, u_int32_t plen, void *ctxt) Link Here

(-)a/auth2-gss.c (-3 / +3 lines)
163	}	163	}
164	authctxt->postponed = 0;	164	authctxt->postponed = 0;
165	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);	165	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
166	userauth_finish(authctxt, 0, "gssapi-with-mic");	166	userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
167	} else {	167	} else {
168	if (send_tok.length != 0) {	168	if (send_tok.length != 0) {
169	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);	169	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
Lines 251-257 input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) Link Here
251	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	251	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
252	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);	252	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
253	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);	253	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
254	userauth_finish(authctxt, authenticated, "gssapi-with-mic");	254	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
255	}	255	}
256		256
257	static void	257	static void
Lines 291-297 input_gssapi_mic(int type, u_int32_t plen, void *ctxt) Link Here
291	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	291	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
292	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);	292	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
293	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);	293	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
294	userauth_finish(authctxt, authenticated, "gssapi-with-mic");	294	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
295	}	295	}
296		296
297	Authmethod method_gssapi = {	297	Authmethod method_gssapi = {

Lines 199-204 static int key_blobtype = MM_NOKEY; Link Here

(-)a/monitor.c (-5 / +36 lines)
199	static char *hostbased_cuser = NULL;	199	static char *hostbased_cuser = NULL;
200	static char *hostbased_chost = NULL;	200	static char *hostbased_chost = NULL;
201	static char *auth_method = "unknown";	201	static char *auth_method = "unknown";
		202	static char *auth_submethod = NULL;
202	static u_int session_id2_len = 0;	203	static u_int session_id2_len = 0;
203	static u_char *session_id2 = NULL;	204	static u_char *session_id2 = NULL;
204	static pid_t monitor_child_pid;	205	static pid_t monitor_child_pid;
Lines 353-358 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
353	{	354	{
354	struct mon_table *ent;	355	struct mon_table *ent;
355	int authenticated = 0;	356	int authenticated = 0;
		357	char **req_auth;
356		358
357	debug3("preauth child monitor started");	359	debug3("preauth child monitor started");
358		360
Lines 367-378 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
367		369
368	if (compat20) {	370	if (compat20) {
369	mon_dispatch = mon_dispatch_proto20;	371	mon_dispatch = mon_dispatch_proto20;
		372	req_auth = &options.required_auth2;
370		373
371	/* Permit requests for moduli and signatures */	374	/* Permit requests for moduli and signatures */
372	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	375	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
373	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	376	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
374	} else {	377	} else {
375	mon_dispatch = mon_dispatch_proto15;	378	mon_dispatch = mon_dispatch_proto15;
		379	req_auth = &options.required_auth1;
376		380
377	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);	381	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
378	}	382	}
Lines 380-385 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
380	/* The first few requests do not require asynchronous access */	384	/* The first few requests do not require asynchronous access */
381	while (!authenticated) {	385	while (!authenticated) {
382	auth_method = "unknown";	386	auth_method = "unknown";
		387	auth_submethod = NULL;
383	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);	388	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
384	if (authenticated) {	389	if (authenticated) {
385	if (!(ent->flags & MON_AUTHDECIDE))	390	if (!(ent->flags & MON_AUTHDECIDE))
Lines 401-410 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
401	}	406	}
402	#endif	407	#endif
403	}	408	}
		409	/* Loop until the required authmethods are done */
		410	if (authenticated && *req_auth != NULL) {
		411	if (auth_remove_from_list(req_auth, auth_method) == 0)
		412	fatal("INTERNAL ERROR: authenticated method "
		413	"\"%s\" not in required list \"%s\"",
		414	auth_method, *req_auth);
		415	debug2("monitor_child_preauth: required list now: %s",
		416	req_auth == NULL ? "DONE" : req_auth);
		417	}
404		418
405	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {	419	if (ent->flags & (MON_AUTHDECIDE\|MON_ALOG)) {
406	auth_log(authctxt, authenticated, auth_method,	420	auth_log(authctxt, authenticated, auth_method,
407	compat20 ? " ssh2" : "");	421	auth_submethod, compat20 ? " ssh2" : "");
408	if (!authenticated)	422	if (!authenticated)
409	authctxt->failures++;	423	authctxt->failures++;
410	}	424	}
Lines 417-422 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
417	}	431	}
418	}	432	}
419	#endif	433	#endif
		434	if (*req_auth != NULL)
		435	authenticated = 0;
420	}	436	}
421		437
422	/* Drain any buffered messages from the child */	438	/* Drain any buffered messages from the child */
Lines 860-865 mm_answer_authpassword(int sock, Buffer *m) Link Here
860	auth_method = "none";	876	auth_method = "none";
861	else	877	else
862	auth_method = "password";	878	auth_method = "password";
		879	auth_submethod = NULL;
863		880
864	/* Causes monitor loop to terminate if authenticated */	881	/* Causes monitor loop to terminate if authenticated */
865	return (authenticated);	882	return (authenticated);
Lines 919-924 mm_answer_bsdauthrespond(int sock, Buffer *m) Link Here
919	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);	936	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
920		937
921	auth_method = "bsdauth";	938	auth_method = "bsdauth";
		939	auth_submethod = NULL;
922		940
923	return (authok != 0);	941	return (authok != 0);
924	}	942	}
Lines 968-973 mm_answer_skeyrespond(int sock, Buffer *m) Link Here
968	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);	986	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
969		987
970	auth_method = "skey";	988	auth_method = "skey";
		989	auth_submethod = NULL;
971		990
972	return (authok != 0);	991	return (authok != 0);
973	}	992	}
Lines 1057-1063 mm_answer_pam_query(int sock, Buffer *m) Link Here
1057	xfree(prompts);	1076	xfree(prompts);
1058	if (echo_on != NULL)	1077	if (echo_on != NULL)
1059	xfree(echo_on);	1078	xfree(echo_on);
1060	auth_method = "keyboard-interactive/pam";	1079	auth_method = "keyboard-interactive";
		1080	auth_submethod = "pam";
1061	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);	1081	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
1062	return (0);	1082	return (0);
1063	}	1083	}
Lines 1086-1092 mm_answer_pam_respond(int sock, Buffer *m) Link Here
1086	buffer_clear(m);	1106	buffer_clear(m);
1087	buffer_put_int(m, ret);	1107	buffer_put_int(m, ret);
1088	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);	1108	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
1089	auth_method = "keyboard-interactive/pam";	1109	auth_method = "keyboard-interactive";
		1110	auth_submethod = "pam";
1090	if (ret == 0)	1111	if (ret == 0)
1091	sshpam_authok = sshpam_ctxt;	1112	sshpam_authok = sshpam_ctxt;
1092	return (0);	1113	return (0);
Lines 1100-1106 mm_answer_pam_free_ctx(int sock, Buffer *m) Link Here
1100	(sshpam_device.free_ctx)(sshpam_ctxt);	1121	(sshpam_device.free_ctx)(sshpam_ctxt);
1101	buffer_clear(m);	1122	buffer_clear(m);
1102	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);	1123	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
1103	auth_method = "keyboard-interactive/pam";	1124	auth_method = "keyboard-interactive";
		1125	auth_submethod = "pam";
1104	return (sshpam_authok == sshpam_ctxt);	1126	return (sshpam_authok == sshpam_ctxt);
1105	}	1127	}
1106	#endif	1128	#endif
Lines 1136-1141 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1136	allowed = options.pubkey_authentication &&	1158	allowed = options.pubkey_authentication &&
1137	user_key_allowed(authctxt->pw, key);	1159	user_key_allowed(authctxt->pw, key);
1138	auth_method = "publickey";	1160	auth_method = "publickey";
		1161	auth_submethod = NULL;
1139	if (options.pubkey_authentication && allowed != 1)	1162	if (options.pubkey_authentication && allowed != 1)
1140	auth_clear_options();	1163	auth_clear_options();
1141	break;	1164	break;
Lines 1144-1149 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1144	hostbased_key_allowed(authctxt->pw,	1167	hostbased_key_allowed(authctxt->pw,
1145	cuser, chost, key);	1168	cuser, chost, key);
1146	auth_method = "hostbased";	1169	auth_method = "hostbased";
		1170	auth_submethod = NULL;
1147	break;	1171	break;
1148	case MM_RSAHOSTKEY:	1172	case MM_RSAHOSTKEY:
1149	key->type = KEY_RSA1; /* XXX */	1173	key->type = KEY_RSA1; /* XXX */
Lines 1153-1158 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1153	if (options.rhosts_rsa_authentication && allowed != 1)	1177	if (options.rhosts_rsa_authentication && allowed != 1)
1154	auth_clear_options();	1178	auth_clear_options();
1155	auth_method = "rsa";	1179	auth_method = "rsa";
		1180	auth_submethod = NULL;
1156	break;	1181	break;
1157	default:	1182	default:
1158	fatal("%s: unknown key type %d", __func__, type);	1183	fatal("%s: unknown key type %d", __func__, type);
Lines 1174-1180 mm_answer_keyallowed(int sock, Buffer *m) Link Here
1174	hostbased_chost = chost;	1199	hostbased_chost = chost;
1175	} else {	1200	} else {
1176	/* Log failed attempt */	1201	/* Log failed attempt */
1177	auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");	1202	auth_log(authctxt, 0, auth_method, auth_submethod,
		1203	compat20 ? " ssh2" : "");
1178	xfree(blob);	1204	xfree(blob);
1179	xfree(cuser);	1205	xfree(cuser);
1180	xfree(chost);	1206	xfree(chost);
Lines 1353-1358 mm_answer_keyverify(int sock, Buffer *m) Link Here
1353	xfree(data);	1379	xfree(data);
1354		1380
1355	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";	1381	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
		1382	auth_submethod = NULL;
1356		1383
1357	monitor_reset_key_state();	1384	monitor_reset_key_state();
1358		1385
Lines 1542-1547 mm_answer_rsa_keyallowed(int sock, Buffer *m) Link Here
1542	debug3("%s entering", __func__);	1569	debug3("%s entering", __func__);
1543		1570
1544	auth_method = "rsa";	1571	auth_method = "rsa";
		1572	auth_submethod = NULL;
1545	if (options.rsa_authentication && authctxt->valid) {	1573	if (options.rsa_authentication && authctxt->valid) {
1546	if ((client_n = BN_new()) == NULL)	1574	if ((client_n = BN_new()) == NULL)
1547	fatal("%s: BN_new", __func__);	1575	fatal("%s: BN_new", __func__);
Lines 1647-1652 mm_answer_rsa_response(int sock, Buffer *m) Link Here
1647	xfree(response);	1675	xfree(response);
1648		1676
1649	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";	1677	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
		1678	auth_submethod = NULL;
1650		1679
1651	/* reset state */	1680	/* reset state */
1652	BN_clear_free(ssh1_challenge);	1681	BN_clear_free(ssh1_challenge);
Lines 2096-2101 mm_answer_gss_userok(int sock, Buffer *m) Link Here
2096	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);	2125	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
2097		2126
2098	auth_method = "gssapi-with-mic";	2127	auth_method = "gssapi-with-mic";
		2128	auth_submethod = NULL;
2099		2129
2100	/* Monitor loop will terminate if authenticated */	2130	/* Monitor loop will terminate if authenticated */
2101	return (authenticated);	2131	return (authenticated);
Lines 2300-2305 mm_answer_jpake_check_confirm(int sock, Buffer *m) Link Here
2300	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);	2330	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
2301		2331
2302	auth_method = "jpake-01@openssh.com";	2332	auth_method = "jpake-01@openssh.com";
		2333	auth_submethod = NULL;
2303	return authenticated;	2334	return authenticated;
2304	}	2335	}
2305		2336

Lines 251-257 allowed_user(struct passwd * pw) Link Here

(-)a/auth.c (-3 / +59 lines)
251	}	251	}
252		252
253	void	253	void
254	auth_log(Authctxt authctxt, int authenticated, char method, char *info)	254	auth_log(Authctxt authctxt, int authenticated, const char method,
		255	const char submethod, const char info)
255	{	256	{
256	void (authlog) (const char fmt,...) = verbose;	257	void (authlog) (const char fmt,...) = verbose;
257	char *authmsg;	258	char *authmsg;
Lines 271-279 auth_log(Authctxt authctxt, int authenticated, char method, char *info) Link Here
271	else	272	else
272	authmsg = authenticated ? "Accepted" : "Failed";	273	authmsg = authenticated ? "Accepted" : "Failed";
273		274
274	authlog("%s %s for %s%.100s from %.200s port %d%s",	275	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
275	authmsg,	276	authmsg,
276	method,	277	method,
		278	submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
277	authctxt->valid ? "" : "invalid user ",	279	authctxt->valid ? "" : "invalid user ",
278	authctxt->user,	280	authctxt->user,
279	get_remote_ipaddr(),	281	get_remote_ipaddr(),
Lines 303-309 auth_log(Authctxt authctxt, int authenticated, char method, char *info) Link Here
303	* Check whether root logins are disallowed.	305	* Check whether root logins are disallowed.
304	*/	306	*/
305	int	307	int
306	auth_root_allowed(char *method)	308	auth_root_allowed(const char *method)
307	{	309	{
308	switch (options.permit_root_login) {	310	switch (options.permit_root_login) {
309	case PERMIT_YES:	311	case PERMIT_YES:
Lines 695-697 fakepw(void) Link Here
695		697
696	return (&fake);	698	return (&fake);
697	}	699	}
		700
		701	int
		702	auth_method_in_list(const char list, const char method)
		703	{
		704	char *cp;
		705
		706	cp = match_list(method, list, NULL);
		707	if (cp != NULL) {
		708	xfree(cp);
		709	return 1;
		710	}
		711
		712	return 0;
		713	}
		714
		715	#define DELIM ","
		716	int
		717	auth_remove_from_list(char *list, const char method)
		718	{
		719	char oldlist, cp, *newlist = NULL;
		720	u_int len = 0, ret = 0;
		721
		722	if (list == NULL \|\| *list == NULL)
		723	return (0);
		724
		725	oldlist = *list;
		726	len = strlen(oldlist) + 1;
		727	newlist = xmalloc(len);
		728	memset(newlist, '\0', len);
		729
		730	/* Remove method from list, if present */
		731	for (;;) {
		732	if ((cp = strsep(&oldlist, DELIM)) == NULL)
		733	break;
		734	if (*cp == '\0')
		735	continue;
		736	if (strcmp(cp, method) != 0) {
		737	if (*newlist != '\0')
		738	strlcat(newlist, DELIM, len);
		739	strlcat(newlist, cp, len);
		740	} else
		741	ret++;
		742	}
		743
		744	/* Return NULL instead of empty list */
		745	if (*newlist == '\0') {
		746	xfree(newlist);
		747	newlist = NULL;
		748	}
		749	xfree(*list);
		750	*list = newlist;
		751
		752	return (ret);
		753	}

Lines 98-103 static const struct AuthMethod1 Link Here

(-)a/auth1.c (-5 / +89 lines)
98	return (NULL);	98	return (NULL);
99	}	99	}
100		100
		101	static const struct AuthMethod1 *
		102	lookup_authmethod1_by_name(const char *name)
		103	{
		104	int i;
		105
		106	for (i = 0; auth1_methods[i].name != NULL; i++)
		107	if (strcmp(auth1_methods[i].name, name) == 0)
		108	return (&(auth1_methods[i]));
		109
		110	return NULL;
		111	}
		112
		113	#define DELIM ","
		114	int
		115	auth1_check_required(const char *list)
		116	{
		117	char orig_methods, methods, *cp;
		118	static const struct AuthMethod1 *m;
		119	int ret = 0;
		120
		121	orig_methods = methods = xstrdup(list);
		122	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
		123	if ((cp = strsep(&methods, DELIM)) == NULL)
		124	break;
		125	debug2("auth1_check_required: method \"%s\"", cp);
		126	if (*cp == '\0') {
		127	debug("auth1_check_required: empty method");
		128	ret = -1;
		129	}
		130	if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
		131	debug("auth1_check_required: unknown method "
		132	"\"%s\"", cp);
		133	ret = -1;
		134	break;
		135	}
		136	if (*(m->enabled) == 0) {
		137	debug("auth1_check_required: method %s explicitly "
		138	"disabled", cp);
		139	ret = -1;
		140	}
		141	/* Activate method if it isn't already */
		142	if (*(m->enabled) == -1)
		143	*(m->enabled) = 1;
		144	}
		145	xfree(orig_methods);
		146	return (ret);
		147	}
		148
101	static char *	149	static char *
102	get_authname(int type)	150	get_authname(int type)
103	{	151	{
Lines 237-242 do_authloop(Authctxt *authctxt) Link Here
237	{	285	{
238	int authenticated = 0;	286	int authenticated = 0;
239	char info[1024];	287	char info[1024];
		288	const char *meth_name;
240	int prev = 0, type = 0;	289	int prev = 0, type = 0;
241	const struct AuthMethod1 *meth;	290	const struct AuthMethod1 *meth;
242		291
Lines 244-250 do_authloop(Authctxt *authctxt) Link Here
244	authctxt->valid ? "" : "invalid user ", authctxt->user);	293	authctxt->valid ? "" : "invalid user ", authctxt->user);
245		294
246	/* If the user has no password, accept authentication immediately. */	295	/* If the user has no password, accept authentication immediately. */
247	if (options.permit_empty_passwd && options.password_authentication &&	296	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
248	#ifdef KRB5	297	#ifdef KRB5
249	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&	298	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&
250	#endif	299	#endif
Lines 253-259 do_authloop(Authctxt *authctxt) Link Here
253	if (options.use_pam && (PRIVSEP(do_pam_account())))	302	if (options.use_pam && (PRIVSEP(do_pam_account())))
254	#endif	303	#endif
255	{	304	{
256	auth_log(authctxt, 1, "without authentication", "");	305	auth_log(authctxt, 1, "without authentication", NULL, "");
257	return;	306	return;
258	}	307	}
259	}	308	}
Lines 272-277 do_authloop(Authctxt *authctxt) Link Here
272	/* Get a packet from the client. */	321	/* Get a packet from the client. */
273	prev = type;	322	prev = type;
274	type = packet_read();	323	type = packet_read();
		324	meth_name = get_authname(type);
275		325
276	/*	326	/*
277	* If we started challenge-response authentication but the	327	* If we started challenge-response authentication but the
Lines 287-294 do_authloop(Authctxt *authctxt) Link Here
287	if (authctxt->failures >= options.max_authtries)	337	if (authctxt->failures >= options.max_authtries)
288	goto skip;	338	goto skip;
289	if ((meth = lookup_authmethod1(type)) == NULL) {	339	if ((meth = lookup_authmethod1(type)) == NULL) {
290	logit("Unknown message during authentication: "	340	logit("Unknown message during authentication: type %d",
291	"type %d", type);	341	type);
292	goto skip;	342	goto skip;
293	}	343	}
294		344
Lines 297-302 do_authloop(Authctxt *authctxt) Link Here
297	goto skip;	347	goto skip;
298	}	348	}
299		349
		350	/*
		351	* Skip methods not in required list, until all the required
		352	* ones are done
		353	*/
		354	if (options.required_auth1 != NULL &&
		355	!auth_method_in_list(options.required_auth1, meth_name)) {
		356	debug("Skipping method \"%s\" until required "
		357	"authentication completed", meth_name);
		358	goto skip;
		359	}
		360
300	authenticated = meth->method(authctxt, info, sizeof(info));	361	authenticated = meth->method(authctxt, info, sizeof(info));
301	if (authenticated == -1)	362	if (authenticated == -1)
302	continue; /* "postponed" */	363	continue; /* "postponed" */
Lines 352-358 do_authloop(Authctxt *authctxt) Link Here
352		413
353	skip:	414	skip:
354	/* Log before sending the reply */	415	/* Log before sending the reply */
355	auth_log(authctxt, authenticated, get_authname(type), info);	416	auth_log(authctxt, authenticated, meth_name, NULL, info);
		417
		418	/* Loop until the required authmethods are done */
		419	if (authenticated && options.required_auth1 != NULL) {
		420	if (auth_remove_from_list(&options.required_auth1,
		421	meth_name) == 0)
		422	fatal("INTERNAL ERROR: authenticated method "
		423	"\"%s\" not in required list \"%s\"",
		424	meth_name, options.required_auth1);
		425	debug2("do_authloop: required list now: %s",
		426	options.required_auth1 == NULL ?
		427	"DONE" : options.required_auth1);
		428	if (options.required_auth1 == NULL)
		429	return;
		430	authenticated = 0;
		431	/*
		432	* Disable method so client can't authenticate with it
		433	* after the required authentications are complete.
		434	*/
		435	*(meth->enabled) = 0;
		436	packet_send_debug("Further authentication required");
		437	goto send_fail;
		438	}
356		439
357	if (client_user != NULL) {	440	if (client_user != NULL) {
358	xfree(client_user);	441	xfree(client_user);
Lines 368-373 do_authloop(Authctxt *authctxt) Link Here
368	#endif	451	#endif
369	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	452	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
370	}	453	}
		454	send_fail:
371		455
372	packet_start(SSH_SMSG_FAILURE);	456	packet_start(SSH_SMSG_FAILURE);
373	packet_send();	457	packet_send();

Lines 215-221 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/auth2.c (-11 / +93 lines)
215	{	215	{
216	Authctxt *authctxt = ctxt;	216	Authctxt *authctxt = ctxt;
217	Authmethod *m = NULL;	217	Authmethod *m = NULL;
218	char user, service, method, style = NULL;	218	char user, service, method, active_methods, *style = NULL;
219	int authenticated = 0;	219	int authenticated = 0;
220		220
221	if (authctxt == NULL)	221	if (authctxt == NULL)
Lines 277-288 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here
277	authctxt->server_caused_failure = 0;	277	authctxt->server_caused_failure = 0;
278		278
279	/* try to authenticate user */	279	/* try to authenticate user */
280	m = authmethod_lookup(method);	280	active_methods = authmethods_get();
281	if (m != NULL && authctxt->failures < options.max_authtries) {	281	if (strcmp(method, "none") == 0 \|\|
282	debug2("input_userauth_request: try method %s", method);	282	auth_method_in_list(active_methods, method)) {
283	authenticated = m->userauth(authctxt);	283	m = authmethod_lookup(method);
		284	if (m != NULL) {
		285	debug2("input_userauth_request: try method %s", method);
		286	authenticated = m->userauth(authctxt);
		287	}
		288
284	}	289	}
285	userauth_finish(authctxt, authenticated, method);	290	xfree(active_methods);
		291	userauth_finish(authctxt, authenticated, method, NULL);
286		292
287	xfree(service);	293	xfree(service);
288	xfree(user);	294	xfree(user);
Lines 290-298 input_userauth_request(int type, u_int32_t seq, void *ctxt) Link Here
290	}	296	}
291		297
292	void	298	void
293	userauth_finish(Authctxt authctxt, int authenticated, char method)	299	userauth_finish(Authctxt authctxt, int authenticated, const char method,
		300	const char *submethod)
294	{	301	{
295	char *methods;	302	char *methods;
		303	Authmethod *m = NULL;
		304	u_int partial = 0;
296		305
297	if (!authctxt->valid && authenticated)	306	if (!authctxt->valid && authenticated)
298	fatal("INTERNAL ERROR: authenticated invalid user %s",	307	fatal("INTERNAL ERROR: authenticated invalid user %s",
Lines 330-341 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
330	#endif /* _UNICOS */	339	#endif /* _UNICOS */
331		340
332	/* Log before sending the reply */	341	/* Log before sending the reply */
333	auth_log(authctxt, authenticated, method, " ssh2");	342	auth_log(authctxt, authenticated, method, submethod, " ssh2");
334		343
335	if (authctxt->postponed)	344	if (authctxt->postponed)
336	return;	345	return;
337		346
338	/* XXX todo: check if multiple auth methods are needed */	347	/* Handle RequiredAuthentications2: loop until required methods done */
		348	if (authenticated && options.required_auth2 != NULL) {
		349	if ((m = authmethod_lookup(method)) == NULL)
		350	fatal("INTERNAL ERROR: authenticated method "
		351	"\"%s\" unknown", method);
		352	if (auth_remove_from_list(&options.required_auth2, method) == 0)
		353	fatal("INTERNAL ERROR: authenticated method "
		354	"\"%s\" not in required list \"%s\"",
		355	method, options.required_auth2);
		356	debug2("userauth_finish: required list now: %s",
		357	options.required_auth2 == NULL ?
		358	"DONE" : options.required_auth2);
		359	/*
		360	* if authenticated and no more required methods
		361	* then declare success
		362	*/
		363	if ( authenticated && options.required_auth2 == NULL ) {
		364	debug2("userauth_finish: authenticated and no more required methods");
		365	} else {
		366	/*
		367	* Disable method so client can't authenticate with it after
		368	* the required authentications are complete.
		369	*/
		370	if (m->enabled != NULL)
		371	*(m->enabled) = 0;
		372	authenticated = 0;
		373	partial = 1;
		374	goto send_fail;
		375	}
		376	}
		377
339	if (authenticated == 1) {	378	if (authenticated == 1) {
340	/* turn off userauth */	379	/* turn off userauth */
341	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);	380	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
Lines 345-351 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
345	/* now we can break out */	384	/* now we can break out */
346	authctxt->success = 1;	385	authctxt->success = 1;
347	} else {	386	} else {
348
349	/* Allow initial try of "none" auth without failure penalty */	387	/* Allow initial try of "none" auth without failure penalty */
350	if (!authctxt->server_caused_failure &&	388	if (!authctxt->server_caused_failure &&
351	(authctxt->attempt > 1 \|\| strcmp(method, "none") != 0))	389	(authctxt->attempt > 1 \|\| strcmp(method, "none") != 0))
Lines 356-365 userauth_finish(Authctxt authctxt, int authenticated, char method) Link Here
356	#endif	394	#endif
357	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	395	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
358	}	396	}
		397	send_fail:
359	methods = authmethods_get();	398	methods = authmethods_get();
360	packet_start(SSH2_MSG_USERAUTH_FAILURE);	399	packet_start(SSH2_MSG_USERAUTH_FAILURE);
361	packet_put_cstring(methods);	400	packet_put_cstring(methods);
362	packet_put_char(0); /* XXX partial success, unused */	401	packet_put_char(partial);
363	packet_send();	402	packet_send();
364	packet_write_wait();	403	packet_write_wait();
365	xfree(methods);	404	xfree(methods);
Lines 373-378 authmethods_get(void) Link Here
373	char *list;	412	char *list;
374	int i;	413	int i;
375		414
		415	if (options.required_auth2 != NULL)
		416	return xstrdup(options.required_auth2);
		417
376	buffer_init(&b);	418	buffer_init(&b);
377	for (i = 0; authmethods[i] != NULL; i++) {	419	for (i = 0; authmethods[i] != NULL; i++) {
378	if (strcmp(authmethods[i]->name, "none") == 0)	420	if (strcmp(authmethods[i]->name, "none") == 0)
Lines 407-409 authmethod_lookup(const char *name) Link Here
407	return NULL;	449	return NULL;
408	}	450	}
409		451
		452	#define DELIM ","
		453
		454	int
		455	auth2_check_required(const char *list)
		456	{
		457	char orig_methods, methods, *cp;
		458	struct Authmethod *m;
		459	int i, ret = 0;
		460
		461	orig_methods = methods = xstrdup(list);
		462	for(;;) {
		463	if ((cp = strsep(&methods, DELIM)) == NULL)
		464	break;
		465	debug2("auth2_check_required: method \"%s\"", cp);
		466	if (*cp == '\0') {
		467	debug("auth2_check_required: empty method");
		468	ret = -1;
		469	}
		470	for (i = 0; authmethods[i] != NULL; i++)
		471	if (strcmp(cp, authmethods[i]->name) == 0)
		472	break;
		473	if ((m = authmethods[i]) == NULL) {
		474	debug("auth2_check_required: unknown method "
		475	"\"%s\"", cp);
		476	ret = -1;
		477	break;
		478	}
		479	if (m->enabled == NULL \|\| *(m->enabled) == 0) {
		480	debug("auth2_check_required: method %s explicitly "
		481	"disabled", cp);
		482	ret = -1;
		483	}
		484	/* Activate method if it isn't already */
		485	if (m->enabled != NULL && *(m->enabled) == -1)
		486	*(m->enabled) = 1;
		487	}
		488	xfree(orig_methods);
		489	return (ret);
		490	}
		491