Attachment 2620 Details for Bug 2398 – proposed patch

[patch] proposed patch

authentication_methods_v1.patch (text/plain), 3.83 KB, created by Jakub Jelen on 2015-05-14 00:20:11 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Jakub Jelen

Created: 2015-05-14 00:20:11 AEST

Size: 3.83 KB

patch

obsolete

>diff --git a/auth.h b/auth.h
>index 8b27575..c7ff210 100644
>--- a/auth.h
>+++ b/auth.h
>@@ -226,4 +226,6 @@ int	 sys_auth_passwd(Authctxt *, const char *);
> #include <krb5.h>
> krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
> #endif
>+
>+#define METHOD_ANY "any"
> #endif
>diff --git a/auth1.c b/auth1.c
>index 5073c49..76c0556 100644
>--- a/auth1.c
>+++ b/auth1.c
>@@ -407,7 +407,7 @@ do_authentication(Authctxt *authctxt)
> 	}
> 
> 	/* Configuration may have changed as a result of Match */
>-	if (options.num_auth_methods != 0)
>+	if (strcmp(options.auth_methods[0], METHOD_ANY) != 0)
> 		fatal("AuthenticationMethods is not supported with SSH "
> 		    "protocol 1");
> 
>diff --git a/auth2.c b/auth2.c
>index 7177962..9e3d7fd 100644
>--- a/auth2.c
>+++ b/auth2.c
>@@ -310,7 +310,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
> #endif
> 	}
> 
>-	if (authenticated && options.num_auth_methods != 0) {
>+	if (authenticated && strcmp(options.auth_methods[0], METHOD_ANY) != 0) {
> 		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
> 			authenticated = 0;
> 			partial = 1;
>@@ -392,7 +392,7 @@ auth2_method_allowed(Authctxt *authctxt, const char *method,
> 	 * NB. authctxt->num_auth_methods might be zero as a result of
> 	 * auth2_setup_methods_lists(), so check the configuration.
> 	 */
>-	if (options.num_auth_methods == 0)
>+	if (strcmp(options.auth_methods[0], METHOD_ANY) == 0)
> 		return 1;
> 	for (i = 0; i < authctxt->num_auth_methods; i++) {
> 		if (list_starts_with(authctxt->auth_methods[i], method,
>@@ -507,7 +507,7 @@ auth2_setup_methods_lists(Authctxt *authctxt)
> {
> 	u_int i;
> 
>-	if (options.num_auth_methods == 0)
>+	if (strcmp(options.auth_methods[0], METHOD_ANY) == 0)
> 		return 0;
> 	debug3("%s: checking methods", __func__);
> 	authctxt->auth_methods = xcalloc(options.num_auth_methods,
>diff --git a/monitor.c b/monitor.c
>index f520c97..1bb063d 100644
>--- a/monitor.c
>+++ b/monitor.c
>@@ -367,7 +367,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
> 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
> 
> 		/* Special handling for multiple required authentications */
>-		if (options.num_auth_methods != 0) {
>+		if (strcmp(options.auth_methods[0], METHOD_ANY) != 0) {
> 			if (!compat20)
> 				fatal("AuthenticationMethods is not supported"
> 				    "with SSH protocol 1");
>diff --git a/servconf.c b/servconf.c
>index 9257a17..9d7bade 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -336,6 +336,8 @@ fill_default_server_options(ServerOptions *options)
> 		options->fwd_opts.streamlocal_bind_unlink = 0;
> 	if (options->fingerprint_hash == -1)
> 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
>+	if (options->num_auth_methods == 0)
>+		options->auth_methods[options->num_auth_methods++] = strdup(METHOD_ANY);
> 	/* Turn privilege separation on by default */
> 	if (use_privsep == -1)
> 		use_privsep = PRIVSEP_NOSANDBOX;
>@@ -1735,7 +1737,14 @@ process_server_config_line(ServerOptions *options, char *line,
> 		break;
> 
> 	case sAuthenticationMethods:
>+		if (cp == NULL || *cp == '\0')
>+			fatal("%.200s line %d: Missing argument.", filename, linenum);
> 		if (options->num_auth_methods == 0) {
>+			if (strcmp(cp, METHOD_ANY) == 0) {
>+				options->auth_methods[
>+				    options->num_auth_methods++] = xstrdup(strdelim(&cp));
>+				break;
>+			}
> 			while ((arg = strdelim(&cp)) && *arg != '\0') {
> 				if (options->num_auth_methods >=
> 				    MAX_AUTH_METHODS)
>diff --git a/sshd.c b/sshd.c
>index 78729dd..39662f0 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -1705,7 +1705,7 @@ main(int ac, char **av)
> 	 * daemonisation in the presence of Match block, but this catches
> 	 * and warns for trivial misconfigurations that could break login.
> 	 */
>-	if (options.num_auth_methods != 0) {
>+	if (strcmp(options.auth_methods[0], METHOD_ANY) != 0) {
> 		if ((options.protocol & SSH_PROTO_1))
> 			fatal("AuthenticationMethods is not supported with "
> 			    "SSH protocol 1");

Actions: View | Diff

Attachments on bug 2398: 2620 | 2836 | 2837 | 2838