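--- a/auth-pam.c
+++ b/auth-pam.c
@@ -691,7 +691,8 @@ sshpam_init_ctx(Authctxt *authctxt)
 	}
 
 	/* Notify PAM about any already successful auth methods */
-	if (authctxt->auth_details)
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
+			authctxt->auth_details)
 		do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
 
 	ctxt = xcalloc(1, sizeof *ctxt);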
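Review bot: The continuation line `authctxt->auth_details)` is indented with three tabs, whereas the surrounding OpenSSH code visible in this patch continues a wrapped statement with four spaces after the block's tabs (`		    filename, linenum, arg);` in servconf.c, `		     s->authctxt->auth_details);` in session.c); the same extra-tab continuation appears in both session.c hunks. Matching the existing style would be `	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&` followed by `	    authctxt->auth_details)`. With the option still at its initialised -1 the test is false, so the PAM variable is simply not set, which fails closed and is presumably intended; a word to that effect would help. sshpam_init_ctx() starts and ends outside the hunk.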
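--- a/servconf.c
+++ b/servconf.c
@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
+	options->expose_auth_methods = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -353,6 +354,8 @@ fill_default_server_options(ServerOptions *options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+	if (options->expose_auth_methods == -1)
+		options->expose_auth_methods = EXPOSE_AUTHMETH_PAMONLY;
 
 	assemble_algorithms(options);
 
@@ -430,6 +433,7 @@ typedef enum {
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
 	sAllowStreamLocalForwarding, sFingerprintHash,
+	sExposeAuthenticationMethods,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -572,6 +576,7 @@ static struct {
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+	{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -961,6 +966,12 @@ static const struct multistate multistate_tcpfwd[] = {
 	{ "local",			FORWARD_LOCAL },
 	{ NULL, -1 }
 };
+static const struct multistate multistate_exposeauthmeth[] = {
+	{ "never",			EXPOSE_AUTHMETH_NEVER },
+	{ "pam-only",			EXPOSE_AUTHMETH_PAMONLY },
+	{ "pam-and-env",		EXPOSE_AUTHMETH_PAMENV },
+	{ NULL, -1}
+};
 
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1851,6 +1862,11 @@ process_server_config_line(ServerOptions *options, char *line,
 			options->fingerprint_hash = value;
 		break;
 
+	case sExposeAuthenticationMethods:
+		intptr = &options->expose_auth_methods;
+		multistate_ptr = multistate_exposeauthmeth;
+		goto parse_multistate;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -2005,6 +2021,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
+	M_CP_INTOPT(expose_auth_methods);
 
 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
 #define M_CP_STROPT(n) do {\
@@ -2109,6 +2126,8 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sFingerprintHash:
 		return ssh_digest_alg_name(val);
+	case sExposeAuthenticationMethods:
+		return fmt_multistate_int(val, multistate_exposeauthmeth);
 	case sProtocol:
 		switch (val) {
 		case SSH_PROTO_1:
@@ -2295,6 +2314,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+	dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);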
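Review bot: The keyword table registers `exposeauthenticationmethods` with SSHCFG_GLOBAL, so the option can never be set inside a Match block, yet copy_set_server_options() gains `M_CP_INTOPT(expose_auth_methods);`, which only has an effect for options accepted in Match; the two hunks disagree about whether the setting is per-connection. If per-user or per-address control is wanted (plausible for a setting that decides what a PAM stack and the user's shell get to see), change the table entry to `SSHCFG_ALL`; otherwise drop the M_CP_INTOPT line so the copy list keeps describing only the Match-able options. Two smaller style points: the new keyword-table line runs well past 80 columns, and `{ NULL, -1}` in multistate_exposeauthmeth lacks the space before `}` that the neighbouring multistate_tcpfwd terminator uses.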
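--- a/servconf.h
+++ b/servconf.h
@@ -48,6 +48,11 @@
 #define FORWARD_LOCAL		(1<<1)
 #define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)
 
+/* Expose AuthenticationMethods */
+#define EXPOSE_AUTHMETH_NEVER   0
+#define EXPOSE_AUTHMETH_PAMONLY 1
+#define EXPOSE_AUTHMETH_PAMENV  2
+
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
 
@@ -195,6 +200,8 @@ typedef struct {
 	char   *auth_methods[MAX_AUTH_METHODS];
 
 	int	fingerprint_hash;
+
+	int	expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */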
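Review bot: The three EXPOSE_AUTHMETH_* values are compared with `>=` and `<` in auth-pam.c and session.c, so their numeric order is part of the contract, but the comment above them only names the option. Say it where the values are defined, e.g. `/* Expose AuthenticationMethods; values are ordered by increasing exposure */`, so a later level is not inserted in the wrong place and silently widens what gets exposed. The field comment `/* EXPOSE_AUTHMETH_* above */` could also mention that -1 is the "unset" marker servconf.c relies on before defaults are filled.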
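--- a/session.c
+++ b/session.c
@@ -1153,6 +1153,12 @@ copy_environment(char **source, char ***env, u_int *envsize)
 		}
 		*var_val++ = '\0';
 
+		if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
+				strcmp(var_name, "SSH_USER_AUTH") == 0) {
+			free(var_name);
+			continue;
+		}
+
 		debug3("Copy environment: %s=%s", var_name, var_val);
 		child_set_env(env, envsize, var_name, var_val);
 
@@ -1335,7 +1341,8 @@ do_setup_env(Session *s, const char *shell)
 	}
 #endif /* USE_PAM */
 
-	if (s->authctxt->auth_details)
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
+			s->authctxt->auth_details)
 		child_set_env(&env, &envsize, "SSH_USER_AUTH",
 		     s->authctxt->auth_details);
 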
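Review bot: The SSH_USER_AUTH filter is placed in copy_environment(), a generic helper that copies whatever array it is handed, so every caller drops that variable unless the option is pam-and-env, not only the copy of the PAM environment; if that is the intent, a comment such as `/* Never pass SSH_USER_AUTH through from any copied environment unless pam-and-env is set */` would record it, and if not, the check belongs at the PAM-specific call site. The `free(var_name)` before `continue` is presumably needed because var_name is a heap copy made earlier in the loop body, which begins outside the hunk; if var_val points into that same buffer nothing else is leaked, but confirm the early exit matches the loop's normal cleanup (not visible here) and does not free twice. copy_environment() starts before the first hunk and continues after it.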
(-)a/sshd_config.5 (-1 / +15 lines)
Lines 574-579 and finally Link Here
574
See PATTERNS in
574
See PATTERNS in
575
.Xr ssh_config 5
575
.Xr ssh_config 5
576
for more information on patterns.
576
for more information on patterns.
577
.It Cm ExposeAuthenticationMethods
578
When using SSH2, this option controls the exposure of the list of
579
successful authentication methods to PAM during the authentication
580
and to the shell environment via the
581
.Cm SSH_USER_AUTH
582
variable. See the description of this variable for more details.
583
Valid options are:
584
.Dq never
585
(Do not expose successful authentication methods),
586
.Dq pam-only
587
(Only expose them to PAM during authentication, not afterwards),
588
.Dq pam-and-env
589
(Expose them to PAM and keep them in the shell environment).
590
The default is
591
.Dq pam-only .
577
.It Cm FingerprintHash
592
.It Cm FingerprintHash
578
Specifies the hash algorithm used when logging key fingerprints.
593
Specifies the hash algorithm used when logging key fingerprints.
579
Valid options are:
594
Valid options are:
580
- 
