Attachment #2846 for bug #2408

Lines 673-678 sshpam_init_ctx(Authctxt *authctxt) Link Here

(-)a/auth-pam.c (+5 lines)
673	return (NULL);	673	return (NULL);
674	}	674	}
675		675
		676	/* Notify PAM about any already successful auth methods */
		677	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
		678	authctxt->auth_details)
		679	do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
		680
676	ctxt = xcalloc(1, sizeof *ctxt);	681	ctxt = xcalloc(1, sizeof *ctxt);
677		682
678	/* Start the authentication thread */	683	/* Start the authentication thread */

Lines 81-86 struct Authctxt { Link Here

(-)a/auth.h (+3 lines)
81		81
82	struct sshkey **prev_userkeys;	82	struct sshkey **prev_userkeys;
83	u_int nprev_userkeys;	83	u_int nprev_userkeys;
		84
		85	char *last_details;
		86	char *auth_details;
84	};	87	};
85	/*	88	/*
86	* Every authentication method has to handle authentication requests for	89	* Every authentication method has to handle authentication requests for

Lines 240-245 input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) Link Here

(-)a/auth2-gss.c (+6 lines)
240		240
241	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	241	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
242		242
		243	if (authenticated)
		244	authctxt->last_details = ssh_gssapi_get_displayname();
		245
243	authctxt->postponed = 0;	246	authctxt->postponed = 0;
244	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);	247	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
245	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);	248	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
Lines 278-283 input_gssapi_mic(int type, u_int32_t plen, void *ctxt) Link Here
278	else	281	else
279	logit("GSSAPI MIC check failed");	282	logit("GSSAPI MIC check failed");
280		283
		284	if (authenticated)
		285	authctxt->last_details = ssh_gssapi_get_displayname();
		286
281	buffer_free(&b);	287	buffer_free(&b);
282	free(mic.value);	288	free(mic.value);
283		289

Lines 60-66 userauth_hostbased(Authctxt *authctxt) Link Here

(-)a/auth2-hostbased.c (-4 / +10 lines)
60	{	60	{
61	Buffer b;	61	Buffer b;
62	Key *key = NULL;	62	Key *key = NULL;
63	char pkalg, cuser, chost, service;	63	char pkalg, cuser, chost, service, *pubkey;
64	u_char pkblob, sig;	64	u_char pkblob, sig;
65	u_int alen, blen, slen;	65	u_int alen, blen, slen;
66	int pktype;	66	int pktype;
Lines 132-146 userauth_hostbased(Authctxt *authctxt) Link Here
132	buffer_dump(&b);	132	buffer_dump(&b);
133	#endif	133	#endif
134		134
135	pubkey_auth_info(authctxt, key,	135	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
136	"client user \"%.100s\", client host \"%.100s\"", cuser, chost);	136	auth_info(authctxt,
		137	"%s, client user \"%.100s\", client host \"%.100s\"",
		138	pubkey, cuser, chost);
137		139
138	/* test for allowed key and correct signature */	140	/* test for allowed key and correct signature */
139	authenticated = 0;	141	authenticated = 0;
140	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&	142	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
141	PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),	143	PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
142	buffer_len(&b))) == 1)	144	buffer_len(&b))) == 1) {
143	authenticated = 1;	145	authenticated = 1;
		146	authctxt->last_details = pubkey;
		147	} else {
		148	free(pubkey);
		149	}
144		150
145	buffer_free(&b);	151	buffer_free(&b);
146	done:	152	done:

Lines 79-85 userauth_pubkey(Authctxt *authctxt) Link Here

(-)a/auth2-pubkey.c (-22 / +12 lines)
79	{	79	{
80	Buffer b;	80	Buffer b;
81	Key *key = NULL;	81	Key *key = NULL;
82	char pkalg, userstyle, *fp = NULL;	82	char pkalg, userstyle, pubkey, fp = NULL;
83	u_char pkblob, sig;	83	u_char pkblob, sig;
84	u_int alen, blen, slen;	84	u_int alen, blen, slen;
85	int have_sig, pktype;	85	int have_sig, pktype;
Lines 171-177 userauth_pubkey(Authctxt *authctxt) Link Here
171	#ifdef DEBUG_PK	171	#ifdef DEBUG_PK
172	buffer_dump(&b);	172	buffer_dump(&b);
173	#endif	173	#endif
174	pubkey_auth_info(authctxt, key, NULL);	174	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
		175	auth_info(authctxt, "%s", pubkey);
175		176
176	/* test for correct signature */	177	/* test for correct signature */
177	authenticated = 0;	178	authenticated = 0;
Lines 179-187 userauth_pubkey(Authctxt *authctxt) Link Here
179	PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),	180	PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
180	buffer_len(&b))) == 1) {	181	buffer_len(&b))) == 1) {
181	authenticated = 1;	182	authenticated = 1;
		183	authctxt->last_details = pubkey;
182	/* Record the successful key to prevent reuse */	184	/* Record the successful key to prevent reuse */
183	auth2_record_userkey(authctxt, key);	185	auth2_record_userkey(authctxt, key);
184	key = NULL; /* Don't free below */	186	key = NULL; /* Don't free below */
		187	} else {
		188	free(pubkey);
185	}	189	}
186	buffer_free(&b);	190	buffer_free(&b);
187	free(sig);	191	free(sig);
Lines 222-228 done: Link Here
222	void	226	void
223	pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...)	227	pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...)
224	{	228	{
225	char fp, extra;	229	char extra, pubkey;
226	va_list ap;	230	va_list ap;
227	int i;	231	int i;
228		232
Lines 232-258 pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...) Link Here
232	i = vasprintf(&extra, fmt, ap);	236	i = vasprintf(&extra, fmt, ap);
233	va_end(ap);	237	va_end(ap);
234	if (i < 0 \|\| extra == NULL)	238	if (i < 0 \|\| extra == NULL)
235	fatal("%s: vasprintf failed", __func__);	239	fatal("%s: vasprintf failed", __func__);
236	}	240	}
237		241
238	if (key_is_cert(key)) {	242	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
239	fp = sshkey_fingerprint(key->cert->signature_key,	243	auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
240	options.fingerprint_hash, SSH_FP_DEFAULT);	244	extra == NULL ? "" : extra);
241	auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",	245	free(pubkey);
242	key_type(key), key->cert->key_id,
243	(unsigned long long)key->cert->serial,
244	key_type(key->cert->signature_key),
245	fp == NULL ? "(null)" : fp,
246	extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
247	free(fp);
248	} else {
249	fp = sshkey_fingerprint(key, options.fingerprint_hash,
250	SSH_FP_DEFAULT);
251	auth_info(authctxt, "%s %s%s%s", key_type(key),
252	fp == NULL ? "(null)" : fp,
253	extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
254	free(fp);
255	}
256	free(extra);	246	free(extra);
257	}	247	}
258		248




    const char *submethod)
{
	char *methods;
	char *prev_auth_details;
	int partial = 0;

	if (!authctxt->valid && authenticated)

	if (authctxt->postponed)
		return;

	if (authenticated || partial) {
		prev_auth_details = authctxt->auth_details;
		xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
		    prev_auth_details ? prev_auth_details : "",
		    prev_auth_details ? ", " : "", method,
		    authctxt->last_details ? ": " : "",
		    authctxt->last_details ? authctxt->last_details : "");
		free(prev_auth_details);
	}
	free(authctxt->last_details);
	authctxt->last_details = NULL;

#ifdef USE_PAM
	if (options.use_pam && authenticated) {
		if (!PRIVSEP(do_pam_account())) {




}

/* Privileged */
char*
ssh_gssapi_get_displayname(void)
{
	if (gssapi_client.displayname.length != 0 &&
	    gssapi_client.displayname.value != NULL)
		return strdup((char *)gssapi_client.displayname.value);
	return NULL;
}

/* Privileged */
OM_uint32
ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
{




{
	struct mon_table *ent;
	int authenticated = 0, partial = 0;
	char *prev_auth_details;

	debug3("preauth child monitor started");


		auth_submethod = NULL;
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);

		if (authenticated) {
			prev_auth_details = authctxt->auth_details;
			xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
			    prev_auth_details ? prev_auth_details : "",
			    prev_auth_details ? ", " : "", auth_method,
			    authctxt->last_details ? ": " : "",
			    authctxt->last_details ? authctxt->last_details : "");
			free(prev_auth_details);
		}
		free(authctxt->last_details);
		authctxt->last_details = NULL;

		/* Special handling for multiple required authentications */
		if (options.num_auth_methods != 0) {
			if (!compat20)

	debug3("%s: key %p signature %s",
	    __func__, key, (verified == 1) ? "verified" : "unverified");

	if (verified == 1)
		authctxt->last_details = sshkey_format_oneline(key,
		    options.fingerprint_hash);

	/* If auth was successful then record key to ensure it isn't reused */
	if (verified == 1 && key_blobtype == MM_USERKEY)
		auth2_record_userkey(authctxt, key);


	auth_method = "gssapi-with-mic";

	if (authenticated)
		authctxt->last_details = ssh_gssapi_get_displayname();

	/* Monitor loop will terminate if authenticated */
	return (authenticated);
}

Lines 169-174 initialize_server_options(ServerOptions *options) Link Here

(-)a/servconf.c (+20 lines)
169	options->ip_qos_bulk = -1;	169	options->ip_qos_bulk = -1;
170	options->version_addendum = NULL;	170	options->version_addendum = NULL;
171	options->fingerprint_hash = -1;	171	options->fingerprint_hash = -1;
		172	options->expose_auth_methods = -1;
172	}	173	}
173		174
174	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */	175	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
Lines 353-358 fill_default_server_options(ServerOptions *options) Link Here
353	options->fwd_opts.streamlocal_bind_unlink = 0;	354	options->fwd_opts.streamlocal_bind_unlink = 0;
354	if (options->fingerprint_hash == -1)	355	if (options->fingerprint_hash == -1)
355	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;	356	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
		357	if (options->expose_auth_methods == -1)
		358	options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
356		359
357	assemble_algorithms(options);	360	assemble_algorithms(options);
358		361
Lines 438-443 typedef enum { Link Here
438	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,	441	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
439	sStreamLocalBindMask, sStreamLocalBindUnlink,	442	sStreamLocalBindMask, sStreamLocalBindUnlink,
440	sAllowStreamLocalForwarding, sFingerprintHash,	443	sAllowStreamLocalForwarding, sFingerprintHash,
		444	sExposeAuthenticationMethods,
441	sDeprecated, sUnsupported	445	sDeprecated, sUnsupported
442	} ServerOpCodes;	446	} ServerOpCodes;
443		447
Lines 580-585 static struct { Link Here
580	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },	584	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
581	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },	585	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
582	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },	586	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
		587	{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
583	{ NULL, sBadOption, 0 }	588	{ NULL, sBadOption, 0 }
584	};	589	};
585		590
Lines 969-974 static const struct multistate multistate_tcpfwd[] = { Link Here
969	{ "local", FORWARD_LOCAL },	974	{ "local", FORWARD_LOCAL },
970	{ NULL, -1 }	975	{ NULL, -1 }
971	};	976	};
		977	static const struct multistate multistate_exposeauthmeth[] = {
		978	{ "never", EXPOSE_AUTHMETH_NEVER },
		979	{ "pam-only", EXPOSE_AUTHMETH_PAMONLY },
		980	{ "pam-and-env", EXPOSE_AUTHMETH_PAMENV },
		981	{ NULL, -1}
		982	};
972		983
973	int	984	int
974	process_server_config_line(ServerOptions options, char line,	985	process_server_config_line(ServerOptions options, char line,
Lines 1879-1884 process_server_config_line(ServerOptions options, char line, Link Here
1879	options->fingerprint_hash = value;	1890	options->fingerprint_hash = value;
1880	break;	1891	break;
1881		1892
		1893	case sExposeAuthenticationMethods:
		1894	intptr = &options->expose_auth_methods;
		1895	multistate_ptr = multistate_exposeauthmeth;
		1896	goto parse_multistate;
		1897
1882	case sDeprecated:	1898	case sDeprecated:
1883	logit("%s line %d: Deprecated option %s",	1899	logit("%s line %d: Deprecated option %s",
1884	filename, linenum, arg);	1900	filename, linenum, arg);
Lines 2034-2039 copy_set_server_options(ServerOptions dst, ServerOptions src, int preauth) Link Here
2034	M_CP_INTOPT(ip_qos_bulk);	2050	M_CP_INTOPT(ip_qos_bulk);
2035	M_CP_INTOPT(rekey_limit);	2051	M_CP_INTOPT(rekey_limit);
2036	M_CP_INTOPT(rekey_interval);	2052	M_CP_INTOPT(rekey_interval);
		2053	M_CP_INTOPT(expose_auth_methods);
2037		2054
2038	/*	2055	/*
2039	* The bind_mask is a mode_t that may be unsigned, so we can't use	2056	* The bind_mask is a mode_t that may be unsigned, so we can't use
Lines 2148-2153 fmt_intarg(ServerOpCodes code, int val) Link Here
2148	return fmt_multistate_int(val, multistate_tcpfwd);	2165	return fmt_multistate_int(val, multistate_tcpfwd);
2149	case sFingerprintHash:	2166	case sFingerprintHash:
2150	return ssh_digest_alg_name(val);	2167	return ssh_digest_alg_name(val);
		2168	case sExposeAuthenticationMethods:
		2169	return fmt_multistate_int(val, multistate_exposeauthmeth);
2151	case sProtocol:	2170	case sProtocol:
2152	switch (val) {	2171	switch (val) {
2153	case SSH_PROTO_1:	2172	case SSH_PROTO_1:
Lines 2337-2342 dump_config(ServerOptions *o) Link Here
2337	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);	2356	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2338	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);	2357	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2339	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);	2358	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
		2359	dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
2340		2360
2341	/* string arguments */	2361	/* string arguments */
2342	dump_cfg_string(sPidFile, o->pid_file);	2362	dump_cfg_string(sPidFile, o->pid_file);

Lines 48-53 Link Here

(-)a/servconf.h (+7 lines)
48	#define FORWARD_LOCAL (1<<1)	48	#define FORWARD_LOCAL (1<<1)
49	#define FORWARD_ALLOW (FORWARD_REMOTE\|FORWARD_LOCAL)	49	#define FORWARD_ALLOW (FORWARD_REMOTE\|FORWARD_LOCAL)
50		50
		51	/* Expose AuthenticationMethods */
		52	#define EXPOSE_AUTHMETH_NEVER 0
		53	#define EXPOSE_AUTHMETH_PAMONLY 1
		54	#define EXPOSE_AUTHMETH_PAMENV 2
		55
51	#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */	56	#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
52	#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */	57	#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
53		58
Lines 195-200 typedef struct { Link Here
195	char *auth_methods[MAX_AUTH_METHODS];	200	char *auth_methods[MAX_AUTH_METHODS];
196		201
197	int fingerprint_hash;	202	int fingerprint_hash;
		203
		204	int expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
198	} ServerOptions;	205	} ServerOptions;
199		206
200	/* Information about the incoming connection as used by Match */	207	/* Information about the incoming connection as used by Match */

Lines 1154-1159 copy_environment(char source, char env, u_int envsize) Link Here

(-)a/session.c (+14 lines)
1154	}	1154	}
1155	*var_val++ = '\0';	1155	*var_val++ = '\0';
1156		1156
		1157	if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
		1158	strcmp(var_name, "SSH_USER_AUTH") == 0) {
		1159	free(var_name);
		1160	continue;
		1161	}
		1162
1157	debug3("Copy environment: %s=%s", var_name, var_val);	1163	debug3("Copy environment: %s=%s", var_name, var_val);
1158	child_set_env(env, envsize, var_name, var_val);	1164	child_set_env(env, envsize, var_name, var_val);
1159		1165
Lines 1336-1341 do_setup_env(Session s, const char shell) Link Here
1336	}	1342	}
1337	#endif /* USE_PAM */	1343	#endif /* USE_PAM */
1338		1344
		1345	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
		1346	s->authctxt->auth_details)
		1347	child_set_env(&env, &envsize, "SSH_USER_AUTH",
		1348	s->authctxt->auth_details);
		1349
1339	if (auth_sock_name != NULL)	1350	if (auth_sock_name != NULL)
1340	child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,	1351	child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
1341	auth_sock_name);	1352	auth_sock_name);
Lines 2777-2782 do_cleanup(Authctxt *authctxt) Link Here
2777	if (authctxt == NULL)	2788	if (authctxt == NULL)
2778	return;	2789	return;
2779		2790
		2791	free(authctxt->auth_details);
		2792	authctxt->auth_details = NULL;
		2793
2780	#ifdef USE_PAM	2794	#ifdef USE_PAM
2781	if (options.use_pam) {	2795	if (options.use_pam) {
2782	sshpam_cleanup();	2796	sshpam_cleanup();

Lines 124-129 int ssh_gssapi_check_mechanism(Gssctxt *, gss_OID, const char ); Link Here

(-)a/ssh-gss.h (+1 lines)
124	/* In the server */	124	/* In the server */
125	OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);	125	OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
126	int ssh_gssapi_userok(char *name);	126	int ssh_gssapi_userok(char *name);
		127	char* ssh_gssapi_get_displayname(void);
127	OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);	128	OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
128	void ssh_gssapi_do_child(char **, u_int );	129	void ssh_gssapi_do_child(char **, u_int );
129	void ssh_gssapi_cleanup_creds(void);	130	void ssh_gssapi_cleanup_creds(void);

Lines 1396-1401 server IP address, and server port number. Link Here

(-)a/ssh.1 (+4 lines)
1396	This variable contains the original command line if a forced command	1396	This variable contains the original command line if a forced command
1397	is executed.	1397	is executed.
1398	It can be used to extract the original arguments.	1398	It can be used to extract the original arguments.
		1399	.It Ev SSH_USER_AUTH
		1400	This variable contains, for SSH2 only, a comma-separated list of authentication
		1401	methods that were successfuly used to authenticate. When possible, these
		1402	methods are extended with detailed information on the credential used.
1399	.It Ev SSH_TTY	1403	.It Ev SSH_TTY
1400	This is set to the name of the tty (path to the device) associated	1404	This is set to the name of the tty (path to the device) associated
1401	with the current shell or command.	1405	with the current shell or command.




See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm ExposeAuthenticationMethods
When using SSH2, this option controls the exposure of the list of
successful authentication methods to PAM during the authentication
and to the shell environment via the
.Cm SSH_USER_AUTH
variable. See the description of this variable for more details.
Valid options are:
.Dq never
(Do not expose successful authentication methods),
.Dq pam-only
(Only expose them to PAM during authentication, not afterwards),
.Dq pam-and-env
(Expose them to PAM and keep them in the shell environment).
The default is
.Dq never .
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
Valid options are:




#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
#include "xmalloc.h"

/* openssh private key file format */
#define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"

	return retval;
}

char *
sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
{
	char *fp, *result;

	if (sshkey_is_cert(key)) {
		fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
		    SSH_FP_DEFAULT);
		xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
		    sshkey_type(key), key->cert->key_id,
		    (unsigned long long)key->cert->serial,
		    sshkey_type(key->cert->signature_key),
		    fp == NULL ? "(null)" : fp);
		free(fp);
	} else {
		fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
		xasprintf(&result, "%s %s", sshkey_type(key),
		    fp == NULL ? "(null)" : fp);
		free(fp);
	}

	return result;
}

#ifdef WITH_SSH1
/*
 * Reads a multiple-precision integer in decimal from the buffer, and advances

Lines 123-128 char sshkey_fingerprint(const struct sshkey , Link Here

(-)a/sshkey.h (+1 lines)
123	int, enum sshkey_fp_rep);	123	int, enum sshkey_fp_rep);
124	int sshkey_fingerprint_raw(const struct sshkey *k,	124	int sshkey_fingerprint_raw(const struct sshkey *k,
125	int, u_char *retp, size_t lenp);	125	int, u_char *retp, size_t lenp);
		126	char sshkey_format_oneline(const struct sshkey k, int dgst_alg);
126	const char sshkey_type(const struct sshkey );	127	const char sshkey_type(const struct sshkey );
127	const char sshkey_cert_type(const struct sshkey );	128	const char sshkey_cert_type(const struct sshkey );
128	int sshkey_write(const struct sshkey , FILE );	129	int sshkey_write(const struct sshkey , FILE );

Return to bug 2408

Lines 384-389 ssh_gssapi_userok(char *user) Link Here

(-)a/gss-serv.c (+10 lines)
384	}	384	}
385		385
386	/* Privileged */	386	/* Privileged */
		387	char*
		388	ssh_gssapi_get_displayname(void)
		389	{
		390	if (gssapi_client.displayname.length != 0 &&
		391	gssapi_client.displayname.value != NULL)
		392	return strdup((char *)gssapi_client.displayname.value);
		393	return NULL;
		394	}
		395
		396	/* Privileged */
387	OM_uint32	397	OM_uint32
388	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)	398	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
389	{	399	{

Lines 335-340 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here

(-)a/monitor.c (+20 lines)
335	{	335	{
336	struct mon_table *ent;	336	struct mon_table *ent;
337	int authenticated = 0, partial = 0;	337	int authenticated = 0, partial = 0;
		338	char *prev_auth_details;
338		339
339	debug3("preauth child monitor started");	340	debug3("preauth child monitor started");
340		341
Lines 366-371 monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor) Link Here
366	auth_submethod = NULL;	367	auth_submethod = NULL;
367	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);	368	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
368		369
		370	if (authenticated) {
		371	prev_auth_details = authctxt->auth_details;
		372	xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
		373	prev_auth_details ? prev_auth_details : "",
		374	prev_auth_details ? ", " : "", auth_method,
		375	authctxt->last_details ? ": " : "",
		376	authctxt->last_details ? authctxt->last_details : "");
		377	free(prev_auth_details);
		378	}
		379	free(authctxt->last_details);
		380	authctxt->last_details = NULL;
		381
369	/* Special handling for multiple required authentications */	382	/* Special handling for multiple required authentications */
370	if (options.num_auth_methods != 0) {	383	if (options.num_auth_methods != 0) {
371	if (!compat20)	384	if (!compat20)
Lines 1450-1455 mm_answer_keyverify(int sock, Buffer *m) Link Here
1450	debug3("%s: key %p signature %s",	1463	debug3("%s: key %p signature %s",
1451	__func__, key, (verified == 1) ? "verified" : "unverified");	1464	__func__, key, (verified == 1) ? "verified" : "unverified");
1452		1465
		1466	if (verified == 1)
		1467	authctxt->last_details = sshkey_format_oneline(key,
		1468	options.fingerprint_hash);
		1469
1453	/* If auth was successful then record key to ensure it isn't reused */	1470	/* If auth was successful then record key to ensure it isn't reused */
1454	if (verified == 1 && key_blobtype == MM_USERKEY)	1471	if (verified == 1 && key_blobtype == MM_USERKEY)
1455	auth2_record_userkey(authctxt, key);	1472	auth2_record_userkey(authctxt, key);
Lines 2060-2065 mm_answer_gss_userok(int sock, Buffer *m) Link Here
2060		2077
2061	auth_method = "gssapi-with-mic";	2078	auth_method = "gssapi-with-mic";
2062		2079
		2080	if (authenticated)
		2081	authctxt->last_details = ssh_gssapi_get_displayname();
		2082
2063	/* Monitor loop will terminate if authenticated */	2083	/* Monitor loop will terminate if authenticated */
2064	return (authenticated);	2084	return (authenticated);
2065	}	2085	}

Lines 293-298 userauth_finish(Authctxt authctxt, int authenticated, const char method, Link Here

(-)a/auth2.c (+13 lines)
293	const char *submethod)	293	const char *submethod)
294	{	294	{
295	char *methods;	295	char *methods;
		296	char *prev_auth_details;
296	int partial = 0;	297	int partial = 0;
297		298
298	if (!authctxt->valid && authenticated)	299	if (!authctxt->valid && authenticated)
Lines 323-328 userauth_finish(Authctxt authctxt, int authenticated, const char method, Link Here
323	if (authctxt->postponed)	324	if (authctxt->postponed)
324	return;	325	return;
325		326
		327	if (authenticated \|\| partial) {
		328	prev_auth_details = authctxt->auth_details;
		329	xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
		330	prev_auth_details ? prev_auth_details : "",
		331	prev_auth_details ? ", " : "", method,
		332	authctxt->last_details ? ": " : "",
		333	authctxt->last_details ? authctxt->last_details : "");
		334	free(prev_auth_details);
		335	}
		336	free(authctxt->last_details);
		337	authctxt->last_details = NULL;
		338
326	#ifdef USE_PAM	339	#ifdef USE_PAM
327	if (options.use_pam && authenticated) {	340	if (options.use_pam && authenticated) {
328	if (!PRIVSEP(do_pam_account())) {	341	if (!PRIVSEP(do_pam_account())) {

Lines 579-584 and finally Link Here

(-)a/sshd_config.5 (+15 lines)
579	See PATTERNS in	579	See PATTERNS in
580	.Xr ssh_config 5	580	.Xr ssh_config 5
581	for more information on patterns.	581	for more information on patterns.
		582	.It Cm ExposeAuthenticationMethods
		583	When using SSH2, this option controls the exposure of the list of
		584	successful authentication methods to PAM during the authentication
		585	and to the shell environment via the
		586	.Cm SSH_USER_AUTH
		587	variable. See the description of this variable for more details.
		588	Valid options are:
		589	.Dq never
		590	(Do not expose successful authentication methods),
		591	.Dq pam-only
		592	(Only expose them to PAM during authentication, not afterwards),
		593	.Dq pam-and-env
		594	(Expose them to PAM and keep them in the shell environment).
		595	The default is
		596	.Dq never .
582	.It Cm FingerprintHash	597	.It Cm FingerprintHash
583	Specifies the hash algorithm used when logging key fingerprints.	598	Specifies the hash algorithm used when logging key fingerprints.
584	Valid options are:	599	Valid options are:

Lines 58-63 Link Here

(-)a/sshkey.c (+25 lines)
58	#define SSHKEY_INTERNAL	58	#define SSHKEY_INTERNAL
59	#include "sshkey.h"	59	#include "sshkey.h"
60	#include "match.h"	60	#include "match.h"
		61	#include "xmalloc.h"
61		62
62	/* openssh private key file format */	63	/* openssh private key file format */
63	#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"	64	#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
Lines 1189-1194 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, Link Here
1189	return retval;	1190	return retval;
1190	}	1191	}
1191		1192
		1193	char *
		1194	sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
		1195	{
		1196	char fp, result;
		1197
		1198	if (sshkey_is_cert(key)) {
		1199	fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
		1200	SSH_FP_DEFAULT);
		1201	xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
		1202	sshkey_type(key), key->cert->key_id,
		1203	(unsigned long long)key->cert->serial,
		1204	sshkey_type(key->cert->signature_key),
		1205	fp == NULL ? "(null)" : fp);
		1206	free(fp);
		1207	} else {
		1208	fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
		1209	xasprintf(&result, "%s %s", sshkey_type(key),
		1210	fp == NULL ? "(null)" : fp);
		1211	free(fp);
		1212	}
		1213
		1214	return result;
		1215	}
		1216
1192	#ifdef WITH_SSH1	1217	#ifdef WITH_SSH1
1193	/*	1218	/*
1194	* Reads a multiple-precision integer in decimal from the buffer, and advances	1219	* Reads a multiple-precision integer in decimal from the buffer, and advances