
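--- a/auth-pam.c
+++ b/auth-pam.c
@@ -673,6 +673,11 @@ sshpam_init_ctx(Authctxt *authctxt)
 		return (NULL);
 	}
 
+	/* Notify PAM about any already successful auth methods */
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
+			authctxt->auth_details)
+		do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
+
 	ctxt = xcalloc(1, sizeof *ctxt);
 
 	/* Start the authentication thread */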
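Review bot: The status returned by do_pam_putenv() is discarded on the new line 679, so a PAM environment that rejected the value looks the same as one that accepted it; if the helper passes pam_putenv()'s status through, check it, e.g. `if (do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details) != PAM_SUCCESS) error("%s: could not export SSH_USER_AUTH to PAM", __func__);`. The value is exported only here, when the keyboard-interactive PAM context is created; whether account or session modules reached through other PAM entry points ever see it is not visible in this hunk and deserves a sentence in the comment above the check. sshpam_init_ctx starts and ends outside the hunk.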
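--- a/auth.h
+++ b/auth.h
@@ -81,6 +81,9 @@ struct Authctxt {
 
 	struct sshkey	**prev_userkeys;
 	u_int		 nprev_userkeys;
+
+	char		*last_details;
+	char		*auth_details;
 };
 /*
  * Every authentication method has to handle authentication requests for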
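Review bot: The two new Authctxt members at lines 85-86 carry no comment, and their lifecycle is the non-obvious part of this patch: one is a per-attempt heap string, the other an accumulating record that outlives authentication. Suggested comments: `/* heap string describing the credential behind the latest successful method; consumed and freed by userauth_finish() */` on last_details and `/* comma-separated record of all successful methods so far; exported to PAM / SSH_USER_AUTH, freed in do_cleanup() */` on auth_details. Both statements are grounded in the auth2.c and session.c hunks of this patch. struct Authctxt starts outside the hunk.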
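--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -240,6 +240,9 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 
 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
 
+	if (authenticated)
+		authctxt->last_details = ssh_gssapi_get_displayname();
+
 	authctxt->postponed = 0;
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -278,6 +281,9 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 	else
 		logit("GSSAPI MIC check failed");
 
+	if (authenticated)
+		authctxt->last_details = ssh_gssapi_get_displayname();
+
 	buffer_free(&b);
 	free(mic.value);
 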
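Review bot: ssh_gssapi_get_displayname() is called directly at line 244, one line after ssh_gssapi_userok() was routed through PRIVSEP(); the helper reads the global gssapi_client, and the monitor.c hunk in this patch records its own copy in mm_answer_gss_userok, which suggests that with privilege separation the unprivileged child does not have that state and gets NULL here. If the child-side value is never used under privsep, say so: `/* populated only without privsep; the monitor records its own copy */`; if it is used, the call should go through the monitor like its neighbour. The same pattern appears in input_gssapi_mic at lines 284-285. Both functions start outside their hunks.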
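--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *cuser, *chost, *service;
+	char *pkalg, *cuser, *chost, *service, *pubkey;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int pktype;
@@ -132,15 +132,21 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_dump(&b);
 #endif
 
-	pubkey_auth_info(authctxt, key,
-	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
+	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+	auth_info(authctxt,
+	    "%s, client user \"%.100s\", client host \"%.100s\"",
+	    pubkey, cuser, chost);
 
 	/* test for allowed key and correct signature */
 	authenticated = 0;
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
-			buffer_len(&b))) == 1)
+			buffer_len(&b))) == 1) {
 		authenticated = 1;
+		authctxt->last_details = pubkey;
+	} else {
+		free(pubkey);
+	}
 
 	buffer_free(&b);
 done: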
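--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *userstyle, *fp = NULL;
+	char *pkalg, *userstyle, *pubkey, *fp = NULL;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
@@ -171,7 +171,8 @@ userauth_pubkey(Authctxt *authctxt)
 #ifdef DEBUG_PK
 		buffer_dump(&b);
 #endif
-		pubkey_auth_info(authctxt, key, NULL);
+		pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+		auth_info(authctxt, "%s", pubkey);
 
 		/* test for correct signature */
 		authenticated = 0;
@@ -179,9 +180,12 @@ userauth_pubkey(Authctxt *authctxt)
 		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 		    buffer_len(&b))) == 1) {
 			authenticated = 1;
+			authctxt->last_details = pubkey;
 			/* Record the successful key to prevent reuse */
 			auth2_record_userkey(authctxt, key);
 			key = NULL; /* Don't free below */
+		} else {
+			free(pubkey);
 		}
 		buffer_free(&b);
 		free(sig);
@@ -222,7 +226,7 @@ done:
 void
 pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 {
-	char *fp, *extra;
+	char *extra, *pubkey;
 	va_list ap;
 	int i;
 
@@ -232,27 +236,13 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 		i = vasprintf(&extra, fmt, ap);
 		va_end(ap);
 		if (i < 0 || extra == NULL)
-			fatal("%s: vasprintf failed", __func__);	
+			fatal("%s: vasprintf failed", __func__);
 	}
 
-	if (key_is_cert(key)) {
-		fp = sshkey_fingerprint(key->cert->signature_key,
-		    options.fingerprint_hash, SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
-		    key_type(key), key->cert->key_id,
-		    (unsigned long long)key->cert->serial,
-		    key_type(key->cert->signature_key),
-		    fp == NULL ? "(null)" : fp,
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-		free(fp);
-	} else {
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s %s%s%s", key_type(key),
-		    fp == NULL ? "(null)" : fp,
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-		free(fp);
-	}
+	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+	auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
+	    extra == NULL ? "" : extra);
+	free(pubkey);
 	free(extra);
 }
 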
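Review bot: pubkey_auth_info() is reworked at lines 229-245 although both callers visible in this patch (userauth_pubkey here and userauth_hostbased) now call sshkey_format_oneline() and auth_info() themselves; if no caller remains elsewhere in the tree, the function is dead after this change and should be removed rather than rewritten. In userauth_pubkey the hand-over at line 183 deserves a comment, since the only other path frees the same string locally: `authctxt->last_details = pubkey; /* ownership moves to authctxt; freed in userauth_finish() */`. userauth_pubkey starts and ends outside its hunks.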
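--- a/auth2.c
+++ b/auth2.c
@@ -293,6 +293,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
     const char *submethod)
 {
 	char *methods;
+	char *prev_auth_details;
 	int partial = 0;
 
 	if (!authctxt->valid && authenticated)
@@ -323,6 +324,18 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
 	if (authctxt->postponed)
 		return;
 
+	if (authenticated || partial) {
+		prev_auth_details = authctxt->auth_details;
+		xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+		    prev_auth_details ? prev_auth_details : "",
+		    prev_auth_details ? ", " : "", method,
+		    authctxt->last_details ? ": " : "",
+		    authctxt->last_details ? authctxt->last_details : "");
+		free(prev_auth_details);
+	}
+	free(authctxt->last_details);
+	authctxt->last_details = NULL;
+
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {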
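Review bot: The record assembled at lines 328-333 joins methods with ", " and details with ": ", but the details are embedded unsanitised: a certificate key_id chosen by the CA or a GSSAPI display name may itself contain those delimiters, quotes or control characters, and the string is later handed to PAM and placed in SSH_USER_AUTH, which the ssh(1) text in this patch describes as a comma-separated list. Either escape non-printable and delimiter characters before appending (strnvis() is available in the tree) or document that consumers must treat the value as opaque. The same format string and argument list are repeated verbatim in monitor_child_preauth in monitor.c; a single helper in auth2.c, e.g. `void auth_details_record(Authctxt *, const char *method);`, would keep the two in step. userauth_finish continues outside the hunk.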
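--- a/gss-serv.c
+++ b/gss-serv.c
@@ -384,6 +384,16 @@ ssh_gssapi_userok(char *user)
 }
 
 /* Privileged */
+char*
+ssh_gssapi_get_displayname(void)
+{
+	if (gssapi_client.displayname.length != 0 &&
+	    gssapi_client.displayname.value != NULL)
+		return strdup((char *)gssapi_client.displayname.value);
+	return NULL;
+}
+
+/* Privileged */
 OM_uint32
 ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 {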
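Review bot: ssh_gssapi_get_displayname() strdup()s gssapi_client.displayname.value at line 392 although a gss_buffer_t carries an explicit length and the GSS-API contract does not guarantee NUL termination, so the copy may read past the buffer; bound it by the length instead, e.g. `xasprintf(&name, "%.*s", (int)gssapi_client.displayname.length, (char *)gssapi_client.displayname.value);` and `return name;`. That also matches the rest of the patch, where allocation goes through the x* wrappers; as written, a failed strdup() silently drops the detail. The matching prototype added to ssh-gss.h is written `char*` where the neighbouring declarations attach the star to the name.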
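--- a/monitor.c
+++ b/monitor.c
@@ -335,6 +335,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
 	struct mon_table *ent;
 	int authenticated = 0, partial = 0;
+	char *prev_auth_details;
 
 	debug3("preauth child monitor started");
 
@@ -366,6 +367,18 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 		auth_submethod = NULL;
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 
+		if (authenticated) {
+			prev_auth_details = authctxt->auth_details;
+			xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+			    prev_auth_details ? prev_auth_details : "",
+			    prev_auth_details ? ", " : "", auth_method,
+			    authctxt->last_details ? ": " : "",
+			    authctxt->last_details ? authctxt->last_details : "");
+			free(prev_auth_details);
+		}
+		free(authctxt->last_details);
+		authctxt->last_details = NULL;
+
 		/* Special handling for multiple required authentications */
 		if (options.num_auth_methods != 0) {
 			if (!compat20)
@@ -1450,6 +1463,10 @@ mm_answer_keyverify(int sock, Buffer *m)
 	debug3("%s: key %p signature %s",
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
 
+	if (verified == 1)
+		authctxt->last_details = sshkey_format_oneline(key,
+		    options.fingerprint_hash);
+
 	/* If auth was successful then record key to ensure it isn't reused */
 	if (verified == 1 && key_blobtype == MM_USERKEY)
 		auth2_record_userkey(authctxt, key);
@@ -2060,6 +2077,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
 
 	auth_method = "gssapi-with-mic";
 
+	if (authenticated)
+		authctxt->last_details = ssh_gssapi_get_displayname();
+
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }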
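Review bot: mm_answer_keyverify overwrites authctxt->last_details at line 1467 without releasing any previous value; the field is cleared once per iteration of the monitor loop at lines 379-380, but if more than one successful answer can be produced before the loop comes round (not visible here), the earlier string leaks. A defensive `free(authctxt->last_details);` immediately before the assignment makes the handler self-contained, and the same applies to mm_answer_gss_userok at line 2081. Both handlers start outside their hunks.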
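--- a/servconf.c
+++ b/servconf.c
@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
+	options->expose_auth_methods = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -353,6 +354,8 @@ fill_default_server_options(ServerOptions *options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+	if (options->expose_auth_methods == -1)
+		options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
 
 	assemble_algorithms(options);
 
@@ -438,6 +441,7 @@ typedef enum {
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
 	sAllowStreamLocalForwarding, sFingerprintHash,
+	sExposeAuthenticationMethods,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -580,6 +584,7 @@ static struct {
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+	{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -969,6 +974,12 @@ static const struct multistate multistate_tcpfwd[] = {
 	{ "local",			FORWARD_LOCAL },
 	{ NULL, -1 }
 };
+static const struct multistate multistate_exposeauthmeth[] = {
+	{ "never",			EXPOSE_AUTHMETH_NEVER },
+	{ "pam-only",			EXPOSE_AUTHMETH_PAMONLY },
+	{ "pam-and-env",		EXPOSE_AUTHMETH_PAMENV },
+	{ NULL, -1}
+};
 
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1879,6 +1890,11 @@ process_server_config_line(ServerOptions *options, char *line,
 			options->fingerprint_hash = value;
 		break;
 
+	case sExposeAuthenticationMethods:
+		intptr = &options->expose_auth_methods;
+		multistate_ptr = multistate_exposeauthmeth;
+		goto parse_multistate;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -2034,6 +2050,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
+	M_CP_INTOPT(expose_auth_methods);
 
 	/*
 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2148,6 +2165,8 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sFingerprintHash:
 		return ssh_digest_alg_name(val);
+	case sExposeAuthenticationMethods:
+		return fmt_multistate_int(val, multistate_exposeauthmeth);
 	case sProtocol:
 		switch (val) {
 		case SSH_PROTO_1:
@@ -2337,6 +2356,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+	dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);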
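--- a/servconf.h
+++ b/servconf.h
@@ -48,6 +48,11 @@
 #define FORWARD_LOCAL		(1<<1)
 #define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)
 
+/* Expose AuthenticationMethods */
+#define EXPOSE_AUTHMETH_NEVER   0
+#define EXPOSE_AUTHMETH_PAMONLY 1
+#define EXPOSE_AUTHMETH_PAMENV  2
+
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
 
@@ -195,6 +200,8 @@ typedef struct {
 	char   *auth_methods[MAX_AUTH_METHODS];
 
 	int	fingerprint_hash;
+
+	int	expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */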
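Review bot: The three EXPOSE_AUTHMETH_* values at lines 52-54 are consumed as an ordered scale elsewhere in this patch (`>= EXPOSE_AUTHMETH_PAMONLY` in auth-pam.c, `< EXPOSE_AUTHMETH_PAMENV` and `>= EXPOSE_AUTHMETH_PAMENV` in session.c), but the comment at line 51 does not say so, and a future level inserted out of numeric order would silently change those checks. Replace the comment with `/* ExposeAuthenticationMethods levels; ordered, each level includes the previous one */`. An enum would also keep the names visible in a debugger, matching how the option is otherwise parsed as a multistate.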
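--- a/session.c
+++ b/session.c
@@ -1154,6 +1154,12 @@ copy_environment(char **source, char ***env, u_int *envsize)
 		}
 		*var_val++ = '\0';
 
+		if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
+				strcmp(var_name, "SSH_USER_AUTH") == 0) {
+			free(var_name);
+			continue;
+		}
+
 		debug3("Copy environment: %s=%s", var_name, var_val);
 		child_set_env(env, envsize, var_name, var_val);
 
@@ -1336,6 +1342,11 @@ do_setup_env(Session *s, const char *shell)
 	}
 #endif /* USE_PAM */
 
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
+			s->authctxt->auth_details)
+		child_set_env(&env, &envsize, "SSH_USER_AUTH",
+		     s->authctxt->auth_details);
+
 	if (auth_sock_name != NULL)
 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
 		    auth_sock_name);
@@ -2777,6 +2788,9 @@ do_cleanup(Authctxt *authctxt)
 	if (authctxt == NULL)
 		return;
 
+	free(authctxt->auth_details);
+	authctxt->auth_details = NULL;
+
 #ifdef USE_PAM
 	if (options.use_pam) {
 		sshpam_cleanup();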
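Review bot: The filter at lines 1157-1161 applies to every source that copy_environment() is fed, not only the PAM environment, and it matches by name alone, so under pam-only a PAM module that re-exported the same value under a different name is not caught; the scope should be stated, e.g. `/* pam-only: keep the method list out of the session environment even if a PAM module exported it */`. The `free(var_name)` there assumes var_name is the heap copy made earlier in the loop (outside the hunk); worth confirming before merging. In do_setup_env, line 1348 relies on the post-auth process holding the accumulated record in s->authctxt; which of the two copies this patch maintains (child or monitor) that is cannot be seen here and deserves a comment.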
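--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -124,6 +124,7 @@ int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
 /* In the server */
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 int ssh_gssapi_userok(char *name);
+char* ssh_gssapi_get_displayname(void);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);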
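--- a/ssh.1
+++ b/ssh.1
@@ -1396,6 +1396,10 @@ server IP address, and server port number.
 This variable contains the original command line if a forced command
 is executed.
 It can be used to extract the original arguments.
+.It Ev SSH_USER_AUTH
+This variable contains, for SSH2 only, a comma-separated list of authentication
+methods that were successfuly used to authenticate. When possible, these
+methods are extended with detailed information on the credential used.
 .It Ev SSH_TTY
 This is set to the name of the tty (path to the device) associated
 with the current shell or command.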
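--- a/sshd_config.5
+++ b/sshd_config.5
@@ -579,6 +579,21 @@ and finally
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm ExposeAuthenticationMethods
+When using SSH2, this option controls the exposure of the list of
+successful authentication methods to PAM during the authentication
+and to the shell environment via the
+.Cm SSH_USER_AUTH
+variable. See the description of this variable for more details.
+Valid options are:
+.Dq never
+(Do not expose successful authentication methods),
+.Dq pam-only
+(Only expose them to PAM during authentication, not afterwards),
+.Dq pam-and-env
+(Expose them to PAM and keep them in the shell environment).
+The default is
+.Dq never .
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are: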
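--- a/sshkey.c
+++ b/sshkey.c
@@ -58,6 +58,7 @@
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
 #include "match.h"
+#include "xmalloc.h"
 
 /* openssh private key file format */
 #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -1189,6 +1190,30 @@ sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
 	return retval;
 }
 
+char *
+sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
+{
+	char *fp, *result;
+
+	if (sshkey_is_cert(key)) {
+		fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
+		    SSH_FP_DEFAULT);
+		xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
+		    sshkey_type(key), key->cert->key_id,
+		    (unsigned long long)key->cert->serial,
+		    sshkey_type(key->cert->signature_key),
+		    fp == NULL ? "(null)" : fp);
+		free(fp);
+	} else {
+		fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
+		xasprintf(&result, "%s %s", sshkey_type(key),
+		    fp == NULL ? "(null)" : fp);
+		free(fp);
+	}
+
+	return result;
+}
+
 #ifdef WITH_SSH1
 /*
  * Reads a multiple-precision integer in decimal from the buffer, and advances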
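Review bot: sshkey_format_oneline() at lines 1193-1215 pulls xasprintf() and the new xmalloc.h include at line 61 into sshkey.c, whose visible neighbour sshkey_fingerprint() reports failure through its return value rather than aborting; if this file is meant to stay usable as library code, use asprintf() and return NULL on failure, which the callers in this patch can treat exactly like the NULL fingerprint they already map to "(null)". The function also copies key->cert->key_id verbatim, and its output now reaches PAM and the session environment rather than only the log, so a header comment should state the contract: `/* Human-readable one-line summary of a key; key_id is copied as-is and may hold arbitrary bytes. Caller frees the result. */`.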
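--- a/sshkey.h
+++ b/sshkey.h
@@ -123,6 +123,7 @@ char *sshkey_fingerprint(const struct sshkey *,
     int, enum sshkey_fp_rep);
 int		 sshkey_fingerprint_raw(const struct sshkey *k,
     int, u_char **retp, size_t *lenp);
+char		*sshkey_format_oneline(const struct sshkey *k, int dgst_alg);
 const char	*sshkey_type(const struct sshkey *);
 const char	*sshkey_cert_type(const struct sshkey *);
 int		 sshkey_write(const struct sshkey *, FILE *);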
