
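--- a/openssh-7.2p2/auth-pam.c
+++ b/openssh-7.2p2/auth-pam.c
@@ -688,6 +688,11 @@
 		return (NULL);
 	}
 
+	/* Notify PAM about any already successful auth methods */
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
+			authctxt->auth_details)
+		do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
+
 	ctxt = xcalloc(1, sizeof *ctxt);
 
 	/* Start the authentication thread */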
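Review bot: The status returned by `do_pam_putenv()` on new line 694 is dropped, so when PAM refuses the variable the `pam-only`/`pam-and-env` promise to PAM modules fails silently; as far as I recall it hands back pam_putenv's status, so at least log a non-zero result: `if (do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details) != 0) debug("%s: do_pam_putenv failed", __func__);`. The name `"SSH_USER_AUTH"` is also spelled out as a bare literal here and twice in session.c; a shared macro alongside `SSH_AUTHSOCKET_ENV_NAME` (say `SSH_USER_AUTH_ENV_NAME`) would keep the three call sites in step. The enclosing function (sshpam_init_ctx, judging by the context lines) starts and ends outside the hunk.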
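--- a/openssh-7.2p2/auth.h
+++ b/openssh-7.2p2/auth.h
@@ -80,6 +80,9 @@
 	Buffer		*loginmsg;
 	void		*methoddata;
 
+	char		*last_details;
+	char		*auth_details;
+
 	struct sshkey	**prev_userkeys;
 	u_int		 nprev_userkeys;
 };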
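Review bot: The two new `Authctxt` fields at new lines 83-84 carry no ownership comment, yet they are heap strings with different lifetimes: judging by the other files in this patch, `last_details` is set by each method and consumed and freed in userauth_finish and the monitor loop, while `auth_details` accumulates across methods and is freed in session.c's cleanup. Say so on the fields so later callers know who frees: `char *last_details;	/* detail of the method just completed; consumed by userauth_finish()/monitor */` and `char *auth_details;	/* "method[: detail], ..." for every successful method; freed in session.c cleanup */`.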
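--- a/openssh-7.2p2/auth2-gss.c
+++ b/openssh-7.2p2/auth2-gss.c
@@ -275,6 +275,9 @@
 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
 	    authctxt->pw));
 
+	if (authenticated)
+		authctxt->last_details = ssh_gssapi_get_displayname();
+
 	authctxt->postponed = 0;
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -314,6 +317,9 @@
 	else
 		logit("GSSAPI MIC check failed");
 
+	if (authenticated)
+		authctxt->last_details = ssh_gssapi_get_displayname();
+
 	buffer_free(&b);
 	free(mic.value);
 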
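Review bot: Both new assignments (new lines 278-279 and 320-321) call `ssh_gssapi_get_displayname()`, which gss-serv.c labels `/* Privileged */`, from code that the `PRIVSEP(...)` wrapper on the preceding lines shows runs in the unprivileged child; if I read the privsep split right, `gssapi_client` is only populated in the monitor, so the child's `last_details` will be NULL here while the monitor records the name separately in mm_answer_gss_userok. Either drop the child-side assignments and rely on the monitor's copy, or fetch the name over the monitor channel, and say which in a comment such as `/* under privsep the monitor records the display name; this only applies without privsep */`. Both enclosing functions start outside their hunks.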
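--- a/openssh-7.2p2/auth2-hostbased.c
+++ b/openssh-7.2p2/auth2-hostbased.c
@@ -60,7 +60,7 @@
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *cuser, *chost, *service;
+	char *pkalg, *cuser, *chost, *service, *pubkey;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int pktype;
@@ -132,15 +132,21 @@
 	buffer_dump(&b);
 #endif
 
-	pubkey_auth_info(authctxt, key,
-	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
+	pubkey = key_format_oneline(key);
+ 	auth_info(authctxt,
+ 	    "%s, client user \"%.100s\", client host \"%.100s\"",
+ 	    pubkey, cuser, chost);
 
 	/* test for allowed key and correct signature */
 	authenticated = 0;
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
-			buffer_len(&b))) == 1)
+			buffer_len(&b))) == 1) {
 		authenticated = 1;
+		authctxt->last_details = pubkey;
+	} else {
+		free(pubkey);
+	}
 
 	buffer_free(&b);
 done:
@@ -202,7 +208,7 @@
 	}
 	debug2("%s: access allowed by auth_rhosts2", __func__);
 
-	if (key_is_cert(key) && 
+	if (key_is_cert(key) &&
 	    key_cert_check_authority(key, 1, 0, lookup, &reason)) {
 		error("%s", reason);
 		auth_debug_add("%s", reason);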
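Review bot: New lines 136-138 are indented with a space followed by a tab (` \tauth_info(authctxt,`), unlike the tab-only indent of every neighbouring line; the same slip is on auth2-pubkey.c's new line 176. Separately, `pubkey` is allocated at new line 135 but released only on the failure branch at line 148, so any `goto done` between those points would leak it; none is visible in the hunk, but a remark on line 146, `authctxt->last_details = pubkey; /* ownership moves to authctxt; freed by userauth_finish() */`, makes the transfer explicit for the next editor. The enclosing function begins before the hunk.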
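--- a/openssh-7.2p2/auth2-pubkey.c
+++ b/openssh-7.2p2/auth2-pubkey.c
@@ -79,7 +79,7 @@
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *userstyle, *fp = NULL;
+	char *pkalg, *userstyle, *pubkey, *fp = NULL;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
@@ -171,7 +171,9 @@
 #ifdef DEBUG_PK
 		buffer_dump(&b);
 #endif
-		pubkey_auth_info(authctxt, key, NULL);
+
+		pubkey = key_format_oneline(key);
+ 		auth_info(authctxt, "%s", pubkey);
 
 		/* test for correct signature */
 		authenticated = 0;
@@ -182,6 +184,9 @@
 			/* Record the successful key to prevent reuse */
 			auth2_record_userkey(authctxt, key);
 			key = NULL; /* Don't free below */
+			authctxt->last_details = pubkey;
+		} else {
+			free(pubkey);
 		}
 		buffer_free(&b);
 		free(sig);
@@ -222,7 +227,7 @@
 void
 pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 {
-	char *fp, *extra;
+	char *extra, *pubkey;
 	va_list ap;
 	int i;
 
@@ -232,27 +237,14 @@
 		i = vasprintf(&extra, fmt, ap);
 		va_end(ap);
 		if (i < 0 || extra == NULL)
-			fatal("%s: vasprintf failed", __func__);	
+			fatal("%s: vasprintf failed", __func__);
 	}
 
-	if (key_is_cert(key)) {
-		fp = sshkey_fingerprint(key->cert->signature_key,
-		    options.fingerprint_hash, SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
-		    key_type(key), key->cert->key_id,
-		    (unsigned long long)key->cert->serial,
-		    key_type(key->cert->signature_key),
-		    fp == NULL ? "(null)" : fp,
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-		free(fp);
-	} else {
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s %s%s%s", key_type(key),
-		    fp == NULL ? "(null)" : fp,
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-		free(fp);
-	}
+	pubkey = key_format_oneline(key);
+	auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
+			extra == NULL ? "" : extra);
+	free(pubkey);
+	
 	free(extra);
 }
 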
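Review bot: `pubkey_auth_info()` (new lines 227-250) no longer has a caller in this file or in auth2-hostbased.c, both having been replaced by `key_format_oneline()` plus `auth_info()`, so it is now a thin wrapper around that same pairing; if no caller remains elsewhere, remove it together with its prototype, otherwise give it a comment saying it is the variant that appends a formatted suffix. The rewrite also leaves a tab-only line at new line 247, and the continuation at new line 245 is indented with three tabs where this file's continuations use a tab plus four spaces (see new line 244 and the removed lines). Finally, the ownership transfer at new line 187 deserves the same kind of remark the line above it carries: `authctxt->last_details = pubkey; /* freed by userauth_finish() */`.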
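--- a/openssh-7.2p2/auth2.c
+++ b/openssh-7.2p2/auth2.c
@@ -301,6 +301,7 @@
     const char *submethod)
 {
 	char *methods;
+	char *prev_auth_details;
 	int partial = 0;
 
 	if (!authctxt->valid && authenticated)
@@ -331,6 +332,18 @@
 	if (authctxt->postponed)
 		return;
 
+	if (authenticated || partial) {
+		prev_auth_details = authctxt->auth_details;
+		xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+		    prev_auth_details ? prev_auth_details : "",
+		    prev_auth_details ? ", " : "", method,
+		    authctxt->last_details ? ": " : "",
+		    authctxt->last_details ? authctxt->last_details : "");
+		free(prev_auth_details);
+	}
+	free(authctxt->last_details);
+	authctxt->last_details = NULL;
+
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {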
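Review bot: The block at new lines 335-345 is repeated almost verbatim in monitor.c's monitor_child_preauth (new lines 384-394, with `auth_method` in place of `method`), so the two copies of the `"%s%s%s%s%s"` assembly and the last_details reset can drift apart; fold them into one helper in auth2.c, called as `auth_record_details(authctxt, method, authenticated || partial);` here and `auth_record_details(authctxt, auth_method, authenticated);` in the monitor. The helper below keeps the existing behaviour, including freeing last_details after a failed attempt so it can never be attributed to a later method. userauth_finish begins before the hunk and ends after it.
```c
/*
 * Consume authctxt->last_details: when `success' is set, append
 * "method[: last_details]" to authctxt->auth_details; always free
 * last_details so a failed attempt is never attributed to a later method.
 */
void
auth_record_details(Authctxt *authctxt, const char *method, int success)
{
	char *prev = authctxt->auth_details;

	if (success) {
		xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
		    prev ? prev : "", prev ? ", " : "", method,
		    authctxt->last_details ? ": " : "",
		    authctxt->last_details ? authctxt->last_details : "");
		free(prev);
	}
	free(authctxt->last_details);
	authctxt->last_details = NULL;
}

	/* … unchanged: userauth_finish up to the postponed check … */
	auth_record_details(authctxt, method, authenticated || partial);
```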
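--- a/openssh-7.2p2/gss-serv.c
+++ b/openssh-7.2p2/gss-serv.c
@@ -464,6 +464,16 @@
 	return (0);
 }
 
+/* Privileged */
+char*
+ssh_gssapi_get_displayname(void)
+{
+	if (gssapi_client.displayname.length != 0 &&
+	    gssapi_client.displayname.value != NULL)
+		return strdup((char *)gssapi_client.displayname.value);
+	return NULL;
+}
+
 /* These bits are only used for rekeying. The unpriviledged child is running 
  * as the user, the monitor is root.
  *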
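Review bot: `strdup((char *)gssapi_client.displayname.value)` at new line 473 reads the GSS buffer as a NUL-terminated C string, but `gss_buffer_desc` is length-delimited and the API does not promise a trailing NUL, so the copy can run past the buffer; the function checks `.length` on line 471 and then ignores it. Copying exactly `.length` bytes fixes that, and using the xmalloc family like the rest of the patch (`xasprintf` in auth2.c) makes an allocation failure fatal instead of quietly reporting "no details". The `/* Privileged */` marker is also at odds with the calls added in auth2-gss.c, which run in the unprivileged child under privsep; state which side is meant to use it.
```c
/* Privileged */
char *
ssh_gssapi_get_displayname(void)
{
	char *name;

	if (gssapi_client.displayname.length == 0 ||
	    gssapi_client.displayname.value == NULL)
		return NULL;
	/* gss_buffer_desc is length-delimited; do not rely on a trailing NUL */
	xasprintf(&name, "%.*s", (int)gssapi_client.displayname.length,
	    (char *)gssapi_client.displayname.value);
	return name;
}
```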
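--- a/openssh-7.2p2/key.c
+++ b/openssh-7.2p2/key.c
@@ -288,6 +288,27 @@
 	return ret;
 }
 
+char *
+key_format_oneline(const Key *key)
+{
+	char *fp, *result;
+
+	if (sshkey_is_cert(key)) {
+		fp = sshkey_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
+		xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
+		    sshkey_type(key), key->cert->key_id,
+		    (unsigned long long)key->cert->serial,
+		    sshkey_type(key->cert->signature_key), fp);
+		free(fp);
+	} else {
+		fp = sshkey_selected_fingerprint(key, SSH_FP_HEX);
+		xasprintf(&result, "%s %s", key_type(key), fp);
+		free(fp);
+	}
+
+	return result;
+}
+
 /* authfile.c */
 
 int
@@ -423,4 +444,3 @@
 {
 	return sshkey_perm_ok(fd, filename) == 0 ? 1 : 0;
 }
-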
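Review bot: `key_format_oneline()` (new lines 291-310) drops two things the code it replaces in auth2-pubkey.c had: the `fp == NULL ? "(null)" : fp` guard, so a failed fingerprint now reaches `xasprintf`'s `%s` as NULL, and the `options.fingerprint_hash` digest choice, so the auth log lines stop honouring FingerprintHash and change format (`SSH_FP_HEX` instead of `SSH_FP_DEFAULT`), which is likely to break log parsers and alert rules keyed on those lines. Restore the guard in both `xasprintf` calls, and since key.c is (I believe) linked into the client programs too and cannot read sshd's `options`, take the digest algorithm as a parameter rather than hard-coding the representation. `sshkey_selected_fingerprint()` is not visible anywhere in this patch; confirm it exists in this tree, as the removed code used `sshkey_fingerprint(key, dgst_alg, rep)`. The cert branch also uses `sshkey_type()` while the plain branch uses `key_type()`; pick one.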
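--- a/openssh-7.2p2/key.h
+++ b/openssh-7.2p2/key.h
@@ -90,6 +90,7 @@
 
 void     key_private_serialize(const Key *, struct sshbuf *);
 Key	*key_private_deserialize(struct sshbuf *);
+char		*key_format_oneline(const Key *key);
 
 /* authfile.c */
 int	 key_save_private(Key *, const char *, const char *, const char *,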
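Review bot: The new prototype at new line 93 names its parameter and indents with two tabs, while the neighbouring declarations (`Key	*key_private_deserialize(struct sshbuf *);`) omit names and use one; more importantly nothing tells the caller that the result is heap-allocated. Suggest `char	*key_format_oneline(const Key *);	/* xasprintf'd; caller frees */`.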
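--- a/openssh-7.2p2/monitor.c
+++ b/openssh-7.2p2/monitor.c
@@ -345,6 +345,7 @@
 {
 	struct mon_table *ent;
 	int authenticated = 0, partial = 0;
+	char *prev_auth_details;
 
 	debug3("preauth child monitor started");
 
@@ -380,6 +381,18 @@
 		auth_submethod = NULL;
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 
+		if (authenticated) {
+			prev_auth_details = authctxt->auth_details;
+			xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+			    prev_auth_details ? prev_auth_details : "",
+			    prev_auth_details ? ", " : "", auth_method,
+			    authctxt->last_details ? ": " : "",
+			    authctxt->last_details ? authctxt->last_details : "");
+			free(prev_auth_details);
+		}
+		free(authctxt->last_details);
+		authctxt->last_details = NULL;
+
 		/* Special handling for multiple required authentications */
 		if (options.num_auth_methods != 0) {
 			if (!compat20)
@@ -478,7 +491,7 @@
 #ifdef GSSAPI
 		/* and for the GSSAPI key exchange */
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
-#endif		
+#endif
 	} else {
 		mon_dispatch = mon_dispatch_postauth15;
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1488,6 +1501,9 @@
 	debug3("%s: key %p signature %s",
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
 
+	if (verified == 1)
+		authctxt->last_details = key_format_oneline(key);
+
 	/* If auth was successful then record key to ensure it isn't reused */
 	if (verified == 1 && key_blobtype == MM_USERKEY)
 		auth2_record_userkey(authctxt, key);
@@ -2104,7 +2120,7 @@
 	if (!options.gss_authentication && !options.gss_keyex)
 		fatal("In GSSAPI monitor when GSSAPI is disabled");
 
-	authenticated = authctxt->valid && 
+	authenticated = authctxt->valid &&
 	    ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
 	buffer_clear(m);
@@ -2115,11 +2131,14 @@
 
 	auth_method = "gssapi-with-mic";
 
+	if (authenticated)
+                authctxt->last_details = ssh_gssapi_get_displayname();
+
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
 
-int 
+int
 mm_answer_gss_sign(int socket, Buffer *m)
 {
 	gss_buffer_desc data;
@@ -2132,8 +2151,8 @@
 
 	data.value = buffer_get_string(m, &len);
 	data.length = len;
-	if (data.length != 20) 
-		fatal("%s: data length incorrect: %d", __func__, 
+	if (data.length != 20)
+		fatal("%s: data length incorrect: %d", __func__,
 		    (int) data.length);
 
 	/* Save the session ID on the first time around */
@@ -2156,7 +2175,7 @@
 
 	/* Turn on getpwnam permissions */
 	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
-	
+
 	/* And credential updating, for when rekeying */
 	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
 
@@ -2187,4 +2206,3 @@
 }
 
 #endif /* GSSAPI */
-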
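Review bot: New line 2135 in mm_answer_gss_userok is indented with sixteen spaces where the rest of the file uses tabs; it should read `		authctxt->last_details = ssh_gssapi_get_displayname();` with two tabs, which is the only real blemish in an otherwise whitespace-cleanup-heavy section. The recording block at new lines 384-394 is a copy of the one userauth_finish gains in auth2.c; a shared helper would keep the two in step. mm_answer_keyverify (new lines 1504-1505) records the formatted key for every verified signature, including `MM_HOSTKEY`, which appears to be intended since the hostbased path records the same string; a remark such as `/* userkey or hostkey; consumed by monitor_child_preauth */` would save the next reader working that out. All functions touched start and end outside their hunks.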
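--- a/openssh-7.2p2/servconf.c
+++ b/openssh-7.2p2/servconf.c
@@ -172,6 +172,7 @@
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
 	options->debian_banner = -1;
+	options->expose_auth_methods = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -399,6 +400,8 @@
 	}
 #endif
 
+	if (options->expose_auth_methods == -1)
+		options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
 }
 
 /* Keyword tokens. */
@@ -441,6 +444,7 @@
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
 	sAllowStreamLocalForwarding, sFingerprintHash,
 	sDebianBanner,
+	sExposeAuthenticationMethods,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -593,6 +597,7 @@
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
 	{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+	{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -981,6 +986,12 @@
 	{ "local",			FORWARD_LOCAL },
 	{ NULL, -1 }
 };
+static const struct multistate multistate_exposeauthmeth[] = {
+	{ "never",                      EXPOSE_AUTHMETH_NEVER },
+	{ "pam-only",                   EXPOSE_AUTHMETH_PAMONLY },
+	{ "pam-and-env",                EXPOSE_AUTHMETH_PAMENV },
+	{ NULL, -1}
+};
 
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1883,6 +1894,11 @@
 		intptr = &options->debian_banner;
 		goto parse_int;
 
+	case sExposeAuthenticationMethods:
+		intptr = &options->expose_auth_methods;
+		multistate_ptr = multistate_exposeauthmeth;
+		goto parse_multistate;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -2037,6 +2053,7 @@
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
+	M_CP_INTOPT(expose_auth_methods);
 
 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
 #define M_CP_STROPT(n) do {\
@@ -2140,6 +2157,8 @@
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sFingerprintHash:
 		return ssh_digest_alg_name(val);
+	case sExposeAuthenticationMethods:
+		return fmt_multistate_int(val, multistate_exposeauthmeth);
 	case sProtocol:
 		switch (val) {
 		case SSH_PROTO_1:
@@ -2329,6 +2348,7 @@
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+	dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);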
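Review bot: The new `multistate_exposeauthmeth` table (new lines 989-994) pads its columns with spaces and writes `{ NULL, -1}`, whereas the table directly above it uses tab alignment and `{ NULL, -1 }`; match the existing layout. Because auth-pam.c and session.c compare the option with `>=` and `<`, a line above the table such as `/* values form an ordered scale; keep in step with EXPOSE_AUTHMETH_* in servconf.h */` would warn against reordering the entries. The option is registered `SSHCFG_ALL` (new line 600) and copied by `M_CP_INTOPT` (new line 2056), so it can be set inside a Match block; that is consistent, but if it is intended, sshd_config.5 should say so in its Match keyword list.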
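--- a/openssh-7.2p2/servconf.h
+++ b/openssh-7.2p2/servconf.h
@@ -48,6 +48,11 @@
 #define FORWARD_LOCAL		(1<<1)
 #define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)
 
+/* Expose AuthenticationMethods */
+#define EXPOSE_AUTHMETH_NEVER   0
+#define EXPOSE_AUTHMETH_PAMONLY 1
+#define EXPOSE_AUTHMETH_PAMENV  2
+
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
 
@@ -195,7 +200,8 @@
 
 	u_int	num_auth_methods;
 	char   *auth_methods[MAX_AUTH_METHODS];
-
+	int	expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
+	
 	int	fingerprint_hash;
 
 	int	debian_banner;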
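Review bot: The three `EXPOSE_AUTHMETH_*` values at new lines 52-54 are used as an ordered scale by the other files in this patch (`>= EXPOSE_AUTHMETH_PAMONLY` in auth-pam.c, `<` and `>=` against `EXPOSE_AUTHMETH_PAMENV` in session.c), but the header presents them as a plain list; change the comment on new line 51 to `/* Expose AuthenticationMethods: ordered, each level implies the lower ones */` so nobody inserts a value out of sequence. New line 204 replaces the old blank line with a tab-only one; drop the stray whitespace.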
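--- a/openssh-7.2p2/session.c
+++ b/openssh-7.2p2/session.c
@@ -1151,6 +1151,12 @@
 		}
 		*var_val++ = '\0';
 
+		if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
+				strcmp(var_name, "SSH_USER_AUTH") == 0) {
+			free(var_name);
+			continue;
+		}
+
 		debug3("Copy environment: %s=%s", var_name, var_val);
 		child_set_env(env, envsize, var_name, var_val);
 
@@ -1330,6 +1336,11 @@
 	}
 #endif /* USE_PAM */
 
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
+			s->authctxt->auth_details)
+		child_set_env(&env, &envsize, "SSH_USER_AUTH",
+		     s->authctxt->auth_details);
+
 	if (auth_sock_name != NULL)
 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
 		    auth_sock_name);
@@ -2769,6 +2780,9 @@
 	if (authctxt == NULL)
 		return;
 
+	free(authctxt->auth_details);
+	authctxt->auth_details = NULL;
+
 #ifdef USE_PAM
 	if (options.use_pam) {
 		sshpam_cleanup();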
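Review bot: New lines 1341-1342 put `auth_details` into the child's environment verbatim, and that string is assembled from peer-supplied text — the certificate `key_id` via key_format_oneline and the GSSAPI display name — whereas the log path the old code used goes through do_log, which as I recall escapes non-printables with strnvis; the environment (and the PAM copy made in auth-pam.c) gets no such treatment, so control characters can end up in `SSH_USER_AUTH` for any script that reads it. Escape the detail when it is recorded (strnvis with VIS_SAFE|VIS_OCTAL, as log.c does) or, failing that, say in ssh.1 that the value is not sanitised. A short remark on new line 1339 would also help: `/* PAM already saw the list via do_pam_putenv(); this exports it to the session */`. The enclosing functions start outside their hunks.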
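--- a/openssh-7.2p2/ssh-gss.h
+++ b/openssh-7.2p2/ssh-gss.h
@@ -151,6 +151,7 @@
     const char *);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 int ssh_gssapi_userok(char *name, struct passwd *);
+char* ssh_gssapi_get_displayname(void);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);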
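Review bot: `char* ssh_gssapi_get_displayname(void);` at new line 154 attaches the star to the type while the rest of the header writes `type *name` (see `Gssctxt **` and `struct passwd *` on the neighbouring lines), and nothing tells the caller that it owns the result. Suggest `char *ssh_gssapi_get_displayname(void);	/* fresh copy or NULL; caller frees */`.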
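--- a/openssh-7.2p2/ssh.1
+++ b/openssh-7.2p2/ssh.1
@@ -1416,6 +1416,10 @@
 This variable contains the original command line if a forced command
 is executed.
 It can be used to extract the original arguments.
+.It Ev SSH_USER_AUTH
+This variable contains, for SSH2 only, a comma-separated list of authentication
+methods that were successfuly used to authenticate. When possible, these
+methods are extended with detailed information on the credential used.
 .It Ev SSH_TTY
 This is set to the name of the tty (path to the device) associated
 with the current shell or command.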
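--- a/openssh-7.2p2/sshd_config.5
+++ b/openssh-7.2p2/sshd_config.5
@@ -607,6 +607,21 @@
 .Dq sha256 .
 The default is
 .Dq sha256 .
+.It Cm ExposeAuthenticationMethods
+When using SSH2, this option controls the exposure of the list of
+successful authentication methods to PAM during the authentication
+and to the shell environment via the
+.Cm SSH_USER_AUTH
+variable. See the description of this variable for more details.
+Valid options are:
+.Dq never
+(Do not expose successful authentication methods),
+.Dq pam-only
+(Only expose them to PAM during authentication, not afterwards),
+.Dq pam-and-env
+(Expose them to PAM and keep them in the shell environment).
+The default is
+.Dq never .
 .It Cm ForceCommand
 Forces the execution of the command specified by
 .Cm ForceCommand ,
@@ -678,8 +693,8 @@
 The default is
 .Dq yes .
 .It Cm GSSAPIStoreCredentialsOnRekey
-Controls whether the user's GSSAPI credentials should be updated following a 
-successful connection rekeying. This option can be used to accepted renewed 
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
 or updated credentials from a compatible client. The default is
 .Dq no .
 .It Cm HostbasedAcceptedKeyTypes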
