* New upstream release (http://www.openssh.com/txt/release-6.2).

  - Add support for multiple required authentication in SSH protocol 2 via
    an AuthenticationMethods option (closes: #195716).
  - Fix Sophie Germain formula in moduli(5) (closes: #698612).
  - Update ssh-copy-id to Phil Hands' greatly revised version (closes:
    #99785, #322228, #620428; LP: #518883, #835901, #1074798).

1 files changed, 212 insertions, 27 deletions

diff --git a/auth2.c b/auth2.c
index 1b7403904..f00f14764 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -98,8 +98,10 @@ static void input_service_request(int, u_int32_t, void *);
 static void input_userauth_request(int, u_int32_t, void *);
 
 /* helper */
-static Authmethod *authmethod_lookup(const char *);
-static char *authmethods_get(void);
+static Authmethod *authmethod_lookup(Authctxt *, const char *);
+static char *authmethods_get(Authctxt *authctxt);
+static int method_allowed(Authctxt *, const char *);
+static int list_starts_with(const char *, const char *);
 
 char *
 auth2_read_banner(void)
@@ -263,6 +265,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                 if (use_privsep)
                         mm_inform_authserv(service, style, role);
                 userauth_banner();
+                if (auth2_setup_methods_lists(authctxt) != 0)
+                        packet_disconnect("no authentication methods enabled");
         } else if (strcmp(user, authctxt->user) != 0 ||
             strcmp(service, authctxt->service) != 0) {
                 packet_disconnect("Change of username or service not allowed: "
@@ -285,12 +289,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
         authctxt->server_caused_failure = 0;
 
         /* try to authenticate user */
-        m = authmethod_lookup(method);
+        m = authmethod_lookup(authctxt, method);
         if (m != NULL && authctxt->failures < options.max_authtries) {
                 debug2("input_userauth_request: try method %s", method);
                 authenticated = m->userauth(authctxt);
         }
-        userauth_finish(authctxt, authenticated, method);
+        userauth_finish(authctxt, authenticated, method, NULL);
 
         xfree(service);
         xfree(user);
@@ -298,13 +302,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 }
 
 void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+    const char *submethod)
 {
         char *methods;
+        int partial = 0;
 
         if (!authctxt->valid && authenticated)
                 fatal("INTERNAL ERROR: authenticated invalid user %s",
                     authctxt->user);
+        if (authenticated && authctxt->postponed)
+                fatal("INTERNAL ERROR: authenticated and postponed");
 
         /* Special handling for root */
         if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -315,6 +323,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
         }
 
+        if (authenticated && options.num_auth_methods != 0) {
+                if (!auth2_update_methods_lists(authctxt, method)) {
+                        authenticated = 0;
+                        partial = 1;
+                }
+        }
+
+        /* Log before sending the reply */
+        auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
+
+        if (authctxt->postponed)
+                return;
+
 #ifdef USE_PAM
         if (options.use_pam && authenticated) {
                 if (!PRIVSEP(do_pam_account())) {
@@ -333,17 +354,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef _UNICOS
         if (authenticated && cray_access_denied(authctxt->user)) {
                 authenticated = 0;
-                fatal("Access denied for user %s.",authctxt->user);
+                fatal("Access denied for user %s.", authctxt->user);
         }
 #endif /* _UNICOS */
 
-        /* Log before sending the reply */
-        auth_log(authctxt, authenticated, method, " ssh2");
-
-        if (authctxt->postponed)
-                return;
-
-        /* XXX todo: check if multiple auth methods are needed */
         if (authenticated == 1) {
                 /* turn off userauth */
                 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -364,34 +378,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
                         packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                 }
-                methods = authmethods_get();
+                methods = authmethods_get(authctxt);
+                debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
+                    partial, methods);
                 packet_start(SSH2_MSG_USERAUTH_FAILURE);
                 packet_put_cstring(methods);
-                packet_put_char(0);     /* XXX partial success, unused */
+                packet_put_char(partial);
                 packet_send();
                 packet_write_wait();
                 xfree(methods);
         }
 }
 
+/*
+ * Checks whether method is allowed by at least one AuthenticationMethods
+ * methods list. Returns 1 if allowed, or no methods lists configured.
+ * 0 otherwise.
+ */
+static int
+method_allowed(Authctxt *authctxt, const char *method)
+{
+        u_int i;
+
+        /*
+         * NB. authctxt->num_auth_methods might be zero as a result of
+         * auth2_setup_methods_lists(), so check the configuration.
+         */
+        if (options.num_auth_methods == 0)
+                return 1;
+        for (i = 0; i < authctxt->num_auth_methods; i++) {
+                if (list_starts_with(authctxt->auth_methods[i], method))
+                        return 1;
+        }
+        return 0;
+}
+
 static char *
-authmethods_get(void)
+authmethods_get(Authctxt *authctxt)
 {
         Buffer b;
         char *list;
-        int i;
+        u_int i;
 
         buffer_init(&b);
         for (i = 0; authmethods[i] != NULL; i++) {
                 if (strcmp(authmethods[i]->name, "none") == 0)
                         continue;
-                if (authmethods[i]->enabled != NULL &&
-                    *(authmethods[i]->enabled) != 0) {
-                        if (buffer_len(&b) > 0)
-                                buffer_append(&b, ",", 1);
-                        buffer_append(&b, authmethods[i]->name,
-                            strlen(authmethods[i]->name));
-                }
+                if (authmethods[i]->enabled == NULL ||
+                    *(authmethods[i]->enabled) == 0)
+                        continue;
+                if (!method_allowed(authctxt, authmethods[i]->name))
+                        continue;
+                if (buffer_len(&b) > 0)
+                        buffer_append(&b, ",", 1);
+                buffer_append(&b, authmethods[i]->name,
+                    strlen(authmethods[i]->name));
         }
         buffer_append(&b, "\0", 1);
         list = xstrdup(buffer_ptr(&b));
@@ -400,7 +441,7 @@ authmethods_get(void)
 }
 
 static Authmethod *
-authmethod_lookup(const char *name)
+authmethod_lookup(Authctxt *authctxt, const char *name)
 {
         int i;
 
@@ -408,10 +449,154 @@ authmethod_lookup(const char *name)
                 for (i = 0; authmethods[i] != NULL; i++)
                         if (authmethods[i]->enabled != NULL &&
                             *(authmethods[i]->enabled) != 0 &&
-                            strcmp(name, authmethods[i]->name) == 0)
+                            strcmp(name, authmethods[i]->name) == 0 &&
+                            method_allowed(authctxt, authmethods[i]->name))
                                 return authmethods[i];
         debug2("Unrecognized authentication method name: %s",
             name ? name : "NULL");
         return NULL;
 }
 
+/*
+ * Check a comma-separated list of methods for validity. Is need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+        char *methods, *omethods, *method;
+        u_int i, found;
+        int ret = -1;
+
+        if (*_methods == '\0') {
+                error("empty authentication method list");
+                return -1;
+        }
+        omethods = methods = xstrdup(_methods);
+        while ((method = strsep(&methods, ",")) != NULL) {
+                for (found = i = 0; !found && authmethods[i] != NULL; i++) {
+                        if (strcmp(method, authmethods[i]->name) != 0)
+                                continue;
+                        if (need_enable) {
+                                if (authmethods[i]->enabled == NULL ||
+                                    *(authmethods[i]->enabled) == 0) {
+                                        error("Disabled method \"%s\" in "
+                                            "AuthenticationMethods list \"%s\"",
+                                            method, _methods);
+                                        goto out;
+                                }
+                        }
+                        found = 1;
+                        break;
+                }
+                if (!found) {
+                        error("Unknown authentication method \"%s\" in list",
+                            method);
+                        goto out;
+                }
+        }
+        ret = 0;
+ out:
+        free(omethods);
+        return ret;
+}
+
+/*
+ * Prune the AuthenticationMethods supplied in the configuration, removing
+ * any methods lists that include disabled methods. Note that this might
+ * leave authctxt->num_auth_methods == 0, even when multiple required auth
+ * has been requested. For this reason, all tests for whether multiple is
+ * enabled should consult options.num_auth_methods directly.
+ */
+int
+auth2_setup_methods_lists(Authctxt *authctxt)
+{
+        u_int i;
+
+        if (options.num_auth_methods == 0)
+                return 0;
+        debug3("%s: checking methods", __func__);
+        authctxt->auth_methods = xcalloc(options.num_auth_methods,
+            sizeof(*authctxt->auth_methods));
+        authctxt->num_auth_methods = 0;
+        for (i = 0; i < options.num_auth_methods; i++) {
+                if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
+                        logit("Authentication methods list \"%s\" contains "
+                            "disabled method, skipping",
+                            options.auth_methods[i]);
+                        continue;
+                }
+                debug("authentication methods list %d: %s",
+                    authctxt->num_auth_methods, options.auth_methods[i]);
+                authctxt->auth_methods[authctxt->num_auth_methods++] =
+                    xstrdup(options.auth_methods[i]);
+        }
+        if (authctxt->num_auth_methods == 0) {
+                error("No AuthenticationMethods left after eliminating "
+                    "disabled methods");
+                return -1;
+        }
+        return 0;
+}
+
+static int
+list_starts_with(const char *methods, const char *method)
+{
+        size_t l = strlen(method);
+
+        if (strncmp(methods, method, l) != 0)
+                return 0;
+        if (methods[l] != ',' && methods[l] != '\0')
+                return 0;
+        return 1;
+}
+
+/*
+ * Remove method from the start of a comma-separated list of methods.
+ * Returns 0 if the list of methods did not start with that method or 1
+ * if it did.
+ */
+static int
+remove_method(char **methods, const char *method)
+{
+        char *omethods = *methods;
+        size_t l = strlen(method);
+
+        if (!list_starts_with(omethods, method))
+                return 0;
+        *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
+        free(omethods);
+        return 1;
+}
+
+/*
+ * Called after successful authentication. Will remove the successful method
+ * from the start of each list in which it occurs. If it was the last method
+ * in any list, then authentication is deemed successful.
+ * Returns 1 if the method completed any authentication list or 0 otherwise.
+ */
+int
+auth2_update_methods_lists(Authctxt *authctxt, const char *method)
+{
+        u_int i, found = 0;
+
+        debug3("%s: updating methods list after \"%s\"", __func__, method);
+        for (i = 0; i < authctxt->num_auth_methods; i++) {
+                if (!remove_method(&(authctxt->auth_methods[i]), method))
+                        continue;
+                found = 1;
+                if (*authctxt->auth_methods[i] == '\0') {
+                        debug2("authentication methods list %d complete", i);
+                        return 1;
+                }
+                debug3("authentication methods list %d remaining: \"%s\"",
+                    i, authctxt->auth_methods[i]);
+        }
+        /* This should not happen, but would be bad if it did */
+        if (!found)
+                fatal("%s: method not in AuthenticationMethods", __func__);
+        return 0;
+}
+
+