- djm@cvs.openbsd.org 2012/11/04 11:09:15

[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2012-11-04 23:21:40 +1100
committer: Damien Miller <djm@mindrot.org> 2012-11-04 23:21:40 +1100
commit: a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0 (patch)
tree: 577022d2b31e9519d26bc614c3f5396e17d58ec6 /auth2.c
parent: d0d1099b3b8a766480ce6df215631bf0af6e6bcd (diff)
1 files changed, 200 insertions, 18 deletions
diff --git a/auth2.c b/auth2.c
index b66bef64c..8114ec863 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -96,8 +96,10 @@ static void input_service_request(int, u_int32_t, void *);
 static void input_userauth_request(int, u_int32_t, void *);
 /* helper */
-static Authmethod *authmethod_lookup(const char *);
+static Authmethod *authmethod_lookup(Authctxt *, const char *);
-static char *authmethods_get(void);
+static char *authmethods_get(Authctxt *authctxt);
+static int method_allowed(Authctxt *, const char *);
+static int list_starts_with(const char *, const char *);
 char *
 auth2_read_banner(void)
@@ -255,6 +257,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                if (use_privsep)
                        mm_inform_authserv(service, style);
                userauth_banner();
+                if (auth2_setup_methods_lists(authctxt) != 0)
+                        packet_disconnect("no authentication methods enabled");
        } else if (strcmp(user, authctxt->user) != 0 ||
            strcmp(service, authctxt->service) != 0) {
                packet_disconnect("Change of username or service not allowed: "
@@ -277,7 +281,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        authctxt->server_caused_failure = 0;
        /* try to authenticate user */
-        m = authmethod_lookup(method);
+        m = authmethod_lookup(authctxt, method);
        if (m != NULL && authctxt->failures < options.max_authtries) {
                debug2("input_userauth_request: try method %s", method);
                authenticated = m->userauth(authctxt);
@@ -293,6 +297,7 @@ void
 userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 {
        char *methods;
+        int partial = 0;
        if (!authctxt->valid && authenticated)
                fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -335,7 +340,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
        if (authctxt->postponed)
                return;
-        /* XXX todo: check if multiple auth methods are needed */
+        if (authenticated && options.num_auth_methods != 0) {
+                if (!auth2_update_methods_lists(authctxt, method)) {
+                        authenticated = 0;
+                        partial = 1;
+                }
+        }
        if (authenticated == 1) {
                /* turn off userauth */
                dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -356,34 +367,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
-                methods = authmethods_get();
+                methods = authmethods_get(authctxt);
+                debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
+                    partial, methods);
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
-                packet_put_char(0);     /* XXX partial success, unused */
+                packet_put_char(partial);
                packet_send();
                packet_write_wait();
                xfree(methods);
        }
 }
+/*
+ * Checks whether method is allowed by at least one AuthenticationMethods
+ * methods list. Returns 1 if allowed, or no methods lists configured.
+ * 0 otherwise.
+ */
+static int
+method_allowed(Authctxt *authctxt, const char *method)
+{
+        u_int i;
+        /*
+         * NB. authctxt->num_auth_methods might be zero as a result of
+         * auth2_setup_methods_lists(), so check the configuration.
+         */
+        if (options.num_auth_methods == 0)
+                return 1;
+        for (i = 0; i < authctxt->num_auth_methods; i++) {
+                if (list_starts_with(authctxt->auth_methods[i], method))
+                        return 1;
+        }
+        return 0;
+}
 static char *
-authmethods_get(void)
+authmethods_get(Authctxt *authctxt)
 {
        Buffer b;
        char *list;
-        int i;
+        u_int i;
        buffer_init(&b);
        for (i = 0; authmethods[i] != NULL; i++) {
                if (strcmp(authmethods[i]->name, "none") == 0)
                        continue;
-                if (authmethods[i]->enabled != NULL &&
+                if (authmethods[i]->enabled == NULL ||
-                    *(authmethods[i]->enabled) != 0) {
+                    *(authmethods[i]->enabled) == 0)
-                        if (buffer_len(&b) > 0)
+                        continue;
-                                buffer_append(&b, ",", 1);
+                if (!method_allowed(authctxt, authmethods[i]->name))
-                        buffer_append(&b, authmethods[i]->name,
+                        continue;
-                            strlen(authmethods[i]->name));
+                if (buffer_len(&b) > 0)
-                }
+                        buffer_append(&b, ",", 1);
+                buffer_append(&b, authmethods[i]->name,
+                    strlen(authmethods[i]->name));
        }
        buffer_append(&b, "\0", 1);
        list = xstrdup(buffer_ptr(&b));
@@ -392,7 +430,7 @@ authmethods_get(void)
 }
 static Authmethod *
-authmethod_lookup(const char *name)
+authmethod_lookup(Authctxt *authctxt, const char *name)
 {
        int i;
@@ -400,10 +438,154 @@ authmethod_lookup(const char *name)
                for (i = 0; authmethods[i] != NULL; i++)
                        if (authmethods[i]->enabled != NULL &&
                            *(authmethods[i]->enabled) != 0 &&
-                            strcmp(name, authmethods[i]->name) == 0)
+                            strcmp(name, authmethods[i]->name) == 0 &&
+                            method_allowed(authctxt, authmethods[i]->name))
                                return authmethods[i];
        debug2("Unrecognized authentication method name: %s",
            name ? name : "NULL");
        return NULL;
 }
+/*
+ * Check a comma-separated list of methods for validity. Is need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+        char *methods, *omethods, *method;
+        u_int i, found;
+        int ret = -1;
+        if (*_methods == '\0') {
+                error("empty authentication method list");
+                return -1;
+        }
+        omethods = methods = xstrdup(_methods);
+        while ((method = strsep(&methods, ",")) != NULL) {
+                for (found = i = 0; !found && authmethods[i] != NULL; i++) {
+                        if (strcmp(method, authmethods[i]->name) != 0)
+                                continue;
+                        if (need_enable) {
+                                if (authmethods[i]->enabled == NULL ||
+                                    *(authmethods[i]->enabled) == 0) {
+                                        error("Disabled method \"%s\" in "
+                                            "AuthenticationMethods list \"%s\"",
+                                            method, _methods);
+                                        goto out;
+                                }
+                        }
+                        found = 1;
+                        break;
+                }
+                if (!found) {
+                        error("Unknown authentication method \"%s\" in list",
+                            method);
+                        goto out;
+                }
+        }
+        ret = 0;
+ out:
+        free(omethods);
+        return ret;
+}
+/*
+ * Prune the AuthenticationMethods supplied in the configuration, removing
+ * any methods lists that include disabled methods. Note that this might
+ * leave authctxt->num_auth_methods == 0, even when multiple required auth
+ * has been requested. For this reason, all tests for whether multiple is
+ * enabled should consult options.num_auth_methods directly.
+ */
+int
+auth2_setup_methods_lists(Authctxt *authctxt)
+{
+        u_int i;
+        if (options.num_auth_methods == 0)
+                return 0;
+        debug3("%s: checking methods", __func__);
+        authctxt->auth_methods = xcalloc(options.num_auth_methods,
+            sizeof(*authctxt->auth_methods));
+        authctxt->num_auth_methods = 0;
+        for (i = 0; i < options.num_auth_methods; i++) {
+                if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
+                        logit("Authentication methods list \"%s\" contains "
+                            "disabled method, skipping",
+                            options.auth_methods[i]);
+                        continue;
+                }
+                debug("authentication methods list %d: %s",
+                    authctxt->num_auth_methods, options.auth_methods[i]);
+                authctxt->auth_methods[authctxt->num_auth_methods++] =
+                    xstrdup(options.auth_methods[i]);
+        }
+        if (authctxt->num_auth_methods == 0) {
+                error("No AuthenticationMethods left after eliminating "
+                    "disabled methods");
+                return -1;
+        }
+        return 0;
+}
+static int
+list_starts_with(const char *methods, const char *method)
+{
+        size_t l = strlen(method);
+        if (strncmp(methods, method, l) != 0)
+                return 0;
+        if (methods[l] != ',' && methods[l] != '\0')
+                return 0;
+        return 1;
+}
+/*
+ * Remove method from the start of a comma-separated list of methods.
+ * Returns 0 if the list of methods did not start with that method or 1
+ * if it did.
+ */
+static int
+remove_method(char **methods, const char *method)
+{
+        char *omethods = *methods;
+        size_t l = strlen(method);
+        if (!list_starts_with(omethods, method))
+                return 0;
+        *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
+        free(omethods);
+        return 1;
+}
+/*
+ * Called after successful authentication. Will remove the successful method
+ * from the start of each list in which it occurs. If it was the last method
+ * in any list, then authentication is deemed successful.
+ * Returns 1 if the method completed any authentication list or 0 otherwise.
+ */
+int
+auth2_update_methods_lists(Authctxt *authctxt, const char *method)
+{
+        u_int i, found = 0;
+        debug3("%s: updating methods list after \"%s\"", __func__, method);
+        for (i = 0; i < authctxt->num_auth_methods; i++) {
+                if (!remove_method(&(authctxt->auth_methods[i]), method))
+                        continue;
+                found = 1;
+                if (*authctxt->auth_methods[i] == '\0') {
+                        debug2("authentication methods list %d complete", i);
+                        return 1;
+                }
+                debug3("authentication methods list %d remaining: \"%s\"",
+                    i, authctxt->auth_methods[i]);
+        }
+        /* This should not happen, but would be bad if it did */
+        if (!found)
+                fatal("%s: method not in AuthenticationMethods", __func__);
+        return 0;
+}
author	Damien Miller <djm@mindrot.org>	2012-11-04 23:21:40 +1100
committer	Damien Miller <djm@mindrot.org>	2012-11-04 23:21:40 +1100
commit	a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0 (patch)
tree	577022d2b31e9519d26bc614c3f5396e17d58ec6 /auth2.c
parent	d0d1099b3b8a766480ce6df215631bf0af6e6bcd (diff)

diff --git a/auth2.c b/auth2.c index b66bef64c..8114ec863 100644 --- a/auth2.c +++ b/auth2.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */	1	/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -96,8 +96,10 @@ static void input_service_request(int, u_int32_t, void *);
96	static void input_userauth_request(int, u_int32_t, void *);	96	static void input_userauth_request(int, u_int32_t, void *);
97		97
98	/* helper */	98	/* helper */
99	static Authmethod authmethod_lookup(const char );	99	static Authmethod authmethod_lookup(Authctxt , const char *);
100	static char *authmethods_get(void);	100	static char authmethods_get(Authctxt authctxt);
		101	static int method_allowed(Authctxt , const char );
		102	static int list_starts_with(const char , const char );
101		103
102	char *	104	char *
103	auth2_read_banner(void)	105	auth2_read_banner(void)
@@ -255,6 +257,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
255	if (use_privsep)	257	if (use_privsep)
256	mm_inform_authserv(service, style);	258	mm_inform_authserv(service, style);
257	userauth_banner();	259	userauth_banner();
		260	if (auth2_setup_methods_lists(authctxt) != 0)
		261	packet_disconnect("no authentication methods enabled");
258	} else if (strcmp(user, authctxt->user) != 0 \|\|	262	} else if (strcmp(user, authctxt->user) != 0 \|\|
259	strcmp(service, authctxt->service) != 0) {	263	strcmp(service, authctxt->service) != 0) {
260	packet_disconnect("Change of username or service not allowed: "	264	packet_disconnect("Change of username or service not allowed: "
@@ -277,7 +281,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
277	authctxt->server_caused_failure = 0;	281	authctxt->server_caused_failure = 0;
278		282
279	/* try to authenticate user */	283	/* try to authenticate user */
280	m = authmethod_lookup(method);	284	m = authmethod_lookup(authctxt, method);
281	if (m != NULL && authctxt->failures < options.max_authtries) {	285	if (m != NULL && authctxt->failures < options.max_authtries) {
282	debug2("input_userauth_request: try method %s", method);	286	debug2("input_userauth_request: try method %s", method);
283	authenticated = m->userauth(authctxt);	287	authenticated = m->userauth(authctxt);
@@ -293,6 +297,7 @@ void
293	userauth_finish(Authctxt authctxt, int authenticated, char method)	297	userauth_finish(Authctxt authctxt, int authenticated, char method)
294	{	298	{
295	char *methods;	299	char *methods;
		300	int partial = 0;
296		301
297	if (!authctxt->valid && authenticated)	302	if (!authctxt->valid && authenticated)
298	fatal("INTERNAL ERROR: authenticated invalid user %s",	303	fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -335,7 +340,13 @@ userauth_finish(Authctxt authctxt, int authenticated, char method)
335	if (authctxt->postponed)	340	if (authctxt->postponed)
336	return;	341	return;
337		342
338	/* XXX todo: check if multiple auth methods are needed */	343	if (authenticated && options.num_auth_methods != 0) {
		344	if (!auth2_update_methods_lists(authctxt, method)) {
		345	authenticated = 0;
		346	partial = 1;
		347	}
		348	}
		349
339	if (authenticated == 1) {	350	if (authenticated == 1) {
340	/* turn off userauth */	351	/* turn off userauth */
341	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);	352	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -356,34 +367,61 @@ userauth_finish(Authctxt authctxt, int authenticated, char method)
356	#endif	367	#endif
357	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);	368	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
358	}	369	}
359	methods = authmethods_get();	370	methods = authmethods_get(authctxt);
		371	debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
		372	partial, methods);
360	packet_start(SSH2_MSG_USERAUTH_FAILURE);	373	packet_start(SSH2_MSG_USERAUTH_FAILURE);
361	packet_put_cstring(methods);	374	packet_put_cstring(methods);
362	packet_put_char(0); /* XXX partial success, unused */	375	packet_put_char(partial);
363	packet_send();	376	packet_send();
364	packet_write_wait();	377	packet_write_wait();
365	xfree(methods);	378	xfree(methods);
366	}	379	}
367	}	380	}
368		381
		382	/*
		383	* Checks whether method is allowed by at least one AuthenticationMethods
		384	* methods list. Returns 1 if allowed, or no methods lists configured.
		385	* 0 otherwise.
		386	*/
		387	static int
		388	method_allowed(Authctxt authctxt, const char method)
		389	{
		390	u_int i;
		391
		392	/*
		393	* NB. authctxt->num_auth_methods might be zero as a result of
		394	* auth2_setup_methods_lists(), so check the configuration.
		395	*/
		396	if (options.num_auth_methods == 0)
		397	return 1;
		398	for (i = 0; i < authctxt->num_auth_methods; i++) {
		399	if (list_starts_with(authctxt->auth_methods[i], method))
		400	return 1;
		401	}
		402	return 0;
		403	}
		404
369	static char *	405	static char *
370	authmethods_get(void)	406	authmethods_get(Authctxt *authctxt)
371	{	407	{
372	Buffer b;	408	Buffer b;
373	char *list;	409	char *list;
374	int i;	410	u_int i;
375		411
376	buffer_init(&b);	412	buffer_init(&b);
377	for (i = 0; authmethods[i] != NULL; i++) {	413	for (i = 0; authmethods[i] != NULL; i++) {
378	if (strcmp(authmethods[i]->name, "none") == 0)	414	if (strcmp(authmethods[i]->name, "none") == 0)
379	continue;	415	continue;
380	if (authmethods[i]->enabled != NULL &&	416	if (authmethods[i]->enabled == NULL \|\|
381	*(authmethods[i]->enabled) != 0) {	417	*(authmethods[i]->enabled) == 0)
382	if (buffer_len(&b) > 0)	418	continue;
383	buffer_append(&b, ",", 1);	419	if (!method_allowed(authctxt, authmethods[i]->name))
384	buffer_append(&b, authmethods[i]->name,	420	continue;
385	strlen(authmethods[i]->name));	421	if (buffer_len(&b) > 0)
386	}	422	buffer_append(&b, ",", 1);
		423	buffer_append(&b, authmethods[i]->name,
		424	strlen(authmethods[i]->name));
387	}	425	}
388	buffer_append(&b, "\0", 1);	426	buffer_append(&b, "\0", 1);
389	list = xstrdup(buffer_ptr(&b));	427	list = xstrdup(buffer_ptr(&b));
@@ -392,7 +430,7 @@ authmethods_get(void)
392	}	430	}
393		431
394	static Authmethod *	432	static Authmethod *
395	authmethod_lookup(const char *name)	433	authmethod_lookup(Authctxt authctxt, const char name)
396	{	434	{
397	int i;	435	int i;
398		436
@@ -400,10 +438,154 @@ authmethod_lookup(const char *name)
400	for (i = 0; authmethods[i] != NULL; i++)	438	for (i = 0; authmethods[i] != NULL; i++)
401	if (authmethods[i]->enabled != NULL &&	439	if (authmethods[i]->enabled != NULL &&
402	*(authmethods[i]->enabled) != 0 &&	440	*(authmethods[i]->enabled) != 0 &&
403	strcmp(name, authmethods[i]->name) == 0)	441	strcmp(name, authmethods[i]->name) == 0 &&
		442	method_allowed(authctxt, authmethods[i]->name))
404	return authmethods[i];	443	return authmethods[i];
405	debug2("Unrecognized authentication method name: %s",	444	debug2("Unrecognized authentication method name: %s",
406	name ? name : "NULL");	445	name ? name : "NULL");
407	return NULL;	446	return NULL;
408	}	447	}
409		448
		449	/*
		450	* Check a comma-separated list of methods for validity. Is need_enable is
		451	* non-zero, then also require that the methods are enabled.
		452	* Returns 0 on success or -1 if the methods list is invalid.
		453	*/
		454	int
		455	auth2_methods_valid(const char *_methods, int need_enable)
		456	{
		457	char methods, omethods, *method;
		458	u_int i, found;
		459	int ret = -1;
		460
		461	if (*_methods == '\0') {
		462	error("empty authentication method list");
		463	return -1;
		464	}
		465	omethods = methods = xstrdup(_methods);
		466	while ((method = strsep(&methods, ",")) != NULL) {
		467	for (found = i = 0; !found && authmethods[i] != NULL; i++) {
		468	if (strcmp(method, authmethods[i]->name) != 0)
		469	continue;
		470	if (need_enable) {
		471	if (authmethods[i]->enabled == NULL \|\|
		472	*(authmethods[i]->enabled) == 0) {
		473	error("Disabled method \"%s\" in "
		474	"AuthenticationMethods list \"%s\"",
		475	method, _methods);
		476	goto out;
		477	}
		478	}
		479	found = 1;
		480	break;
		481	}
		482	if (!found) {
		483	error("Unknown authentication method \"%s\" in list",
		484	method);
		485	goto out;
		486	}
		487	}
		488	ret = 0;
		489	out:
		490	free(omethods);
		491	return ret;
		492	}
		493
		494	/*
		495	* Prune the AuthenticationMethods supplied in the configuration, removing
		496	* any methods lists that include disabled methods. Note that this might
		497	* leave authctxt->num_auth_methods == 0, even when multiple required auth
		498	* has been requested. For this reason, all tests for whether multiple is
		499	* enabled should consult options.num_auth_methods directly.
		500	*/
		501	int
		502	auth2_setup_methods_lists(Authctxt *authctxt)
		503	{
		504	u_int i;
		505
		506	if (options.num_auth_methods == 0)
		507	return 0;
		508	debug3("%s: checking methods", __func__);
		509	authctxt->auth_methods = xcalloc(options.num_auth_methods,
		510	sizeof(*authctxt->auth_methods));
		511	authctxt->num_auth_methods = 0;
		512	for (i = 0; i < options.num_auth_methods; i++) {
		513	if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
		514	logit("Authentication methods list \"%s\" contains "
		515	"disabled method, skipping",
		516	options.auth_methods[i]);
		517	continue;
		518	}
		519	debug("authentication methods list %d: %s",
		520	authctxt->num_auth_methods, options.auth_methods[i]);
		521	authctxt->auth_methods[authctxt->num_auth_methods++] =
		522	xstrdup(options.auth_methods[i]);
		523	}
		524	if (authctxt->num_auth_methods == 0) {
		525	error("No AuthenticationMethods left after eliminating "
		526	"disabled methods");
		527	return -1;
		528	}
		529	return 0;
		530	}
		531
		532	static int
		533	list_starts_with(const char methods, const char method)
		534	{
		535	size_t l = strlen(method);
		536
		537	if (strncmp(methods, method, l) != 0)
		538	return 0;
		539	if (methods[l] != ',' && methods[l] != '\0')
		540	return 0;
		541	return 1;
		542	}
		543
		544	/*
		545	* Remove method from the start of a comma-separated list of methods.
		546	* Returns 0 if the list of methods did not start with that method or 1
		547	* if it did.
		548	*/
		549	static int
		550	remove_method(char *methods, const char method)
		551	{
		552	char omethods = methods;
		553	size_t l = strlen(method);
		554
		555	if (!list_starts_with(omethods, method))
		556	return 0;
		557	*methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
		558	free(omethods);
		559	return 1;
		560	}
		561
		562	/*
		563	* Called after successful authentication. Will remove the successful method
		564	* from the start of each list in which it occurs. If it was the last method
		565	* in any list, then authentication is deemed successful.
		566	* Returns 1 if the method completed any authentication list or 0 otherwise.
		567	*/
		568	int
		569	auth2_update_methods_lists(Authctxt authctxt, const char method)
		570	{
		571	u_int i, found = 0;
		572
		573	debug3("%s: updating methods list after \"%s\"", __func__, method);
		574	for (i = 0; i < authctxt->num_auth_methods; i++) {
		575	if (!remove_method(&(authctxt->auth_methods[i]), method))
		576	continue;
		577	found = 1;
		578	if (*authctxt->auth_methods[i] == '\0') {
		579	debug2("authentication methods list %d complete", i);
		580	return 1;
		581	}
		582	debug3("authentication methods list %d remaining: \"%s\"",
		583	i, authctxt->auth_methods[i]);
		584	}
		585	/* This should not happen, but would be bad if it did */
		586	if (!found)
		587	fatal("%s: method not in AuthenticationMethods", __func__);
		588	return 0;
		589	}
		590
		591