author | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
commit | 2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch) | |
tree | c4fb7d1f51fa51e7677232de806aae150e29e2ac /monitor.c | |
parent | f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff) | |
parent | ecebda56da46a03dafff923d91c382f31faa9eec (diff) |
* New upstream release (http://www.openssh.com/txt/release-6.2).
- Add support for multiple required authentication in SSH protocol 2 via
an AuthenticationMethods option (closes: #195716).
- Fix Sophie Germain formula in moduli(5) (closes: #698612).
- Update ssh-copy-id to Phil Hands' greatly revised version (closes:
#99785, #322228, #620428; LP: #518883, #835901, #1074798).
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 64 |
1 files changed, 50 insertions, 14 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -209,6 +209,7 @@ static int key_blobtype = MM_NOKEY; | |||
209 | static char *hostbased_cuser = NULL; | 209 | static char *hostbased_cuser = NULL; |
210 | static char *hostbased_chost = NULL; | 210 | static char *hostbased_chost = NULL; |
211 | static char *auth_method = "unknown"; | 211 | static char *auth_method = "unknown"; |
212 | static char *auth_submethod = NULL; | ||
212 | static u_int session_id2_len = 0; | 213 | static u_int session_id2_len = 0; |
213 | static u_char *session_id2 = NULL; | 214 | static u_char *session_id2 = NULL; |
214 | static pid_t monitor_child_pid; | 215 | static pid_t monitor_child_pid; |
@@ -376,7 +377,7 @@ void | |||
376 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 377 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
377 | { | 378 | { |
378 | struct mon_table *ent; | 379 | struct mon_table *ent; |
379 | int authenticated = 0; | 380 | int authenticated = 0, partial = 0; |
380 | 381 | ||
381 | debug3("preauth child monitor started"); | 382 | debug3("preauth child monitor started"); |
382 | 383 | ||
@@ -407,8 +408,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
407 | 408 | ||
408 | /* The first few requests do not require asynchronous access */ | 409 | /* The first few requests do not require asynchronous access */ |
409 | while (!authenticated) { | 410 | while (!authenticated) { |
411 | partial = 0; | ||
410 | auth_method = "unknown"; | 412 | auth_method = "unknown"; |
413 | auth_submethod = NULL; | ||
411 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 414 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); |
415 | |||
416 | /* Special handling for multiple required authentications */ | ||
417 | if (options.num_auth_methods != 0) { | ||
418 | if (!compat20) | ||
419 | fatal("AuthenticationMethods is not supported" | ||
420 | "with SSH protocol 1"); | ||
421 | if (authenticated && | ||
422 | !auth2_update_methods_lists(authctxt, | ||
423 | auth_method)) { | ||
424 | debug3("%s: method %s: partial", __func__, | ||
425 | auth_method); | ||
426 | authenticated = 0; | ||
427 | partial = 1; | ||
428 | } | ||
429 | } | ||
430 | |||
412 | if (authenticated) { | 431 | if (authenticated) { |
413 | if (!(ent->flags & MON_AUTHDECIDE)) | 432 | if (!(ent->flags & MON_AUTHDECIDE)) |
414 | fatal("%s: unexpected authentication from %d", | 433 | fatal("%s: unexpected authentication from %d", |
@@ -429,9 +448,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
429 | } | 448 | } |
430 | #endif | 449 | #endif |
431 | } | 450 | } |
432 | |||
433 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 451 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
434 | auth_log(authctxt, authenticated, auth_method, | 452 | auth_log(authctxt, authenticated, partial, |
453 | auth_method, auth_submethod, | ||
435 | compat20 ? " ssh2" : ""); | 454 | compat20 ? " ssh2" : ""); |
436 | if (!authenticated) | 455 | if (!authenticated) |
437 | authctxt->failures++; | 456 | authctxt->failures++; |
@@ -447,10 +466,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
447 | #endif | 466 | #endif |
448 | } | 467 | } |
449 | 468 | ||
450 | /* Drain any buffered messages from the child */ | ||
451 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
452 | ; | ||
453 | |||
454 | if (!authctxt->valid) | 469 | if (!authctxt->valid) |
455 | fatal("%s: authenticated invalid user", __func__); | 470 | fatal("%s: authenticated invalid user", __func__); |
456 | if (strcmp(auth_method, "unknown") == 0) | 471 | if (strcmp(auth_method, "unknown") == 0) |
@@ -461,6 +476,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
461 | 476 | ||
462 | mm_get_keystate(pmonitor); | 477 | mm_get_keystate(pmonitor); |
463 | 478 | ||
479 | /* Drain any buffered messages from the child */ | ||
480 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
481 | ; | ||
482 | |||
464 | close(pmonitor->m_sendfd); | 483 | close(pmonitor->m_sendfd); |
465 | close(pmonitor->m_log_recvfd); | 484 | close(pmonitor->m_log_recvfd); |
466 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; | 485 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; |
@@ -816,7 +835,17 @@ mm_answer_pwnamallow(int sock, Buffer *m) | |||
816 | COPY_MATCH_STRING_OPTS(); | 835 | COPY_MATCH_STRING_OPTS(); |
817 | #undef M_CP_STROPT | 836 | #undef M_CP_STROPT |
818 | #undef M_CP_STRARRAYOPT | 837 | #undef M_CP_STRARRAYOPT |
819 | 838 | ||
839 | /* Create valid auth method lists */ | ||
840 | if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { | ||
841 | /* | ||
842 | * The monitor will continue long enough to let the child | ||
843 | * run to it's packet_disconnect(), but it must not allow any | ||
844 | * authentication to succeed. | ||
845 | */ | ||
846 | debug("%s: no valid authentication method lists", __func__); | ||
847 | } | ||
848 | |||
820 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); | 849 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); |
821 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); | 850 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); |
822 | 851 | ||
@@ -977,7 +1006,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
977 | debug3("%s: sending authenticated: %d", __func__, authok); | 1006 | debug3("%s: sending authenticated: %d", __func__, authok); |
978 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); | 1007 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); |
979 | 1008 | ||
980 | auth_method = "bsdauth"; | 1009 | if (compat20) |
1010 | auth_method = "keyboard-interactive"; /* XXX auth_submethod */ | ||
1011 | else | ||
1012 | auth_method = "bsdauth"; | ||
981 | 1013 | ||
982 | return (authok != 0); | 1014 | return (authok != 0); |
983 | } | 1015 | } |
@@ -1116,7 +1148,8 @@ mm_answer_pam_query(int sock, Buffer *m) | |||
1116 | xfree(prompts); | 1148 | xfree(prompts); |
1117 | if (echo_on != NULL) | 1149 | if (echo_on != NULL) |
1118 | xfree(echo_on); | 1150 | xfree(echo_on); |
1119 | auth_method = "keyboard-interactive/pam"; | 1151 | auth_method = "keyboard-interactive"; |
1152 | auth_submethod = "pam"; | ||
1120 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); | 1153 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); |
1121 | return (0); | 1154 | return (0); |
1122 | } | 1155 | } |
@@ -1145,7 +1178,8 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
1145 | buffer_clear(m); | 1178 | buffer_clear(m); |
1146 | buffer_put_int(m, ret); | 1179 | buffer_put_int(m, ret); |
1147 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); | 1180 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); |
1148 | auth_method = "keyboard-interactive/pam"; | 1181 | auth_method = "keyboard-interactive"; |
1182 | auth_submethod = "pam"; | ||
1149 | if (ret == 0) | 1183 | if (ret == 0) |
1150 | sshpam_authok = sshpam_ctxt; | 1184 | sshpam_authok = sshpam_ctxt; |
1151 | return (0); | 1185 | return (0); |
@@ -1159,7 +1193,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) | |||
1159 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1193 | (sshpam_device.free_ctx)(sshpam_ctxt); |
1160 | buffer_clear(m); | 1194 | buffer_clear(m); |
1161 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1195 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
1162 | auth_method = "keyboard-interactive/pam"; | 1196 | auth_method = "keyboard-interactive"; |
1197 | auth_submethod = "pam"; | ||
1163 | return (sshpam_authok == sshpam_ctxt); | 1198 | return (sshpam_authok == sshpam_ctxt); |
1164 | } | 1199 | } |
1165 | #endif | 1200 | #endif |
@@ -1233,7 +1268,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1233 | hostbased_chost = chost; | 1268 | hostbased_chost = chost; |
1234 | } else { | 1269 | } else { |
1235 | /* Log failed attempt */ | 1270 | /* Log failed attempt */ |
1236 | auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); | 1271 | auth_log(authctxt, 0, 0, auth_method, NULL, |
1272 | compat20 ? " ssh2" : ""); | ||
1237 | xfree(blob); | 1273 | xfree(blob); |
1238 | xfree(cuser); | 1274 | xfree(cuser); |
1239 | xfree(chost); | 1275 | xfree(chost); |
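Review bot: The two adjacent string literals in the new `fatal()` call in monitor_child_preauth (the `AuthenticationMethods` / `compat20` check in the `@@ -407,8 +408,26 @@` hunk) concatenate to "AuthenticationMethods is not supportedwith SSH protocol 1" because the first literal has no trailing space; the control flow is right, the message is not. Change the first literal to `"AuthenticationMethods is not supported "` so the pieces join correctly. Since the check sits inside the `while (!authenticated)` loop after `monitor_read()`, it fires only once a protocol-1 client's first request has been dispatched with the option set, so this message is the operator's only hint as to why the session was torn down, and it should read cleanly in the log. monitor_child_preauth begins and ends outside that hunk.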