diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
| commit | 2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch) | |
| tree | c4fb7d1f51fa51e7677232de806aae150e29e2ac /monitor.c | |
| parent | f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff) | |
| parent | ecebda56da46a03dafff923d91c382f31faa9eec (diff) | |
* New upstream release (http://www.openssh.com/txt/release-6.2).
- Add support for multiple required authentication in SSH protocol 2 via
an AuthenticationMethods option (closes: #195716).
- Fix Sophie Germain formula in moduli(5) (closes: #698612).
- Update ssh-copy-id to Phil Hands' greatly revised version (closes:
#99785, #322228, #620428; LP: #518883, #835901, #1074798).
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 64 |
1 files changed, 50 insertions, 14 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -209,6 +209,7 @@ static int key_blobtype = MM_NOKEY; | |||
| 209 | static char *hostbased_cuser = NULL; | 209 | static char *hostbased_cuser = NULL; |
| 210 | static char *hostbased_chost = NULL; | 210 | static char *hostbased_chost = NULL; |
| 211 | static char *auth_method = "unknown"; | 211 | static char *auth_method = "unknown"; |
| 212 | static char *auth_submethod = NULL; | ||
| 212 | static u_int session_id2_len = 0; | 213 | static u_int session_id2_len = 0; |
| 213 | static u_char *session_id2 = NULL; | 214 | static u_char *session_id2 = NULL; |
| 214 | static pid_t monitor_child_pid; | 215 | static pid_t monitor_child_pid; |
| @@ -376,7 +377,7 @@ void | |||
| 376 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 377 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
| 377 | { | 378 | { |
| 378 | struct mon_table *ent; | 379 | struct mon_table *ent; |
| 379 | int authenticated = 0; | 380 | int authenticated = 0, partial = 0; |
| 380 | 381 | ||
| 381 | debug3("preauth child monitor started"); | 382 | debug3("preauth child monitor started"); |
| 382 | 383 | ||
| @@ -407,8 +408,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 407 | 408 | ||
| 408 | /* The first few requests do not require asynchronous access */ | 409 | /* The first few requests do not require asynchronous access */ |
| 409 | while (!authenticated) { | 410 | while (!authenticated) { |
| 411 | partial = 0; | ||
| 410 | auth_method = "unknown"; | 412 | auth_method = "unknown"; |
| 413 | auth_submethod = NULL; | ||
| 411 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 414 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); |
| 415 | |||
| 416 | /* Special handling for multiple required authentications */ | ||
| 417 | if (options.num_auth_methods != 0) { | ||
| 418 | if (!compat20) | ||
| 419 | fatal("AuthenticationMethods is not supported" | ||
| 420 | "with SSH protocol 1"); | ||
| 421 | if (authenticated && | ||
| 422 | !auth2_update_methods_lists(authctxt, | ||
| 423 | auth_method)) { | ||
| 424 | debug3("%s: method %s: partial", __func__, | ||
| 425 | auth_method); | ||
| 426 | authenticated = 0; | ||
| 427 | partial = 1; | ||
| 428 | } | ||
| 429 | } | ||
| 430 | |||
| 412 | if (authenticated) { | 431 | if (authenticated) { |
| 413 | if (!(ent->flags & MON_AUTHDECIDE)) | 432 | if (!(ent->flags & MON_AUTHDECIDE)) |
| 414 | fatal("%s: unexpected authentication from %d", | 433 | fatal("%s: unexpected authentication from %d", |
| @@ -429,9 +448,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 429 | } | 448 | } |
| 430 | #endif | 449 | #endif |
| 431 | } | 450 | } |
| 432 | |||
| 433 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 451 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
| 434 | auth_log(authctxt, authenticated, auth_method, | 452 | auth_log(authctxt, authenticated, partial, |
| 453 | auth_method, auth_submethod, | ||
| 435 | compat20 ? " ssh2" : ""); | 454 | compat20 ? " ssh2" : ""); |
| 436 | if (!authenticated) | 455 | if (!authenticated) |
| 437 | authctxt->failures++; | 456 | authctxt->failures++; |
| @@ -447,10 +466,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 447 | #endif | 466 | #endif |
| 448 | } | 467 | } |
| 449 | 468 | ||
| 450 | /* Drain any buffered messages from the child */ | ||
| 451 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
| 452 | ; | ||
| 453 | |||
| 454 | if (!authctxt->valid) | 469 | if (!authctxt->valid) |
| 455 | fatal("%s: authenticated invalid user", __func__); | 470 | fatal("%s: authenticated invalid user", __func__); |
| 456 | if (strcmp(auth_method, "unknown") == 0) | 471 | if (strcmp(auth_method, "unknown") == 0) |
| @@ -461,6 +476,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 461 | 476 | ||
| 462 | mm_get_keystate(pmonitor); | 477 | mm_get_keystate(pmonitor); |
| 463 | 478 | ||
| 479 | /* Drain any buffered messages from the child */ | ||
| 480 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
| 481 | ; | ||
| 482 | |||
| 464 | close(pmonitor->m_sendfd); | 483 | close(pmonitor->m_sendfd); |
| 465 | close(pmonitor->m_log_recvfd); | 484 | close(pmonitor->m_log_recvfd); |
| 466 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; | 485 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; |
| @@ -816,7 +835,17 @@ mm_answer_pwnamallow(int sock, Buffer *m) | |||
| 816 | COPY_MATCH_STRING_OPTS(); | 835 | COPY_MATCH_STRING_OPTS(); |
| 817 | #undef M_CP_STROPT | 836 | #undef M_CP_STROPT |
| 818 | #undef M_CP_STRARRAYOPT | 837 | #undef M_CP_STRARRAYOPT |
| 819 | 838 | ||
| 839 | /* Create valid auth method lists */ | ||
| 840 | if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { | ||
| 841 | /* | ||
| 842 | * The monitor will continue long enough to let the child | ||
| 843 | * run to it's packet_disconnect(), but it must not allow any | ||
| 844 | * authentication to succeed. | ||
| 845 | */ | ||
| 846 | debug("%s: no valid authentication method lists", __func__); | ||
| 847 | } | ||
| 848 | |||
| 820 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); | 849 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); |
| 821 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); | 850 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); |
| 822 | 851 | ||
| @@ -977,7 +1006,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
| 977 | debug3("%s: sending authenticated: %d", __func__, authok); | 1006 | debug3("%s: sending authenticated: %d", __func__, authok); |
| 978 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); | 1007 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); |
| 979 | 1008 | ||
| 980 | auth_method = "bsdauth"; | 1009 | if (compat20) |
| 1010 | auth_method = "keyboard-interactive"; /* XXX auth_submethod */ | ||
| 1011 | else | ||
| 1012 | auth_method = "bsdauth"; | ||
| 981 | 1013 | ||
| 982 | return (authok != 0); | 1014 | return (authok != 0); |
| 983 | } | 1015 | } |
| @@ -1116,7 +1148,8 @@ mm_answer_pam_query(int sock, Buffer *m) | |||
| 1116 | xfree(prompts); | 1148 | xfree(prompts); |
| 1117 | if (echo_on != NULL) | 1149 | if (echo_on != NULL) |
| 1118 | xfree(echo_on); | 1150 | xfree(echo_on); |
| 1119 | auth_method = "keyboard-interactive/pam"; | 1151 | auth_method = "keyboard-interactive"; |
| 1152 | auth_submethod = "pam"; | ||
| 1120 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); | 1153 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); |
| 1121 | return (0); | 1154 | return (0); |
| 1122 | } | 1155 | } |
| @@ -1145,7 +1178,8 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
| 1145 | buffer_clear(m); | 1178 | buffer_clear(m); |
| 1146 | buffer_put_int(m, ret); | 1179 | buffer_put_int(m, ret); |
| 1147 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); | 1180 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); |
| 1148 | auth_method = "keyboard-interactive/pam"; | 1181 | auth_method = "keyboard-interactive"; |
| 1182 | auth_submethod = "pam"; | ||
| 1149 | if (ret == 0) | 1183 | if (ret == 0) |
| 1150 | sshpam_authok = sshpam_ctxt; | 1184 | sshpam_authok = sshpam_ctxt; |
| 1151 | return (0); | 1185 | return (0); |
| @@ -1159,7 +1193,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) | |||
| 1159 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1193 | (sshpam_device.free_ctx)(sshpam_ctxt); |
| 1160 | buffer_clear(m); | 1194 | buffer_clear(m); |
| 1161 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1195 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
| 1162 | auth_method = "keyboard-interactive/pam"; | 1196 | auth_method = "keyboard-interactive"; |
| 1197 | auth_submethod = "pam"; | ||
| 1163 | return (sshpam_authok == sshpam_ctxt); | 1198 | return (sshpam_authok == sshpam_ctxt); |
| 1164 | } | 1199 | } |
| 1165 | #endif | 1200 | #endif |
| @@ -1233,7 +1268,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1233 | hostbased_chost = chost; | 1268 | hostbased_chost = chost; |
| 1234 | } else { | 1269 | } else { |
| 1235 | /* Log failed attempt */ | 1270 | /* Log failed attempt */ |
| 1236 | auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); | 1271 | auth_log(authctxt, 0, 0, auth_method, NULL, |
| 1272 | compat20 ? " ssh2" : ""); | ||
| 1237 | xfree(blob); | 1273 | xfree(blob); |
| 1238 | xfree(cuser); | 1274 | xfree(cuser); |
| 1239 | xfree(chost); | 1275 | xfree(chost); |