- djm@cvs.openbsd.org 2012/11/04 11:09:15

[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2012-11-04 23:21:40 +1100
committer: Damien Miller <djm@mindrot.org> 2012-11-04 23:21:40 +1100
commit: a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0 (patch)
tree: 577022d2b31e9519d26bc614c3f5396e17d58ec6 /monitor.c
parent: d0d1099b3b8a766480ce6df215631bf0af6e6bcd (diff)
1 files changed, 31 insertions, 4 deletions
diff --git a/monitor.c b/monitor.c
index e9802a3fd..0adbf3a65 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -381,6 +381,21 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
        while (!authenticated) {
                auth_method = "unknown";
                authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+                /* Special handling for multiple required authentications */
+                if (options.num_auth_methods != 0) {
+                        if (!compat20)
+                                fatal("AuthenticationMethods is not supported"
+                                    "with SSH protocol 1");
+                        if (authenticated &&
+                            !auth2_update_methods_lists(authctxt,
+                            auth_method)) {
+                                debug3("%s: method %s: partial", __func__,
+                                    auth_method);
+                                authenticated = 0;
+                        }
+                }
                if (authenticated) {
                        if (!(ent->flags & MON_AUTHDECIDE))
                                fatal("%s: unexpected authentication from %d",
@@ -401,7 +416,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                        }
 #endif
                }
                if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
                        auth_log(authctxt, authenticated, auth_method,
                            compat20 ? " ssh2" : "");
@@ -781,7 +795,17 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-        
+        /* Create valid auth method lists */
+        if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
+                /*
+                 * The monitor will continue long enough to let the child
+                 * run to it's packet_disconnect(), but it must not allow any
+                 * authentication to succeed.
+                 */
+                debug("%s: no valid authentication method lists", __func__);
+        }
        debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
        mm_request_send(sock, MONITOR_ANS_PWNAM, m);
@@ -918,7 +942,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
        debug3("%s: sending authenticated: %d", __func__, authok);
        mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
-        auth_method = "bsdauth";
+        if (compat20)
+                auth_method = "keyboard-interactive";
+        else
+                auth_method = "bsdauth";
        return (authok != 0);
 }
author	Damien Miller <djm@mindrot.org>	2012-11-04 23:21:40 +1100
committer	Damien Miller <djm@mindrot.org>	2012-11-04 23:21:40 +1100
commit	a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0 (patch)
tree	577022d2b31e9519d26bc614c3f5396e17d58ec6 /monitor.c
parent	d0d1099b3b8a766480ce6df215631bf0af6e6bcd (diff)