authorDamien Miller <djm@mindrot.org>2012-11-04 23:21:40 +1100
committerDamien Miller <djm@mindrot.org>2012-11-04 23:21:40 +1100
commita6e3f01d1e230b8acfdd6b4cf3096459d2a325e0 (patch)
tree577022d2b31e9519d26bc614c3f5396e17d58ec6 /sshd.c
parentd0d1099b3b8a766480ce6df215631bf0af6e6bcd (diff)
- djm@cvs.openbsd.org 2012/11/04 11:09:15
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/sshd.c b/sshd.c
index 4ad1a4bd1..af7ff91ba 100644
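--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.396 2012/11/04 11:09:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1337,6 +1337,7 @@ main(int ac, char **av)
  int remote_port;
  char *line;
  int config_s[2] = { -1 , -1 };
+ u_int n;
  u_int64_t ibytes, obytes;
  mode_t new_umask;
  Key *key;
@@ -1566,6 +1567,26 @@ main(int ac, char **av)
  fatal("AuthorizedKeysCommand set without "
  "AuthorizedKeysCommandUser");
 
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+ * daemonisation in the presence of Match block, but this catches
+ * and warns for trivial misconfigurations that could break login.
+ */
+ if (options.num_auth_methods != 0) {
+ if ((options.protocol & SSH_PROTO_1))
+ fatal("AuthenticationMethods is not supported with "
+ "SSH protocol 1");
+ for (n = 0; n < options.num_auth_methods; n++) {
+ if (auth2_methods_valid(options.auth_methods[n],
+ 1) == 0)
+ break;
+ }
+ if (n >= options.num_auth_methods)
+ fatal("AuthenticationMethods cannot be satisfied by "
+ "enabled authentication methods");
+ }
+
  /* set default channel AF */
  channel_set_af(options.address_family);
 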
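Review bot: The loop at new lines 1580-1584 breaks on the first list for which `auth2_methods_valid(options.auth_methods[n], 1)` returns 0, so lists after that one are never examined at startup. A later list that names a disabled method would therefore go unreported as long as one earlier list is usable. Judging from the `fatal()` that follows, 0 means "this list can be satisfied", but neither that convention nor the meaning of the bare `1` argument is visible here, and the loop is easy to misread as breaking on failure. I would add a comment above the loop, for example `/* auth2_methods_valid() == 0: list is usable with the enabled methods; one usable list is enough, remaining lists are not checked here */`. As the existing comment says, methods set inside Match blocks are not covered by this check, so the authentication code (in files not shown here) still has to refuse login when no list can be completed; `main()` begins and ends outside these hunks.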