- djm@cvs.openbsd.org 2012/11/04 11:09:15
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
[sshd_config.5]
Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
diff --git a/auth2.c b/auth2.c
index b66bef6..8114ec8 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -96,8 +96,10 @@
static void input_userauth_request(int, u_int32_t, void *);
/* helper */
-static Authmethod *authmethod_lookup(const char *);
-static char *authmethods_get(void);
+static Authmethod *authmethod_lookup(Authctxt *, const char *);
+static char *authmethods_get(Authctxt *authctxt);
+static int method_allowed(Authctxt *, const char *);
+static int list_starts_with(const char *, const char *);
char *
auth2_read_banner(void)
@@ -255,6 +257,8 @@
if (use_privsep)
mm_inform_authserv(service, style);
userauth_banner();
+ if (auth2_setup_methods_lists(authctxt) != 0)
+ packet_disconnect("no authentication methods enabled");
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: "
@@ -277,7 +281,7 @@
authctxt->server_caused_failure = 0;
/* try to authenticate user */
- m = authmethod_lookup(method);
+ m = authmethod_lookup(authctxt, method);
if (m != NULL && authctxt->failures < options.max_authtries) {
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(authctxt);
@@ -293,6 +297,7 @@
userauth_finish(Authctxt *authctxt, int authenticated, char *method)
{
char *methods;
+ int partial = 0;
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -335,7 +340,13 @@
if (authctxt->postponed)
return;
- /* XXX todo: check if multiple auth methods are needed */
+ if (authenticated && options.num_auth_methods != 0) {
+ if (!auth2_update_methods_lists(authctxt, method)) {
+ authenticated = 0;
+ partial = 1;
+ }
+ }
+
if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -356,34 +367,61 @@
#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
}
- methods = authmethods_get();
+ methods = authmethods_get(authctxt);
+ debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
+ partial, methods);
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
- packet_put_char(0); /* XXX partial success, unused */
+ packet_put_char(partial);
packet_send();
packet_write_wait();
xfree(methods);
}
}
+/*
+ * Checks whether method is allowed by at least one AuthenticationMethods
+ * methods list. Returns 1 if allowed, or no methods lists configured.
+ * 0 otherwise.
+ */
+static int
+method_allowed(Authctxt *authctxt, const char *method)
+{
+ u_int i;
+
+ /*
+ * NB. authctxt->num_auth_methods might be zero as a result of
+ * auth2_setup_methods_lists(), so check the configuration.
+ */
+ if (options.num_auth_methods == 0)
+ return 1;
+ for (i = 0; i < authctxt->num_auth_methods; i++) {
+ if (list_starts_with(authctxt->auth_methods[i], method))
+ return 1;
+ }
+ return 0;
+}
+
static char *
-authmethods_get(void)
+authmethods_get(Authctxt *authctxt)
{
Buffer b;
char *list;
- int i;
+ u_int i;
buffer_init(&b);
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(authmethods[i]->name, "none") == 0)
continue;
- if (authmethods[i]->enabled != NULL &&
- *(authmethods[i]->enabled) != 0) {
- if (buffer_len(&b) > 0)
- buffer_append(&b, ",", 1);
- buffer_append(&b, authmethods[i]->name,
- strlen(authmethods[i]->name));
- }
+ if (authmethods[i]->enabled == NULL ||
+ *(authmethods[i]->enabled) == 0)
+ continue;
+ if (!method_allowed(authctxt, authmethods[i]->name))
+ continue;
+ if (buffer_len(&b) > 0)
+ buffer_append(&b, ",", 1);
+ buffer_append(&b, authmethods[i]->name,
+ strlen(authmethods[i]->name));
}
buffer_append(&b, "\0", 1);
list = xstrdup(buffer_ptr(&b));
@@ -392,7 +430,7 @@
}
static Authmethod *
-authmethod_lookup(const char *name)
+authmethod_lookup(Authctxt *authctxt, const char *name)
{
int i;
@@ -400,10 +438,154 @@
for (i = 0; authmethods[i] != NULL; i++)
if (authmethods[i]->enabled != NULL &&
*(authmethods[i]->enabled) != 0 &&
- strcmp(name, authmethods[i]->name) == 0)
+ strcmp(name, authmethods[i]->name) == 0 &&
+ method_allowed(authctxt, authmethods[i]->name))
return authmethods[i];
debug2("Unrecognized authentication method name: %s",
name ? name : "NULL");
return NULL;
}
+/*
+ * Check a comma-separated list of methods for validity. Is need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+ char *methods, *omethods, *method;
+ u_int i, found;
+ int ret = -1;
+
+ if (*_methods == '\0') {
+ error("empty authentication method list");
+ return -1;
+ }
+ omethods = methods = xstrdup(_methods);
+ while ((method = strsep(&methods, ",")) != NULL) {
+ for (found = i = 0; !found && authmethods[i] != NULL; i++) {
+ if (strcmp(method, authmethods[i]->name) != 0)
+ continue;
+ if (need_enable) {
+ if (authmethods[i]->enabled == NULL ||
+ *(authmethods[i]->enabled) == 0) {
+ error("Disabled method \"%s\" in "
+ "AuthenticationMethods list \"%s\"",
+ method, _methods);
+ goto out;
+ }
+ }
+ found = 1;
+ break;
+ }
+ if (!found) {
+ error("Unknown authentication method \"%s\" in list",
+ method);
+ goto out;
+ }
+ }
+ ret = 0;
+ out:
+ free(omethods);
+ return ret;
+}
+
+/*
+ * Prune the AuthenticationMethods supplied in the configuration, removing
+ * any methods lists that include disabled methods. Note that this might
+ * leave authctxt->num_auth_methods == 0, even when multiple required auth
+ * has been requested. For this reason, all tests for whether multiple is
+ * enabled should consult options.num_auth_methods directly.
+ */
+int
+auth2_setup_methods_lists(Authctxt *authctxt)
+{
+ u_int i;
+
+ if (options.num_auth_methods == 0)
+ return 0;
+ debug3("%s: checking methods", __func__);
+ authctxt->auth_methods = xcalloc(options.num_auth_methods,
+ sizeof(*authctxt->auth_methods));
+ authctxt->num_auth_methods = 0;
+ for (i = 0; i < options.num_auth_methods; i++) {
+ if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
+ logit("Authentication methods list \"%s\" contains "
+ "disabled method, skipping",
+ options.auth_methods[i]);
+ continue;
+ }
+ debug("authentication methods list %d: %s",
+ authctxt->num_auth_methods, options.auth_methods[i]);
+ authctxt->auth_methods[authctxt->num_auth_methods++] =
+ xstrdup(options.auth_methods[i]);
+ }
+ if (authctxt->num_auth_methods == 0) {
+ error("No AuthenticationMethods left after eliminating "
+ "disabled methods");
+ return -1;
+ }
+ return 0;
+}
+
+static int
+list_starts_with(const char *methods, const char *method)
+{
+ size_t l = strlen(method);
+
+ if (strncmp(methods, method, l) != 0)
+ return 0;
+ if (methods[l] != ',' && methods[l] != '\0')
+ return 0;
+ return 1;
+}
+
+/*
+ * Remove method from the start of a comma-separated list of methods.
+ * Returns 0 if the list of methods did not start with that method or 1
+ * if it did.
+ */
+static int
+remove_method(char **methods, const char *method)
+{
+ char *omethods = *methods;
+ size_t l = strlen(method);
+
+ if (!list_starts_with(omethods, method))
+ return 0;
+ *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
+ free(omethods);
+ return 1;
+}
+
+/*
+ * Called after successful authentication. Will remove the successful method
+ * from the start of each list in which it occurs. If it was the last method
+ * in any list, then authentication is deemed successful.
+ * Returns 1 if the method completed any authentication list or 0 otherwise.
+ */
+int
+auth2_update_methods_lists(Authctxt *authctxt, const char *method)
+{
+ u_int i, found = 0;
+
+ debug3("%s: updating methods list after \"%s\"", __func__, method);
+ for (i = 0; i < authctxt->num_auth_methods; i++) {
+ if (!remove_method(&(authctxt->auth_methods[i]), method))
+ continue;
+ found = 1;
+ if (*authctxt->auth_methods[i] == '\0') {
+ debug2("authentication methods list %d complete", i);
+ return 1;
+ }
+ debug3("authentication methods list %d remaining: \"%s\"",
+ i, authctxt->auth_methods[i]);
+ }
+ /* This should not happen, but would be bad if it did */
+ if (!found)
+ fatal("%s: method not in AuthenticationMethods", __func__);
+ return 0;
+}
+
+