Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0^! / . / monitor.c
commita6e3f01d1e230b8acfdd6b4cf3096459d2a325e0[log] [tgz]
authorDamien Miller <djm@mindrot.org>Sun Nov 04 23:21:40 2012 +1100
committerDamien Miller <djm@mindrot.org>Sun Nov 04 23:21:40 2012 +1100
tree577022d2b31e9519d26bc614c3f5396e17d58ec6
parentd0d1099b3b8a766480ce6df215631bf0af6e6bcd [diff] [blame]
   - djm@cvs.openbsd.org 2012/11/04 11:09:15
     [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
     [sshd_config.5]
     Support multiple required authentication via an AuthenticationMethods
     option. This option lists one or more comma-separated lists of
     authentication method names. Successful completion of all the methods in
     any list is required for authentication to complete;
     feedback and ok markus@

diff --git a/monitor.c b/monitor.c
index e9802a3..0adbf3a 100644
--- a/monitor.c
+++ b/monitor.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -381,6 +381,21 @@
 	while (!authenticated) {
 		auth_method = "unknown";
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+
+		/* Special handling for multiple required authentications */
+		if (options.num_auth_methods != 0) {
+			if (!compat20)
+				fatal("AuthenticationMethods is not supported"
+				    "with SSH protocol 1");
+			if (authenticated &&
+			    !auth2_update_methods_lists(authctxt,
+			    auth_method)) {
+				debug3("%s: method %s: partial", __func__,
+				    auth_method);
+				authenticated = 0;
+			}
+		}
+
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
 				fatal("%s: unexpected authentication from %d",
@@ -401,7 +416,6 @@
 			}
 #endif
 		}
-
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(authctxt, authenticated, auth_method,
 			    compat20 ? " ssh2" : "");
@@ -781,7 +795,17 @@
 	COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
-	
+
+	/* Create valid auth method lists */
+	if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
+		/*
+		 * The monitor will continue long enough to let the child
+		 * run to it's packet_disconnect(), but it must not allow any
+		 * authentication to succeed.
+		 */
+		debug("%s: no valid authentication method lists", __func__);
+	}
+
 	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
 	mm_request_send(sock, MONITOR_ANS_PWNAM, m);
 
@@ -918,7 +942,10 @@
 	debug3("%s: sending authenticated: %d", __func__, authok);
 	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 
-	auth_method = "bsdauth";
+	if (compat20)
+		auth_method = "keyboard-interactive";
+	else
+		auth_method = "bsdauth";
 
 	return (authok != 0);
 }