Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0^! / . / servconf.c
commita6e3f01d1e230b8acfdd6b4cf3096459d2a325e0[log] [tgz]
authorDamien Miller <djm@mindrot.org>Sun Nov 04 23:21:40 2012 +1100
committerDamien Miller <djm@mindrot.org>Sun Nov 04 23:21:40 2012 +1100
tree577022d2b31e9519d26bc614c3f5396e17d58ec6
parentd0d1099b3b8a766480ce6df215631bf0af6e6bcd [diff] [blame]
   - djm@cvs.openbsd.org 2012/11/04 11:09:15
     [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
     [sshd_config.5]
     Support multiple required authentication via an AuthenticationMethods
     option. This option lists one or more comma-separated lists of
     authentication method names. Successful completion of all the methods in
     any list is required for authentication to complete;
     feedback and ok markus@

diff --git a/servconf.c b/servconf.c
index 8e69ea5..b90dba6 100644
--- a/servconf.c
+++ b/servconf.c

@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.231 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -48,6 +48,8 @@
 #include "groupaccess.h"
 #include "canohost.h"
 #include "packet.h"
+#include "hostfile.h"
+#include "auth.h"
 
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -332,6 +334,7 @@
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+	sAuthenticationMethods,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -459,6 +462,7 @@
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1522,6 +1526,24 @@
 			*charptr = xstrdup(arg);
 		break;
 
+	case sAuthenticationMethods:
+		if (*activep && options->num_auth_methods == 0) {
+			while ((arg = strdelim(&cp)) && *arg != '\0') {
+				if (options->num_auth_methods >=
+				    MAX_AUTH_METHODS)
+					fatal("%s line %d: "
+					    "too many authentication methods.",
+					    filename, linenum);
+				if (auth2_methods_valid(arg, 0) != 0)
+					fatal("%s line %d: invalid "
+					    "authentication method list.",
+					    filename, linenum);
+				options->auth_methods[
+				    options->num_auth_methods++] = xstrdup(arg);
+			}
+		}
+		return 0;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1953,6 +1975,8 @@
 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+	dump_cfg_strarray_oneline(sAuthenticationMethods,
+	    o->num_auth_methods, o->auth_methods);
 
 	/* other arguments */
 	for (i = 0; i < o->num_subsystems; i++)