removed dead code and fixed segfault in openssh-5.9p1-required-authentications.patch

2012-07-27 12:55:06 +02:00 · 2012-07-27 12:55:06 +02:00 · 420ff03c91
commit 420ff03c91
parent e9620308c8
2 changed files with 99 additions and 98 deletions
--- a/openssh-5.9p1-audit4.patch
+++ b/openssh-5.9p1-audit4.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit4	2012-02-06 17:15:01.574908126 +0100
-+++ openssh-5.9p1/audit-bsm.c	2012-02-06 17:15:21.656095559 +0100
+--- openssh-5.9p1/audit-bsm.c.audit4	2012-07-27 14:27:56.149474798 +0200
+++ openssh-5.9p1/audit-bsm.c	2012-07-27 14:27:56.164474882 +0200
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
 {
 	/* not implemented */
@ -13,8 +13,8 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
 +}
 #endif /* BSM */
 diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/audit.c	2012-02-06 17:15:21.690032906 +0100
+--- openssh-5.9p1/audit.c.audit4	2012-07-27 14:27:56.150474804 +0200
+++ openssh-5.9p1/audit.c	2012-07-27 14:27:56.165474888 +0200
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
 	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
 }
@ -45,8 +45,8 @@ diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/audit.h	2012-02-06 17:15:21.690876254 +0100
+--- openssh-5.9p1/audit.h.audit4	2012-07-27 14:27:56.151474810 +0200
+++ openssh-5.9p1/audit.h	2012-07-27 14:27:56.165474888 +0200
@@ -62,5 +62,7 @@ void	audit_unsupported(int);
 void	audit_kex(int, char *, char *, char *);
 void	audit_unsupported_body(int);
@ -56,8 +56,8 @@ diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit4	2012-02-06 17:15:01.575908525 +0100
-+++ openssh-5.9p1/audit-linux.c	2012-02-06 17:15:21.682001323 +0100
+--- openssh-5.9p1/audit-linux.c.audit4	2012-07-27 14:27:56.149474798 +0200
+++ openssh-5.9p1/audit-linux.c	2012-07-27 14:27:56.166474894 +0200
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
 #endif
 }
@ -109,8 +109,8 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
 +
 #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/auditstub.c	2012-02-06 17:15:21.690876254 +0100
+--- openssh-5.9p1/auditstub.c.audit4	2012-07-27 14:27:56.151474810 +0200
+++ openssh-5.9p1/auditstub.c	2012-07-27 14:27:56.166474894 +0200
@@ -27,6 +27,8 @@
  * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
  */
@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
 +{
 +}
 diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
--- openssh-5.9p1/kex.c.audit4	2012-02-06 17:15:01.578907640 +0100
-+++ openssh-5.9p1/kex.c	2012-02-06 17:15:21.691785656 +0100
+--- openssh-5.9p1/kex.c.audit4	2012-07-27 14:27:56.153474822 +0200
+++ openssh-5.9p1/kex.c	2012-07-27 14:27:56.167474900 +0200
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
 	fprintf(stderr, "\n");
 }
@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
 +
 diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
 --- openssh-5.9p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.9p1/kex.h	2012-02-06 17:15:21.691785656 +0100
+++ openssh-5.9p1/kex.h	2012-07-27 14:27:56.168474905 +0200
@@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 --- openssh-5.9p1/mac.c.audit4	2011-08-17 02:29:03.000000000 +0200
-+++ openssh-5.9p1/mac.c	2012-02-06 17:15:21.692918961 +0100
+++ openssh-5.9p1/mac.c	2012-07-27 14:27:56.168474905 +0200
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
 	mac->umac_ctx = NULL;
 }
@ -209,15 +209,15 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 int
 diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
 --- openssh-5.9p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.9p1/mac.h	2012-02-06 17:15:21.692918961 +0100
+++ openssh-5.9p1/mac.h	2012-07-27 14:27:56.169474910 +0200
@@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
 int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit4	2012-02-06 17:15:01.579896475 +0100
-+++ openssh-5.9p1/monitor.c	2012-02-06 17:16:32.405783810 +0100
+--- openssh-5.9p1/monitor.c.audit4	2012-07-27 14:27:56.154474827 +0200
+++ openssh-5.9p1/monitor.c	2012-07-27 14:31:20.311655098 +0200
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
 int mm_answer_audit_end_command(int, Buffer *);
 int mm_answer_audit_unsupported_body(int, Buffer *);
@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
- #endif
+@@ -449,10 +454,6 @@ monitor_child_preauth(Authctxt *_authctx
+ 			authenticated = 0;
 	}
 
 -	/* Drain any buffered messages from the child */
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 	if (!authctxt->valid)
 		fatal("%s: authenticated invalid user", __func__);
 	if (strcmp(auth_method, "unknown") == 0)
-@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1952,11 +1953,13 @@ mm_get_keystate(struct monitor *pmonitor
 
 	blob = buffer_get_string(&m, &bloblen);
 	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 	xfree(blob);
 
 	/* Now get sequence numbers for the packets */
-@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -2002,6 +2005,21 @@ mm_get_keystate(struct monitor *pmonitor
 	}
 
 	buffer_free(&m);
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 }
 
 
-@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2448,4 +2466,22 @@ mm_answer_audit_kex_body(int sock, Buffe
 	return 0;
 }
 
@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit4	2012-02-06 17:15:01.580908188 +0100
-+++ openssh-5.9p1/monitor.h	2012-02-06 17:15:21.695033617 +0100
+--- openssh-5.9p1/monitor.h.audit4	2012-07-27 14:27:56.155474832 +0200
+++ openssh-5.9p1/monitor.h	2012-07-27 14:27:56.171474920 +0200
@@ -63,6 +63,7 @@ enum monitor_reqtype {
 	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
 	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
 	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
 	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
 diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit4	2012-02-06 17:15:01.581802928 +0100
-+++ openssh-5.9p1/monitor_wrap.c	2012-02-06 17:15:21.696033353 +0100
+--- openssh-5.9p1/monitor_wrap.c.audit4	2012-07-27 14:27:56.156474837 +0200
+++ openssh-5.9p1/monitor_wrap.c	2012-07-27 14:27:56.172474926 +0200
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
 		fatal("%s: conversion of newkeys failed", __func__);
 
@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit4	2012-02-06 17:15:01.582908343 +0100
-+++ openssh-5.9p1/monitor_wrap.h	2012-02-06 17:15:21.696033353 +0100
+--- openssh-5.9p1/monitor_wrap.h.audit4	2012-07-27 14:27:56.157474843 +0200
+++ openssh-5.9p1/monitor_wrap.h	2012-07-27 14:27:56.173474932 +0200
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
 void mm_audit_end_command(int, const char *);
 void mm_audit_unsupported_body(int);
@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
 
 struct Session;
 diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.audit4	2012-02-06 17:15:01.545908387 +0100
-+++ openssh-5.9p1/packet.c	2012-02-06 17:15:21.696886524 +0100
+--- openssh-5.9p1/packet.c.audit4	2012-07-27 14:27:56.099474520 +0200
+++ openssh-5.9p1/packet.c	2012-07-27 14:27:56.174474938 +0200
@@ -60,6 +60,7 @@
 #include <signal.h>
 
@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
 +
 diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 --- openssh-5.9p1/packet.h.audit4	2011-05-15 00:43:13.000000000 +0200
-+++ openssh-5.9p1/packet.h	2012-02-06 17:15:21.697874825 +0100
+++ openssh-5.9p1/packet.h	2012-07-27 14:27:56.175474944 +0200
@@ -124,4 +124,5 @@ void	 packet_restore_state(void);
 void	*packet_get_input(void);
 void	*packet_get_output(void);
@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
 diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit4	2012-02-06 17:15:01.562908533 +0100
-+++ openssh-5.9p1/session.c	2012-02-06 17:15:21.697874825 +0100
+--- openssh-5.9p1/session.c.audit4	2012-07-27 14:27:56.130474693 +0200
+++ openssh-5.9p1/session.c	2012-07-27 14:27:56.176474950 +0200
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
 
 	/* remove hostkey from the child's memory */
@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit4	2012-02-06 17:15:01.583866459 +0100
-+++ openssh-5.9p1/sshd.c	2012-02-06 17:15:21.699033720 +0100
+--- openssh-5.9p1/sshd.c.audit4	2012-07-27 14:27:56.159474855 +0200
+++ openssh-5.9p1/sshd.c	2012-07-27 14:27:56.178474961 +0200
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
 	}
 }
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication	2012-03-30 18:37:59.990184619 +0200
-+++ openssh-5.9p1/auth.c	2012-03-30 18:38:00.003189876 +0200
+--- openssh-5.9p1/auth.c.required-authentication	2012-07-27 12:21:41.181601972 +0200
+++ openssh-5.9p1/auth.c	2012-07-27 12:21:41.203602020 +0200
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
 }
 
@ -92,7 +92,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 +}
 diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
 --- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h	2012-03-30 18:38:00.003189876 +0200
+++ openssh-5.9p1/auth.h	2012-07-27 12:21:41.204602022 +0200
@@ -142,10 +142,11 @@ void disable_forwarding(void);
 void	do_authentication(Authctxt *);
 void	do_authentication2(Authctxt *);
@ -122,8 +122,8 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
 
 diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 --- openssh-5.9p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c	2012-03-30 18:38:00.004189905 +0200
-@@ -98,6 +98,54 @@ static const struct AuthMethod1
+++ openssh-5.9p1/auth1.c	2012-07-27 12:50:50.708706675 +0200
+@@ -98,6 +98,55 @@ static const struct AuthMethod1
 	return (NULL);
 }
 
@ -160,6 +160,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 +			debug("auth1_check_required: unknown method "
 +			    "\"%s\"", cp);
 +			ret = -1;
+			break;
 +		}
 +		if (*(m->enabled) == 0) {
 +			debug("auth1_check_required: method %s explicitly "
@ -178,7 +179,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 static char *
 get_authname(int type)
 {
-@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
+@@ -237,6 +286,7 @@ do_authloop(Authctxt *authctxt)
 {
 	int authenticated = 0;
 	char info[1024];
@ -186,7 +187,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 	int prev = 0, type = 0;
 	const struct AuthMethod1 *meth;
 
-@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
+@@ -244,7 +294,7 @@ do_authloop(Authctxt *authctxt)
 	    authctxt->valid ? "" : "invalid user ", authctxt->user);
 
 	/* If the user has no password, accept authentication immediately. */
@ -195,7 +196,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 #ifdef KRB5
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
-@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
+@@ -253,7 +303,7 @@ do_authloop(Authctxt *authctxt)
 		if (options.use_pam && (PRIVSEP(do_pam_account())))
 #endif
 		{
@ -204,7 +205,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 			return;
 		}
 	}
-@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
+@@ -272,6 +322,7 @@ do_authloop(Authctxt *authctxt)
 		/* Get a packet from the client. */
 		prev = type;
 		type = packet_read();
@ -212,7 +213,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 
 		/*
 		 * If we started challenge-response authentication but the
-@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
+@@ -287,8 +338,8 @@ do_authloop(Authctxt *authctxt)
 		if (authctxt->failures >= options.max_authtries)
 			goto skip;
 		if ((meth = lookup_authmethod1(type)) == NULL) {
@ -223,7 +224,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 			goto skip;
 		}
 
-@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
+@@ -297,6 +348,17 @@ do_authloop(Authctxt *authctxt)
 			goto skip;
 		}
 
@ -241,7 +242,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 		authenticated = meth->method(authctxt, info, sizeof(info));
 		if (authenticated == -1)
 			continue; /* "postponed" */
-@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
+@@ -352,7 +414,29 @@ do_authloop(Authctxt *authctxt)
 
  skip:
 		/* Log before sending the reply */
@ -251,7 +252,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 +		/* Loop until the required authmethods are done */
 +		if (authenticated && options.required_auth1 != NULL) {
 +			if (auth_remove_from_list(&options.required_auth1,
-+			    meth_name) != 1)
+			    meth_name) == 0)
 +				fatal("INTERNAL ERROR: authenticated method "
 +				    "\"%s\" not in required list \"%s\"",
 +				    meth_name, options.required_auth1);
@ -272,7 +273,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 
 		if (client_user != NULL) {
 			xfree(client_user);
-@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
+@@ -368,6 +452,7 @@ do_authloop(Authctxt *authctxt)
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
@ -282,7 +283,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 		packet_send();
 diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 --- openssh-5.9p1/auth2.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c	2012-03-30 18:38:04.560122485 +0200
+++ openssh-5.9p1/auth2.c	2012-07-27 12:51:59.048241612 +0200
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
 {
 	Authctxt *authctxt = ctxt;
@ -347,7 +348,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +		if ((m = authmethod_lookup(method)) == NULL)
 +			fatal("INTERNAL ERROR: authenticated method "
 +			    "\"%s\" unknown", method);
-+		if (auth_remove_from_list(&options.required_auth2, method) != 1)
+		if (auth_remove_from_list(&options.required_auth2, method) == 0)
 +			fatal("INTERNAL ERROR: authenticated method "
 +			    "\"%s\" not in required list \"%s\"", 
 +			    method, options.required_auth2);
@ -453,7 +454,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +
 diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
 --- openssh-5.9p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c	2012-03-30 18:38:00.005184630 +0200
+++ openssh-5.9p1/auth2-gss.c	2012-07-27 12:21:41.206602026 +0200
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
 		}
 		authctxt->postponed = 0;
@ -483,7 +484,7 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
 Authmethod method_gssapi = {
 diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
 --- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c	2012-03-30 19:25:49.049897712 +0200
+++ openssh-5.9p1/auth2-chall.c	2012-07-27 12:21:41.206602026 +0200
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
 			auth2_challenge_start(authctxt);
 		}
@ -496,7 +497,7 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
 
 diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
 --- openssh-5.9p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c	2012-03-30 18:38:00.006184515 +0200
+++ openssh-5.9p1/auth2-none.c	2012-07-27 12:21:41.207602028 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
 {
 	none_enabled = 0;
@ -507,8 +508,8 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
 	return (0);
 }
 diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication	2012-03-30 18:37:59.976189954 +0200
-+++ openssh-5.9p1/monitor.c	2012-03-30 18:38:04.555127442 +0200
+--- openssh-5.9p1/monitor.c.required-authentication	2012-07-27 12:21:41.161601930 +0200
+++ openssh-5.9p1/monitor.c	2012-07-27 12:51:18.884927066 +0200
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
@ -517,12 +518,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
 static pid_t monitor_child_pid;
-@@ -352,7 +353,8 @@ void
- monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -353,6 +354,7 @@ monitor_child_preauth(Authctxt *_authctx
 {
 	struct mon_table *ent;
-	int authenticated = 0;
-+	int no_increment, authenticated = 0;
+ 	int authenticated = 0;
 +	char **req_auth;
 
 	debug3("preauth child monitor started");
@ -542,43 +541,45 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
 	}
-@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -380,6 +384,7 @@ monitor_child_preauth(Authctxt *_authctx
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
 		auth_method = "unknown";
 +		auth_submethod = NULL;
-+		no_increment = 1;
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
-@@ -401,11 +407,24 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -401,10 +406,19 @@ monitor_child_preauth(Authctxt *_authctx
 			}
 #endif
 		}
 +		/* Loop until the required authmethods are done */
 +		if (authenticated && *req_auth != NULL) {
-+			if (auth_remove_from_list(req_auth, auth_method) != 1)
+			if (auth_remove_from_list(req_auth, auth_method) == 0)
 +				fatal("INTERNAL ERROR: authenticated method "
 +				    "\"%s\" not in required list \"%s\"",
 +				    auth_method, *req_auth);
 +			debug2("monitor_child_preauth: required list now: %s",
 +			    *req_auth == NULL ? "DONE" : *req_auth);
-+			if (*req_auth != NULL) {
-+				authenticated = 0;
-+				no_increment = 1;
-+			}
 +		}
 
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(authctxt, authenticated, auth_method,
 -			    compat20 ? " ssh2" : "");
-			if (!authenticated)
 +				 auth_submethod, compat20 ? " ssh2" : "");
-+			if (!authenticated && !no_increment)
+ 			if (!authenticated)
 				authctxt->failures++;
 		}
- #ifdef JPAKE
-@@ -862,6 +881,7 @@ mm_answer_authpassword(int sock, Buffer 
+@@ -417,6 +431,8 @@ monitor_child_preauth(Authctxt *_authctx
+ 			}
+ 		}
+ #endif
+		if (*req_auth != NULL)
+			authenticated = 0;
+ 	}
+ 
+ 	/* Drain any buffered messages from the child */
+@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer
 		auth_method = "none";
 	else
 		auth_method = "password";
@ -586,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 	/* Causes monitor loop to terminate if authenticated */
 	return (authenticated);
-@@ -921,6 +941,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
+@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
 	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 
 	auth_method = "bsdauth";
@ -594,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 	return (authok != 0);
 }
-@@ -970,6 +991,7 @@ mm_answer_skeyrespond(int sock, Buffer *
+@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *
 	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
 
 	auth_method = "skey";
@ -602,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 	return (authok != 0);
 }
-@@ -1059,7 +1081,8 @@ mm_answer_pam_query(int sock, Buffer *m)
+@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 		xfree(prompts);
 	if (echo_on != NULL)
 		xfree(echo_on);
@ -612,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 	return (0);
 }
-@@ -1088,7 +1111,8 @@ mm_answer_pam_respond(int sock, Buffer *
+@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer *
 	buffer_clear(m);
 	buffer_put_int(m, ret);
 	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@ -622,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	if (ret == 0)
 		sshpam_authok = sshpam_ctxt;
 	return (0);
-@@ -1102,7 +1126,8 @@ mm_answer_pam_free_ctx(int sock, Buffer 
+@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
 	(sshpam_device.free_ctx)(sshpam_ctxt);
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@ -632,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	return (sshpam_authok == sshpam_ctxt);
 }
 #endif
-@@ -1138,6 +1163,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			allowed = options.pubkey_authentication &&
 			    user_key_allowed(authctxt->pw, key);
 			auth_method = "publickey";
@ -640,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 			if (options.pubkey_authentication && allowed != 1)
 				auth_clear_options();
 			break;
-@@ -1146,6 +1172,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			    hostbased_key_allowed(authctxt->pw,
 			    cuser, chost, key);
 			auth_method = "hostbased";
@ -648,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 			break;
 		case MM_RSAHOSTKEY:
 			key->type = KEY_RSA1; /* XXX */
-@@ -1155,6 +1182,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			if (options.rhosts_rsa_authentication && allowed != 1)
 				auth_clear_options();
 			auth_method = "rsa";
@ -656,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 			break;
 		default:
 			fatal("%s: unknown key type %d", __func__, type);
-@@ -1180,7 +1208,8 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m
 		hostbased_chost = chost;
 	} else {
 		/* Log failed attempt */
@ -666,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 		xfree(blob);
 		xfree(cuser);
 		xfree(chost);
-@@ -1356,6 +1385,7 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m)
 	xfree(data);
 
 	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@ -674,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 	monitor_reset_key_state();
 
-@@ -1545,6 +1575,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
+@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
 	debug3("%s entering", __func__);
 
 	auth_method = "rsa";
@ -682,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	if (options.rsa_authentication && authctxt->valid) {
 		if ((client_n = BN_new()) == NULL)
 			fatal("%s: BN_new", __func__);
-@@ -1650,6 +1681,7 @@ mm_answer_rsa_response(int sock, Buffer 
+@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer
 	xfree(response);
 
 	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@ -690,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 	/* reset state */
 	BN_clear_free(ssh1_challenge);
-@@ -2099,6 +2131,7 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m
 	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
 	auth_method = "gssapi-with-mic";
@ -698,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
-@@ -2303,6 +2336,7 @@ mm_answer_jpake_check_confirm(int sock, 
+@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock,
 	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
 
 	auth_method = "jpake-01@openssh.com";
@ -707,8 +708,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 }
 
 diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication	2012-03-30 18:37:59.981184513 +0200
-+++ openssh-5.9p1/servconf.c	2012-03-30 18:38:04.558121635 +0200
+--- openssh-5.9p1/servconf.c.required-authentication	2012-07-27 12:21:41.167601942 +0200
+++ openssh-5.9p1/servconf.c	2012-07-27 12:21:41.209602032 +0200
@@ -42,6 +42,8 @@
 #include "key.h"
 #include "kex.h"
@ -780,7 +781,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 		goto parse_int;
 diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
 --- openssh-5.9p1/servconf.h.required-authentication	2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h	2012-03-30 18:38:00.009184624 +0200
+++ openssh-5.9p1/servconf.h	2012-07-27 12:21:41.210602035 +0200
@@ -154,6 +154,9 @@ typedef struct {
 	u_int num_authkeys_files;	/* Files containing public keys */
 	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
@ -793,7 +794,7 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
 	int	use_pam;		/* Enable auth via PAM */
 diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
 --- openssh-5.9p1/sshd_config.5.required-authentication	2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-03-30 18:38:00.009184624 +0200
+++ openssh-5.9p1/sshd_config.5	2012-07-27 12:38:47.607222070 +0200
@@ -723,6 +723,8 @@ Available keywords are
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
@ -808,7 +809,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
 +.It Cm RequiredAuthentications[12]
-+ Requires two authentication methods to succeed before authorizing the connection.
+ Specifies required methods of authentications that has to succeed before authorizing the connection.
 + (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
 +
 + RequiredAuthentications1 method[,method...]