diff --git a/auth.c b/auth.c index ee0cb05..1b2fc2b 100644 --- a/auth.c +++ b/auth.c @@ -251,7 +251,8 @@ allowed_user(struct passwd * pw) } void -auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) +auth_log(Authctxt *authctxt, int authenticated, int partial, + const char *method, const char *submethod, const char *info) { void (*authlog) (const char *fmt,...) = verbose; char *authmsg; @@ -268,12 +269,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) if (authctxt->postponed) authmsg = "Postponed"; + else if (partial) + authmsg = "Partial"; else authmsg = authenticated ? "Accepted" : "Failed"; - authlog("%s %s for %s%.100s from %.200s port %d%s", + authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", authmsg, method, + submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, authctxt->valid ? "" : "invalid user ", authctxt->user, get_remote_ipaddr(), @@ -303,7 +307,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) * Check whether root logins are disallowed. */ int -auth_root_allowed(char *method) +auth_root_allowed(const char *method) { switch (options.permit_root_login) { case PERMIT_YES: diff --git a/auth.h b/auth.h index 0d786c4..29823bb 100644 --- a/auth.h +++ b/auth.h @@ -64,6 +64,8 @@ struct Authctxt { #ifdef BSD_AUTH auth_session_t *as; #endif + char **auth_methods; /* modified from server config */ + u_int num_auth_methods; #ifdef KRB5 krb5_context krb5_ctx; krb5_ccache krb5_fwd_ccache; @@ -142,12 +144,17 @@ void disable_forwarding(void); void do_authentication(Authctxt *); void do_authentication2(Authctxt *); -void auth_log(Authctxt *, int, char *, char *); -void userauth_finish(Authctxt *, int, char *); +void auth_log(Authctxt *, int, int, const char *, const char *, + const char *); +void userauth_finish(Authctxt *, int, const char *, const char *); +int auth_root_allowed(const char *); + void userauth_send_banner(const char *); -int auth_root_allowed(char *); char *auth2_read_banner(void); +int auth2_methods_valid(const char *, int); +int auth2_update_methods_lists(Authctxt *, const char *); +int auth2_setup_methods_lists(Authctxt *); void privsep_challenge_enable(void); diff --git a/auth1.c b/auth1.c index cc85aec..458a110 100644 --- a/auth1.c +++ b/auth1.c @@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt) if (options.use_pam && (PRIVSEP(do_pam_account()))) #endif { - auth_log(authctxt, 1, "without authentication", ""); + auth_log(authctxt, 1, 0, "without authentication", + NULL, ""); return; } } @@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt) skip: /* Log before sending the reply */ - auth_log(authctxt, authenticated, get_authname(type), info); + auth_log(authctxt, authenticated, 0, get_authname(type), + NULL, info); if (client_user != NULL) { xfree(client_user); @@ -406,6 +408,11 @@ do_authentication(Authctxt *authctxt) authctxt->pw = fakepw(); } + /* Configuration may have changed as a result of Match */ + if (options.num_auth_methods != 0) + fatal("AuthenticationMethods is not supported with SSH " + "protocol 1"); + setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); diff --git a/auth2-chall.c b/auth2-chall.c index e6dbffe..5f7ec6d 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -283,7 +283,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) KbdintAuthctxt *kbdintctxt; int authenticated = 0, res; u_int i, nresp; - char **response = NULL, *method; + char *devicename = NULL, **response = NULL; if (authctxt == NULL) fatal("input_userauth_info_response: no authctxt"); @@ -329,9 +329,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) /* Failure! */ break; } - - xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name); - + devicename = kbdintctxt->device->name; if (!authctxt->postponed) { if (authenticated) { auth2_challenge_stop(authctxt); @@ -341,8 +339,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) auth2_challenge_start(authctxt); } } - userauth_finish(authctxt, authenticated, method); - xfree(method); + userauth_finish(authctxt, authenticated, "keyboard-interactive", + devicename); } void diff --git a/auth2-gss.c b/auth2-gss.c index 0d59b21..338c748 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - userauth_finish(authctxt, 0, "gssapi-with-mic"); + userauth_finish(authctxt, 0, "gssapi-with-mic", NULL); } else { if (send_tok.length != 0) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); @@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); - userauth_finish(authctxt, authenticated, "gssapi-with-mic"); + userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); } static void @@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); - userauth_finish(authctxt, authenticated, "gssapi-with-mic"); + userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); } Authmethod method_gssapi = { diff --git a/auth2-jpake.c b/auth2-jpake.c index a460e82..e4ba9aa 100644 --- a/auth2-jpake.c +++ b/auth2-jpake.c @@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt) authctxt->postponed = 0; jpake_free(authctxt->jpake_ctx); authctxt->jpake_ctx = NULL; - userauth_finish(authctxt, authenticated, method_jpake.name); + userauth_finish(authctxt, authenticated, method_jpake.name, NULL); } #endif /* JPAKE */ diff --git a/auth2.c b/auth2.c index b66bef6..ea0fd92 100644 --- a/auth2.c +++ b/auth2.c @@ -96,8 +96,10 @@ static void input_service_request(int, u_int32_t, void *); static void input_userauth_request(int, u_int32_t, void *); /* helper */ -static Authmethod *authmethod_lookup(const char *); -static char *authmethods_get(void); +static Authmethod *authmethod_lookup(Authctxt *, const char *); +static char *authmethods_get(Authctxt *authctxt); +static int method_allowed(Authctxt *, const char *); +static int list_starts_with(const char *, const char *); char * auth2_read_banner(void) @@ -255,6 +257,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (use_privsep) mm_inform_authserv(service, style); userauth_banner(); + if (auth2_setup_methods_lists(authctxt) != 0) + packet_disconnect("no authentication methods enabled"); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " @@ -277,12 +281,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) authctxt->server_caused_failure = 0; /* try to authenticate user */ - m = authmethod_lookup(method); + m = authmethod_lookup(authctxt, method); if (m != NULL && authctxt->failures < options.max_authtries) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); } - userauth_finish(authctxt, authenticated, method); + userauth_finish(authctxt, authenticated, method, NULL); xfree(service); xfree(user); @@ -290,13 +294,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } void -userauth_finish(Authctxt *authctxt, int authenticated, char *method) +userauth_finish(Authctxt *authctxt, int authenticated, const char *method, + const char *submethod) { char *methods; + int partial = 0; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); + if (authenticated && authctxt->postponed) + fatal("INTERNAL ERROR: authenticated and postponed"); /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && @@ -307,6 +315,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) #endif } + if (authenticated && options.num_auth_methods != 0) { + if (!auth2_update_methods_lists(authctxt, method)) { + authenticated = 0; + partial = 1; + } + } + + /* Log before sending the reply */ + auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); + + if (authctxt->postponed) + return; + #ifdef USE_PAM if (options.use_pam && authenticated) { if (!PRIVSEP(do_pam_account())) { @@ -325,17 +346,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) #ifdef _UNICOS if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; - fatal("Access denied for user %s.",authctxt->user); + fatal("Access denied for user %s.", authctxt->user); } #endif /* _UNICOS */ - /* Log before sending the reply */ - auth_log(authctxt, authenticated, method, " ssh2"); - - if (authctxt->postponed) - return; - - /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); @@ -348,7 +362,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* Allow initial try of "none" auth without failure penalty */ if (!authctxt->server_caused_failure && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) + (authctxt->attempt > 1 || strcmp(method, "none") != 0) && + partial == 0) authctxt->failures++; if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS @@ -356,34 +371,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) #endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } - methods = authmethods_get(); + methods = authmethods_get(authctxt); + debug3("%s: failure partial=%d next methods=\"%s\"", __func__, + partial, methods); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); - packet_put_char(0); /* XXX partial success, unused */ + packet_put_char(partial); packet_send(); packet_write_wait(); xfree(methods); } } +/* + * Checks whether method is allowed by at least one AuthenticationMethods + * methods list. Returns 1 if allowed, or no methods lists configured. + * 0 otherwise. + */ +static int +method_allowed(Authctxt *authctxt, const char *method) +{ + u_int i; + + /* + * NB. authctxt->num_auth_methods might be zero as a result of + * auth2_setup_methods_lists(), so check the configuration. + */ + if (options.num_auth_methods == 0) + return 1; + for (i = 0; i < authctxt->num_auth_methods; i++) { + if (list_starts_with(authctxt->auth_methods[i], method)) + return 1; + } + return 0; +} + static char * -authmethods_get(void) +authmethods_get(Authctxt *authctxt) { Buffer b; char *list; - int i; + u_int i; buffer_init(&b); for (i = 0; authmethods[i] != NULL; i++) { if (strcmp(authmethods[i]->name, "none") == 0) continue; - if (authmethods[i]->enabled != NULL && - *(authmethods[i]->enabled) != 0) { - if (buffer_len(&b) > 0) - buffer_append(&b, ",", 1); - buffer_append(&b, authmethods[i]->name, - strlen(authmethods[i]->name)); - } + if (authmethods[i]->enabled == NULL || + *(authmethods[i]->enabled) == 0) + continue; + if (!method_allowed(authctxt, authmethods[i]->name)) + continue; + if (buffer_len(&b) > 0) + buffer_append(&b, ",", 1); + buffer_append(&b, authmethods[i]->name, + strlen(authmethods[i]->name)); } buffer_append(&b, "\0", 1); list = xstrdup(buffer_ptr(&b)); @@ -392,7 +434,7 @@ authmethods_get(void) } static Authmethod * -authmethod_lookup(const char *name) +authmethod_lookup(Authctxt *authctxt, const char *name) { int i; @@ -400,10 +442,152 @@ authmethod_lookup(const char *name) for (i = 0; authmethods[i] != NULL; i++) if (authmethods[i]->enabled != NULL && *(authmethods[i]->enabled) != 0 && - strcmp(name, authmethods[i]->name) == 0) + strcmp(name, authmethods[i]->name) == 0 && + method_allowed(authctxt, authmethods[i]->name)) return authmethods[i]; debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); return NULL; } +/* + * Check a comma-separated list of methods for validity. Is need_enable is + * non-zero, then also require that the methods are enabled. + * Returns 0 on success or -1 if the methods list is invalid. + */ +int +auth2_methods_valid(const char *_methods, int need_enable) +{ + char *methods, *omethods, *method; + u_int i, found; + int ret = -1; + + if (*_methods == '\0') { + error("empty authentication method list"); + return -1; + } + omethods = methods = xstrdup(_methods); + while ((method = strsep(&methods, ",")) != NULL) { + for (found = i = 0; !found && authmethods[i] != NULL; i++) { + if (strcmp(method, authmethods[i]->name) != 0) + continue; + if (need_enable) { + if (authmethods[i]->enabled == NULL || + *(authmethods[i]->enabled) == 0) { + error("Disabled method \"%s\" in " + "AuthenticationMethods list \"%s\"", + method, _methods); + goto out; + } + } + found = 1; + break; + } + if (!found) { + error("Unknown authentication method \"%s\" in list", + method); + goto out; + } + } + ret = 0; + out: + free(omethods); + return ret; +} + +/* + * Prune the AuthenticationMethods supplied in the configuration, removing + * any methods lists that include disabled methods. Note that this might + * leave authctxt->num_auth_methods == 0, even when multiple required auth + * has been requested. For this reason, all tests for whether multiple is + * enabled should consult options.num_auth_methods directly. + */ +int +auth2_setup_methods_lists(Authctxt *authctxt) +{ + u_int i; + + if (options.num_auth_methods == 0) + return 0; + debug3("%s: checking methods", __func__); + authctxt->auth_methods = xcalloc(options.num_auth_methods, + sizeof(*authctxt->auth_methods)); + authctxt->num_auth_methods = 0; + for (i = 0; i < options.num_auth_methods; i++) { + if (auth2_methods_valid(options.auth_methods[i], 1) != 0) { + logit("Authentication methods list \"%s\" contains " + "disabled method, skipping", + options.auth_methods[i]); + continue; + } + debug("authentication methods list %d: %s", + authctxt->num_auth_methods, options.auth_methods[i]); + authctxt->auth_methods[authctxt->num_auth_methods++] = + xstrdup(options.auth_methods[i]); + } + if (authctxt->num_auth_methods == 0) { + error("No AuthenticationMethods left after eliminating " + "disabled methods"); + return -1; + } + return 0; +} + +static int +list_starts_with(const char *methods, const char *method) +{ + size_t l = strlen(method); + + if (strncmp(methods, method, l) != 0) + return 0; + if (methods[l] != ',' && methods[l] != '\0') + return 0; + return 1; +} + +/* + * Remove method from the start of a comma-separated list of methods. + * Returns 0 if the list of methods did not start with that method or 1 + * if it did. + */ +static int +remove_method(char **methods, const char *method) +{ + char *omethods = *methods; + size_t l = strlen(method); + + if (!list_starts_with(omethods, method)) + return 0; + *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); + free(omethods); + return 1; +} + +/* + * Called after successful authentication. Will remove the successful method + * from the start of each list in which it occurs. If it was the last method + * in any list, then authentication is deemed successful. + * Returns 1 if the method completed any authentication list or 0 otherwise. + */ +int +auth2_update_methods_lists(Authctxt *authctxt, const char *method) +{ + u_int i, found = 0; + + debug3("%s: updating methods list after \"%s\"", __func__, method); + for (i = 0; i < authctxt->num_auth_methods; i++) { + if (!remove_method(&(authctxt->auth_methods[i]), method)) + continue; + found = 1; + if (*authctxt->auth_methods[i] == '\0') { + debug2("authentication methods list %d complete", i); + return 1; + } + debug3("authentication methods list %d remaining: \"%s\"", + i, authctxt->auth_methods[i]); + } + /* This should not happen, but would be bad if it did */ + if (!found) + fatal("%s: method not in AuthenticationMethods", __func__); + return 0; +} diff --git a/monitor.c b/monitor.c index 1dc42f5..66f3eea 100644 --- a/monitor.c +++ b/monitor.c @@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY; static char *hostbased_cuser = NULL; static char *hostbased_chost = NULL; static char *auth_method = "unknown"; +static char *auth_submethod = NULL; static u_int session_id2_len = 0; static u_char *session_id2 = NULL; static pid_t monitor_child_pid; @@ -352,7 +353,7 @@ void monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) { struct mon_table *ent; - int authenticated = 0; + int authenticated = 0, partial = 0; debug3("preauth child monitor started"); @@ -379,8 +380,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) /* The first few requests do not require asynchronous access */ while (!authenticated) { + partial = 0; auth_method = "unknown"; + auth_submethod = NULL; authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); + + /* Special handling for multiple required authentications */ + if (options.num_auth_methods != 0) { + if (!compat20) + fatal("AuthenticationMethods is not supported" + "with SSH protocol 1"); + if (authenticated && + !auth2_update_methods_lists(authctxt, + auth_method)) { + debug3("%s: method %s: partial", __func__, + auth_method); + authenticated = 0; + partial = 1; + } + } + if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) fatal("%s: unexpected authentication from %d", @@ -403,9 +422,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) } if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { - auth_log(authctxt, authenticated, auth_method, + auth_log(authctxt, authenticated, partial, + auth_method, auth_submethod, compat20 ? " ssh2" : ""); - if (!authenticated) + if (!authenticated && !partial) authctxt->failures++; } #ifdef JPAKE @@ -781,7 +801,17 @@ mm_answer_pwnamallow(int sock, Buffer *m) COPY_MATCH_STRING_OPTS(); #undef M_CP_STROPT #undef M_CP_STRARRAYOPT - + + /* Create valid auth method lists */ + if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { + /* + * The monitor will continue long enough to let the child + * run to it's packet_disconnect(), but it must not allow any + * authentication to succeed. + */ + debug("%s: no valid authentication method lists", __func__); + } + debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); mm_request_send(sock, MONITOR_ANS_PWNAM, m); @@ -918,7 +948,11 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); - auth_method = "bsdauth"; + if (compat20) + auth_method = "keyboard-interactive"; /* XXX auth_submethod */ + else + auth_method = "bsdauth"; + return (authok != 0); } @@ -1057,7 +1091,9 @@ mm_answer_pam_query(int sock, Buffer *m) xfree(prompts); if (echo_on != NULL) xfree(echo_on); - auth_method = "keyboard-interactive/pam"; + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; + mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); return (0); } @@ -1086,7 +1122,8 @@ mm_answer_pam_respond(int sock, Buffer *m) buffer_clear(m); buffer_put_int(m, ret); mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); - auth_method = "keyboard-interactive/pam"; + auth_method = "keyboard-interactive"; + auth_submethod= "pam"; if (ret == 0) sshpam_authok = sshpam_ctxt; return (0); @@ -1100,7 +1137,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) (sshpam_device.free_ctx)(sshpam_ctxt); buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); - auth_method = "keyboard-interactive/pam"; + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; return (sshpam_authok == sshpam_ctxt); } #endif @@ -1178,7 +1216,8 @@ mm_answer_keyallowed(int sock, Buffer *m) hostbased_chost = chost; } else { /* Log failed attempt */ - auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); + auth_log(authctxt, 0, 0, auth_method, NULL, + compat20 ? " ssh2" : ""); xfree(blob); xfree(cuser); xfree(chost); diff --git a/servconf.c b/servconf.c index 906778f..2c84993 100644 --- a/servconf.c +++ b/servconf.c @@ -48,6 +48,8 @@ #include "groupaccess.h" #include "canohost.h" #include "packet.h" +#include "hostfile.h" +#include "auth.h" static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); @@ -329,6 +331,7 @@ typedef enum { sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthenticationMethods, sDeprecated, sUnsupported } ServerOpCodes; @@ -454,6 +457,7 @@ static struct { { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, + { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1498,6 +1502,24 @@ process_server_config_line(ServerOptions *options, char *line, } return 0; + case sAuthenticationMethods: + if (*activep && options->num_auth_methods == 0) { + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_auth_methods >= + MAX_AUTH_METHODS) + fatal("%s line %d: " + "too many authentication methods.", + filename, linenum); + if (auth2_methods_valid(arg, 0) != 0) + fatal("%s line %d: invalid " + "authentication method list.", + filename, linenum); + options->auth_methods[ + options->num_auth_methods++] = xstrdup(arg); + } + } + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1925,6 +1947,8 @@ dump_config(ServerOptions *o) dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); + dump_cfg_strarray_oneline(sAuthenticationMethods, + o->num_auth_methods, o->auth_methods); /* other arguments */ for (i = 0; i < o->num_subsystems; i++) diff --git a/servconf.h b/servconf.h index 096d596..ef80eef 100644 --- a/servconf.h +++ b/servconf.h @@ -28,6 +28,7 @@ #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ #define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ +#define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */ /* permit_root_login */ #define PERMIT_NOT_SET -1 @@ -168,6 +169,9 @@ typedef struct { char *authorized_principals_file; char *version_addendum; /* Appended to SSH banner */ + + u_int num_auth_methods; + char *auth_methods[MAX_AUTH_METHODS]; } ServerOptions; /* Information about the incoming connection as used by Match */ @@ -197,6 +201,7 @@ struct connection_info { M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ M_CP_STRARRAYOPT(accept_env, num_accept_env); \ + M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ } while (0) struct connection_info *get_connection_info(int, int); diff --git a/sshd.c b/sshd.c index d5ec4e6..cb4bdd3 100644 --- a/sshd.c +++ b/sshd.c @@ -1333,6 +1333,7 @@ main(int ac, char **av) int remote_port; char *line; int config_s[2] = { -1 , -1 }; + u_int n; u_int64_t ibytes, obytes; mode_t new_umask; Key *key; @@ -1555,6 +1556,26 @@ main(int ac, char **av) if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; + /* + * Check whether there is any path through configured auth methods. + * Unfortunately it is not possible to verify this generally before + * daemonisation in the presence of Match block, but this catches + * and warns for trivial misconfigurations that could break login. + */ + if (options.num_auth_methods != 0) { + if ((options.protocol & SSH_PROTO_1)) + fatal("AuthenticationMethods is not supported with " + "SSH protocol 1"); + for (n = 0; n < options.num_auth_methods; n++) { + if (auth2_methods_valid(options.auth_methods[n], + 1) == 0) + break; + } + if (n >= options.num_auth_methods) + fatal("AuthenticationMethods cannot be satisfied by " + "enabled authentication methods"); + } + /* set default channel AF */ channel_set_af(options.address_family); diff --git a/sshd_config.5 b/sshd_config.5 index 314ecfb..ed81ac8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -151,6 +151,28 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AuthenticationMethods +Specifies the authentication methods that must be successfully completed +for a user to be granted access. +This option must be followed by one or more comma-separated lists of +authentication method names. +Successful authentication requires completion of every method in at least +one of these lists. +.Pp +For example, an argument of +.Dq publickey,password publickey,keyboard-interactive +would require the user to complete public key authentication, followed by +either password or keyboard interactive authentication. +Only methods that are next in one or more lists are offered at each stage, +so for this example, it would not be possible to attempt password or +keyboard-interactive authentication before public key. +.Pp +This option is only available for SSH protocol 2 and will yield a fatal +error if enabled if protocol 1 is also enabled. +Note that each authentication method listed should also be explicitly enabled +in the configuration. +The default is not to require multiple authentication; successful completion +of a single authentication method is sufficient. .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. @@ -711,6 +733,7 @@ Available keywords are .Cm AllowGroups , .Cm AllowTcpForwarding , .Cm AllowUsers , +.Cm AuthenticationMethods , .Cm AuthorizedKeysFile , .Cm AuthorizedPrincipalsFile , .Cm Banner ,