9d8fd3ad SS |
1 | diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h |
2 | --- openssh-5.9p1/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200 | |
3 | +++ openssh-5.9p1/auth.h 2011-09-17 11:36:54.314522599 +0200 | |
4 | @@ -149,6 +149,8 @@ int auth_root_allowed(char *); | |
5 | ||
6 | char *auth2_read_banner(void); | |
7 | ||
8 | +void userauth_restart(const char *); | |
9 | + | |
10 | void privsep_challenge_enable(void); | |
11 | ||
12 | int auth2_challenge(Authctxt *, char *); | |
13 | diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c | |
14 | --- openssh-5.9p1/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200 | |
15 | +++ openssh-5.9p1/auth2.c 2011-09-17 11:36:54.402521709 +0200 | |
16 | @@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32 | |
17 | } | |
18 | ||
19 | void | |
20 | +userauth_restart(const char *method) | |
21 | +{ | |
22 | + options.two_factor_authentication = 0; | |
23 | + | |
24 | + debug2("userauth restart, method = %s", method); | |
25 | + options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name); | |
26 | +#ifdef GSSAPI | |
27 | + options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name); | |
28 | +#endif | |
29 | +#ifdef JPAKE | |
30 | + options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name); | |
31 | +#endif | |
32 | + options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name); | |
33 | + options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name); | |
34 | + options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name); | |
35 | +} | |
36 | + | |
37 | +void | |
38 | userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |
39 | { | |
40 | char *methods; | |
41 | @@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int | |
42 | ||
43 | /* XXX todo: check if multiple auth methods are needed */ | |
44 | if (authenticated == 1) { | |
45 | + if (options.two_factor_authentication) { | |
46 | + userauth_restart(method); | |
47 | + debug("1st factor authentication done go to 2nd factor"); | |
48 | + goto ask_methods; | |
49 | + } | |
50 | + | |
51 | /* turn off userauth */ | |
52 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); | |
53 | packet_start(SSH2_MSG_USERAUTH_SUCCESS); | |
54 | @@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int | |
55 | #endif | |
56 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); | |
57 | } | |
58 | +ask_methods: | |
59 | methods = authmethods_get(); | |
60 | + debug2("next auth methods = %s", methods); | |
61 | packet_start(SSH2_MSG_USERAUTH_FAILURE); | |
62 | packet_put_cstring(methods); | |
63 | packet_put_char(0); /* XXX partial success, unused */ | |
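Review bot: The `goto ask_methods` added under `if (options.two_factor_authentication)` answers a successful first factor with SSH2_MSG_USERAUTH_FAILURE whose partial-success byte is still the hard-coded `packet_put_char(0);` at the jump target; RFC 4252 section 5.1 requires that flag to be TRUE when the request being answered succeeded, so a conforming client will treat the first factor as rejected and may re-prompt for the same credential or count a failure. I would declare `int partial = 0;` beside `char *methods;`, set `partial = 1;` just before `goto ask_methods;`, and send `packet_put_char(partial);`. If the `auth_log()` call earlier in userauth_finish (outside this hunk) is unchanged, it has already recorded this attempt as accepted before the second factor is requested, so the "1st factor authentication done" message deserves `logit()` rather than `debug()` so that an operator reading the log can tell a half-completed login from a granted one. `userauth_restart` also rewrites the global `options` in place, which is what makes the second round exclude the first method; a comment above it saying it is meant to run once per connection, after the first factor, would help the next reader.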
64 | diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c | |
65 | --- openssh-5.9p1/monitor.c.2auth 2011-08-05 22:15:18.000000000 +0200 | |
66 | +++ openssh-5.9p1/monitor.c 2011-09-17 11:36:54.513491937 +0200 | |
67 | @@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx | |
68 | } | |
69 | } | |
70 | #endif | |
71 | + if (authenticated && options.two_factor_authentication) { | |
72 | + userauth_restart(auth_method); | |
73 | + authenticated = 0; | |
74 | + } | |
75 | } | |
76 | ||
77 | /* Drain any buffered messages from the child */ | |
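Review bot: After `authenticated = 0;` the monitor keeps waiting for another authentication, but nothing in this hunk makes the privileged side refuse a repeat of the first method: `userauth_restart` only flips `options.*_authentication`, and whether the monitor's request handlers consult those flags, rather than only the unprivileged child's method dispatch table, is not visible here, so the "two different factors" guarantee may rest on the sandboxed child alone. A more robust version records the first method in the monitor (for example `first_method = xstrdup(auth_method);`) and terminates with `fatal()` when a later MON_AUTHDECIDE result carries the same `auth_method`. Related, every test in `userauth_restart` is a `strcmp` against the method tables, so if a handler leaves the file-scope `auth_method` at its placeholder default the first method is not excluded and the same factor can be accepted twice; checking that `auth_method` names a real method before calling `userauth_restart` closes that gap. The enclosing `monitor_child_preauth` starts before this hunk and its loop condition is not shown, so I am assuming `authenticated = 0` is what keeps it iterating.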
78 | diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c | |
79 | --- openssh-5.9p1/servconf.c.2auth 2011-06-23 00:30:03.000000000 +0200 | |
80 | +++ openssh-5.9p1/servconf.c 2011-09-17 11:36:54.632461730 +0200 | |
81 | @@ -92,6 +92,13 @@ initialize_server_options(ServerOptions | |
82 | options->hostbased_uses_name_from_packet_only = -1; | |
83 | options->rsa_authentication = -1; | |
84 | options->pubkey_authentication = -1; | |
85 | + options->two_factor_authentication = -1; | |
86 | + options->second_pubkey_authentication = -1; | |
87 | + options->second_gss_authentication = -1; | |
88 | + options->second_password_authentication = -1; | |
89 | + options->second_kbd_interactive_authentication = -1; | |
90 | + options->second_zero_knowledge_password_authentication = -1; | |
91 | + options->second_hostbased_authentication = -1; | |
92 | options->kerberos_authentication = -1; | |
93 | options->kerberos_or_local_passwd = -1; | |
94 | options->kerberos_ticket_cleanup = -1; | |
95 | @@ -237,6 +244,20 @@ fill_default_server_options(ServerOption | |
96 | options->permit_empty_passwd = 0; | |
97 | if (options->permit_user_env == -1) | |
98 | options->permit_user_env = 0; | |
99 | + if (options->two_factor_authentication == -1) | |
100 | + options->two_factor_authentication = 0; | |
101 | + if (options->second_pubkey_authentication == -1) | |
102 | + options->second_pubkey_authentication = 1; | |
103 | + if (options->second_gss_authentication == -1) | |
104 | + options->second_gss_authentication = 0; | |
105 | + if (options->second_password_authentication == -1) | |
106 | + options->second_password_authentication = 1; | |
107 | + if (options->second_kbd_interactive_authentication == -1) | |
108 | + options->second_kbd_interactive_authentication = 0; | |
109 | + if (options->second_zero_knowledge_password_authentication == -1) | |
110 | + options->second_zero_knowledge_password_authentication = 0; | |
111 | + if (options->second_hostbased_authentication == -1) | |
112 | + options->second_hostbased_authentication = 0; | |
113 | if (options->use_login == -1) | |
114 | options->use_login = 0; | |
115 | if (options->compression == -1) | |
116 | @@ -316,8 +337,11 @@ typedef enum { | |
117 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, | |
118 | sMaxStartups, sMaxAuthTries, sMaxSessions, | |
119 | sBanner, sUseDNS, sHostbasedAuthentication, | |
120 | - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | |
121 | - sClientAliveCountMax, sAuthorizedKeysFile, | |
122 | + sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication, | |
123 | + sSecondPubkeyAuthentication, sSecondGssAuthentication, | |
124 | + sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication, | |
125 | + sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication, | |
126 | + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | |
127 | sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | |
128 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | |
129 | sUsePrivilegeSeparation, sAllowAgentForwarding, | |
130 | @@ -395,6 +419,21 @@ static struct { | |
131 | #else | |
132 | { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, | |
133 | #endif | |
134 | + { "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL }, | |
135 | + { "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL }, | |
136 | +#ifdef GSSAPI | |
137 | + { "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL }, | |
138 | +#else | |
139 | + { "secondgssapiauthentication", sUnsupported, SSHCFG_ALL }, | |
140 | +#endif | |
141 | + { "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL }, | |
142 | + { "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL }, | |
143 | +#ifdef JPAKE | |
144 | + { "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, | |
145 | +#else | |
146 | + { "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, | |
147 | +#endif | |
148 | + { "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL }, | |
149 | { "checkmail", sDeprecated, SSHCFG_GLOBAL }, | |
150 | { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, | |
151 | { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, | |
152 | @@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions | |
153 | intptr = &options->challenge_response_authentication; | |
154 | goto parse_flag; | |
155 | ||
156 | + case sTwoFactorAuthentication: | |
157 | + intptr = &options->two_factor_authentication; | |
158 | + goto parse_flag; | |
159 | + | |
160 | + case sSecondPubkeyAuthentication: | |
161 | + intptr = &options->second_pubkey_authentication; | |
162 | + goto parse_flag; | |
163 | + | |
164 | + case sSecondGssAuthentication: | |
165 | + intptr = &options->second_gss_authentication; | |
166 | + goto parse_flag; | |
167 | + | |
168 | + case sSecondPasswordAuthentication: | |
169 | + intptr = &options->second_password_authentication; | |
170 | + goto parse_flag; | |
171 | + | |
172 | + case sSecondKbdInteractiveAuthentication: | |
173 | + intptr = &options->second_kbd_interactive_authentication; | |
174 | + goto parse_flag; | |
175 | + | |
176 | + case sSecondZeroKnowledgePasswordAuthentication: | |
177 | + intptr = &options->second_zero_knowledge_password_authentication; | |
178 | + goto parse_flag; | |
179 | + | |
180 | + case sSecondHostbasedAuthentication: | |
181 | + intptr = &options->second_hostbased_authentication; | |
182 | + goto parse_flag; | |
183 | + | |
184 | case sPrintMotd: | |
185 | intptr = &options->print_motd; | |
186 | goto parse_flag; | |
187 | @@ -1491,14 +1558,21 @@ void | |
188 | copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |
189 | { | |
190 | M_CP_INTOPT(password_authentication); | |
191 | + M_CP_INTOPT(second_password_authentication); | |
192 | M_CP_INTOPT(gss_authentication); | |
193 | + M_CP_INTOPT(second_gss_authentication); | |
194 | M_CP_INTOPT(rsa_authentication); | |
195 | M_CP_INTOPT(pubkey_authentication); | |
196 | + M_CP_INTOPT(second_pubkey_authentication); | |
197 | M_CP_INTOPT(kerberos_authentication); | |
198 | M_CP_INTOPT(hostbased_authentication); | |
199 | + M_CP_INTOPT(second_hostbased_authentication); | |
200 | M_CP_INTOPT(hostbased_uses_name_from_packet_only); | |
201 | M_CP_INTOPT(kbd_interactive_authentication); | |
202 | + M_CP_INTOPT(second_kbd_interactive_authentication); | |
203 | M_CP_INTOPT(zero_knowledge_password_authentication); | |
204 | + M_CP_INTOPT(second_zero_knowledge_password_authentication); | |
205 | + M_CP_INTOPT(two_factor_authentication); | |
206 | M_CP_INTOPT(permit_root_login); | |
207 | M_CP_INTOPT(permit_empty_passwd); | |
208 | ||
209 | @@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o) | |
210 | #endif | |
211 | #ifdef GSSAPI | |
212 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | |
213 | + dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication); | |
214 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | |
215 | #endif | |
216 | #ifdef JPAKE | |
217 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | |
218 | o->zero_knowledge_password_authentication); | |
219 | + dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication, | |
220 | + o->second_zero_knowledge_password_authentication); | |
221 | #endif | |
222 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | |
223 | + dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication); | |
224 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | |
225 | o->kbd_interactive_authentication); | |
226 | + dump_cfg_fmtint(sSecondKbdInteractiveAuthentication, | |
227 | + o->second_kbd_interactive_authentication); | |
228 | dump_cfg_fmtint(sChallengeResponseAuthentication, | |
229 | o->challenge_response_authentication); | |
230 | + dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication); | |
231 | dump_cfg_fmtint(sPrintMotd, o->print_motd); | |
232 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); | |
233 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); | |
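Review bot: `dump_config` gains entries for five of the seven new options but none for `second_pubkey_authentication` or `second_hostbased_authentication`, so `sshd -T` will not report the effective SecondPubkeyAuthentication and SecondHostbasedAuthentication values even though both are parsed in process_server_config_line and copied in `copy_set_server_options`. Add `dump_cfg_fmtint(sSecondPubkeyAuthentication, o->second_pubkey_authentication);` and `dump_cfg_fmtint(sSecondHostbasedAuthentication, o->second_hostbased_authentication);` beside the existing sPubkeyAuthentication and sHostbasedAuthentication dumps, which sit before this hunk. Separately, `fill_default_server_options` sets `second_kbd_interactive_authentication = 0`, while the shipped sshd_config comment `#SecondKBDInteractiveAuthentication yes` and the `.Dq yes` default in the sshd_config.5 entry both document the default as yes; one side has to change, and since KbdInteractiveAuthentication itself defaults off in this file, the code value looks like the intended one.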
234 | diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h | |
235 | --- openssh-5.9p1/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200 | |
236 | +++ openssh-5.9p1/servconf.h 2011-09-17 11:36:54.749584245 +0200 | |
237 | @@ -112,6 +112,14 @@ typedef struct { | |
238 | /* If true, permit jpake auth */ | |
239 | int permit_empty_passwd; /* If false, do not permit empty | |
240 | * passwords. */ | |
241 | + int two_factor_authentication; /* If true, the first sucessful authentication | |
242 | + * will be followed by the second one from anorher set */ | |
243 | + int second_pubkey_authentication; /* second set of authentications */ | |
244 | + int second_gss_authentication; | |
245 | + int second_password_authentication; | |
246 | + int second_kbd_interactive_authentication; | |
247 | + int second_zero_knowledge_password_authentication; | |
248 | + int second_hostbased_authentication; | |
249 | int permit_user_env; /* If true, read ~/.ssh/environment */ | |
250 | int use_login; /* If true, login(1) is used */ | |
251 | int compression; /* If true, compression is allowed */ | |
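Review bot: The new field comment has two typos (`sucessful`, `anorher`) and does not say what the second set is relative to; I would write it as `/* If true, a successful first authentication must be followed by a second one using a method from the second_* set other than the one just used */`. Tag `second_pubkey_authentication` with `/* second set; -1 = unset, see fill_default_server_options() */` so the tri-state that initialize_server_options relies on is visible here as it is for the neighbouring fields. The remaining `second_*` members then need no individual comments.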
252 | diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config | |
253 | --- openssh-5.9p1/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200 | |
254 | +++ openssh-5.9p1/sshd_config 2011-09-17 11:36:54.859588726 +0200 | |
255 | @@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys | |
256 | # and ChallengeResponseAuthentication to 'no'. | |
257 | #UsePAM no | |
258 | ||
259 | +#TwoFactorAuthentication no | |
260 | +#SecondPubkeyAuthentication yes | |
261 | +#SecondHostbasedAuthentication no | |
262 | +#SecondPasswordAuthentication yes | |
263 | +#SecondKBDInteractiveAuthentication yes | |
264 | +#SecondGSSAPIAuthentication no | |
265 | + | |
266 | #AllowAgentForwarding yes | |
267 | #AllowTcpForwarding yes | |
268 | #GatewayPorts no | |
269 | diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5 | |
270 | --- openssh-5.9p1/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200 | |
271 | +++ openssh-5.9p1/sshd_config.5 2011-09-17 13:45:49.022521436 +0200 | |
272 | @@ -726,6 +726,12 @@ Available keywords are | |
273 | .Cm PubkeyAuthentication , | |
274 | .Cm RhostsRSAAuthentication , | |
275 | .Cm RSAAuthentication , | |
276 | +.Cm SecondGSSAPIAuthentication , | |
277 | +.Cm SecondHostbasedAuthentication , | |
278 | +.Cm SecondKbdInteractiveAuthentication , | |
279 | +.Cm SecondPasswordAuthentication , | |
280 | +.Cm SecondPubkeyAuthentication , | |
281 | +.Cm TwoFactorAuthentication , | |
282 | .Cm X11DisplayOffset , | |
283 | .Cm X11Forwarding | |
284 | and | |
285 | @@ -931,6 +937,45 @@ Specifies whether pure RSA authenticatio | |
286 | The default is | |
287 | .Dq yes . | |
288 | This option applies to protocol version 1 only. | |
289 | +.It Cm SecondGSSAPIAuthentication | |
290 | +Specifies whether the | |
291 | +.Cm GSSAPIAuthentication | |
292 | +may be used on the second authentication while | |
293 | +.Cm TwoFactorAuthentication | |
294 | +is set. | |
295 | +The default is | |
296 | +.Dq no . | |
297 | +.It Cm SecondHostbasedAuthentication | |
298 | +Specifies whether the | |
299 | +.Cm HostbasedAuthentication | |
300 | +may be used on the second authentication while | |
301 | +.Cm TwoFactorAuthentication | |
302 | +is set. | |
303 | +The default is | |
304 | +.Dq no . | |
305 | +.It Cm SecondKbdInteractiveAuthentication | |
306 | +Specifies whether the | |
307 | +.Cm KbdInteractiveAuthentication | |
308 | +may be used on the second authentication while | |
309 | +.Cm TwoFactorAuthentication | |
310 | +is set. | |
311 | +The default is | |
312 | +.Dq yes . | |
313 | +.It Cm SecondPasswordAuthentication | |
314 | +Specifies whether the | |
315 | +.Cm PasswordAuthentication | |
316 | +may be used on the second authentication while | |
317 | +.Cm TwoFactorAuthentication | |
318 | +is set. | |
319 | +The default is | |
320 | +.Dq yes . | |
321 | +Specifies whether the | |
322 | +.Cm PubkeyAuthentication | |
323 | +may be used on the second authentication while | |
324 | +.Cm TwoFactorAuthentication | |
325 | +is set. | |
326 | +The default is | |
327 | +.Dq yes . | |
328 | .It Cm ServerKeyBits | |
329 | Defines the number of bits in the ephemeral protocol version 1 server key. | |
330 | The minimum value is 512, and the default is 1024. | |
331 | @@ -1011,6 +1056,23 @@ For more details on certificates, see th | |
332 | .Sx CERTIFICATES | |
333 | section in | |
334 | .Xr ssh-keygen 1 . | |
335 | +.It Cm TwoFactorAuthentication | |
336 | +Specifies whether for a successful login is necessary to meet two independent authentications. | |
337 | +If select the first method is selected from the set of allowed methods from | |
338 | +.Cm GSSAPIAuthentication , | |
339 | +.Cm HostbasedAuthentication , | |
340 | +.Cm KbdInteractiveAuthentication , | |
341 | +.Cm PasswordAuthentication , | |
342 | +.Cm PubkeyAuthentication . | |
343 | +And the second method is selected from the set of allowed methods from | |
344 | +.Cm SecondGSSAPIAuthentication , | |
345 | +.Cm SecondHostbasedAuthentication , | |
346 | +.Cm SecondKbdInteractiveAuthentication , | |
347 | +.Cm SecondPasswordAuthentication , | |
348 | +.Cm SecondPubkeyAuthentication | |
349 | +without the method used for the first authentication. | |
350 | +The default is | |
351 | +.Dq no . | |
352 | .It Cm UseDNS | |
353 | Specifies whether | |
354 | .Xr sshd 8 |
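Review bot: The paragraph that begins `Specifies whether the` / `.Cm PubkeyAuthentication` / `may be used on the second authentication` has no `.It Cm SecondPubkeyAuthentication` line in front of it, so it renders as a second paragraph of the SecondPasswordAuthentication entry and the keyword listed in the Match section above has no definition of its own; insert `.It Cm SecondPubkeyAuthentication` immediately before that `Specifies whether the`. The TwoFactorAuthentication entry reads `If select the first method is selected from the set of allowed methods from`, which is garbled; I would reword it as `When enabled, the first method is chosen from the allowed methods among` ... `and the second from the allowed methods among` ... `excluding the method used for the first authentication.` The stated default of `.Dq yes` for SecondKbdInteractiveAuthentication disagrees with the fallback of 0 assigned in servconf.c's fill_default_server_options in this same patch.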