[people/ms/ipfire-3.x.git] / openssh / patches / openssh-5.9p1-2auth.patch

diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.2auth  2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h        2011-09-17 11:36:54.314522599 +0200
@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
 
 char   *auth2_read_banner(void);
 
+void   userauth_restart(const char *);
+
 void   privsep_challenge_enable(void);
 
 int    auth2_challenge(Authctxt *, char *);
diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2.c       2011-09-17 11:36:54.402521709 +0200
@@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32
 }
 
 void
+userauth_restart(const char *method)
+{
+       options.two_factor_authentication = 0;
+
+       debug2("userauth restart, method = %s", method);
+       options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
+#ifdef GSSAPI
+       options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
+#endif
+#ifdef JPAKE
+       options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
+#endif
+       options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
+       options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
+       options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
+}
+
+void
 userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 {
        char *methods;
@@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int
 
        /* XXX todo: check if multiple auth methods are needed */
        if (authenticated == 1) {
+               if (options.two_factor_authentication) {
+                       userauth_restart(method);
+                       debug("1st factor authentication done go to 2nd factor");
+                       goto ask_methods;
+               }
+
                /* turn off userauth */
                dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
                packet_start(SSH2_MSG_USERAUTH_SUCCESS);
@@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int
 #endif
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
+ask_methods:
                methods = authmethods_get();
+               debug2("next auth methods = %s", methods);
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
                packet_put_char(0);     /* XXX partial success, unused */
diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.2auth       2011-08-05 22:15:18.000000000 +0200
+++ openssh-5.9p1/monitor.c     2011-09-17 11:36:54.513491937 +0200
@@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx
                        }
                }
 #endif
+               if (authenticated && options.two_factor_authentication) {
+                       userauth_restart(auth_method);
+                       authenticated = 0;
+               }
        }
 
        /* Drain any buffered messages from the child */
diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.2auth      2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.c    2011-09-17 11:36:54.632461730 +0200
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
        options->hostbased_uses_name_from_packet_only = -1;
        options->rsa_authentication = -1;
        options->pubkey_authentication = -1;
+       options->two_factor_authentication = -1;
+       options->second_pubkey_authentication = -1;
+       options->second_gss_authentication = -1;
+       options->second_password_authentication = -1;
+       options->second_kbd_interactive_authentication = -1;
+       options->second_zero_knowledge_password_authentication = -1;
+       options->second_hostbased_authentication = -1;
        options->kerberos_authentication = -1;
        options->kerberos_or_local_passwd = -1;
        options->kerberos_ticket_cleanup = -1;
@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1)
                options->permit_user_env = 0;
+       if (options->two_factor_authentication == -1)
+               options->two_factor_authentication = 0;
+       if (options->second_pubkey_authentication == -1)
+               options->second_pubkey_authentication = 1;
+       if (options->second_gss_authentication == -1)
+               options->second_gss_authentication = 0;
+       if (options->second_password_authentication == -1)
+               options->second_password_authentication = 1;
+       if (options->second_kbd_interactive_authentication == -1)
+               options->second_kbd_interactive_authentication = 0;
+       if (options->second_zero_knowledge_password_authentication == -1)
+               options->second_zero_knowledge_password_authentication = 0;
+       if (options->second_hostbased_authentication == -1)
+               options->second_hostbased_authentication = 0;
        if (options->use_login == -1)
                options->use_login = 0;
        if (options->compression == -1)
@@ -316,8 +337,11 @@ typedef enum {
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
        sMaxStartups, sMaxAuthTries, sMaxSessions,
        sBanner, sUseDNS, sHostbasedAuthentication,
-       sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
-       sClientAliveCountMax, sAuthorizedKeysFile,
+       sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
+       sSecondPubkeyAuthentication, sSecondGssAuthentication,
+       sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
+       sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
+       sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
        sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -395,6 +419,21 @@ static struct {
 #else
        { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
 #endif
+       { "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
+       { "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
+#ifdef GSSAPI
+       { "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
+#else
+       { "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+       { "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
+       { "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
+#ifdef JPAKE
+       { "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
+#else
+       { "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+       { "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
        { "checkmail", sDeprecated, SSHCFG_GLOBAL },
        { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
        { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
                intptr = &options->challenge_response_authentication;
                goto parse_flag;
 
+       case sTwoFactorAuthentication:
+               intptr = &options->two_factor_authentication;
+               goto parse_flag;
+
+       case sSecondPubkeyAuthentication:
+               intptr = &options->second_pubkey_authentication;
+               goto parse_flag;
+
+       case sSecondGssAuthentication:
+               intptr = &options->second_gss_authentication;
+               goto parse_flag;
+
+       case sSecondPasswordAuthentication:
+               intptr = &options->second_password_authentication;
+               goto parse_flag;
+
+       case sSecondKbdInteractiveAuthentication:
+               intptr = &options->second_kbd_interactive_authentication;
+               goto parse_flag;
+
+       case sSecondZeroKnowledgePasswordAuthentication:
+               intptr = &options->second_zero_knowledge_password_authentication;
+               goto parse_flag;
+
+       case sSecondHostbasedAuthentication:
+               intptr = &options->second_hostbased_authentication;
+               goto parse_flag;
+
        case sPrintMotd:
                intptr = &options->print_motd;
                goto parse_flag;
@@ -1491,14 +1558,21 @@ void
 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
        M_CP_INTOPT(password_authentication);
+       M_CP_INTOPT(second_password_authentication);
        M_CP_INTOPT(gss_authentication);
+       M_CP_INTOPT(second_gss_authentication);
        M_CP_INTOPT(rsa_authentication);
        M_CP_INTOPT(pubkey_authentication);
+       M_CP_INTOPT(second_pubkey_authentication);
        M_CP_INTOPT(kerberos_authentication);
        M_CP_INTOPT(hostbased_authentication);
+       M_CP_INTOPT(second_hostbased_authentication);
        M_CP_INTOPT(hostbased_uses_name_from_packet_only);
        M_CP_INTOPT(kbd_interactive_authentication);
+       M_CP_INTOPT(second_kbd_interactive_authentication);
        M_CP_INTOPT(zero_knowledge_password_authentication);
+       M_CP_INTOPT(second_zero_knowledge_password_authentication);
+       M_CP_INTOPT(two_factor_authentication);
        M_CP_INTOPT(permit_root_login);
        M_CP_INTOPT(permit_empty_passwd);
 
@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+       dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
 #endif
 #ifdef JPAKE
        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
            o->zero_knowledge_password_authentication);
+       dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
+           o->second_zero_knowledge_password_authentication);
 #endif
        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+       dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
        dump_cfg_fmtint(sKbdInteractiveAuthentication,
            o->kbd_interactive_authentication);
+       dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
+           o->second_kbd_interactive_authentication);
        dump_cfg_fmtint(sChallengeResponseAuthentication,
            o->challenge_response_authentication);
+       dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
        dump_cfg_fmtint(sPrintMotd, o->print_motd);
        dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
        dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.2auth      2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.h    2011-09-17 11:36:54.749584245 +0200
@@ -112,6 +112,14 @@ typedef struct {
                                        /* If true, permit jpake auth */
        int     permit_empty_passwd;    /* If false, do not permit empty
                                         * passwords. */
+       int     two_factor_authentication;      /* If true, the first sucessful authentication
+                                        * will be followed by the second one from anorher set */
+       int     second_pubkey_authentication;   /* second set of authentications */
+       int     second_gss_authentication;
+       int     second_password_authentication;
+       int     second_kbd_interactive_authentication;
+       int     second_zero_knowledge_password_authentication;
+       int     second_hostbased_authentication;
        int     permit_user_env;        /* If true, read ~/.ssh/environment */
        int     use_login;      /* If true, login(1) is used */
        int     compression;    /* If true, compression is allowed */
diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.2auth     2011-05-29 13:39:39.000000000 +0200
+++ openssh-5.9p1/sshd_config   2011-09-17 11:36:54.859588726 +0200
@@ -87,6 +87,13 @@ AuthorizedKeysFile   .ssh/authorized_keys
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
+#TwoFactorAuthentication no
+#SecondPubkeyAuthentication yes
+#SecondHostbasedAuthentication no
+#SecondPasswordAuthentication yes
+#SecondKBDInteractiveAuthentication yes
+#SecondGSSAPIAuthentication no
+
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.2auth   2011-08-05 22:17:33.000000000 +0200
+++ openssh-5.9p1/sshd_config.5 2011-09-17 13:45:49.022521436 +0200
@@ -726,6 +726,12 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication ,
+.Cm TwoFactorAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
@@ -931,6 +937,45 @@ Specifies whether pure RSA authenticatio
 The default is
 .Dq yes .
 This option applies to protocol version 1 only.
+.It Cm SecondGSSAPIAuthentication
+Specifies whether the
+.Cm GSSAPIAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq no .
+.It Cm SecondHostbasedAuthentication
+Specifies whether the
+.Cm HostbasedAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq no .
+.It Cm SecondKbdInteractiveAuthentication
+Specifies whether the
+.Cm KbdInteractiveAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq yes .
+.It Cm SecondPasswordAuthentication
+Specifies whether the
+.Cm PasswordAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq yes .
+Specifies whether the
+.Cm PubkeyAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq yes .
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
@@ -1011,6 +1056,23 @@ For more details on certificates, see th
 .Sx CERTIFICATES
 section in
 .Xr ssh-keygen 1 .
+.It Cm TwoFactorAuthentication
+Specifies whether for a successful login is necessary to meet two independent authentications.
+If select the first method is selected from the set of allowed methods from
+.Cm GSSAPIAuthentication ,
+.Cm HostbasedAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm PasswordAuthentication ,
+.Cm PubkeyAuthentication .
+And the second method is selected from the set of allowed methods from
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication 
+without the method used for the first authentication.
+The default is
+.Dq no .
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8