[people/arne_f/ipfire-3.x.git] / openssh / patches / openssh-5.9p1-2auth.patch

diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.2auth	2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h	2011-09-17 11:36:54.314522599 +0200
@@ -149,6 +149,8 @@ int	auth_root_allowed(char *);
 
 char	*auth2_read_banner(void);
 
+void	userauth_restart(const char *);
+
 void	privsep_challenge_enable(void);
 
 int	auth2_challenge(Authctxt *, char *);
diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.2auth	2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2.c	2011-09-17 11:36:54.402521709 +0200
@@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32
 }
 
 void
+userauth_restart(const char *method)
+{
+	options.two_factor_authentication = 0;
+
+	debug2("userauth restart, method = %s", method);
+	options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
+#ifdef GSSAPI
+	options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
+#endif
+#ifdef JPAKE
+	options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
+#endif
+	options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
+	options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
+	options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
+}
+
+void
 userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 {
 	char *methods;
@@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int
 
 	/* XXX todo: check if multiple auth methods are needed */
 	if (authenticated == 1) {
+		if (options.two_factor_authentication) {
+			userauth_restart(method);
+			debug("1st factor authentication done go to 2nd factor");
+			goto ask_methods;
+		}
+
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
 		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
@@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
+ask_methods:
 		methods = authmethods_get();
+		debug2("next auth methods = %s", methods);
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
 		packet_put_char(0);	/* XXX partial success, unused */
diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.2auth	2011-08-05 22:15:18.000000000 +0200
+++ openssh-5.9p1/monitor.c	2011-09-17 11:36:54.513491937 +0200
@@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx
 			}
 		}
 #endif
+		if (authenticated && options.two_factor_authentication) {
+			userauth_restart(auth_method);
+			authenticated = 0;
+		}
 	}
 
 	/* Drain any buffered messages from the child */
diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.2auth	2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.c	2011-09-17 11:36:54.632461730 +0200
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
+	options->two_factor_authentication = -1;
+	options->second_pubkey_authentication = -1;
+	options->second_gss_authentication = -1;
+	options->second_password_authentication = -1;
+	options->second_kbd_interactive_authentication = -1;
+	options->second_zero_knowledge_password_authentication = -1;
+	options->second_hostbased_authentication = -1;
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
 		options->permit_user_env = 0;
+	if (options->two_factor_authentication == -1)
+		options->two_factor_authentication = 0;
+	if (options->second_pubkey_authentication == -1)
+		options->second_pubkey_authentication = 1;
+	if (options->second_gss_authentication == -1)
+		options->second_gss_authentication = 0;
+	if (options->second_password_authentication == -1)
+		options->second_password_authentication = 1;
+	if (options->second_kbd_interactive_authentication == -1)
+		options->second_kbd_interactive_authentication = 0;
+	if (options->second_zero_knowledge_password_authentication == -1)
+		options->second_zero_knowledge_password_authentication = 0;
+	if (options->second_hostbased_authentication == -1)
+		options->second_hostbased_authentication = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
 	if (options->compression == -1)
@@ -316,8 +337,11 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
-	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
-	sClientAliveCountMax, sAuthorizedKeysFile,
+	sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
+	sSecondPubkeyAuthentication, sSecondGssAuthentication,
+	sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
+	sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
+	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -395,6 +419,21 @@ static struct {
 #else
 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
 #endif
+	{ "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
+	{ "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
+#ifdef GSSAPI
+	{ "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
+#else
+	{ "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+	{ "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
+	{ "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
+#ifdef JPAKE
+	{ "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
+#else
+	{ "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+#endif
+	{ "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case sTwoFactorAuthentication:
+		intptr = &options->two_factor_authentication;
+		goto parse_flag;
+
+	case sSecondPubkeyAuthentication:
+		intptr = &options->second_pubkey_authentication;
+		goto parse_flag;
+
+	case sSecondGssAuthentication:
+		intptr = &options->second_gss_authentication;
+		goto parse_flag;
+
+	case sSecondPasswordAuthentication:
+		intptr = &options->second_password_authentication;
+		goto parse_flag;
+
+	case sSecondKbdInteractiveAuthentication:
+		intptr = &options->second_kbd_interactive_authentication;
+		goto parse_flag;
+
+	case sSecondZeroKnowledgePasswordAuthentication:
+		intptr = &options->second_zero_knowledge_password_authentication;
+		goto parse_flag;
+
+	case sSecondHostbasedAuthentication:
+		intptr = &options->second_hostbased_authentication;
+		goto parse_flag;
+
 	case sPrintMotd:
 		intptr = &options->print_motd;
 		goto parse_flag;
@@ -1491,14 +1558,21 @@ void
 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
 	M_CP_INTOPT(password_authentication);
+	M_CP_INTOPT(second_password_authentication);
 	M_CP_INTOPT(gss_authentication);
+	M_CP_INTOPT(second_gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_INTOPT(second_pubkey_authentication);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
+	M_CP_INTOPT(second_hostbased_authentication);
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(second_kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
+	M_CP_INTOPT(second_zero_knowledge_password_authentication);
+	M_CP_INTOPT(two_factor_authentication);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
 
@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
 #endif
 #ifdef JPAKE
 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
 	    o->zero_knowledge_password_authentication);
+	dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
+	    o->second_zero_knowledge_password_authentication);
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+	dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);
+	dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
+	    o->second_kbd_interactive_authentication);
 	dump_cfg_fmtint(sChallengeResponseAuthentication,
 	    o->challenge_response_authentication);
+	dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.2auth	2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.h	2011-09-17 11:36:54.749584245 +0200
@@ -112,6 +112,14 @@ typedef struct {
 					/* If true, permit jpake auth */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
+	int	two_factor_authentication;	/* If true, the first sucessful authentication
+					 * will be followed by the second one from anorher set */
+	int	second_pubkey_authentication;	/* second set of authentications */
+	int	second_gss_authentication;
+	int	second_password_authentication;
+	int	second_kbd_interactive_authentication;
+	int	second_zero_knowledge_password_authentication;
+	int	second_hostbased_authentication;
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */
diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.2auth	2011-05-29 13:39:39.000000000 +0200
+++ openssh-5.9p1/sshd_config	2011-09-17 11:36:54.859588726 +0200
@@ -87,6 +87,13 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
+#TwoFactorAuthentication no
+#SecondPubkeyAuthentication yes
+#SecondHostbasedAuthentication no
+#SecondPasswordAuthentication yes
+#SecondKBDInteractiveAuthentication yes
+#SecondGSSAPIAuthentication no
+
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.2auth	2011-08-05 22:17:33.000000000 +0200
+++ openssh-5.9p1/sshd_config.5	2011-09-17 13:45:49.022521436 +0200
@@ -726,6 +726,12 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication ,
+.Cm TwoFactorAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
@@ -931,6 +937,45 @@ Specifies whether pure RSA authenticatio
 The default is
 .Dq yes .
 This option applies to protocol version 1 only.
+.It Cm SecondGSSAPIAuthentication
+Specifies whether the
+.Cm GSSAPIAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq no .
+.It Cm SecondHostbasedAuthentication
+Specifies whether the
+.Cm HostbasedAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq no .
+.It Cm SecondKbdInteractiveAuthentication
+Specifies whether the
+.Cm KbdInteractiveAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq yes .
+.It Cm SecondPasswordAuthentication
+Specifies whether the
+.Cm PasswordAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq yes .
+Specifies whether the
+.Cm PubkeyAuthentication
+may be used on the second authentication while
+.Cm TwoFactorAuthentication
+is set.
+The default is
+.Dq yes .
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
@@ -1011,6 +1056,23 @@ For more details on certificates, see th
 .Sx CERTIFICATES
 section in
 .Xr ssh-keygen 1 .
+.It Cm TwoFactorAuthentication
+Specifies whether for a successful login is necessary to meet two independent authentications.
+If select the first method is selected from the set of allowed methods from
+.Cm GSSAPIAuthentication ,
+.Cm HostbasedAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm PasswordAuthentication ,
+.Cm PubkeyAuthentication .
+And the second method is selected from the set of allowed methods from
+.Cm SecondGSSAPIAuthentication ,
+.Cm SecondHostbasedAuthentication ,
+.Cm SecondKbdInteractiveAuthentication ,
+.Cm SecondPasswordAuthentication ,
+.Cm SecondPubkeyAuthentication 
+without the method used for the first authentication.
+The default is
+.Dq no .
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8
Commit	Line	Data
9d8fd3ad SS	1	diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h
	2	--- openssh-5.9p1/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200
	3	+++ openssh-5.9p1/auth.h 2011-09-17 11:36:54.314522599 +0200
	4	@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
	5
	6	char *auth2_read_banner(void);
	7
	8	+void userauth_restart(const char *);
	9	+
	10	void privsep_challenge_enable(void);
	11
	12	int auth2_challenge(Authctxt , char );
	13	diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c
	14	--- openssh-5.9p1/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200
	15	+++ openssh-5.9p1/auth2.c 2011-09-17 11:36:54.402521709 +0200
	16	@@ -290,6 +290,24 @@ input_userauth_request(int type, u_int32
	17	}
	18
	19	void
	20	+userauth_restart(const char *method)
	21	+{
	22	+ options.two_factor_authentication = 0;
	23	+
	24	+ debug2("userauth restart, method = %s", method);
	25	+ options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
	26	+#ifdef GSSAPI
	27	+ options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
	28	+#endif
	29	+#ifdef JPAKE
	30	+ options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
	31	+#endif
	32	+ options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
	33	+ options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
	34	+ options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
	35	+}
	36	+
	37	+void
	38	userauth_finish(Authctxt authctxt, int authenticated, char method)
	39	{
	40	char *methods;
	41	@@ -337,6 +355,12 @@ userauth_finish(Authctxt *authctxt, int
	42
	43	/* XXX todo: check if multiple auth methods are needed */
	44	if (authenticated == 1) {
	45	+ if (options.two_factor_authentication) {
	46	+ userauth_restart(method);
	47	+ debug("1st factor authentication done go to 2nd factor");
	48	+ goto ask_methods;
	49	+ }
	50	+
	51	/* turn off userauth */
	52	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
	53	packet_start(SSH2_MSG_USERAUTH_SUCCESS);
	54	@@ -356,7 +380,9 @@ userauth_finish(Authctxt *authctxt, int
	55	#endif
	56	packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
	57	}
	58	+ask_methods:
	59	methods = authmethods_get();
	60	+ debug2("next auth methods = %s", methods);
	61	packet_start(SSH2_MSG_USERAUTH_FAILURE);
	62	packet_put_cstring(methods);
	63	packet_put_char(0); /* XXX partial success, unused */
	64	diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c
65	--- openssh-5.9p1/monitor.c.2auth 2011-08-05 22:15:18.000000000 +0200
66	+++ openssh-5.9p1/monitor.c 2011-09-17 11:36:54.513491937 +0200
67	@@ -417,6 +417,10 @@ monitor_child_preauth(Authctxt *_authctx
68	}
69	}
70	#endif
71	+ if (authenticated && options.two_factor_authentication) {
72	+ userauth_restart(auth_method);
73	+ authenticated = 0;
74	+ }
75	}
76
77	/* Drain any buffered messages from the child */
78	diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c
79	--- openssh-5.9p1/servconf.c.2auth 2011-06-23 00:30:03.000000000 +0200
80	+++ openssh-5.9p1/servconf.c 2011-09-17 11:36:54.632461730 +0200
81	@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
82	options->hostbased_uses_name_from_packet_only = -1;
83	options->rsa_authentication = -1;
84	options->pubkey_authentication = -1;
85	+ options->two_factor_authentication = -1;
86	+ options->second_pubkey_authentication = -1;
87	+ options->second_gss_authentication = -1;
88	+ options->second_password_authentication = -1;
89	+ options->second_kbd_interactive_authentication = -1;
90	+ options->second_zero_knowledge_password_authentication = -1;
91	+ options->second_hostbased_authentication = -1;
92	options->kerberos_authentication = -1;
93	options->kerberos_or_local_passwd = -1;
94	options->kerberos_ticket_cleanup = -1;
95	@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
96	options->permit_empty_passwd = 0;
97	if (options->permit_user_env == -1)
98	options->permit_user_env = 0;
99	+ if (options->two_factor_authentication == -1)
100	+ options->two_factor_authentication = 0;
101	+ if (options->second_pubkey_authentication == -1)
102	+ options->second_pubkey_authentication = 1;
103	+ if (options->second_gss_authentication == -1)
104	+ options->second_gss_authentication = 0;
105	+ if (options->second_password_authentication == -1)
106	+ options->second_password_authentication = 1;
107	+ if (options->second_kbd_interactive_authentication == -1)
108	+ options->second_kbd_interactive_authentication = 0;
109	+ if (options->second_zero_knowledge_password_authentication == -1)
110	+ options->second_zero_knowledge_password_authentication = 0;
111	+ if (options->second_hostbased_authentication == -1)
112	+ options->second_hostbased_authentication = 0;
113	if (options->use_login == -1)
114	options->use_login = 0;
115	if (options->compression == -1)
116	@@ -316,8 +337,11 @@ typedef enum {
117	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
118	sMaxStartups, sMaxAuthTries, sMaxSessions,
119	sBanner, sUseDNS, sHostbasedAuthentication,
120	- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
121	- sClientAliveCountMax, sAuthorizedKeysFile,
122	+ sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
123	+ sSecondPubkeyAuthentication, sSecondGssAuthentication,
124	+ sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
125	+ sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
126	+ sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
127	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
128	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
129	sUsePrivilegeSeparation, sAllowAgentForwarding,
130	@@ -395,6 +419,21 @@ static struct {
131	#else
132	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
133	#endif
134	+ { "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
135	+ { "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
136	+#ifdef GSSAPI
137	+ { "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
138	+#else
139	+ { "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
140	+#endif
141	+ { "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
142	+ { "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
143	+#ifdef JPAKE
144	+ { "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
145	+#else
146	+ { "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
147	+#endif
148	+ { "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
149	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
150	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
151	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
152	@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
153	intptr = &options->challenge_response_authentication;
154	goto parse_flag;
155
156	+ case sTwoFactorAuthentication:
157	+ intptr = &options->two_factor_authentication;
158	+ goto parse_flag;
159	+
160	+ case sSecondPubkeyAuthentication:
161	+ intptr = &options->second_pubkey_authentication;
162	+ goto parse_flag;
163	+
164	+ case sSecondGssAuthentication:
165	+ intptr = &options->second_gss_authentication;
166	+ goto parse_flag;
167	+
168	+ case sSecondPasswordAuthentication:
169	+ intptr = &options->second_password_authentication;
170	+ goto parse_flag;
171	+
172	+ case sSecondKbdInteractiveAuthentication:
173	+ intptr = &options->second_kbd_interactive_authentication;
174	+ goto parse_flag;
175	+
176	+ case sSecondZeroKnowledgePasswordAuthentication:
177	+ intptr = &options->second_zero_knowledge_password_authentication;
178	+ goto parse_flag;
179	+
180	+ case sSecondHostbasedAuthentication:
181	+ intptr = &options->second_hostbased_authentication;
182	+ goto parse_flag;
183	+
184	case sPrintMotd:
185	intptr = &options->print_motd;
186	goto parse_flag;
187	@@ -1491,14 +1558,21 @@ void
188	copy_set_server_options(ServerOptions dst, ServerOptions src, int preauth)
189	{
190	M_CP_INTOPT(password_authentication);
191	+ M_CP_INTOPT(second_password_authentication);
192	M_CP_INTOPT(gss_authentication);
193	+ M_CP_INTOPT(second_gss_authentication);
194	M_CP_INTOPT(rsa_authentication);
195	M_CP_INTOPT(pubkey_authentication);
196	+ M_CP_INTOPT(second_pubkey_authentication);
197	M_CP_INTOPT(kerberos_authentication);
198	M_CP_INTOPT(hostbased_authentication);
199	+ M_CP_INTOPT(second_hostbased_authentication);
200	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
201	M_CP_INTOPT(kbd_interactive_authentication);
202	+ M_CP_INTOPT(second_kbd_interactive_authentication);
203	M_CP_INTOPT(zero_knowledge_password_authentication);
204	+ M_CP_INTOPT(second_zero_knowledge_password_authentication);
205	+ M_CP_INTOPT(two_factor_authentication);
206	M_CP_INTOPT(permit_root_login);
207	M_CP_INTOPT(permit_empty_passwd);
208
209	@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
210	#endif
211	#ifdef GSSAPI
212	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
213	+ dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
214	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
215	#endif
216	#ifdef JPAKE
217	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
218	o->zero_knowledge_password_authentication);
219	+ dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
220	+ o->second_zero_knowledge_password_authentication);
221	#endif
222	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
223	+ dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
224	dump_cfg_fmtint(sKbdInteractiveAuthentication,
225	o->kbd_interactive_authentication);
226	+ dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
227	+ o->second_kbd_interactive_authentication);
228	dump_cfg_fmtint(sChallengeResponseAuthentication,
229	o->challenge_response_authentication);
230	+ dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
231	dump_cfg_fmtint(sPrintMotd, o->print_motd);
232	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
233	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
234	diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h
235	--- openssh-5.9p1/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200
236	+++ openssh-5.9p1/servconf.h 2011-09-17 11:36:54.749584245 +0200
237	@@ -112,6 +112,14 @@ typedef struct {
238	/* If true, permit jpake auth */
239	int permit_empty_passwd; /* If false, do not permit empty
240	* passwords. */
241	+ int two_factor_authentication; /* If true, the first sucessful authentication
242	+ * will be followed by the second one from anorher set */
243	+ int second_pubkey_authentication; /* second set of authentications */
244	+ int second_gss_authentication;
245	+ int second_password_authentication;
246	+ int second_kbd_interactive_authentication;
247	+ int second_zero_knowledge_password_authentication;
248	+ int second_hostbased_authentication;
249	int permit_user_env; /* If true, read ~/.ssh/environment */
250	int use_login; /* If true, login(1) is used */
251	int compression; /* If true, compression is allowed */
252	diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config
253	--- openssh-5.9p1/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200
254	+++ openssh-5.9p1/sshd_config 2011-09-17 11:36:54.859588726 +0200
255	@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys
256	# and ChallengeResponseAuthentication to 'no'.
257	#UsePAM no
258
259	+#TwoFactorAuthentication no
260	+#SecondPubkeyAuthentication yes
261	+#SecondHostbasedAuthentication no
262	+#SecondPasswordAuthentication yes
263	+#SecondKBDInteractiveAuthentication yes
264	+#SecondGSSAPIAuthentication no
265	+
266	#AllowAgentForwarding yes
267	#AllowTcpForwarding yes
268	#GatewayPorts no
269	diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5
270	--- openssh-5.9p1/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200
271	+++ openssh-5.9p1/sshd_config.5 2011-09-17 13:45:49.022521436 +0200
272	@@ -726,6 +726,12 @@ Available keywords are
273	.Cm PubkeyAuthentication ,
274	.Cm RhostsRSAAuthentication ,
275	.Cm RSAAuthentication ,
276	+.Cm SecondGSSAPIAuthentication ,
277	+.Cm SecondHostbasedAuthentication ,
278	+.Cm SecondKbdInteractiveAuthentication ,
279	+.Cm SecondPasswordAuthentication ,
280	+.Cm SecondPubkeyAuthentication ,
281	+.Cm TwoFactorAuthentication ,
282	.Cm X11DisplayOffset ,
283	.Cm X11Forwarding
284	and
285	@@ -931,6 +937,45 @@ Specifies whether pure RSA authenticatio
286	The default is
287	.Dq yes .
288	This option applies to protocol version 1 only.
289	+.It Cm SecondGSSAPIAuthentication
290	+Specifies whether the
291	+.Cm GSSAPIAuthentication
292	+may be used on the second authentication while
293	+.Cm TwoFactorAuthentication
294	+is set.
295	+The default is
296	+.Dq no .
297	+.It Cm SecondHostbasedAuthentication
298	+Specifies whether the
299	+.Cm HostbasedAuthentication
300	+may be used on the second authentication while
301	+.Cm TwoFactorAuthentication
302	+is set.
303	+The default is
304	+.Dq no .
305	+.It Cm SecondKbdInteractiveAuthentication
306	+Specifies whether the
307	+.Cm KbdInteractiveAuthentication
308	+may be used on the second authentication while
309	+.Cm TwoFactorAuthentication
310	+is set.
311	+The default is
312	+.Dq yes .
313	+.It Cm SecondPasswordAuthentication
314	+Specifies whether the
315	+.Cm PasswordAuthentication
316	+may be used on the second authentication while
317	+.Cm TwoFactorAuthentication
318	+is set.
319	+The default is
320	+.Dq yes .
321	+Specifies whether the
322	+.Cm PubkeyAuthentication
323	+may be used on the second authentication while
324	+.Cm TwoFactorAuthentication
325	+is set.
326	+The default is
327	+.Dq yes .
328	.It Cm ServerKeyBits
329	Defines the number of bits in the ephemeral protocol version 1 server key.
330	The minimum value is 512, and the default is 1024.
331	@@ -1011,6 +1056,23 @@ For more details on certificates, see th
332	.Sx CERTIFICATES
333	section in
334	.Xr ssh-keygen 1 .
335	+.It Cm TwoFactorAuthentication
336	+Specifies whether for a successful login is necessary to meet two independent authentications.
337	+If select the first method is selected from the set of allowed methods from
338	+.Cm GSSAPIAuthentication ,
339	+.Cm HostbasedAuthentication ,
340	+.Cm KbdInteractiveAuthentication ,
341	+.Cm PasswordAuthentication ,
342	+.Cm PubkeyAuthentication .
343	+And the second method is selected from the set of allowed methods from
344	+.Cm SecondGSSAPIAuthentication ,
345	+.Cm SecondHostbasedAuthentication ,
346	+.Cm SecondKbdInteractiveAuthentication ,
347	+.Cm SecondPasswordAuthentication ,
348	+.Cm SecondPubkeyAuthentication
349	+without the method used for the first authentication.
350	+The default is
351	+.Dq no .
352	.It Cm UseDNS
353	Specifies whether
354	.Xr sshd 8