This is a discussion on [PATCH] Requiring multiple auth mechanisms (updated) within the OpenSSH Development forums, part of the Networking and Network Related category; This is a multi-part message in MIME format. --------------090400090703040205060800 Content-Type: text/plain; charset=ISO-8859-1; format=flowed ...
This is a multi-part message in MIME format.
--------------090400090703040205060800 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Jefferson Ogata's patch http://marc.info/?l=openssh-unix-dev...4938701018&w=2 adds a multiple authentication methods option to sshd. I updated the patch to 4.7p1 and added logic to allow it to work with privilege separation. https://bugzilla.mindrot.org/show_bug.cgi?id=1435 --------------090400090703040205060800 Content-Type: text/x-patch; name="openssh-4.7p1-multiauth.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="openssh-4.7p1-multiauth.patch" --- openssh-4.7p1/monitor.c 2007-05-19 23:10:16.000000000 -0600 +++ openssh-4.7p1-multiauth/monitor.c 2008-02-02 13:01:45.000000000 -0700 @@ -327,6 +327,8 @@ { struct mon_table *ent; int authenticated = 0; + int num_required_auth_methods_remaining = + options.num_required_auth_methods-1; debug3("preauth child monitor started"); @@ -358,6 +360,8 @@ if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(auth_method)) authenticated = 0; + if (num_required_auth_methods_remaining--) + authenticated = 0; #ifdef USE_PAM /* PAM needs to perform account checks after auth */ if (options.use_pam && authenticated) { --- openssh-4.7p1/auth.h 2006-08-18 08:32:46.000000000 -0600 +++ openssh-4.7p1-multiauth/auth.h 2008-02-02 13:01:45.000000000 -0700 @@ -53,6 +53,7 @@ int valid; /* user exists and is allowed to login */ int attempt; int failures; + int passed; int force_pwchange; char *user; /* username sent by the client */ char *service; --- openssh-4.7p1/auth2.c 2007-05-19 22:58:41.000000000 -0600 +++ openssh-4.7p1-multiauth/auth2.c 2008-02-02 13:01:45.000000000 -0700 @@ -86,7 +86,7 @@ /* helper */ static Authmethod *authmethod_lookup(const char *); -static char *authmethods_get(void); +static char *authmethods_get(int); int user_key_allowed(struct passwd *, Key *); /* 
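Review bot: The added counter in monitor_child_preauth counts successes, not distinct methods: `if (num_required_auth_methods_remaining--) authenticated = 0;` is satisfied by the same method succeeding N times, whereas the unprivileged child's userauth_finish (auth2.c) demands distinct entries of authmethods[] via `authctxt->passed`; since the monitor is the privilege boundary it should enforce the same distinctness, e.g. keep a bitmask of passed methods derived from `auth_method` and only clear `authenticated` while the number of set bits is below `options.num_required_auth_methods`. The decrement also runs after the preceding `auth_root_allowed` check may already have forced `authenticated = 0`, so a policy-rejected root attempt consumes one of the required slots; at minimum change it to `if (authenticated && num_required_auth_methods_remaining > 0) { num_required_auth_methods_remaining--; authenticated = 0; }`, which also keeps a zero or negative NumRequiredAuthMethods from driving the counter negative indefinitely. Clearing `authenticated` on a genuinely successful partial step will, if the remainder of the loop logs and counts `!authenticated` as a failure as I believe it does, record that step as a failed login, so a distinct "partial success" log line would let operators tell it apart from a bad credential. monitor_child_preauth begins and ends outside this hunk; the first monitor.c hunk only declares the counter and needs no separate note.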
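Review bot: `int passed;` in auth.h carries no comment, and its meaning — a bitmask in which bit i is set once authmethods[i] has succeeded, as written by userauth_finish and read by authmethods_get in auth2.c — cannot be inferred from the name or from the neighbouring `attempt`/`failures` counters; add `int passed; /* bitmask: bit i set once authmethods[i] succeeded */`. A name such as `passed_methods` would also avoid confusion with the local `passed` count in userauth_finish, though that touches more of the patch.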
@@ -213,6 +213,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + int success = 0; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -256,6 +257,31 @@ return; /* XXX todo: check if multiple auth methods are needed */ + /* Check if enough multiple auth methods have passed */ + if (authenticated == 1) { + int passed; + int k; + int j; + + for (j = 0, k = 1, passed = 0; authmethods[j] != NULL; j++, k <<= 1) { + if (strncmp (method, authmethods[j]->name, strlen (authmethods[j]->name)) == 0) + authctxt->passed |= k; + if (authctxt->passed & k) + ++passed; + } + if (passed < options.num_required_auth_methods) { + success = 1; + authenticated = 0; + } + } else { + if (authctxt->failures++ > options.max_authtries) { +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); +#endif + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } + } + if (authenticated == 1) { /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); @@ -265,16 +291,10 @@ /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > options.max_authtries) { -#ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); -#endif - packet_disconnect(AUTH_FAIL_MSG, authctxt->user); - } - methods = authmethods_get(); + methods = authmethods_get(authctxt->passed); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); - packet_put_char(0); /* XXX partial success, unused */ + packet_put_char(success); packet_send(); packet_write_wait(); xfree(methods); 
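Review bot: The counting loop in userauth_finish credits the `none` method: authmethods_get skips `none` when listing what the client may still try, but nothing skips it here, so if `none` ever reports authenticated (I believe it can for empty-password accounts when those are permitted) it sets a bit in `authctxt->passed` and counts toward NumRequiredAuthMethods; add `if (strcmp(authmethods[j]->name, "none") == 0) continue;` at the top of the loop body. The test `strncmp (method, authmethods[j]->name, strlen (authmethods[j]->name)) == 0` is a prefix match on the client-supplied method string, and since a request presumably only arrives here authenticated after an exact lookup in input_userauth_request, `strcmp(method, authmethods[j]->name) == 0` is simpler and immune to a future method name that prefixes another. Requiring two methods is not the same as requiring two credentials — password and keyboard-interactive may validate the same secret depending on the PAM configuration — and the sshd_config.5 text should say so, so that administrators do not read this as two-factor authentication. The stale `/* XXX todo: check if multiple auth methods are needed */` left above the new block should be removed now that it is implemented. userauth_finish begins and ends outside these hunks.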
@@ -282,16 +302,19 @@ } static char * -authmethods_get(void) +authmethods_get(int passed) { Buffer b; char *list; int i; + int k; buffer_init(&b); - for (i = 0; authmethods[i] != NULL; i++) { + for (i = 0, k = 1; authmethods[i] != NULL; i++, k <<= 1) { if (strcmp(authmethods[i]->name, "none") == 0) continue; + if (passed & k) + continue; if (authmethods[i]->enabled != NULL && *(authmethods[i]->enabled) != 0) { if (buffer_len(&b) > 0) --- openssh-4.7p1/servconf.h 2007-02-19 04:25:38.000000000 -0700 +++ openssh-4.7p1-multiauth/servconf.h 2008-02-02 13:01:45.000000000 -0700 @@ -92,6 +92,8 @@ * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_response_authentication; + int num_required_auth_methods; /* Minimum number of auth methods + that must succeed. */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int permit_user_env; /* If true, read ~/.ssh/environment */ --- openssh-4.7p1/servconf.c 2007-05-19 23:03:16.000000000 -0600 +++ openssh-4.7p1-multiauth/servconf.c 2008-02-02 13:01:45.000000000 -0700 @@ -94,6 +94,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; + options->num_required_auth_methods = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; @@ -212,6 +213,8 @@ options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; + if (options->num_required_auth_methods == -1) + options->num_required_auth_methods = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->permit_user_env == -1) 
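Review bot: The new `if (passed & k) continue;` in authmethods_get relies on the bit assignment `k <<= 1` per index into authmethods[] matching the loop in userauth_finish exactly, and nothing records that coupling; add a comment before the loop such as `/* bit i of passed corresponds to authmethods[i]; keep in sync with userauth_finish */`. When every enabled method has already been passed — essentially only when NumRequiredAuthMethods exceeds the number of enabled methods — the USERAUTH_FAILURE carries an empty method list together with partial success, leaving the client no way forward; that configuration is better rejected in servconf.c than surfaced here. The tail of authmethods_get lies outside the hunk.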
@@ -275,8 +278,8 @@ sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, - sKerberosTgtPassing, sChallengeResponseAuthentication, + sKerberosGetAFSToken, sKerberosTgtPassing, + sNumRequiredAuthMethods, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -359,6 +362,7 @@ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ + { "numrequiredauthmethods", sNumRequiredAuthMethods, SSHCFG_GLOBAL}, { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, @@ -887,6 +891,10 @@ intptr = &options->challenge_response_authentication; goto parse_flag; + case sNumRequiredAuthMethods: + intptr = &options->num_required_auth_methods; + goto parse_int; + case sPrintMotd: intptr = &options->print_motd; goto parse_flag; --- openssh-4.7p1/sshd_config.5 2007-06-10 22:07:13.000000000 -0600 +++ openssh-4.7p1-multiauth/sshd_config.5 2008-02-02 13:04:13.000000000 -0700 
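Review bot: `goto parse_int` accepts any integer for NumRequiredAuthMethods, including 0 and negative values; with 0 the monitor.c counter starts at -1 and, as far as I can see, clears `authenticated` on every success thereafter, while the child's `passed < options.num_required_auth_methods` test never triggers, so the two privsep halves disagree and every login fails. Give the keyword its own case that mirrors the parse_int label and rejects anything below 1 at config time (sketched below); an upper bound against the number of enabled methods cannot be checked here because method enablement depends on other options, but a check in fill_default_server_options or a clear log message at runtime would avoid an unexplainable lockout. The keywords table entry `{ "numrequiredauthmethods", sNumRequiredAuthMethods, SSHCFG_GLOBAL}` also lacks the space before `}` that its neighbours use. process_server_config_line begins and ends outside this hunk.
```c
	case sNumRequiredAuthMethods:
		intptr = &options->num_required_auth_methods;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		/* 0 or a negative value locks every user out (see monitor.c) */
		if (value < 1)
			fatal("%s line %d: NumRequiredAuthMethods must be "
			    "at least 1.", filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;
	/* … unchanged: sPrintMotd case … */
```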
@@ -559,10 +559,19 @@ are refused if the number of unauthenticated connections reaches .Dq full (60). + +.It Cm NumRequiredAuthMethods +Specifies how many authentication methods must succeed during ssh2 +authentication. There are four potential methods: publickey, password, +keyboard-interactive, and hostbased. Setting this value to 2 or higher forces +the client to successfully authenticate in multiple ways, for example, using +both S/Key and publickey. + .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is .Dq yes . + .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. --------------090400090703040205060800 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org https://lists.mindrot.org/mailman/li...enssh-unix-dev --------------090400090703040205060800-- |