bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:34 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1930

--- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST ---
Retarget unresolved bugs/features to 6.0 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:36 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #35 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:35 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:39 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1845                        |

--- Comment #36 from Damien Miller <djm at mindrot.org> 2011-09-06 10:39:11 EST ---
Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's
"change several" isn't)
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-07 04:51 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #37 from jchadima at redhat.com 2011-09-07 14:51:20 EST ---
Created attachment 2079
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2079
Another approach to solution of the problem

I've created another patch which solves a similar problem. There are new
configuration items TwoFactorAuthentication and Second.*Authentication. If
TwoFactorAuthentication is not set, sshd works as usual. If it is set, then
after the successful authentication the Second set, without the method
successfully used in the first authentication, is enabled and then the
second authentication cycle is started. There is no need to work with short
names like "kbdint" in the configuration file. This scheme may be easily
extended to new potential authentication methods.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-07 04:52 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jchadima at redhat.com
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-08 22:59 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

David Woodhouse <dwmw2 at infradead.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwmw2 at infradead.org
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-08 23:43 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #38 from David Woodhouse <dwmw2 at infradead.org> 2011-09-09 09:43:31 EST ---
Paul, why do you say (in comment #30) that the patch doesn't work with
SELinux? I tried your latest patch from comment #33, which I think is just
updated to apply to the latest OpenSSH rather than really changed... and it
seems to work fine. Is there something known to be wrong?

What remains to be fixed before this patch can be merged?
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-09 04:21 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #39 from Paul Sery <pgsery at swcp.com> 2011-09-09 14:21:17 EST ---
The patch didn't work for me when I tested it with SELinux at that time.
SELinux policy is constantly updated, so I'm not surprised it's working now.
I'll check it out on my systems now.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-12 19:49 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #40 from David Woodhouse <dwmw2 at infradead.org> 2011-09-13 05:49:16 EST ---
(In reply to comment #33)
> Created attachment 1999 [details]
> Updated to -current
>
> Updated patch to -current and 5.8p1. Appears to work with
> sshd_config->RequiredAuthentications2 publickey,password.

I take it we've dropped the 'necessary but not sufficient' bit?

This looks wrong: Don't we want SSHCFG_ALL in each of the new additions here?:

@@ -451,6 +456,8 @@ static struct { { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "requiredauthentications1", sRequiredAuthentications1 }, + { "requiredauthentications2", sRequiredAuthentications2 }, { "ipqos", sIPQoS, SSHCFG_ALL }, { NULL, sBadOption, 0 } };
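Review bot: the two added entries in the @@ -451,6 +456,8 @@ hunk omit the third initializer, so the flags member of those table entries is zero-initialized and carries neither SSHCFG_GLOBAL nor SSHCFG_ALL, which is the problem David points at; every neighbouring entry passes a flag, so the entries should read `{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },` and `{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },` so that the keywords are accepted both in the global section and inside Match blocks.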
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-13 03:39 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #41 from Paul Sery <pgsery at swcp.com> 2011-09-13 13:39:23 EST ---
Yes, my mistake. I'll add it in the next patch.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-17 10:00 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2079|0                           |1
        is obsolete|                            |

--- Comment #42 from jchadima at redhat.com 2011-09-17 20:00:32 EST ---
Created attachment 2084
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2084
Another approach to solution of the problem (updated)
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-17 11:39 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #43 from David Woodhouse <dwmw2 at infradead.org> 2011-09-17 21:39:50 EST ---
My use case for this is to run a PAM stack *after* pubkey authentication,
and one environment in which I want to do that is for something like
gitolite, where multiple people each have their own SSH key installed, but
there is only one local user. We want to use keys *and* a one-time password.

It would be really useful if the PAM stack could know *which* SSH key was
used to authenticate. Then we can have an OTP setup for each human being
rather than just having a single shared one.

This kind of thing should probably do it. This makes the two-step
authentication much more useful for us.

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 137887e..68f1a6a 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -350,6 +350,12 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) verbose("Accepted certificate ID \"%s\" " "signed by %s CA %s via %s", key->cert->key_id, key_type(found), fp, file); +#ifdef USE_PAM + if (options.use_pam) { + do_pam_putenv("SSH_PUBKEY_TYPE", "X509"); + do_pam_putenv("SSH_PUBKEY", key->cert->key_id); + } +#endif xfree(fp); found_key = 1; break; @@ -365,6 +371,12 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); +#ifdef USE_PAM + if (options.use_pam) { + do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found)); + do_pam_putenv("SSH_PUBKEY", fp); + } +#endif xfree(fp); break; }
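Review bot: in the first hunk (@@ -350,6 +350,12 @@) SSH_PUBKEY_TYPE is set to the literal "X509", but this branch handles an OpenSSH certificate (the surrounding verbose() reports a certificate ID signed by a CA), not an X.509 certificate, and the second hunk uses key_type(found) for the same variable; use `do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));` here as well so a PAM module sees one naming scheme. The exported SSH_PUBKEY in this branch is only the CA-chosen key_id string, which is not guaranteed to be unique across CAs, so consider also exporting the CA fingerprint fp that the verbose() call already has, since the per-person OTP policy will be keyed on this value.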
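Review bot: the second hunk (@@ -365,6 +371,12 @@) exports the MD5 hex fingerprint from key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX) as the key's identity without any documentation; the patch should state, in the sshd manual page that this diff does not touch, that SSH_PUBKEY and SSH_PUBKEY_TYPE are set by sshd only after a key has been matched, that they are meant to be consumed by PAM modules running after pubkey authentication, and that SSH_PUBKEY holds an MD5 hex fingerprint, so that PAM configuration matches the exact format sshd emits.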
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:25 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

Jan F. Chadima <jfch at jagda.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jfch at jagda.eu
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-26 21:22 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #44 from David Woodhouse <dwmw2 at infradead.org> 2011-09-27 07:22:44 EST ---
(In reply to comment #33)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7f3f7e0 (LWP 3257)]
0x00007ffff7f9c32a in input_userauth_info_response (type=<optimized out>,
    seq=<optimized out>, ctxt=0x7ffff8213b90) at auth2-chall.c:344
344		userauth_finish(authctxt, authenticated, "keyboard-interactive",
(gdb) p kbdintctxt->device->name
Cannot access memory at address 0x0
(gdb) p kbdintctxt->device
$7 = (KbdintDevice *) 0x0

I don't quite understand how the extra 'submethod' argument to
userauth_finish() and auth_log() is relevant to this patch. Normally I would
expect them to be part of a separate patch. It appears to be entirely
cosmetic... apart from the SEGV that it causes. So I fixed it thus without
worrying too much about what it *should* have been:

--- auth2-chall.c~ 2011-09-26 20:50:00.741593219 +0100 +++ auth2-chall.c 2011-09-26 22:18:41.119608430 +0100 @@ -342,7 +342,7 @@ input_userauth_info_response(int type, u } } userauth_finish(authctxt, authenticated, "keyboard-interactive", - kbdintctxt->device->name); + kbdintctxt->device?kbdintctxt->device->name:NULL); } void

Note: This SEGV wasn't trivial to find. The symptom was just that
mm_request_receive() got -EPIPE after the child process died. No hint about
the SEGV was visible because a handler was installed. Even when running it
in gdb it didn't show up until I set 'follow-fork-mode child'. Is this not a
really bad thing?
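Review bot: the ternary in the auth2-chall.c hunk (@@ -342,7 +342,7 @@) stops the NULL dereference, but it passes NULL as the submethod for exactly the case where kbdintctxt->device has been reset before userauth_finish() is reached, so the auth log loses the device name for that attempt; the gdb output above shows device == 0x0 while kbdintctxt itself is still readable, so the context is intact and only the device pointer has been cleared. A cleaner fix is to copy kbdintctxt->device->name into a local (for example `devicename`) right after the response has been processed and before whatever resets the device pointer, then call `userauth_finish(authctxt, authenticated, "keyboard-interactive", devicename);`.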
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-26 21:40 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #45 from David Woodhouse <dwmw2 at infradead.org> 2011-09-27 07:40:08 EST ---
Oh, that fixes the fact that the patch breaks keyboard-interactive
authentication when it's the only form of authentication. But
RequiredAuthentications2 publickey,keyboard-interactive still doesn't work:

INTERNAL ERROR: authenticated method "keyboard-interactive/pam" not in required list "keyboard-interactive"
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-26 22:02 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

David Woodhouse <dwmw2 at infradead.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1955|0                           |1
        is obsolete|                            |
   Attachment #1999|0                           |1
        is obsolete|                            |

--- Comment #46 from David Woodhouse <dwmw2 at infradead.org> 2011-09-27 08:02:11 EST ---
Created attachment 2096
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2096
Updated version of original patch.

Oh, *now* I see why we were splitting 'keyboard-interactive/pam' into the
method 'keyboard-interactive' and the submethod 'pam', and why it's a
necessary part of this patch. I've been spoiled by git users who put that
kind of information into the commit comments.

Here's an updated patch against the current git mirror, which should fix
that by doing the same thing in monitor.c.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-27 08:26 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983

David Sickmiller <david at sickmiller.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|david at sickmiller.com     |