Attached is a patch which adds a new config option, AuthOrder2, to sshd_config.c. The syntax is: AuthOrder2 AuthMethod1[:SubAuthMethod1[:SubAuthMethod2...]][,AuthMethod2...] An example, requiring users to enter a public key _and_ a password, in that order: AuthOrder2 publickey:password The current default behaviour: AuthOrder2 password,publickey,keyboard-interactive Require a public key, then either a password or keyboard-interactive: AuthOrder2 publickey:password,publickey:keyboard-interactive It's still a rough patch, and has not been heavily tested. I'd appreciate any feedback people have. I'd like to get this committed to the main tree at some point, so if the maintainers have any architectural changes they'd like in order to accomplish that, I'd be happy to comply. -- Carson -------------- next part -------------- A non-text attachment was scrubbed... Name: partialauth.patch Type: application/octet-stream Size: 10272 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010328/27425593/attachment.obj
Circa 2001-Mar-28 00:59:12 -0800 dixit Carson Gaspar: : Attached is a patch which adds a new config option, AuthOrder2, to : sshd_config.c. The syntax is: [...] : It's still a rough patch, and has not been heavily tested. I'd : appreciate any feedback people have. I'd like to get this committed : to the main tree at some point, so if the maintainers have any : architectural changes they'd like in order to accomplish that, I'd : be happy to comply. What version is this patch against? Are you aware of the PreferredAuthentications directive, new in 2.5.2(pN)? They seem very similar. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
bukys at cs.rochester.edu
2001-Mar-28 13:00 UTC
Initial patch to implement partial auth with SSH2
Allowing the server to require more than one form of authentication is GOOD.
Hi All... I am using the CygWin port of OpenSSH with NT/Win2k servers. I was looking at this issue and was advised of this thread. With the CygWin port, a password is required to do the setuid if you log in with a different user-id than the server. CygWin solves this by only allowing password authentication if the user-id must be changed. I am concerned about password only authentication and wanted to require RSA first then password authentication. (The password authentication is then used to feed the password to sshd for the setuid.) This patch is a nice generalization of what I am looking for. I think that multiple authentications would be a big plus in the WinNT/Win2k environemt. I would love to be able to do RSA + Password authentication. Thanks, ...Karl _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com
Hi All... I've been experimenting with the partial authorization patch for OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box. I noticed a bug in the patch that shows up for CygWin users. The problem is that publickey authentication only works if sshd is running with the same user-id as the ssh client. When I run sshd as a service with a user-id of LocalSystem publickey authentication fails. This is because the check_nt_auth call in userauth-pubkey fails if the ssh user-id is different from the sshd user-id. It looks to me like userauth_pubkey needs to "suspend disbelief" (and not call check_nt_auth and auth_password) for partial authentication, in the hope that a password may come later. Then somewhere check_nt_auth auth_password need to be called to make sure that we don't forget to set the sshd user-id to the ssh user-id. Thanks, ...Karl _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com
From: "Karl M" <karlm30 at hotmail.com> To: cygwin at cygwin.com Subject: Re: Initial patch to implement partial auth with SSH2 Date: Fri, 20 Apr 2001 07:32:39 -0700 Hi Corinna... I was thinking...for the CygWin environment (on WinNT and Win2k) we could avoid the problem of where to place a new call to check_nt_auth and auth_password by requiring that if the ssh and sshd user-ids are different, that password authentication is required (which was the reason I was interested in this in the first place). I can do that for now by using Authorder2 publickey:password and commenting out the check in userauth_publickey. Thanks, ...Karl>From: Corinna Vinschen <vinschen at redhat.com> >To: cygwin at cygwin.com, openssh-unix-dev at mindrot.org >Subject: Re: Initial patch to implement partial auth with SSH2 >Date: Fri, 20 Apr 2001 13:13:54 +0200 > >On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote: > > Hi All... > > > > I've been experimenting with the partial authorization patch for > > OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box. > > > > I noticed a bug in the patch that shows up for CygWin users. The problem >is > > that publickey authentication only works if sshd is running with the >same > > user-id as the ssh client. When I run sshd as a service with a user-id >of > > LocalSystem publickey authentication fails. > > > > This is because the check_nt_auth call in userauth-pubkey fails if the >ssh > > user-id is different from the sshd user-id. > > > > It looks to me like userauth_pubkey needs to "suspend disbelief" (and >not > > call check_nt_auth and auth_password) for partial authentication, in the > > hope that a password may come later. Then somewhere check_nt_auth > > auth_password need to be called to make sure that we don't forget to set >the > > sshd user-id to the ssh user-id. > >Since the original partial authorization patch isn't applied yet, >you're somwhat on your own. Why don't you simply override the >check in `check_ntsec' for now? > >Corinna > >-- >Corinna Vinschen >Cygwin Developer >Red Hat, Inc. >mailto:vinschen at redhat.com_________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com
Reasonably Related Threads
- Updated partial auth patch against CVS
- possible bug + patch : OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + P asswordAuthentication no + PermitEmptyPasswords yes
- New initial patch to implement partial auth with SSH2
- [PATCH]: Fix potential security hole in Cygwin version
- OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)