bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:34 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1930
--- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06
10:34:24 EST ---
Retarget unresolved bugs/features to 6.0 release
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:36 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #35 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:35 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:39 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1845 |
--- Comment #36 from Damien Miller <djm at mindrot.org> 2011-09-06
10:39:11 EST ---
Retarget unresolved bugs/features to 6.0 release
(try again - bugzilla's "change several" isn't)
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-07 04:51 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #37 from jchadima at redhat.com 2011-09-07 14:51:20 EST ---
Created attachment 2079
--> https://bugzilla.mindrot.org/attachment.cgi?id=2079
Another approach to solution of the problem

I've created another patch which solves a similar problem. There are new
configuration items TwoFactorAuthentication and Second.*Authentication. If
TwoFactorAuthentication is not set, sshd works as usual. If it is set, then
after the successful authentication the Second set, without the method
successfully used in the first authentication, is enabled and the second
authentication cycle is started. There is no need to work with short names
like "kbdint" in the configuration file. This scheme may easily be extended
to new potential authentication methods.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-07 04:52 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jchadima at redhat.com
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-08 22:59 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
David Woodhouse <dwmw2 at infradead.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dwmw2 at infradead.org
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-08 23:43 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #38 from David Woodhouse <dwmw2 at infradead.org> 2011-09-09 09:43:31 EST ---
Paul, why do you say (in comment #30) that the patch doesn't work with
SELinux? I tried your latest patch from comment #33, which I think is just
updated to apply to the latest OpenSSH rather than really changed... and it
seems to work fine. Is there something known to be wrong?

What remains to be fixed before this patch can be merged?
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-09 04:21 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #39 from Paul Sery <pgsery at swcp.com> 2011-09-09 14:21:17 EST ---
The patch didn't work for me when I tested it with SELinux at that time.
SELinux policy is constantly updated, so I'm not surprised it's working now.
I'll check it out on my systems now.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-12 19:49 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #40 from David Woodhouse <dwmw2 at infradead.org> 2011-09-13 05:49:16 EST ---
(In reply to comment #33)
> Created attachment 1999 [details]
> Updated to -current
>
> Updated patch to -current and 5.8p1. Appears to work with
> sshd_config->RequiredAuthentications2 publickey,password.

I take it we've dropped the 'necessary but not sufficient' bit?

This looks wrong: Don't we want SSHCFG_ALL in each of the new additions here?:

@@ -451,6 +456,8 @@ static struct {
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+	{ "requiredauthentications1", sRequiredAuthentications1 },
+	{ "requiredauthentications2", sRequiredAuthentications2 },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
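Review bot: the two added entries omit the third (flags) field, so the initializer zero-fills it and the new keywords carry neither SSHCFG_GLOBAL nor SSHCFG_MATCH, unlike every neighbouring entry in the table. Use SSHCFG_ALL as the reply suggests, i.e. `{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },` and the same for requiredauthentications2, so that a required-method list can be set per user or group inside a Match block, which is the natural place for this kind of policy. It is also worth checking that the routine in servconf.c that copies Match-block options into the active config propagates the two new fields, which this hunk does not show.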
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-13 03:39 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #41 from Paul Sery <pgsery at swcp.com> 2011-09-13 13:39:23 EST ---
Yes, my mistake. I'll add it in the next patch.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-17 10:00 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2079|0 |1
is obsolete| |
--- Comment #42 from jchadima at redhat.com 2011-09-17 20:00:32 EST ---
Created attachment 2084
--> https://bugzilla.mindrot.org/attachment.cgi?id=2084
Another approach to solution of the problem (updated)
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-17 11:39 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #43 from David Woodhouse <dwmw2 at infradead.org> 2011-09-17
21:39:50 EST ---
My use case for this is to run a PAM stack *after* pubkey
authentication, and one environment in which I want to do that is for
something like gitolite, where multiple people each have their own SSH
key installed, but there is only one local user. We want to use keys
*and* a one-time password.
It would be really useful if the PAM stack could know *which* SSH key
was used to authenticate. Then we can have an OTP setup for each human
being rather than just having a single shared one.
This kind of thing should probably do it. This makes the two-step
authentication much more useful for us.
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 137887e..68f1a6a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -350,6 +350,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
verbose("Accepted certificate ID \"%s\" "
"signed by %s CA %s via %s", key->cert->key_id,
key_type(found), fp, file);
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_putenv("SSH_PUBKEY_TYPE", "X509");
+ do_pam_putenv("SSH_PUBKEY", key->cert->key_id);
+ }
+#endif
xfree(fp);
found_key = 1;
break;
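Review bot: the SSH_PUBKEY_TYPE value "X509" in this certificate branch is a misnomer: the branch handles OpenSSH certificates (key_type() on such a key reports a "-CERT" type), not X.509, and the SSH_PUBKEY value here is the CA-assigned key_id string while the plain-key branch below exports a fingerprint, so a PAM module has to interpret SSH_PUBKEY differently depending on which type string it sees. Suggest `do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));` here as well, and distinct variable names (say SSH_PUBKEY_ID and SSH_PUBKEY_FP) for the two different payloads. The return value of do_pam_putenv() is also dropped in both calls; a failed pam_putenv() should at least be logged, since the PAM stack will otherwise make its decision on a missing value.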
@@ -365,6 +371,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));
+ do_pam_putenv("SSH_PUBKEY", fp);
+ }
+#endif
xfree(fp);
break;
}
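Review bot: this export sits in the key-lookup path, which sshd runs both for the client's unsigned "is this key acceptable?" query and for the signed request, so SSH_PUBKEY ends up naming the last key that matched the file, not necessarily one whose possession was proven with a signature. A PAM module should therefore rely on it only when publickey is itself in the required list (the configuration this bug is about), and the lead-in text should say so. Minor: the fingerprint is the MD5 hex form (SSH_FP_MD5, visible on the line above), so whatever consumes it must index its mapping by that same form, and as in the certificate hunk the do_pam_putenv() return value is ignored.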
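As an added illustration of the use case in the comment above (this is example code, not part of bug 983 and not OpenSSH or gitolite code): a pam_exec-style helper that takes the SSH_PUBKEY fingerprint the patch exports and maps it back to the human who owns that authorized_keys entry, so a per-person OTP can be selected even though all keys live under one local account. It assumes SSH_PUBKEY carries the colon-separated MD5 hex fingerprint (the SSH_FP_MD5/SSH_FP_HEX form used in the hunk) and, as a convention of the example only, that each entry's comment field names the human. The keys and authorized_keys lines are constructed test data.

```python
# Added example (not OpenSSH code, not part of bug 983): a pam_exec-style helper
# that maps the SSH_PUBKEY fingerprint the patch above exports back to the
# human who owns that authorized_keys entry.  Assumed: SSH_PUBKEY carries the
# colon-separated MD5 hex fingerprint (the SSH_FP_MD5/SSH_FP_HEX form) and the
# entry's comment field names the human (a convention of this example).
import base64
import hashlib
import os
import struct
import sys

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 32-bit big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 when the high bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob; used here only to construct test keys."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex fingerprint, as key_fingerprint(SSH_FP_MD5, SSH_FP_HEX) prints it."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def split_options(line: str):
    """Split an authorized_keys line into (options, key part).

    Options end at the first space outside double quotes, so a gitolite-style
    command="/path/gitolite-shell alice",no-pty prefix survives intact.
    """
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2                       # escaped char inside a quoted value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
        i += 1
    raise ValueError("options present but no key follows: %r" % line)


def parse_authorized_keys(text: str) -> dict:
    """Map MD5 fingerprint -> (key type, options, comment) for each key line."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, keypart = split_options(line)
        fields = keypart.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue                     # malformed line: skip it, as sshd does
        blob = base64.b64decode(fields[1])
        comment = fields[2] if len(fields) == 3 else ""
        table[md5_fingerprint(blob)] = (fields[0], options, comment)
    return table


def identify_key_owner(env, table: dict):
    """Return the comment (human identity) for the key named by SSH_PUBKEY, or None.

    None means the PAM module must fail closed rather than fall back to a shared secret.
    """
    fp = env.get("SSH_PUBKEY", "").strip().lower()
    if fp.count(":") != 15:              # 16 MD5 bytes -> 15 separators
        return None
    entry = table.get(fp)
    return entry[2] if entry else None


# Constructed data: one local account, two humans, gitolite-style entries.
# The RSA moduli are made-up small numbers, not real keys.
ALICE_BLOB = build_rsa_blob(65537, 0xC0FFEE0000000000000000000000000001)
BOB_BLOB = build_rsa_blob(65537, 0xBADC0DE00000000000000000000000003)
AUTHORIZED_KEYS = "\n".join([
    "# git account shared by several people",
    'command="/home/git/bin/gitolite-shell alice",no-port-forwarding,no-pty ssh-rsa '
    + base64.b64encode(ALICE_BLOB).decode() + " alice@laptop",
    'command="/home/git/bin/gitolite-shell bob",no-port-forwarding,no-pty ssh-rsa '
    + base64.b64encode(BOB_BLOB).decode() + " bob@desktop",
])

if __name__ == "__main__":
    # pam_exec usage: exit 0 when the key maps to a known human, 1 otherwise.
    owner = identify_key_owner(os.environ, parse_authorized_keys(AUTHORIZED_KEYS))
    print(owner or "unknown key")
    sys.exit(0 if owner else 1)
```

Run under pam_exec with the PAM environment exported, the script exits non-zero for an unknown or absent fingerprint; whatever OTP module follows it should key its secret off the printed identity rather than the shared account name.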
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:25 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Jan F. Chadima <jfch at jagda.eu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jfch at jagda.eu
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-26 21:22 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #44 from David Woodhouse <dwmw2 at infradead.org> 2011-09-27
07:22:44 EST ---
(In reply to comment #33)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7f3f7e0 (LWP 3257)]
0x00007ffff7f9c32a in input_userauth_info_response (type=<optimized out>,
    seq=<optimized out>, ctxt=0x7ffff8213b90) at auth2-chall.c:344
344	    userauth_finish(authctxt, authenticated, "keyboard-interactive",
(gdb) p kbdintctxt->device->name
Cannot access memory at address 0x0
(gdb) p kbdintctxt->device
$7 = (KbdintDevice *) 0x0
I don't quite understand how the extra 'submethod' argument to
userauth_finish() and auth_log() is relevant to this patch. Normally I
would expect it to be part of a separate patch. It appears to be
entirely cosmetic... apart from the SEGV that it causes. So I fixed it
thus without worrying too much about what it *should* have been:
--- auth2-chall.c~ 2011-09-26 20:50:00.741593219 +0100
+++ auth2-chall.c 2011-09-26 22:18:41.119608430 +0100
@@ -342,7 +342,7 @@ input_userauth_info_response(int type, u
}
}
userauth_finish(authctxt, authenticated, "keyboard-interactive",
- kbdintctxt->device->name);
+ kbdintctxt->device?kbdintctxt->device->name:NULL);
}
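Review bot: the ternary silences the NULL dereference but drops the submethod name on exactly the path that needed it: the gdb session above shows kbdintctxt->device is already 0x0 when this line runs, because the device context has been released or advanced before the name is read, so a successful keyboard-interactive authentication now reaches userauth_finish() with a NULL submethod. Capture the name into a local earlier in the function, e.g. `devicename = kbdintctxt->device->name;` right after the device's response has been evaluated and before the challenge context is stopped or restarted, and pass `devicename` here. Also confirm that userauth_finish() and auth_log() tolerate a NULL submethod, since this change can now hand them one.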
void
Note: This SEGV wasn't trivial to find. The symptom was just that
mm_request_receive() got -EPIPE after the child process died. No hint
about the SEGV was visible because a handler was installed. Even when
running it in gdb it didn't show up until I set 'follow-fork-mode
child'. Is this not a really bad thing?
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-26 21:40 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #45 from David Woodhouse <dwmw2 at infradead.org> 2011-09-27 07:40:08 EST ---
Oh, that fixes the fact that the patch breaks keyboard-interactive
authentication when it's the only form of authentication. But
RequiredAuthentications2 publickey,keyboard-interactive still doesn't work:

INTERNAL ERROR: authenticated method "keyboard-interactive/pam" not in
required list "keyboard-interactive"
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-26 22:02 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
David Woodhouse <dwmw2 at infradead.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1955|0 |1
is obsolete| |
Attachment #1999|0 |1
is obsolete| |
--- Comment #46 from David Woodhouse <dwmw2 at infradead.org> 2011-09-27
08:02:11 EST ---
Created attachment 2096
--> https://bugzilla.mindrot.org/attachment.cgi?id=2096
Updated version of original patch.
Oh, *now* I see why we were splitting 'keyboard-interactive/pam' into
the method 'keyboard-interactive' and the submethod 'pam', and why it's
a necessary part of this patch. I've been spoiled by git users who put
that kind of information into the commit comments.
Here's an updated patch against the current git mirror, which should
fix that by doing the same thing in monitor.c.
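To make the method/submethod point from the last two comments concrete, here is an added model of the required-list check (example code, not from any attachment on this bug and not OpenSSH code). It shows the literal comparison that produces the "INTERNAL ERROR ... not in required list" message when sshd reports "keyboard-interactive/pam", beside a policy object that credits such a success to the method "keyboard-interactive" with "pam" as its submethod and grants access only once every listed method has succeeded. The RequiredAuth class, its API and the rule that a success outside the list is a hard failure are assumptions of this model.

```python
# Added example (not OpenSSH code, not from bug 983's patches): a model of a
# "required authentications" check.  Method names are the SSH userauth names;
# the RequiredAuth API and the hard-failure rule are assumptions of the model.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUBMETHOD_SEP = "/"


def split_method(name: str) -> Tuple[str, Optional[str]]:
    """'keyboard-interactive/pam' -> ('keyboard-interactive', 'pam'); 'publickey' -> ('publickey', None)."""
    method, sep, sub = name.partition(SUBMETHOD_SEP)
    if not method:
        raise ValueError("empty method name: %r" % name)
    return method, ((sub or None) if sep else None)


def naive_in_list(reported: str, required: Tuple[str, ...]) -> bool:
    """The check behind the INTERNAL ERROR in comment #45: the reported name,
    submethod included, is compared literally against the configured list."""
    return reported in required


@dataclass
class RequiredAuth:
    """Progress through a comma-separated list of methods that must ALL succeed."""
    required: Tuple[str, ...]
    done: List[str] = field(default_factory=list)

    @classmethod
    def parse(cls, spec: str) -> "RequiredAuth":
        """Parse 'publickey,keyboard-interactive'; the list names methods, never submethods."""
        methods = tuple(m.strip() for m in spec.split(",") if m.strip())
        if not methods:
            raise ValueError("empty required list")
        for m in methods:
            if SUBMETHOD_SEP in m:
                raise ValueError("list names methods, not submethods: %r" % m)
        if len(set(methods)) != len(methods):
            raise ValueError("method listed twice: %r" % spec)
        return cls(methods)

    def record_success(self, reported: str) -> bool:
        """Credit a successful authentication; False if its method is not in the list."""
        method, _submethod = split_method(reported)   # 'pam' is informational only
        if method not in self.required:
            return False
        if method not in self.done:
            self.done.append(method)
        return True

    def remaining(self) -> Tuple[str, ...]:
        """Methods still outstanding, in configured order."""
        return tuple(m for m in self.required if m not in self.done)

    def satisfied(self) -> bool:
        return not self.remaining()


def run_session(spec: str, successes: Tuple[str, ...]) -> Tuple[bool, Tuple[str, ...]]:
    """Feed a sequence of successful method names through the policy.

    Returns (access granted?, methods still outstanding).  A success reported
    for a method outside the list aborts the session (model assumption), since
    sshd should never have offered that method in the first place.
    """
    policy = RequiredAuth.parse(spec)
    for name in successes:
        if not policy.record_success(name):
            return False, policy.remaining()
    return policy.satisfied(), policy.remaining()
```

The failing case from comment #45 is `naive_in_list("keyboard-interactive/pam", ("keyboard-interactive",))`, which is False; `run_session("publickey,keyboard-interactive", ("publickey", "keyboard-interactive/pam"))` grants access because the submethod is stripped before the list is consulted.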
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-27 08:26 UTC
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
David Sickmiller <david at sickmiller.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|david at sickmiller.com |