https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pgsery at swcp.com |djm at mindrot.org
--- Comment #58 from Damien Miller <djm at mindrot.org> ---
Created attachment 2192
--> https://bugzilla.mindrot.org/attachment.cgi?id=2192&action=edit
new multiple required authentication methods patch
Here's a patch I'm working on. It adds an AuthenticationMethods option
that lists the possible paths to successful authentication. E.g.
AuthenticationMethods publickey,password gssapi-with-mic,password
publickey,keyboard-interactive
When attempting to authenticate, only methods that are at the start of
one of the paths listed will be offered. Each successful authentication
removes the successful method from the head of each path.
E.g. for the example above, the client would be offered
"publickey,gssapi-with-mic" for the first round. If they completed
publickey authentication they would be offered
"password,gssapi-with-mic,keyboard-interactive". Finally, if they
completed password or keyboard-interactive then they would be
considered authenticated.
The patch is only for SSH2 and will fatal if protocol 1 is enabled. We
can't support arbitrary orders for protocol 1 and I'm not going to make
an OpenSSH-only extension for a dead protocol.
The patch also tries to warn you early if you have selected
authentication paths that are impossible to satisfy with the set of
enabled authentication methods (e.g if you asked for publickey,password
and has PasswordAuthentication=no). This warning won't catch cases
where AuthenticationMethods are set late via Match blocks though.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
You are watching the reporter of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #59 from Damien Miller <djm at mindrot.org> ---
Slightly tweaked patch committed. This will be in OpenSSH 6.2, due
early next year.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
You are watching the reporter of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Petr Lautrbach <plautrba at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #60 from Petr Lautrbach <plautrba at redhat.com> ---
It doesn't work for me with "UsePAM yes" and
"AuthenticationMethods
password,publickey". After successful password authentication I get:
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for plautrba
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 11
debug3: auth2_update_methods_lists: updating methods list after
"password"
debug3: authentication methods list 0 remaining: "publickey"
debug3: monitor_child_preauth: method password: partial
Failed password for plautrba from 127.0.0.1 port 60646 ssh2
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 46 [preauth]
debug3: mm_request_receive_expect entering: type 47 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 46
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 47
debug3: auth2_update_methods_lists: updating methods list after
"unknown"
auth2_update_methods_lists: method not in AuthenticationMethods
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
You are watching the reporter of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=983 --- Comment #61 from Petr Lautrbach <plautrba at redhat.com> --- Created attachment 2196 --> https://bugzilla.mindrot.org/attachment.cgi?id=2196&action=edit fix of multiple required authentication methods auth2.c: - don't call do_pam_account() for partial authentication success - authctxt->failures shouldn't be increased for partial success - auth_log() should log "Accepted method" for partial success monitor.c: - authctxt->failures shouldn't be increased for partial success - auth_log() should log "Accepted method" for partial success -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. You are watching the reporter of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=983 --- Comment #62 from Petr Lautrbach <plautrba at redhat.com> --- I've just read the mailing list. My patch doesn't reset partial in while loop in monitor_child_preauth() and also doesn't work for keyboard-interactive. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. You are watching the reporter of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Petr Lautrbach <plautrba at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2196|0 |1
is obsolete| |
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
You are watching the reporter of the bug.
Possibly Parallel Threads
- [Bug 2270] New: AuthenticationMethods - partial success is considered as failure
- SAP-2015-3-1 issues
- [Bug 983] Required authentication
- Subsystem sftp invoked even though forced command created
- [Bug 2263] New: sshd privsep monitor process doesn't handle SIGXFSZ signal