Attached is a patch which adds a new config option, AuthOrder2, to sshd_config.c. The syntax is:

    AuthOrder2 AuthMethod1[:SubAuthMethod1[:SubAuthMethod2...]][,AuthMethod2...]

An example, requiring users to enter a public key _and_ a password, in that order:

    AuthOrder2 publickey:password

The current default behaviour:

    AuthOrder2 password,publickey,keyboard-interactive

Require a public key, then either a password or keyboard-interactive:

    AuthOrder2 publickey:password,publickey:keyboard-interactive

It's still a rough patch, and has not been heavily tested. I'd appreciate any feedback people have. I'd like to get this committed to the main tree at some point, so if the maintainers have any architectural changes they'd like in order to accomplish that, I'd be happy to comply.

-- 
Carson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: partialauth.patch
Type: application/octet-stream
Size: 10272 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010328/27425593/attachment.obj
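The AuthOrder2 grammar above is a list of alternatives (comma-separated), each a chain of sub-methods (colon-separated) that must all succeed in the order written. The model below is an added example written for this page; it is not code from Carson's patch or from OpenSSH. It parses an AuthOrder2 spec, tracks which methods a client has completed, and returns what an SSH2 server would encode in its reply: either success, or a failure carrying the "authentications that can continue" list plus the partial-success flag. The method names and the credential checkers are stand-ins; no real key or password verification is performed. The one security-relevant design choice worth noting is that a credential is only checked when the method is permitted at that point in the chain, so a client cannot use a password attempt to probe password validity while a public key is still outstanding. (OpenSSH later shipped the same model as the server-side AuthenticationMethods directive, from 6.2 onwards, with a space separating alternatives and a comma separating the methods of one chain.)

```python
"""Model of the AuthOrder2 semantics from the thread (added example, not
the patch's code).  Method names are stand-ins; 'check' callables are
assumed credential verifiers supplied by the caller."""

from dataclasses import dataclass, field


def parse_auth_order(spec):
    """Parse 'A:B,C' into [['A', 'B'], ['C']].

    A comma separates alternatives; a colon separates the sub-methods of
    one alternative, which must all succeed in the given order.
    """
    chains = []
    for alt in spec.split(","):
        chain = [m.strip() for m in alt.split(":")]
        if any(not m for m in chain):
            raise ValueError("empty method name in AuthOrder2 spec: %r" % spec)
        chains.append(chain)
    return chains


@dataclass
class PartialAuth:
    """Per-connection authentication state."""
    chains: list
    done: list = field(default_factory=list)  # methods that succeeded, in order

    def permitted(self):
        """Methods the client may attempt now: for every chain that the
        successes so far are a proper prefix of, that chain's next method.
        Order is preserved and duplicates are removed."""
        out = []
        n = len(self.done)
        for chain in self.chains:
            if len(chain) > n and chain[:n] == self.done:
                m = chain[n]
                if m not in out:
                    out.append(m)
        return out

    def complete(self):
        """True once the successes so far equal one whole alternative."""
        return any(chain == self.done for chain in self.chains)

    def attempt(self, method, check):
        """Handle one client attempt.

        'check' is only called when 'method' is permitted at this point, so
        a method the order does not allow yet (e.g. password before
        publickey under 'publickey:password') is refused without touching
        the credential.  Returns ('success',) or
        ('failure', methods_that_can_continue, partial_success), the same
        information an SSH2 USERAUTH_FAILURE message carries.
        """
        if method not in self.permitted():
            return ("failure", self.permitted(), False)
        if not check():
            return ("failure", self.permitted(), False)
        self.done.append(method)
        if self.complete():
            return ("success",)
        return ("failure", self.permitted(), True)


def run(spec, attempts):
    """Replay constructed (method, credential_ok) attempts against a spec
    and return the list of server replies."""
    state = PartialAuth(parse_auth_order(spec))
    replies = []
    for method, ok in attempts:
        replies.append(state.attempt(method, lambda ok=ok: ok))
    return replies


if __name__ == "__main__":
    # Constructed scenario: the order from the post that requires a key
    # and then a password.  A password-first attempt is refused outright.
    for reply in run("publickey:password",
                     [("password", True), ("publickey", True), ("password", True)]):
        print(reply)
```

Under the "publickey:password,publickey:keyboard-interactive" example, a successful publickey leaves both "password" and "keyboard-interactive" in the can-continue list with partial success set, which is exactly the client-visible behaviour the post describes.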
Circa 2001-Mar-28 00:59:12 -0800 dixit Carson Gaspar:

: Attached is a patch which adds a new config option, AuthOrder2, to
: sshd_config.c. The syntax is:

[...]

: It's still a rough patch, and has not been heavily tested. I'd
: appreciate any feedback people have. I'd like to get this committed
: to the main tree at some point, so if the maintainers have any
: architectural changes they'd like in order to accomplish that, I'd
: be happy to comply.

What version is this patch against? Are you aware of the PreferredAuthentications directive, new in 2.5.2(pN)? They seem very similar.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
bukys at cs.rochester.edu
2001-Mar-28 13:00 UTC
Initial patch to implement partial auth with SSH2
Allowing the server to require more than one form of authentication is GOOD.
Hi All...

I am using the CygWin port of OpenSSH with NT/Win2k servers. I was looking at this issue and was advised of this thread.

With the CygWin port, a password is required to do the setuid if you log in with a different user-id than the server. CygWin solves this by only allowing password authentication if the user-id must be changed. I am concerned about password only authentication and wanted to require RSA first then password authentication. (The password authentication is then used to feed the password to sshd for the setuid.)

This patch is a nice generalization of what I am looking for. I think that multiple authentications would be a big plus in the WinNT/Win2k environment. I would love to be able to do RSA + Password authentication.

Thanks,

...Karl
Hi All...

I've been experimenting with the partial authorization patch for OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.

I noticed a bug in the patch that shows up for CygWin users. The problem is that publickey authentication only works if sshd is running with the same user-id as the ssh client. When I run sshd as a service with a user-id of LocalSystem publickey authentication fails.

This is because the check_nt_auth call in userauth_pubkey fails if the ssh user-id is different from the sshd user-id.

It looks to me like userauth_pubkey needs to "suspend disbelief" (and not call check_nt_auth and auth_password) for partial authentication, in the hope that a password may come later. Then somewhere check_nt_auth and auth_password need to be called to make sure that we don't forget to set the sshd user-id to the ssh user-id.

Thanks,

...Karl
From: "Karl M" <karlm30 at hotmail.com>
To: cygwin at cygwin.com
Subject: Re: Initial patch to implement partial auth with SSH2
Date: Fri, 20 Apr 2001 07:32:39 -0700

Hi Corinna...

I was thinking...for the CygWin environment (on WinNT and Win2k) we could avoid the problem of where to place a new call to check_nt_auth and auth_password by requiring that if the ssh and sshd user-ids are different, that password authentication is required (which was the reason I was interested in this in the first place). I can do that for now by using AuthOrder2 publickey:password and commenting out the check in userauth_publickey.

Thanks,

...Karl

>From: Corinna Vinschen <vinschen at redhat.com>
>To: cygwin at cygwin.com, openssh-unix-dev at mindrot.org
>Subject: Re: Initial patch to implement partial auth with SSH2
>Date: Fri, 20 Apr 2001 13:13:54 +0200
>
>On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote:
> > Hi All...
> >
> > I've been experimenting with the partial authorization patch for
> > OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.
> >
> > I noticed a bug in the patch that shows up for CygWin users. The problem is
> > that publickey authentication only works if sshd is running with the same
> > user-id as the ssh client. When I run sshd as a service with a user-id of
> > LocalSystem publickey authentication fails.
> >
> > This is because the check_nt_auth call in userauth_pubkey fails if the ssh
> > user-id is different from the sshd user-id.
> >
> > It looks to me like userauth_pubkey needs to "suspend disbelief" (and not
> > call check_nt_auth and auth_password) for partial authentication, in the
> > hope that a password may come later. Then somewhere check_nt_auth and
> > auth_password need to be called to make sure that we don't forget to set the
> > sshd user-id to the ssh user-id.
>
>Since the original partial authorization patch isn't applied yet,
>you're somewhat on your own. Why don't you simply override the
>check in `check_ntsec' for now?
>
>Corinna
>
>--
>Corinna Vinschen
>Cygwin Developer
>Red Hat, Inc.
>mailto:vinschen at redhat.com