[openssh-commits] [openssh] 01/01: upstream commit

Wed Aug 31 10:38:23 AEST 2016

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Aug 30 07:50:21 2016 +0000

    upstream commit
    
    restrict monitor auth calls to be allowed only when their
    respective authentication methods are enabled in the configuration.
    
    prompted by Solar Designer; ok markus dtucker
    
    Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
---
 monitor.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/monitor.c b/monitor.c
index b255f27..2dfe0c4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.164 2016/08/30 07:50:21 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -844,6 +844,8 @@ mm_answer_authpassword(int sock, Buffer *m)
 	int authenticated;
 	u_int plen;
 
+	if (!options.password_authentication)
+		fatal("%s: password authentication not enabled", __func__);
 	passwd = buffer_get_string(m, &plen);
 	/* Only authenticate if the context is valid */
 	authenticated = options.password_authentication &&
@@ -880,6 +882,8 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
 	char **prompts;
 	u_int success;
 
+	if (!options.kbd_interactive_authentication)
+		fatal("%s: kbd-int authentication not enabled", __func__);
 	success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
 	    &prompts, &echo_on) < 0 ? 0 : 1;
 
@@ -907,6 +911,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
 	char *response;
 	int authok;
 
+	if (!options.kbd_interactive_authentication)
+		fatal("%s: kbd-int authentication not enabled", __func__);
 	if (authctxt->as == NULL)
 		fatal("%s: no bsd auth session", __func__);
 
@@ -1716,6 +1722,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 	OM_uint32 major;
 	u_int len;
 
+	if (!options.gss_authentication)
+		fatal("%s: GSSAPI authentication not enabled", __func__);
+
 	goid.elements = buffer_get_string(m, &len);
 	goid.length = len;
 
@@ -1743,6 +1752,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 	OM_uint32 flags = 0; /* GSI needs this */
 	u_int len;
 
+	if (!options.gss_authentication)
+		fatal("%s: GSSAPI authentication not enabled", __func__);
+
 	in.value = buffer_get_string(m, &len);
 	in.length = len;
 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1771,6 +1783,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 	OM_uint32 ret;
 	u_int len;
 
+	if (!options.gss_authentication)
+		fatal("%s: GSSAPI authentication not enabled", __func__);
+
 	gssbuf.value = buffer_get_string(m, &len);
 	gssbuf.length = len;
 	mic.value = buffer_get_string(m, &len);
@@ -1797,6 +1812,9 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
 	int authenticated;
 
+	if (!options.gss_authentication)
+		fatal("%s: GSSAPI authentication not enabled", __func__);
+
 	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
 
 	buffer_clear(m);

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
