[openssh-commits] [openssh] 08/17: upstream: prepare for multiple names for authmethods

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Dec 20 09:28:33 AEDT 2021


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit dbb339f015c33d63484261d140c84ad875a9e548
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Dec 19 22:12:07 2021 +0000

    upstream: prepare for multiple names for authmethods
    
    allow authentication methods to have one additional name beyond their
    primary name.
    
    allow lookup by this synonym
    
    Use primary name for authentication decisions, e.g. for
    PermitRootLogin=publickey
    
    Pass the actual invoked name to the authmethods, so they can tell whether they
    were requested via their primary name or synonym.
    
    ok markus@
    
    OpenBSD-Commit-ID: 9e613fcb44b8168823195602ed3d09ffd7994559
---
 auth.h            |  5 +++--
 auth2-gss.c       |  5 +++--
 auth2-hostbased.c |  7 ++++---
 auth2-kbdint.c    |  5 +++--
 auth2-none.c      |  5 +++--
 auth2-passwd.c    |  5 +++--
 auth2-pubkey.c    |  7 ++++---
 auth2.c           | 28 +++++++++++++++++++---------
 8 files changed, 42 insertions(+), 25 deletions(-)

diff --git a/auth.h b/auth.h
index 43c7d3d4..a65d8fd0 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.101 2020/12/22 00:12:22 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.102 2021/12/19 22:12:07 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -104,7 +104,8 @@ struct Authctxt {
 
 struct Authmethod {
 	char	*name;
-	int	(*userauth)(struct ssh *);
+	char	*synonym;
+	int	(*userauth)(struct ssh *, const char *);
 	int	*enabled;
 };
 
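Review bot: The new `synonym` member and the new `const char *` argument of `userauth` are undocumented, and struct Authmethod is the only place a method implementer will look to learn what they mean. Per the commit message the primary name drives authentication decisions while the second argument is the name the client actually requested, which may be the synonym; a short comment on each field keeps that contract visible: `char	*name;		/* primary name; used for auth decisions */`, `char	*synonym;	/* optional alternate name, NULL if none */`, `int	(*userauth)(struct ssh *, const char *); /* arg: name the client sent */`. The rest of struct Authctxt above this hunk is outside the view.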
diff --git a/auth2-gss.c b/auth2-gss.c
index 60e36961..2062609d 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -60,7 +60,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
  * how to check local user kuserok and the like)
  */
 static int
-userauth_gssapi(struct ssh *ssh)
+userauth_gssapi(struct ssh *ssh, const char *method)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	gss_OID_desc goid = {0, NULL};
@@ -329,6 +329,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
+	NULL,
 	userauth_gssapi,
 	&options.gss_authentication
 };
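Review bot: The added `NULL,` is a positional initializer, so each of these tables now depends on the field order in struct Authmethod, and the next field inserted there will silently shift every entry again; the same pattern recurs in auth2-hostbased.c, auth2-kbdint.c, auth2-none.c, auth2-passwd.c and auth2-pubkey.c. If the project's compiler baseline permits C99 designated initializers, they make the binding explicit and order-independent: `.name = "gssapi-with-mic",` `.synonym = NULL,` `.userauth = userauth_gssapi,` with `.enabled = &options.gss_authentication` likewise. This is a point of style only; the initializers as written are correct for the current field order.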
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 3a29126c..10f9ea14 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.47 2021/07/23 03:37:52 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.48 2021/12/19 22:12:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -57,7 +57,7 @@
 extern ServerOptions options;
 
 static int
-userauth_hostbased(struct ssh *ssh)
+userauth_hostbased(struct ssh *ssh, const char *method)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	struct sshbuf *b;
@@ -132,7 +132,7 @@ userauth_hostbased(struct ssh *ssh)
 	    (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 	    (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
 	    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
-	    (r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
+	    (r = sshbuf_put_cstring(b, method)) != 0 ||
 	    (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
 	    (r = sshbuf_put_string(b, pkblob, blen)) != 0 ||
 	    (r = sshbuf_put_cstring(b, chost)) != 0 ||
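Review bot: The name written into the reconstructed request at `(r = sshbuf_put_cstring(b, method)) != 0 ||` must be exactly the string the client sent, because the client's signature covers that buffer; that is why the invoked name and not the method's primary name belongs here, and the same holds for the matching line in auth2-pubkey.c. Nothing in the code says so, and a later cleanup that "normalises" it to the primary name would break signature verification for requests made under the synonym, so a comment would help: `/* must be the name the client sent: it is covered by the signature */`. userauth_hostbased's body continues outside the hunk.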
@@ -255,6 +255,7 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
 
 Authmethod method_hostbased = {
 	"hostbased",
+	NULL,
 	userauth_hostbased,
 	&options.hostbased_authentication
 };
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index 037139d4..ae7eca3b 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.13 2021/07/02 05:11:20 dtucker Exp $ */
+/* $OpenBSD: auth2-kbdint.c,v 1.14 2021/12/19 22:12:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -44,7 +44,7 @@
 extern ServerOptions options;
 
 static int
-userauth_kbdint(struct ssh *ssh)
+userauth_kbdint(struct ssh *ssh, const char *method)
 {
 	int r, authenticated = 0;
 	char *lang, *devs;
@@ -66,6 +66,7 @@ userauth_kbdint(struct ssh *ssh)
 
 Authmethod method_kbdint = {
 	"keyboard-interactive",
+	NULL,
 	userauth_kbdint,
 	&options.kbd_interactive_authentication
 };
diff --git a/auth2-none.c b/auth2-none.c
index 02d6e341..d9f97223 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-none.c,v 1.23 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-none.c,v 1.24 2021/12/19 22:12:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -59,7 +59,7 @@ extern ServerOptions options;
 static int none_enabled = 1;
 
 static int
-userauth_none(struct ssh *ssh)
+userauth_none(struct ssh *ssh, const char *method)
 {
 	int r;
 
@@ -73,6 +73,7 @@ userauth_none(struct ssh *ssh)
 
 Authmethod method_none = {
 	"none",
+	NULL,
 	userauth_none,
 	&none_enabled
 };
diff --git a/auth2-passwd.c b/auth2-passwd.c
index be4b8606..f8a6dbc1 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.20 2021/12/19 22:12:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -49,7 +49,7 @@
 extern ServerOptions options;
 
 static int
-userauth_passwd(struct ssh *ssh)
+userauth_passwd(struct ssh *ssh, const char *method)
 {
 	char *password;
 	int authenticated = 0, r;
@@ -72,6 +72,7 @@ userauth_passwd(struct ssh *ssh)
 
 Authmethod method_passwd = {
 	"password",
+	NULL,
 	userauth_passwd,
 	&options.password_authentication
 };
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2adbf590..ed3e74c3 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.110 2021/09/29 01:33:32 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.111 2021/12/19 22:12:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -86,7 +86,7 @@ format_key(const struct sshkey *key)
 }
 
 static int
-userauth_pubkey(struct ssh *ssh)
+userauth_pubkey(struct ssh *ssh, const char *method)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	struct passwd *pw = authctxt->pw;
@@ -192,7 +192,7 @@ userauth_pubkey(struct ssh *ssh)
 		if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 		    (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
 		    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
-		    (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
+		    (r = sshbuf_put_cstring(b, method)) != 0 ||
 		    (r = sshbuf_put_u8(b, have_sig)) != 0 ||
 		    (r = sshbuf_put_cstring(b, pkalg)) != 0 ||
 		    (r = sshbuf_put_string(b, pkblob, blen)) != 0)
@@ -1067,6 +1067,7 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 
 Authmethod method_pubkey = {
 	"publickey",
+	NULL,
 	userauth_pubkey,
 	&options.pubkey_authentication
 };
diff --git a/auth2.c b/auth2.c
index 84d0ed16..bcc61196 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.161 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.162 2021/12/19 22:12:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -331,7 +331,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 	m = authmethod_lookup(authctxt, method);
 	if (m != NULL && authctxt->failures < options.max_authtries) {
 		debug2("input_userauth_request: try method %s", method);
-		authenticated =	m->userauth(ssh);
+		authenticated =	m->userauth(ssh, method);
 	}
 	if (!authctxt->authenticated)
 		ensure_minimum_time_since(tstart,
@@ -346,18 +346,26 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 }
 
 void
-userauth_finish(struct ssh *ssh, int authenticated, const char *method,
+userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
     const char *submethod)
 {
 	Authctxt *authctxt = ssh->authctxt;
+	Authmethod *m = NULL;
+	const char *method = packet_method;
 	char *methods;
 	int r, partial = 0;
 
-	if (!authctxt->valid && authenticated)
-		fatal("INTERNAL ERROR: authenticated invalid user %s",
-		    authctxt->user);
-	if (authenticated && authctxt->postponed)
-		fatal("INTERNAL ERROR: authenticated and postponed");
+	if (authenticated) {
+		if (!authctxt->valid) {
+			fatal("INTERNAL ERROR: authenticated invalid user %s",
+			    authctxt->user);
+		}
+		if (authctxt->postponed)
+			fatal("INTERNAL ERROR: authenticated and postponed");
+		if ((m = authmethod_lookup(authctxt, method)) == NULL)
+			fatal("INTERNAL ERROR: bad method %s", method);
+		method = m->name; /* prefer primary name to possible synonym */
+	}
 
 	/* Special handling for root */
 	if (authenticated && authctxt->pw->pw_uid == 0 &&
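Review bot: The re-lookup at `if ((m = authmethod_lookup(authctxt, method)) == NULL)` does more than map a synonym to its primary name: authmethod_lookup (next hunk) also requires `*enabled != 0` and a passing auth2_method_allowed(), so a method whose enabled flag is cleared during its own userauth call would make a successful authentication abort with "INTERNAL ERROR: bad method" (auth2-none.c keeps `none_enabled` in a mutable static, which makes this plausible, though its body is not visible here). A name-only lookup that matches primary name or synonym without the policy checks avoids that, since the policy was already enforced in input_userauth_request before the method ran. Separately, because `method` is overwritten with the primary name, anything later in this function that logs it will no longer record `packet_method`; if the invoked name matters for audit, log it as well. The rest of userauth_finish lies outside the hunk.
```c
/* Find a method by primary name or synonym, with no enabled/allowed checks. */
static Authmethod *
authmethod_byname(const char *name)
{
	int i;

	for (i = 0; authmethods[i] != NULL; i++) {
		if (strcmp(name, authmethods[i]->name) == 0 ||
		    (authmethods[i]->synonym != NULL &&
		    strcmp(name, authmethods[i]->synonym) == 0))
			return authmethods[i];
	}
	return NULL;
}

/* … unchanged: userauth_finish prologue and the valid/postponed checks … */
		if ((m = authmethod_byname(method)) == NULL)
			fatal("INTERNAL ERROR: bad method %s", method);
		method = m->name; /* prefer primary name to possible synonym */
```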
@@ -504,7 +512,9 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 		for (i = 0; authmethods[i] != NULL; i++)
 			if (authmethods[i]->enabled != NULL &&
 			    *(authmethods[i]->enabled) != 0 &&
-			    strcmp(name, authmethods[i]->name) == 0 &&
+			    (strcmp(name, authmethods[i]->name) == 0 ||
+			    (authmethods[i]->synonym != NULL &&
+			    strcmp(name, authmethods[i]->synonym) == 0)) &&
 			    auth2_method_allowed(authctxt,
 			    authmethods[i]->name, NULL))
 				return authmethods[i];
