[Bug 983] Required authentication

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Nov 1 11:50:53 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=983

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|pgsery at swcp.com             |djm at mindrot.org

--- Comment #58 from Damien Miller <djm at mindrot.org> ---
Created attachment 2192
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2192&action=edit
new multiple required authentication methods patch

Here's a patch I'm working on. It adds an AuthenticationMethods option
that lists the possible paths to successful authentication. E.g.

AuthenticationMethods publickey,password gssapi-with-mic,password
publickey,keyboard-interactive

When attempting to authenticate, only methods that are at the start of
one of the paths listed will be offered. Each successful authentication
removes the successful method from the head of each path.

E.g. for the example above, the client would be offered
"publickey,gssapi-with-mic" for the first round. If they completed
publickey authentication they would be offered
"password,gssapi-with-mic,keyboard-interactive". Finally, if they
completed password or keyboard-interactive then they would be
considered authenticated.
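As an added illustration (not the patch itself and not OpenSSH code), a small C model of the path bookkeeping described above: parse the option value, offer the distinct heads of the remaining paths, and drop a completed method from the head of each path that starts with it. It assumes fixed limits on the number of paths, steps and name length, and treats method names as opaque strings.

```c
#include <string.h>
enum { MAX_PATHS = 8, MAX_STEPS = 4, NAME_LEN = 32 };  /* assumed limits (constructed) */
/* One path to successful authentication: the methods still required, head first. */
struct auth_path { char step[MAX_STEPS][NAME_LEN]; int nsteps; };
struct auth_state { struct auth_path path[MAX_PATHS]; int npaths; };
/* Parse an AuthenticationMethods value ("a,b c,d"); -1 on an empty name or overflow. */
int auth_parse(struct auth_state *st, const char *spec) {
    st->npaths = 0;
    while (*spec) {
        struct auth_path *ap;
        if (*spec == ' ') { spec++; continue; }       /* paths are space-separated */
        if (st->npaths >= MAX_PATHS) return -1;
        ap = &st->path[st->npaths++];
        ap->nsteps = 0;
        for (;; spec++) {                             /* methods in a path are comma-separated */
            size_t n = strcspn(spec, ", ");
            if (n == 0 || n >= NAME_LEN || ap->nsteps >= MAX_STEPS) return -1;
            memcpy(ap->step[ap->nsteps], spec, n);
            ap->step[ap->nsteps++][n] = '\0';
            spec += n;
            if (*spec != ',') break;
        }
    }
    return 0;
}
/* Methods offered this round: the distinct heads of the paths not yet completed. */
void auth_offer(const struct auth_state *st, char *out, size_t outlen) {
    out[0] = '\0';
    for (int i = 0; i < st->npaths; i++) {
        const char *head = st->path[i].step[0]; int dup = 0;
        if (st->path[i].nsteps == 0) continue;
        for (int j = 0; j < i && !dup; j++)           /* skip heads already offered */
            dup = st->path[j].nsteps > 0 && strcmp(st->path[j].step[0], head) == 0;
        if (dup) continue;
        if (out[0]) strncat(out, ",", outlen - strlen(out) - 1);
        strncat(out, head, outlen - strlen(out) - 1);
    }
}
/* A method succeeded: drop it from the head of every path starting with it.
 * Returns 1 once some path is exhausted, i.e. the client is authenticated. */
int auth_success(struct auth_state *st, const char *method) {
    int done = 0;
    for (int i = 0; i < st->npaths; i++) {
        struct auth_path *ap = &st->path[i];
        if (ap->nsteps == 0 || strcmp(ap->step[0], method) != 0) continue;
        memmove(ap->step[0], ap->step[1], sizeof ap->step[0] * (ap->nsteps - 1));
        if (--ap->nsteps == 0) done = 1;
    }
    return done;
}
```

With the three-path example from the comment, the offered list is "publickey,gssapi-with-mic", then "password,gssapi-with-mic,keyboard-interactive" after publickey succeeds, and a following password or keyboard-interactive success completes a path.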

The patch is only for SSH2 and will fatal if protocol 1 is enabled. We
can't support arbitrary orders for protocol 1 and I'm not going to make
an OpenSSH-only extension for a dead protocol.

The patch also tries to warn you early if you have selected
authentication paths that are impossible to satisfy with the set of
enabled authentication methods (e.g. if you asked for publickey,password
and have PasswordAuthentication=no). This warning won't catch cases
where AuthenticationMethods are set late via Match blocks though.
