Requiring multiple auth mechanisms
Mike Dopheide
dopheide at ncsa.uiuc.edu
Wed May 26 07:49:09 EST 2004
We've ported this patch to OpenSSH 3.8.1p1 (attached). Our initial
testing indicates that it doesn't work with privilege separation and only
works with PAM (keyboard-interactive) if PAM is the first successful
authentication mechanism. Both of these issues are things we'd like to
resolve, but I'm not familiar enough with the code to know if there are
any show-stoppers. (Any thoughts from the crowd?)
To help clarify the PAM issue, when requiring multiple auth mechanisms,
PAM will automatically fail if any other mechanism before it succeeds.
However, if you force keyboard-interactive to happen first or if
everything before it fails, PAM then appears to work fine and other auth
mechanisms will continue to work after it.
-Mike
> I looked around for a while, but couldn't find any code for requiring multiple
> authentication mechanisms in openssh. So I wrote an implemention.
>
> I thought at first I should change the PasswordAuthentication,
> PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some
> funky stuff in auth2.c with respect to keyboard interactive auth that would make
> this kind of gnarly, semantics-wise.
>
> I also thought about providing a new keyword to specify a list of required
> authentication mechanisms. But then you have to make sure those mechanisms are
> also enabled, and it's easy to write conflicting configurations. In addition, if
> a list of required auth mechs is given, then enabling mechanisms that are not
> required is pointless, because they won't be sufficient.
>
> So my final decision, for the sake of simplicity, was to add a
> "NumRequiredAuthMethods" keyword, which defaults to 1. If you set it to 2, the
> client must pass at least two of the enabled auth methods. I'm using the term
> "methods" here because I'm only counting general auth methods as defined in
> auth2.c's "authmethods" array, namely publickey, password, keyboard-interactive,
> and hostbased. So there may be multiple types of keyboard-interactive auth, but
> keyboard-interactive only counts as a single method.
>
> So, for example, if you have PasswordAuthentication and PubkeyAuthentication
> enabled, and set NumRequiredAuthMethods to 2, you will have to pass both types.
> But PAMAuthenticationViaKbdInt and ChallengeResponseAuthentication are the same
> authentication method (keyboard-interactive), so if you want to require 2
> classes, you'll have to have at least one of the other methods enabled as well.
>
> I don't know much about some of the supported authentication types, particularly
> pam, so I'm not totally sure my approach makes sense for everyone's needs. My
> particular need was to require both public key and S/KEY factors so that
> one-time passwords can be combined with a strong electronic authenticator. I
> don't trust my users not to end up trojaned with a keylogger, so I need OTP, but
> I also want a public key in case someone loses his S/KEY cheat sheet.
>
> The attached patch is designed for Red Hat's openssh-3.1p1-14 SRPM (add as
> Patch14, use -p1 on patch line in %prep). It should work against openssh-3.8
> with slight tweaks (authmethods changed in auth2.c). If people need a patch
> against 3.8, I can build it; just ask.
>
> I would really appreciate it if anyone with interest could vet this for stupid
> mistakes.
>
>
--
-------------- next part --------------
diff -ur openssh-3.8.1p1/auth2.c openssh-3.8.1p1.multiauth/auth2.c
--- openssh-3.8.1p1/auth2.c 2004-03-08 06:04:07.000000000 -0600
+++ openssh-3.8.1p1.multiauth/auth2.c 2004-05-25 11:02:34.000000000 -0500
@@ -75,7 +75,7 @@
/* helper */
static Authmethod *authmethod_lookup(const char *);
-static char *authmethods_get(void);
+static char *authmethods_get(int);
int user_key_allowed(struct passwd *, Key *);
/*
@@ -205,6 +205,7 @@
userauth_finish(Authctxt *authctxt, int authenticated, char *method)
{
char *methods;
+ int success = 0;
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -233,41 +234,62 @@
if (authctxt->postponed)
return;
- /* XXX todo: check if multiple auth methods are needed */
+ /* Check if enough multiple auth methods have passed */
if (authenticated == 1) {
- /* turn off userauth */
- dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
- packet_start(SSH2_MSG_USERAUTH_SUCCESS);
- packet_send();
- packet_write_wait();
- /* now we can break out */
- authctxt->success = 1;
+ int passed;
+ int k;
+ int j;
+
+ for (j = 0, k = 1, passed = 0; authmethods[j] != NULL; j++, k <<= 1) {
+ if (strncmp (method, authmethods[j]->name, strlen (authmethods[j]->name)) == 0)
+ authctxt->passed |= k;
+ if (authctxt->passed & k)
+ ++passed;
+ }
+ if (passed < options.num_required_auth_methods) {
+ success = 1;
+ authenticated = 0;
+ }
} else {
- if (authctxt->failures++ > AUTH_FAIL_MAX)
- packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
- methods = authmethods_get();
- packet_start(SSH2_MSG_USERAUTH_FAILURE);
- packet_put_cstring(methods);
- packet_put_char(0); /* XXX partial success, unused */
- packet_send();
- packet_write_wait();
- xfree(methods);
+ if (authctxt->failures++ > AUTH_FAIL_MAX)
+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+ }
+
+ if (authenticated == 1) {
+ /* turn off userauth */
+ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
+ packet_start(SSH2_MSG_USERAUTH_SUCCESS);
+ packet_send();
+ packet_write_wait();
+ /* now we can break out */
+ authctxt->success = 1;
+ } else {
+ methods = authmethods_get(authctxt->passed);
+ packet_start(SSH2_MSG_USERAUTH_FAILURE);
+ packet_put_cstring(methods);
+ packet_put_char(success);
+ packet_send();
+ packet_write_wait();
+ xfree(methods);
}
}
#define DELIM ","
static char *
-authmethods_get(void)
+authmethods_get(int passed)
{
Buffer b;
char *list;
+ int k;
int i;
buffer_init(&b);
- for (i = 0; authmethods[i] != NULL; i++) {
+ for (i = 0, k = 1; authmethods[i] != NULL; i++, k <<= 1) {
if (strcmp(authmethods[i]->name, "none") == 0)
continue;
+ if (passed & k)
+ continue;
if (authmethods[i]->enabled != NULL &&
*(authmethods[i]->enabled) != 0) {
if (buffer_len(&b) > 0)
diff -ur openssh-3.8.1p1/auth.h openssh-3.8.1p1.multiauth/auth.h
--- openssh-3.8.1p1/auth.h 2004-04-16 07:47:55.000000000 -0500
+++ openssh-3.8.1p1.multiauth/auth.h 2004-05-25 12:14:54.000000000 -0500
@@ -52,6 +52,7 @@
int valid; /* user exists and is allowed to login */
int attempt;
int failures;
+ int passed;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff -ur openssh-3.8.1p1/servconf.c openssh-3.8.1p1.multiauth/servconf.c
--- openssh-3.8.1p1/servconf.c 2004-01-23 05:03:10.000000000 -0600
+++ openssh-3.8.1p1.multiauth/servconf.c 2004-05-25 12:18:11.000000000 -0500
@@ -78,6 +78,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
+ options->num_required_auth_methods = -1;
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
options->use_login = -1;
@@ -194,6 +195,8 @@
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
+ if (options->num_required_auth_methods == -1)
+ options->num_required_auth_methods = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->permit_user_env == -1)
@@ -253,8 +256,8 @@
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken,
- sKerberosTgtPassing, sChallengeResponseAuthentication,
+ sKerberosGetAFSToken, sKerberosTgtPassing,
+ sNumRequiredAuthMethods, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -329,6 +332,7 @@
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
+ { "numrequiredauthmethods", sNumRequiredAuthMethods },
{ "checkmail", sDeprecated },
{ "listenaddress", sListenAddress },
{ "printmotd", sPrintMotd },
@@ -664,6 +668,10 @@
intptr = &options->challenge_response_authentication;
goto parse_flag;
+ case sNumRequiredAuthMethods:
+ intptr = &options->num_required_auth_methods;
+ goto parse_int;
+
case sPrintMotd:
intptr = &options->print_motd;
goto parse_flag;
diff -ur openssh-3.8.1p1/servconf.h openssh-3.8.1p1.multiauth/servconf.h
--- openssh-3.8.1p1/servconf.h 2003-12-30 18:37:34.000000000 -0600
+++ openssh-3.8.1p1.multiauth/servconf.h 2004-05-25 12:20:42.000000000 -0500
@@ -88,6 +88,8 @@
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
+ int num_required_auth_methods; /* Minimum number of auth methods
+ * that must succeed. */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int permit_user_env; /* If true, read ~/.ssh/environment */
diff -ur openssh-3.8.1p1/sshd_config openssh-3.8.1p1.multiauth/sshd_config
--- openssh-3.8.1p1/sshd_config 2003-12-30 18:38:32.000000000 -0600
+++ openssh-3.8.1p1.multiauth/sshd_config 2004-05-25 12:22:01.000000000 -0500
@@ -57,6 +57,10 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
+# Change to require multiple authentication types, e.g. password and
+# publickey. (Currently you'll need to turn off UsePrivilegeSeparation)
+#NumRequiredAuthMethods 1
+
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
diff -ur openssh-3.8.1p1/sshd_config.5 openssh-3.8.1p1.multiauth/sshd_config.5
--- openssh-3.8.1p1/sshd_config.5 2004-04-13 22:04:36.000000000 -0500
+++ openssh-3.8.1p1.multiauth/sshd_config.5 2004-05-25 12:27:48.000000000 -0500
@@ -411,6 +411,12 @@
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
+.It Cm NumRequiredAuthMethods
+Specifies how many authentication methods must succeed during ssh2
+authentication. There are four potential methods: publickey, password,
+keyboard-interactive, and hostbased. Setting this value to 2 or higher forces
+the client to successfully authenticate in multiple ways, for example, using
+both S/Key and publickey.
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
More information about the openssh-unix-dev
mailing list