[PATCH] Expose authentication information

Vincent Brillault vincent.brillault at lerya.net
Fri Nov 27 07:32:05 AEDT 2015 

Hi all,

Following a discussion of last June and the resulting bug (2408), in
order to improve 2 factor authentication, I've worked on a set of
patches to expose at least basic authentication information and more
when possible. By exposing such information to PAM, it would be possible
to differentiate the cases when PAM is called first and when it is
called after a valid authentication (e.g. when using
AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam
publickey,keyboard-interactive:pam keyboard-interactive:pam)

The design of these patches is rather simple:
- Authentication method can "publish" detailed information about the
  client, if the authentication was successful
- In the main auth 2 loop, after a successful authentication, the
  authentication method is recorded, including details if provided
- When calling PAM or a shell, export this information via an
  environment variable

I've tried to keep the patches as small and atomic as possible.
The larger change is probably the introduction of 'pubkey_format' in
order to only have one function to print a public key.

This set of patch could be extended to cover more ground, but I not sure
how and thus I'm open to suggestions and ideas on how:
- to expose the same kind of detailed information from the priviledged
  thread in case of priviledge separation
- to produce the same kind of information from other authentication
  methods (I'm particularly interested in getting the kerbors principal
  from gss-serv-krb5 for example)

Resolving such questions would probably make this feature complete, but
I fear that they need complex modifications of the existing code. Do you
think that this design and this first step could be considered and
merged first, without closing the door for further improvement?

Thanks in advance,
Vincent

PS: I've posted these patches as a single patch on the bugzilla, but as
I didn't get any feedback, I'm trying my luck here directly
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Store-details-about-successful-auth-methods.patch
Type: text/x-diff
Size: 1954 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Export-auth_details-to-child-env-as-SSH_USER_AUTH.patch
Type: text/x-diff
Size: 717 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Expose-auth_details-to-pam-via-SSH_USER_AUTH.patch
Type: text/x-diff
Size: 1196 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Extract-pubkey_format-from-pubkey_auth_info.patch
Type: text/x-diff
Size: 2889 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-auth2-pubkey-fill-last_details-on-success.patch
Type: text/x-diff
Size: 1334 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-auth2-hostbased-fill-last_details-on-success.patch
Type: text/x-diff
Size: 1414 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-privsep-Expose-success-auth-methods.patch
Type: text/x-diff
Size: 1537 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0014.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-Mention-SSH_USER_AUTH-in-the-man-page.patch
Type: text/x-diff
Size: 927 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151126/2a26a6ba/attachment-0015.bin>

More information about the openssh-unix-dev mailing list