- djm@cvs.openbsd.org 2012/11/04 11:09:15

     [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
     [sshd_config.5]
     Support multiple required authentication via an AuthenticationMethods
     option. This option lists one or more comma-separated lists of
     authentication method names. Successful completion of all the methods in
     any list is required for authentication to complete;
     feedback and ok markus@

1 files changed, 200 insertions, 18 deletions

diff --git a/auth2.c b/auth2.c
index b66bef64..8114ec86 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -96,8 +96,10 @@ static void input_service_request(int, u_int32_t, void *);
 static void input_userauth_request(int, u_int32_t, void *);
 
 /* helper */
-static Authmethod *authmethod_lookup(const char *);
-static char *authmethods_get(void);
+static Authmethod *authmethod_lookup(Authctxt *, const char *);
+static char *authmethods_get(Authctxt *authctxt);
+static int method_allowed(Authctxt *, const char *);
+static int list_starts_with(const char *, const char *);
 
 char *
 auth2_read_banner(void)
@@ -255,6 +257,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		if (use_privsep)
 			mm_inform_authserv(service, style);
 		userauth_banner();
+		if (auth2_setup_methods_lists(authctxt) != 0)
+			packet_disconnect("no authentication methods enabled");
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
@@ -277,7 +281,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	authctxt->server_caused_failure = 0;
 
 	/* try to authenticate user */
-	m = authmethod_lookup(method);
+	m = authmethod_lookup(authctxt, method);
 	if (m != NULL && authctxt->failures < options.max_authtries) {
 		debug2("input_userauth_request: try method %s", method);
 		authenticated =	m->userauth(authctxt);
@@ -293,6 +297,7 @@ void
 userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 {
 	char *methods;
+	int partial = 0;
 
 	if (!authctxt->valid && authenticated)
 		fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -335,7 +340,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 	if (authctxt->postponed)
 		return;
 
-	/* XXX todo: check if multiple auth methods are needed */
+	if (authenticated && options.num_auth_methods != 0) {
+		if (!auth2_update_methods_lists(authctxt, method)) {
+			authenticated = 0;
+			partial = 1;
+		}
+	}
+
 	if (authenticated == 1) {
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -356,34 +367,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
-		methods = authmethods_get();
+		methods = authmethods_get(authctxt);
+		debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
+		    partial, methods);
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
-		packet_put_char(0);	/* XXX partial success, unused */
+		packet_put_char(partial);
 		packet_send();
 		packet_write_wait();
 		xfree(methods);
 	}
 }
 
+/*
+ * Checks whether method is allowed by at least one AuthenticationMethods
+ * methods list. Returns 1 if allowed, or no methods lists configured.
+ * 0 otherwise.
+ */
+static int
+method_allowed(Authctxt *authctxt, const char *method)
+{
+	u_int i;
+
+	/*
+	 * NB. authctxt->num_auth_methods might be zero as a result of
+	 * auth2_setup_methods_lists(), so check the configuration.
+	 */
+	if (options.num_auth_methods == 0)
+		return 1;
+	for (i = 0; i < authctxt->num_auth_methods; i++) {
+		if (list_starts_with(authctxt->auth_methods[i], method))
+			return 1;
+	}
+	return 0;
+}
+
 static char *
-authmethods_get(void)
+authmethods_get(Authctxt *authctxt)
 {
 	Buffer b;
 	char *list;
-	int i;
+	u_int i;
 
 	buffer_init(&b);
 	for (i = 0; authmethods[i] != NULL; i++) {
 		if (strcmp(authmethods[i]->name, "none") == 0)
 			continue;
-		if (authmethods[i]->enabled != NULL &&
-		    *(authmethods[i]->enabled) != 0) {
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			buffer_append(&b, authmethods[i]->name,
-			    strlen(authmethods[i]->name));
-		}
+		if (authmethods[i]->enabled == NULL ||
+		    *(authmethods[i]->enabled) == 0)
+			continue;
+		if (!method_allowed(authctxt, authmethods[i]->name))
+			continue;
+		if (buffer_len(&b) > 0)
+			buffer_append(&b, ",", 1);
+		buffer_append(&b, authmethods[i]->name,
+		    strlen(authmethods[i]->name));
 	}
 	buffer_append(&b, "\0", 1);
 	list = xstrdup(buffer_ptr(&b));
@@ -392,7 +430,7 @@ authmethods_get(void)
 }
 
 static Authmethod *
-authmethod_lookup(const char *name)
+authmethod_lookup(Authctxt *authctxt, const char *name)
 {
 	int i;
 
@@ -400,10 +438,154 @@ authmethod_lookup(const char *name)
 		for (i = 0; authmethods[i] != NULL; i++)
 			if (authmethods[i]->enabled != NULL &&
 			    *(authmethods[i]->enabled) != 0 &&
-			    strcmp(name, authmethods[i]->name) == 0)
+			    strcmp(name, authmethods[i]->name) == 0 &&
+			    method_allowed(authctxt, authmethods[i]->name))
 				return authmethods[i];
 	debug2("Unrecognized authentication method name: %s",
 	    name ? name : "NULL");
 	return NULL;
 }
 
+/*
+ * Check a comma-separated list of methods for validity. Is need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+	char *methods, *omethods, *method;
+	u_int i, found;
+	int ret = -1;
+
+	if (*_methods == '\0') {
+		error("empty authentication method list");
+		return -1;
+	}
+	omethods = methods = xstrdup(_methods);
+	while ((method = strsep(&methods, ",")) != NULL) {
+		for (found = i = 0; !found && authmethods[i] != NULL; i++) {
+			if (strcmp(method, authmethods[i]->name) != 0)
+				continue;
+			if (need_enable) {
+				if (authmethods[i]->enabled == NULL ||
+				    *(authmethods[i]->enabled) == 0) {
+					error("Disabled method \"%s\" in "
+					    "AuthenticationMethods list \"%s\"",
+					    method, _methods);
+					goto out;
+				}
+			}
+			found = 1;
+			break;
+		}
+		if (!found) {
+			error("Unknown authentication method \"%s\" in list",
+			    method);
+			goto out;
+		}
+	}
+	ret = 0;
+ out:
+	free(omethods);
+	return ret;
+}
+
+/*
+ * Prune the AuthenticationMethods supplied in the configuration, removing
+ * any methods lists that include disabled methods. Note that this might
+ * leave authctxt->num_auth_methods == 0, even when multiple required auth
+ * has been requested. For this reason, all tests for whether multiple is
+ * enabled should consult options.num_auth_methods directly.
+ */
+int
+auth2_setup_methods_lists(Authctxt *authctxt)
+{
+	u_int i;
+
+	if (options.num_auth_methods == 0)
+		return 0;
+	debug3("%s: checking methods", __func__);
+	authctxt->auth_methods = xcalloc(options.num_auth_methods,
+	    sizeof(*authctxt->auth_methods));
+	authctxt->num_auth_methods = 0;
+	for (i = 0; i < options.num_auth_methods; i++) {
+		if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
+			logit("Authentication methods list \"%s\" contains "
+			    "disabled method, skipping",
+			    options.auth_methods[i]);
+			continue;
+		}
+		debug("authentication methods list %d: %s",
+		    authctxt->num_auth_methods, options.auth_methods[i]);
+		authctxt->auth_methods[authctxt->num_auth_methods++] =
+		    xstrdup(options.auth_methods[i]);
+	}
+	if (authctxt->num_auth_methods == 0) {
+		error("No AuthenticationMethods left after eliminating "
+		    "disabled methods");
+		return -1;
+	}
+	return 0;
+}
+
+static int
+list_starts_with(const char *methods, const char *method)
+{
+	size_t l = strlen(method);
+
+	if (strncmp(methods, method, l) != 0)
+		return 0;
+	if (methods[l] != ',' && methods[l] != '\0')
+		return 0;
+	return 1;
+}
+
+/*
+ * Remove method from the start of a comma-separated list of methods.
+ * Returns 0 if the list of methods did not start with that method or 1
+ * if it did.
+ */
+static int
+remove_method(char **methods, const char *method)
+{
+	char *omethods = *methods;
+	size_t l = strlen(method);
+
+	if (!list_starts_with(omethods, method))
+		return 0;
+	*methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
+	free(omethods);
+	return 1;
+}
+
+/*
+ * Called after successful authentication. Will remove the successful method
+ * from the start of each list in which it occurs. If it was the last method
+ * in any list, then authentication is deemed successful.
+ * Returns 1 if the method completed any authentication list or 0 otherwise.
+ */
+int
+auth2_update_methods_lists(Authctxt *authctxt, const char *method)
+{
+	u_int i, found = 0;
+
+	debug3("%s: updating methods list after \"%s\"", __func__, method);
+	for (i = 0; i < authctxt->num_auth_methods; i++) {
+		if (!remove_method(&(authctxt->auth_methods[i]), method))
+			continue;
+		found = 1;
+		if (*authctxt->auth_methods[i] == '\0') {
+			debug2("authentication methods list %d complete", i);
+			return 1;
+		}
+		debug3("authentication methods list %d remaining: \"%s\"",
+		    i, authctxt->auth_methods[i]);
+	}
+	/* This should not happen, but would be bad if it did */
+	if (!found)
+		fatal("%s: method not in AuthenticationMethods", __func__);
+	return 0;
+}
+
+