Mailing List Archive: OpenSSH: Bugs

[Bug 983] Required authentication

 

 



bugzilla-daemon at bugzilla

Sep 5, 2011, 5:34 PM

Post #1 of 17
[Bug 983] Required authentication

https://bugzilla.mindrot.org/show_bug.cgi?id=983

Damien Miller <djm [at] mindrot> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1930

--- Comment #34 from Damien Miller <djm [at] mindrot> 2011-09-06 10:34:24 EST ---
Retarget unresolved bugs/features to 6.0 release

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


bugzilla-daemon at bugzilla

Sep 5, 2011, 5:36 PM

Post #2 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #35 from Damien Miller <djm [at] mindrot> 2011-09-06 10:36:35 EST ---
Retarget unresolved bugs/features to 6.0 release



bugzilla-daemon at bugzilla

Sep 5, 2011, 5:39 PM

Post #3 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

Damien Miller <djm [at] mindrot> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks|1845 |

--- Comment #36 from Damien Miller <djm [at] mindrot> 2011-09-06 10:39:11 EST ---
Retarget unresolved bugs/features to 6.0 release

(try again - bugzilla's "change several" isn't)



bugzilla-daemon at bugzilla

Sep 6, 2011, 9:51 PM

Post #4 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #37 from jchadima [at] redhat 2011-09-07 14:51:20 EST ---
Created attachment 2079
--> https://bugzilla.mindrot.org/attachment.cgi?id=2079
Another approach to solution of the problem

I've created another patch which solves a similar problem.
There are new configuration items, TwoFactorAuthentication and
Second.*Authentication.

If TwoFactorAuthentication is not set, sshd works as usual.

If it is set, then after a successful authentication the Second set,
minus the method successfully used in the first authentication, is
enabled and the second authentication cycle is started. There is no need
to work with short names like "kbdint" in the configuration file. This
scheme may easily be extended to new potential authentication methods.



bugzilla-daemon at bugzilla

Sep 6, 2011, 9:52 PM

Post #5 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

jchadima [at] redhat changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jchadima [at] redhat



bugzilla-daemon at bugzilla

Sep 8, 2011, 3:59 PM

Post #6 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

David Woodhouse <dwmw2 [at] infradead> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dwmw2 [at] infradead



bugzilla-daemon at bugzilla

Sep 8, 2011, 4:43 PM

Post #7 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #38 from David Woodhouse <dwmw2 [at] infradead> 2011-09-09 09:43:31 EST ---
Paul, why do you say (in comment #30) that the patch doesn't work with
SELinux? I tried your latest patch from comment #33, which I think is
just updated to apply to the latest OpenSSH rather than really
changed... and it seems to work fine. Is there something known to be
wrong?

What remains to be fixed before this patch can be merged?



bugzilla-daemon at bugzilla

Sep 8, 2011, 9:21 PM

Post #8 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #39 from Paul Sery <pgsery [at] swcp> 2011-09-09 14:21:17 EST ---
The patch didn't work for me when I tested it with SELinux at that
time. SELinux policy is constantly updated, so I'm not surprised it's
working now. I'll check it out on my systems now.



bugzilla-daemon at bugzilla

Sep 12, 2011, 12:49 PM

Post #9 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #40 from David Woodhouse <dwmw2 [at] infradead> 2011-09-13 05:49:16 EST ---
(In reply to comment #33)
> Created attachment 1999 [details]
> Updated to -current
>
> Updated patch to -current and 5.8p1. Appears to work with
> sshd_config->RequiredAuthentications2 publickey,password.

I take it we've dropped the 'necessary but not sufficient' bit?

This looks wrong: Don't we want SSHCFG_ALL in each of the new additions
here?:

@@ -451,6 +456,8 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile,
SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "requiredauthentications1", sRequiredAuthentications1 },
+ { "requiredauthentications2", sRequiredAuthentications2 },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
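Review bot: the two new rows in this table omit the flags field that every other row carries (SSHCFG_ALL or SSHCFG_GLOBAL), so the initializer leaves it zero, a value no neighbouring entry uses. If the directives are meant to be settable inside Match blocks, as the comment above expects, they should read `{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },` and the same for requiredauthentications2; if they are global only, use SSHCFG_GLOBAL as kexalgorithms does.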



bugzilla-daemon at bugzilla

Sep 12, 2011, 8:39 PM

Post #10 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #41 from Paul Sery <pgsery [at] swcp> 2011-09-13 13:39:23 EST ---
Yes, my mistake. I'll add it in the next patch.



bugzilla-daemon at bugzilla

Sep 17, 2011, 3:00 AM

Post #11 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

jchadima [at] redhat changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #2079|0 |1
is obsolete| |

--- Comment #42 from jchadima [at] redhat 2011-09-17 20:00:32 EST ---
Created attachment 2084
--> https://bugzilla.mindrot.org/attachment.cgi?id=2084
Another approach to solution of the problem (updated)



bugzilla-daemon at bugzilla

Sep 17, 2011, 4:39 AM

Post #12 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #43 from David Woodhouse <dwmw2 [at] infradead> 2011-09-17 21:39:50 EST ---
My use case for this is to run a PAM stack *after* pubkey
authentication, and one environment in which I want to do that is for
something like gitolite — where multiple people each have their own SSH
key installed, but there is only one local user. We want to use keys
*and* a one-time password.

It would be really useful if the PAM stack could know *which* SSH key
was used to authenticate. Then we can have an OTP setup for each human
being rather than just having a single shared one.

This kind of thing should probably do it. This makes the two-step
authentication much more useful for us.

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 137887e..68f1a6a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -350,6 +350,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
verbose("Accepted certificate ID \"%s\" "
"signed by %s CA %s via %s", key->cert->key_id,
key_type(found), fp, file);
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_putenv("SSH_PUBKEY_TYPE", "X509");
+ do_pam_putenv("SSH_PUBKEY", key->cert->key_id);
+ }
+#endif
xfree(fp);
found_key = 1;
break;
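Review bot: the do_pam_putenv() calls sit inside user_key_allowed2(), the authorized_keys lookup, which sshd also runs for an unsigned publickey query, so SSH_PUBKEY is overwritten each time a client merely offers a key that appears in the file, before possession of it is proven; the last matching key offered wins, and a client can choose which listed key's identity is left in the PAM environment simply by ordering its queries. Export the identity from the caller only after the signature check has succeeded, or clear it on every failed attempt. Separately, SSH_PUBKEY_TYPE "X509" is misleading: key->cert is an OpenSSH certificate, not X.509, and key_type(key) names it correctly.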
@@ -365,6 +371,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));
+ do_pam_putenv("SSH_PUBKEY", fp);
+ }
+#endif
xfree(fp);
break;
}
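Review bot: SSH_PUBKEY carries a different kind of value on the two paths: here the MD5 hex fingerprint of the matched authorized_keys entry (SSH_FP_MD5/SSH_FP_HEX), in the certificate path above the CA-chosen key_id string. A PAM module that maps SSH_PUBKEY to a person's OTP secret must read SSH_PUBKEY_TYPE first to know which form it is comparing, and must compute the same MD5 hex form for the plain-key case; document both formats wherever the PAM interface is described, or export the fingerprint for certificates as well so one lookup key serves both paths.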



bugzilla-daemon at bugzilla

Sep 24, 2011, 10:25 PM

Post #13 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

Jan F. Chadima <jfch [at] jagda> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jfch [at] jagda



bugzilla-daemon at bugzilla

Sep 26, 2011, 2:22 PM

Post #14 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #44 from David Woodhouse <dwmw2 [at] infradead> 2011-09-27 07:22:44 EST ---
(In reply to comment #33)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7f3f7e0 (LWP 3257)]
0x00007ffff7f9c32a in input_userauth_info_response (type=<optimized out>,
    seq=<optimized out>, ctxt=0x7ffff8213b90) at auth2-chall.c:344
344	    userauth_finish(authctxt, authenticated, "keyboard-interactive",

(gdb) p kbdintctxt->device->name
Cannot access memory at address 0x0
(gdb) p kbdintctxt->device
$7 = (KbdintDevice *) 0x0


I don't quite understand how the extra 'submethod' argument to
userauth_finish() and auth_log() is relevant to this patch. Normally I
would expect it to be part of a separate patch. It appears to be
entirely cosmetic... apart from the SEGV that it causes. So I fixed it
thus without worrying too much about what it *should* have been:

--- auth2-chall.c~ 2011-09-26 20:50:00.741593219 +0100
+++ auth2-chall.c 2011-09-26 22:18:41.119608430 +0100
@@ -342,7 +342,7 @@ input_userauth_info_response(int type, u
}
}
userauth_finish(authctxt, authenticated, "keyboard-interactive",
- kbdintctxt->device->name);
+ kbdintctxt->device?kbdintctxt->device->name:NULL);
}

void
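Review bot: the ternary at the userauth_finish() call avoids the NULL dereference but passes a NULL submethod precisely when kbdintctxt->device has already been released at the end of the exchange, so a successful keyboard-interactive authentication can reach userauth_finish() without its "pam" submethod and the required-list comparison then has nothing to match. Save the name in a local (`devicename = kbdintctxt->device->name;`) before the context can be torn down and pass that, so the submethod survives on both the success and failure paths.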

Note: This SEGV wasn't trivial to find. The symptom was just that
mm_request_receive() got -EPIPE after the child process died. No hint
about the SEGV was visible because a handler was installed. Even when
running it in gdb it didn't show up until I set 'follow-fork-mode
child'. Is this not a really bad thing?



bugzilla-daemon at bugzilla

Sep 26, 2011, 2:40 PM

Post #15 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #45 from David Woodhouse <dwmw2 [at] infradead> 2011-09-27 07:40:08 EST ---
Oh, that fixes the fact that the patch breaks keyboard-interactive
authentication when it's the only form of authentication. But
RequiredAuthentications2 publickey,keyboard-interactive
still doesn't work:

INTERNAL ERROR: authenticated method "keyboard-interactive/pam" not in
required list "keyboard-interactive"



bugzilla-daemon at bugzilla

Sep 26, 2011, 3:02 PM

Post #16 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

David Woodhouse <dwmw2 [at] infradead> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #1955|0 |1
is obsolete| |
Attachment #1999|0 |1
is obsolete| |

--- Comment #46 from David Woodhouse <dwmw2 [at] infradead> 2011-09-27 08:02:11 EST ---
Created attachment 2096
--> https://bugzilla.mindrot.org/attachment.cgi?id=2096
Updated version of original patch.

Oh, *now* I see why we were splitting 'keyboard-interactive/pam' into
the method 'keyboard-interactive' and the submethod 'pam', and why it's
a necessary part of this patch. I've been spoiled by git users who put
that kind of information into the commit comments.

Here's an updated patch against the current git mirror, which should
fix that by doing the same thing in monitor.c.

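The two-stage required-method logic this thread is about, as an added example written for this page; it is not OpenSSH code and not any of the attached patches. It covers comment #37's "Second set without the method successfully used in the first authentication" and the method/submethod comparison that failed in comment #45 ("keyboard-interactive/pam" not matching a configured "keyboard-interactive") and was addressed in comment #46. The names (required_auth_*), the "/" submethod separator, the fixed-size table and the decision not to enforce list order are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_METHODS 8
#define METHOD_LEN 64

/* Hypothetical RequiredAuthentications-style tracker; list order is not enforced. */
struct required_auth {
	char methods[MAX_METHODS][METHOD_LEN];	/* "publickey", "keyboard-interactive", ... */
	int done[MAX_METHODS];			/* 1 once that entry has succeeded */
	int nmethods;
};

/* Parse "publickey,keyboard-interactive".  Returns the count, or -1 if malformed. */
int
required_auth_parse(struct required_auth *ra, const char *spec)
{
	const char *p = spec;
	memset(ra, 0, sizeof(*ra));
	while (*p != '\0') {
		const char *comma = strchr(p, ',');
		size_t n = comma != NULL ? (size_t)(comma - p) : strlen(p);
		if (n == 0 || n >= METHOD_LEN || ra->nmethods >= MAX_METHODS)
			return -1;
		memcpy(ra->methods[ra->nmethods], p, n);
		ra->methods[ra->nmethods][n] = '\0';
		ra->nmethods++;
		p = comma != NULL ? comma + 1 : p + n;
	}
	return ra->nmethods > 0 ? ra->nmethods : -1;
}

/* "keyboard-interactive/pam" satisfies a listed "keyboard-interactive"; a plain
 * strcmp() is what raised the "not in required list" error in comment #45.
 * A listed entry that itself names a submethod must match exactly. */
int
required_auth_matches(const char *listed, const char *authenticated)
{
	const char *slash = strchr(authenticated, '/');
	size_t n = slash != NULL ? (size_t)(slash - authenticated) : strlen(authenticated);
	if (strchr(listed, '/') != NULL)
		return strcmp(listed, authenticated) == 0;
	return strlen(listed) == n && strncmp(listed, authenticated, n) == 0;
}

/* Record a success: 1 = every required method done, 0 = more needed,
 * -1 = method not in the list at all (the caller must not count it). */
int
required_auth_record(struct required_auth *ra, const char *authenticated)
{
	int i, matched = -1;
	for (i = 0; i < ra->nmethods; i++) {
		if (!required_auth_matches(ra->methods[i], authenticated))
			continue;
		matched = i;
		if (!ra->done[i])
			break;		/* prefer an entry not yet satisfied */
	}
	if (matched < 0)
		return -1;
	ra->done[matched] = 1;
	for (i = 0; i < ra->nmethods; i++)
		if (!ra->done[i])
			return 0;
	return 1;
}

/* Methods still outstanding, comma-separated: the set to offer in the next
 * round (comment #37's "Second set" minus what already succeeded).
 * Returns the count, or -1 if `buf` is too small. */
int
required_auth_remaining(const struct required_auth *ra, char *buf, size_t len)
{
	size_t used = 0;
	int i, n = 0, w;
	buf[0] = '\0';
	for (i = 0; i < ra->nmethods; i++) {
		if (ra->done[i])
			continue;
		w = snprintf(buf + used, len - used, "%s%s", n > 0 ? "," : "", ra->methods[i]);
		if (w < 0 || (size_t)w >= len - used)
			return -1;
		used += (size_t)w;
		n++;
	}
	return n;
}

int
main(void)
{
	struct required_auth ra;
	char left[128];

	required_auth_parse(&ra, "publickey,keyboard-interactive");
	printf("publickey  -> %d\n", required_auth_record(&ra, "publickey"));
	required_auth_remaining(&ra, left, sizeof(left));
	printf("next round -> %s\n", left);
	printf("kbdint/pam -> %d\n", required_auth_record(&ra, "keyboard-interactive/pam"));
	return 0;
}
```

A plain strcmp() of the authenticated name against the configured entry reproduces the comment #45 failure; required_auth_matches() strips the submethod before comparing unless the configured entry itself names one. required_auth_remaining() yields the set to enable for the second round, and required_auth_record() returning -1 is the case a server must refuse to count rather than accept.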


bugzilla-daemon at bugzilla

Sep 27, 2011, 1:26 AM

Post #17 of 17
[Bug 983] Required authentication [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=983

David Sickmiller <david [at] sickmiller> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC|david [at] sickmiller |

