author | djm <djm> | 2012-11-04 12:21:40 +0000 |
---|---|---|
committer | djm <djm> | 2012-11-04 12:21:40 +0000 |
commit | 39a15d74dc1c291ec826b5cfc1c95baf8bfd3521 (patch) | |
tree | 0aaac2d6016fa92d9417a516a2748af2766b05db /sshd.c | |
parent | 98d091cb9beece7d59ef361e2e6476fe5d048d4f (diff) | |
- djm@cvs.openbsd.org 2012/11/04 11:09:15
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
[sshd_config.5]
Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 23 |
1 files changed, 22 insertions, 1 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.396 2012/11/04 11:09:15 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1337,6 +1337,7 @@ main(int ac, char **av)
 int remote_port;
 char *line;
 int config_s[2] = { -1 , -1 };
+ u_int n;
 u_int64_t ibytes, obytes;
 mode_t new_umask;
 Key *key;
@@ -1566,6 +1567,26 @@ main(int ac, char **av)
 fatal("AuthorizedKeysCommand set without "
 "AuthorizedKeysCommandUser");
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+ * daemonisation in the presence of Match block, but this catches
+ * and warns for trivial misconfigurations that could break login.
+ */
+ if (options.num_auth_methods != 0) {
+ if ((options.protocol & SSH_PROTO_1))
+ fatal("AuthenticationMethods is not supported with "
+ "SSH protocol 1");
+ for (n = 0; n < options.num_auth_methods; n++) {
+ if (auth2_methods_valid(options.auth_methods[n],
+ 1) == 0)
+ break;
+ }
+ if (n >= options.num_auth_methods)
+ fatal("AuthenticationMethods cannot be satisfied by "
+ "enabled authentication methods");
+ }
+
 /* set default channel AF */
 channel_set_af(options.address_family); |
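Review bot: The comment added above the `options.num_auth_methods` check in the third hunk says the check "catches and warns", but both failure paths call `fatal()`, so sshd refuses to start rather than warning; I would reword its last line to `* and refuses to start on trivial misconfigurations that could break login.` The loop also stops at the first list that `auth2_methods_valid()` accepts, so a successful start only shows that at least one list is satisfiable, and the bare `1` passed as the second argument is unexplained here; a short comment such as `/* 1: also require each named method to be enabled (assumed, confirm against auth2.c) */` would help the next reader. As the comment itself notes, settings made inside a Match block are not covered, so whether an unsatisfiable per-user list fails closed at authentication time has to be confirmed in auth2.c, which is outside this diff. The body of `main()` starts and ends outside the hunk.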