author | Damien Miller <djm@mindrot.org> | 2012-11-04 13:21:40 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2012-11-04 13:21:40 +0100 |
commit | a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0 (patch) | |
tree | 577022d2b31e9519d26bc614c3f5396e17d58ec6 /servconf.c | |
parent | - djm@cvs.openbsd.org 2012/11/04 10:38:43 (diff) | |
- djm@cvs.openbsd.org 2012/11/04 11:09:15
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
[sshd_config.5]
Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c index 8e69ea5ce..b90dba63b 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.231 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -48,6 +48,8 @@ #include "groupaccess.h" #include "canohost.h" #include "packet.h" +#include "hostfile.h" +#include "auth.h" static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); @@ -332,6 +334,7 @@ typedef enum { sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, + sAuthenticationMethods, sDeprecated, sUnsupported } ServerOpCodes; @@ -459,6 +462,7 @@ static struct { { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, + { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1522,6 +1526,24 @@ process_server_config_line(ServerOptions *options, char *line, *charptr = xstrdup(arg); break; + case sAuthenticationMethods: + if (*activep && options->num_auth_methods == 0) { + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_auth_methods >= + MAX_AUTH_METHODS) + fatal("%s line %d: " + "too many authentication methods.", + filename, linenum); + if (auth2_methods_valid(arg, 0) != 0) + fatal("%s line %d: invalid " + "authentication method list.", + filename, linenum); + options->auth_methods[ + options->num_auth_methods++] = xstrdup(arg); + } + } + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); 
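Review bot: In the `case sAuthenticationMethods:` block, an `AuthenticationMethods` line with no arguments is accepted silently: the `while` loop runs zero times, `num_auth_methods` stays 0 and the case returns 0, so a truncated or mistyped line presumably leaves no method list in force without any error. I would fail closed at the end of the existing `if (*activep && ...)` body, after the loop, with `if (options->num_auth_methods == 0) fatal("%s line %d: no authentication methods specified.", filename, linenum);`. Separately, `auth2_methods_valid()` is only reached when `*activep` is set and no list has been stored yet, so a bad list inside an inactive Match block or in a later duplicate line is presumably not reported at startup; validating every line and storing only when active would surface it at config-check time. A short comment above the `if`, such as `/* first occurrence wins; later lines are ignored */`, would document the `num_auth_methods == 0` guard. process_server_config_line starts and ends outside this hunk.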
@@ -1953,6 +1975,8 @@ dump_config(ServerOptions *o) dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); + dump_cfg_strarray_oneline(sAuthenticationMethods, + o->num_auth_methods, o->auth_methods); /* other arguments */ for (i = 0; i < o->num_subsystems; i++) |