Conflict:NA
|
|
Reference:https://github.com/openssh/openssh-portable/pull/258/files
|
|
|
|
---
|
|
readconf.c | 11 ++++++++++-
|
|
readconf.h | 2 ++
|
|
scp.1 | 1 +
|
|
sftp.1 | 1 +
|
|
ssh.1 | 1 +
|
|
ssh_config | 1 +
|
|
ssh_config.5 | 7 +++++++
|
|
sshconnect2.c | 13 ++++++++++++-
|
|
8 files changed, 35 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/readconf.c b/readconf.c
|
|
index d25f983..45c1c22 100644
|
|
--- a/readconf.c
|
|
+++ b/readconf.c
|
|
@@ -157,7 +157,7 @@ typedef enum {
|
|
oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
|
|
oPubkeyAuthentication,
|
|
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
|
|
- oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
|
|
+ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oDisableTrivialAuth,
|
|
oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
|
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
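Review bot: The rewritten enum line `oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oDisableTrivialAuth,` runs well past the 80-column width every neighbouring line of this enum keeps. Put the new enumerator on its own line, `oDisableTrivialAuth,`, or fold it into a shorter neighbouring line instead of extending the longest one. The enum starts and ends outside this hunk.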
|
|
@@ -250,6 +250,7 @@ static struct {
|
|
{ "pubkeyauthentication", oPubkeyAuthentication },
|
|
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
|
|
{ "hostbasedauthentication", oHostbasedAuthentication },
|
|
+ { "disabletrivialauth", oDisableTrivialAuth},
|
|
{ "identityfile", oIdentityFile },
|
|
{ "identityfile2", oIdentityFile }, /* obsolete */
|
|
{ "identitiesonly", oIdentitiesOnly },
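Review bot: The new keyword entry `{ "disabletrivialauth", oDisableTrivialAuth},` drops the space before the closing brace that every surrounding entry has; write `{ "disabletrivialauth", oDisableTrivialAuth },`. The table is otherwise consistent, so this is the only line a style check would catch.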
|
|
@@ -1124,6 +1125,10 @@ parse_time:
|
|
intptr = &options->hostbased_authentication;
|
|
goto parse_flag;
|
|
|
|
+ case oDisableTrivialAuth:
|
|
+ intptr = &options->disable_trivial_auth;
|
|
+ goto parse_flag;
|
|
+
|
|
case oGssAuthentication:
|
|
intptr = &options->gss_authentication;
|
|
goto parse_flag;
|
|
@@ -2392,6 +2397,7 @@ initialize_options(Options * options)
|
|
options->kbd_interactive_authentication = -1;
|
|
options->kbd_interactive_devices = NULL;
|
|
options->hostbased_authentication = -1;
|
|
+ options->disable_trivial_auth = -1;
|
|
options->batch_mode = -1;
|
|
options->check_host_ip = -1;
|
|
options->strict_host_key_checking = -1;
|
|
@@ -2562,6 +2568,8 @@ fill_default_options(Options * options)
|
|
options->kbd_interactive_authentication = 1;
|
|
if (options->hostbased_authentication == -1)
|
|
options->hostbased_authentication = 0;
|
|
+ if (options->disable_trivial_auth == -1)
|
|
+ options->disable_trivial_auth = 0;
|
|
if (options->batch_mode == -1)
|
|
options->batch_mode = 0;
|
|
if (options->check_host_ip == -1)
|
|
@@ -3362,6 +3370,7 @@ dump_client_config(Options *o, const char *host)
|
|
#endif /* GSSAPI */
|
|
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
|
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
|
+ dump_cfg_fmtint(oDisableTrivialAuth, o->disable_trivial_auth);
|
|
dump_cfg_fmtint(oIdentitiesOnly, o->identities_only);
|
|
dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication);
|
|
dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
|
|
diff --git a/readconf.h b/readconf.h
|
|
index 00895ad..b391bd6 100644
|
|
--- a/readconf.h
|
|
+++ b/readconf.h
|
|
@@ -38,6 +38,8 @@ typedef struct {
|
|
struct ForwardOptions fwd_opts; /* forwarding options */
|
|
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
|
|
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
|
+
|
|
+ int disable_trivial_auth; /* disable trivial authentications */
|
|
int gss_authentication; /* Try GSS authentication */
|
|
int gss_keyex; /* Try GSS key exchange */
|
|
int gss_deleg_creds; /* Delegate GSS credentials */
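Review bot: The comment `/* disable trivial authentications */` only restates the field name, while its neighbours describe the mechanism ("Try ssh2 pubkey authentication."); a reader of readconf.h cannot tell what "trivial" means. Going by the sshconnect2.c hunks in this patch, the flag makes the client refuse a USERAUTH_SUCCESS it received without having sent a credential (the "none" method or a zero-prompt keyboard-interactive round), so say that: `int disable_trivial_auth; /* Refuse success with no credential sent */`. The extra blank line added in front of the field splits the run of authentication fields and should be dropped. The struct continues outside this hunk.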
|
|
diff --git a/scp.1 b/scp.1
|
|
index 874c5c2..e1f8191 100644
|
|
--- a/scp.1
|
|
+++ b/scp.1
|
|
@@ -187,6 +187,7 @@ For full details of the options listed below, and their possible values, see
|
|
.It Host
|
|
.It HostbasedAcceptedAlgorithms
|
|
.It HostbasedAuthentication
|
|
+.It DisableTrivialAuth
|
|
.It HostKeyAlgorithms
|
|
.It HostKeyAlias
|
|
.It Hostname
|
|
diff --git a/sftp.1 b/sftp.1
|
|
index 7eebeea..89b6773 100644
|
|
--- a/sftp.1
|
|
+++ b/sftp.1
|
|
@@ -247,6 +247,7 @@ For full details of the options listed below, and their possible values, see
|
|
.It Host
|
|
.It HostbasedAcceptedAlgorithms
|
|
.It HostbasedAuthentication
|
|
+.It DisableTrivialAuth
|
|
.It HostKeyAlgorithms
|
|
.It HostKeyAlias
|
|
.It Hostname
|
|
diff --git a/ssh.1 b/ssh.1
|
|
index 975ab39..1cb8d5c 100644
|
|
--- a/ssh.1
|
|
+++ b/ssh.1
|
|
@@ -541,6 +541,7 @@ For full details of the options listed below, and their possible values, see
|
|
.It Host
|
|
.It HostbasedAcceptedAlgorithms
|
|
.It HostbasedAuthentication
|
|
+.It DisableTrivialAuth
|
|
.It HostKeyAlgorithms
|
|
.It HostKeyAlias
|
|
.It Hostname
|
|
diff --git a/ssh_config b/ssh_config
|
|
index b3a4922..169f30c 100644
|
|
--- a/ssh_config
|
|
+++ b/ssh_config
|
|
@@ -22,6 +22,7 @@
|
|
# ForwardX11 no
|
|
# PasswordAuthentication yes
|
|
# HostbasedAuthentication no
|
|
+# DisableTrivialAuth no
|
|
# GSSAPIAuthentication no
|
|
# GSSAPIDelegateCredentials no
|
|
# GSSAPIKeyExchange no
|
|
diff --git a/ssh_config.5 b/ssh_config.5
|
|
index 6735401..fd82e05 100644
|
|
--- a/ssh_config.5
|
|
+++ b/ssh_config.5
|
|
@@ -955,6 +955,13 @@ The argument must be
|
|
or
|
|
.Cm no
|
|
(the default).
|
|
+.It Cm DisableTrivialAuth
|
|
+Disables trivial or incomplete authentications.
|
|
+The argument must be
|
|
+.Cm yes
|
|
+or
|
|
+.Cm no
|
|
+(the default).
|
|
.It Cm HostKeyAlgorithms
|
|
Specifies the host key signature algorithms
|
|
that the client wants to use in order of preference.
|
|
diff --git a/sshconnect2.c b/sshconnect2.c
|
|
index e90eb89..150d419 100644
|
|
--- a/sshconnect2.c
|
|
+++ b/sshconnect2.c
|
|
@@ -403,6 +403,7 @@ struct identity {
|
|
TAILQ_HEAD(idlist, identity);
|
|
|
|
struct cauthctxt {
|
|
+ int is_trivial_auth;
|
|
const char *server_user;
|
|
const char *local_user;
|
|
const char *host;
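Review bot: `int is_trivial_auth;` is added to struct cauthctxt without a comment, and its polarity (1 until something was sent, cleared by the method handlers later in this patch) is not obvious from the name; `int is_trivial_auth; /* 1 until a credential has been sent to the server */` would save the next reader a search through sshconnect2.c. Placing it after the `host`/`service` strings rather than as the first member would also keep the identity fields together. The struct continues outside this hunk.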
|
|
@@ -531,6 +532,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|
/* setup authentication context */
|
|
memset(&authctxt, 0, sizeof(authctxt));
|
|
authctxt.server_user = server_user;
|
|
+ authctxt.is_trivial_auth = 1;
|
|
authctxt.local_user = local_user;
|
|
authctxt.host = host;
|
|
authctxt.service = "ssh-connection"; /* service name */
|
|
@@ -570,6 +572,10 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|
|
|
if (!authctxt.success)
|
|
fatal("Authentication failed.");
|
|
+ if (authctxt.is_trivial_auth == 1 && options.disable_trivial_auth == 1) {
|
|
+ fatal("Trivial authentication disabled.");
|
|
+ }
|
|
+ debug("Authentication succeeded (%s).", authctxt.method->name);
|
|
if (ssh_packet_connection_is_on_socket(ssh)) {
|
|
verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
|
|
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
|
|
@@ -968,6 +974,7 @@ process_gssapi_token(struct ssh *ssh, gss_buffer_t recv_tok)
|
|
fatal_fr(r, "send %u packet", type);
|
|
|
|
gss_release_buffer(&ms, &send_tok);
|
|
+ authctxt->is_trivial_auth = 0;
|
|
}
|
|
|
|
if (status == GSS_S_COMPLETE) {
|
|
@@ -1213,6 +1220,7 @@ static int
|
|
userauth_passwd(struct ssh *ssh)
|
|
{
|
|
Authctxt *authctxt = (Authctxt *)ssh->authctxt;
|
|
+ authctxt->is_trivial_auth = 0;
|
|
char *password, *prompt = NULL;
|
|
const char *host = options.host_key_alias ? options.host_key_alias :
|
|
authctxt->host;
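Review bot: `authctxt->is_trivial_auth = 0;` is inserted between the declaration of `authctxt` and `char *password, *prompt = NULL;`, putting a statement ahead of declarations where the surrounding code keeps them separate (and where -Wdeclaration-after-statement would warn). Move it below the declaration block, and preferably next to the sshpkt_send of the password request so the flag only changes once a credential has actually left the client. The rest of userauth_passwd is outside this hunk.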
|
|
@@ -2023,8 +2031,10 @@ userauth_pubkey(struct ssh *ssh)
|
|
id->isprivate = 0;
|
|
}
|
|
}
|
|
- if (sent)
|
|
+ if (sent) {
|
|
+ authctxt->is_trivial_auth = 0;
|
|
return (sent);
|
|
+ }
|
|
}
|
|
return (0);
|
|
}
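Review bot: Clearing the flag on `sent` is broader than the option intends if `sent` is also set by the public-key query path (send_pubkey_test, outside this hunk): the flag would be dropped as soon as a bare key blob has been offered, so a server that answers that query with USERAUTH_SUCCESS instead of PK_OK passes the DisableTrivialAuth check even though the client never produced a signature. Clearing `authctxt->is_trivial_auth = 0;` where the signed request is actually sent (after the sshpkt_send in sign_and_send_pubkey) ties the flag to proof of key possession, and `if (sent) return (sent);` can stay as it was. The enclosing userauth_pubkey begins before this hunk.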
|
|
@@ -2105,6 +2115,7 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
|
|
|
|
debug2_f("num_prompts %d", num_prompts);
|
|
for (i = 0; i < num_prompts; i++) {
|
|
+ authctxt->is_trivial_auth = 0;
|
|
if ((r = sshpkt_get_cstring(ssh, &prompt, NULL)) != 0 ||
|
|
(r = sshpkt_get_u8(ssh, &echo)) != 0)
|
|
goto out;
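Review bot: The flag is cleared at the top of every loop iteration, before the prompt has even been parsed and long before the response packet is sent; for `num_prompts == 0` it correctly stays set, but otherwise it is dropped on the first prompt regardless of whether a reply follows. Hoisting it out of the loop to just after the response is sent, `if (num_prompts > 0) authctxt->is_trivial_auth = 0;`, makes the flag mean "a credential was sent" unambiguously and avoids re-assigning it per prompt. The remainder of input_userauth_info_req, including the send, is outside this hunk.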
|
|
--
|
|
2.27.0
|
|
|