author | djm@openbsd.org <djm@openbsd.org> | 2023-12-18 15:45:49 +0100 |
committer | Damien Miller <djm@mindrot.org> | 2023-12-18 15:51:46 +0100 |
commit | a7ed931caeb68947d30af8a795f4108b6efad761 (patch) | |
tree | 05b9c1e413acee36b37cbe5a0c4b938d19be595d /auth2.c | |
parent | upstream: implement "strict key exchange" in ssh and sshd (diff) | |
download | openssh-a7ed931caeb68947d30af8a795f4108b6efad761.tar.xz openssh-a7ed931caeb68947d30af8a795f4108b6efad761.zip |
upstream: add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd update the acceptable signature algorithms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Full details in the PROTOCOL file
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.167 2023/08/28 09:48:11 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.168 2023/12/18 14:45:49 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -57,6 +57,7 @@
 #endif
 #include "monitor_wrap.h"
 #include "digest.h"
+#include "kex.h"
 
 /* import */
 extern ServerOptions options;
@@ -172,6 +173,8 @@ do_authentication2(struct ssh *ssh)
 Authctxt *authctxt = ssh->authctxt;
 
 ssh_dispatch_init(ssh, &dispatch_protocol_error);
+if (ssh->kex->ext_info_c)
+ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_input_ext_info);
 ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request);
 ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success);
 ssh->authctxt = NULL;
@@ -211,6 +214,7 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
 debug("bad service request %s", service);
 ssh_packet_disconnect(ssh, "bad service request %s", service);
 }
+ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &dispatch_protocol_error);
 r = 0;
 out:
 free(service);
@@ -313,6 +317,8 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 if (use_privsep)
 mm_inform_authserv(service, style);
 userauth_banner(ssh);
+if ((r = kex_server_update_ext_info(ssh)) != 0)
+fatal_fr(r, "kex_server_update_ext_info failed");
 if (auth2_setup_methods_lists(authctxt) != 0)
 ssh_packet_disconnect(ssh, "no authentication methods enabled");
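Review bot: The SSH2_MSG_EXT_INFO handler installed in the do_authentication2 hunk carries no comment saying why an extension message is still accepted after the key-exchange dispatch loop has returned, and the window it opens is only closed by the separate input_service_request hunk, so the two additions are easy to read in isolation; a one-line comment such as `/* the client's EXT_INFO may follow its NEWKEYS and so arrive after KEX dispatch; the handler is reverted at SERVICE_REQUEST */` would tie them together. Because dispatch_protocol_error is re-installed only on the accepted-service path of input_service_request, a client that advertised ext_info_c could send SSH2_MSG_EXT_INFO more than once before its service request unless kex_input_ext_info itself refuses repeats, which this diff does not show — worth confirming rather than assuming the handler is single-shot. The kex_server_update_ext_info call in the input_userauth_request hunk is placed before auth2_setup_methods_lists, which is the right order if the updated algorithm list is meant to reflect Match-derived settings, but that dependency is not stated in the code either. Both do_authentication2 and input_userauth_request begin and end outside their hunks.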