diff options
author | Markus Friedl <markus@cvs.openbsd.org> | 2002-06-04 19:42:36 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2002-06-04 19:42:36 +0000 |
commit | 1ab6ab6bacb3350a67d1f48e4d3aec2759e9b0e4 (patch) | |
tree | 0bd70617bae343a55eba4f05451d505fd736d1e2 | |
parent | c0b6545ae136c085c6425427f3ee8915eb126e66 (diff) |
only allow enabled authentication methods; ok provos@
-rw-r--r-- | usr.bin/ssh/monitor.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index 53f958b246a..7502207b57b 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.11 2002/05/15 15:47:49 mouring Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.12 2002/06/04 19:42:35 markus Exp $"); #include <openssl/dh.h> @@ -559,7 +559,8 @@ mm_answer_authpassword(int socket, Buffer *m) passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ - authenticated = authctxt->valid && auth_password(authctxt, passwd); + authenticated = options.password_authentication && + authctxt->valid && auth_password(authctxt, passwd); memset(passwd, 0, strlen(passwd)); xfree(passwd); @@ -620,7 +621,8 @@ mm_answer_bsdauthrespond(int socket, Buffer *m) fatal("%s: no bsd auth session", __FUNCTION__); response = buffer_get_string(m, NULL); - authok = auth_userresponse(authctxt->as, response, 0); + authok = options.challenge_response_authentication && + auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3("%s: <%s> = <%d>", __FUNCTION__, response, authok); xfree(response); @@ -666,7 +668,8 @@ mm_answer_skeyrespond(int socket, Buffer *m) response = buffer_get_string(m, NULL); - authok = (authctxt->valid && + authok = (options.challenge_response_authentication && + authctxt->valid && skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); @@ -722,15 +725,18 @@ mm_answer_keyallowed(int socket, Buffer *m) if (key != NULL && authctxt->pw != NULL) { switch(type) { case MM_USERKEY: - allowed = user_key_allowed(authctxt->pw, key); + allowed = options.pubkey_authentication && + user_key_allowed(authctxt->pw, key); break; case MM_HOSTKEY: - allowed = hostbased_key_allowed(authctxt->pw, + allowed = options.hostbased_authentication && + hostbased_key_allowed(authctxt->pw, cuser, chost, key); break; case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ - allowed = auth_rhosts_rsa_key_allowed(authctxt->pw, + allowed = options.rhosts_rsa_authentication && + auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); break; default: @@ -920,7 +926,7 @@ mm_answer_keyverify(int socket, Buffer *m) buffer_put_int(m, verified); mm_request_send(socket, MONITOR_ANS_KEYVERIFY, m); - auth_method = "publickey"; + auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; return (verified); } @@ -1099,7 +1105,7 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m) debug3("%s entering", __FUNCTION__); - if (authctxt->valid) { + if (options.rsa_authentication && authctxt->valid) { if ((client_n = BN_new()) == NULL) fatal("%s: BN_new", __FUNCTION__); buffer_get_bignum2(m, client_n); |