summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2002-06-04 19:42:36 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2002-06-04 19:42:36 +0000
commit1ab6ab6bacb3350a67d1f48e4d3aec2759e9b0e4 (patch)
tree0bd70617bae343a55eba4f05451d505fd736d1e2
parentc0b6545ae136c085c6425427f3ee8915eb126e66 (diff)
only allow enabled authentication methods; ok provos@
-rw-r--r--usr.bin/ssh/monitor.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 53f958b246a..7502207b57b 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.11 2002/05/15 15:47:49 mouring Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.12 2002/06/04 19:42:35 markus Exp $");
#include <openssl/dh.h>
@@ -559,7 +559,8 @@ mm_answer_authpassword(int socket, Buffer *m)
passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */
- authenticated = authctxt->valid && auth_password(authctxt, passwd);
+ authenticated = options.password_authentication &&
+ authctxt->valid && auth_password(authctxt, passwd);
memset(passwd, 0, strlen(passwd));
xfree(passwd);
@@ -620,7 +621,8 @@ mm_answer_bsdauthrespond(int socket, Buffer *m)
fatal("%s: no bsd auth session", __FUNCTION__);
response = buffer_get_string(m, NULL);
- authok = auth_userresponse(authctxt->as, response, 0);
+ authok = options.challenge_response_authentication &&
+ auth_userresponse(authctxt->as, response, 0);
authctxt->as = NULL;
debug3("%s: <%s> = <%d>", __FUNCTION__, response, authok);
xfree(response);
@@ -666,7 +668,8 @@ mm_answer_skeyrespond(int socket, Buffer *m)
response = buffer_get_string(m, NULL);
- authok = (authctxt->valid &&
+ authok = (options.challenge_response_authentication &&
+ authctxt->valid &&
skey_haskey(authctxt->pw->pw_name) == 0 &&
skey_passcheck(authctxt->pw->pw_name, response) != -1);
@@ -722,15 +725,18 @@ mm_answer_keyallowed(int socket, Buffer *m)
if (key != NULL && authctxt->pw != NULL) {
switch(type) {
case MM_USERKEY:
- allowed = user_key_allowed(authctxt->pw, key);
+ allowed = options.pubkey_authentication &&
+ user_key_allowed(authctxt->pw, key);
break;
case MM_HOSTKEY:
- allowed = hostbased_key_allowed(authctxt->pw,
+ allowed = options.hostbased_authentication &&
+ hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
- allowed = auth_rhosts_rsa_key_allowed(authctxt->pw,
+ allowed = options.rhosts_rsa_authentication &&
+ auth_rhosts_rsa_key_allowed(authctxt->pw,
cuser, chost, key);
break;
default:
@@ -920,7 +926,7 @@ mm_answer_keyverify(int socket, Buffer *m)
buffer_put_int(m, verified);
mm_request_send(socket, MONITOR_ANS_KEYVERIFY, m);
- auth_method = "publickey";
+ auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
return (verified);
}
@@ -1099,7 +1105,7 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m)
debug3("%s entering", __FUNCTION__);
- if (authctxt->valid) {
+ if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __FUNCTION__);
buffer_get_bignum2(m, client_n);