https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <d...@mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|pgs...@swcp.com             |d...@mindrot.org

--- Comment #58 from Damien Miller <d...@mindrot.org> ---
Created attachment 2192
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2192&action=edit
new multiple required authentication methods patch

Here's a patch I'm working on. It adds an AuthenticationMethods option that
lists the possible paths to successful authentication. E.g.

    AuthenticationMethods publickey,password gssapi-with-mic,password publickey,keyboard-interactive

When attempting to authenticate, only methods that are at the start of one of
the paths listed will be offered. Each successful authentication removes the
successful method from the head of each path. E.g. for the example above, the
client would be offered "publickey,gssapi-with-mic" for the first round. If
they completed publickey authentication they would be offered
"password,gssapi-with-mic,keyboard-interactive". Finally, if they completed
password or keyboard-interactive then they would be considered authenticated.

The patch is only for SSH2 and will fatal if protocol 1 is enabled. We can't
support arbitrary orders for protocol 1 and I'm not going to make an
OpenSSH-only extension for a dead protocol.

The patch also tries to warn you early if you have selected authentication
paths that are impossible to satisfy with the set of enabled authentication
methods (e.g. if you asked for publickey,password and have
PasswordAuthentication=no). This warning won't catch cases where
AuthenticationMethods are set late via Match blocks though.
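The offer-and-strip behaviour described in comment #58, modelled as an added example; it is not taken from attachment 2192 or from OpenSSH's source. The names `offer_after`, `head_is`, `EXAMPLE` and `MAXP` are hypothetical, and the model covers only which methods are offered and when a path is complete.

```c
#include <stdio.h>
#include <string.h>
#define MAXP 8  /* maximum number of paths in this model (assumption) */

/* The three paths from the AuthenticationMethods example in the comment. */
static const char *const EXAMPLE[] = {
    "publickey,password", "gssapi-with-mic,password",
    "publickey,keyboard-interactive" };

/* True if the method at the head of remaining path p is exactly m[0..n). */
static int head_is(const char *p, const char *m, size_t n) {
    return n > 0 && strcspn(p, ",") == n && strncmp(p, m, n) == 0;
}

/* Replay the successes in done ("a,b", in order) against n paths. Returns the
 * methods offered next, "" once any path is fully consumed (authenticated),
 * or NULL if a replayed method was not at the head of any path. */
const char *offer_after(const char *const *cfg, int n, const char *done) {
    static char out[256];
    const char *rest[MAXP];
    int i, j, hit, complete = 0;

    if (n > MAXP) return NULL;
    for (i = 0; i < n; i++) rest[i] = cfg[i];
    while (*done && !complete) {
        size_t len = strcspn(done, ",");
        for (hit = 0, i = 0; i < n; i++) {
            if (!head_is(rest[i], done, len)) continue;
            hit = 1;
            rest[i] += len + (rest[i][len] == ',');  /* strip this path's head */
            if (*rest[i] == '\0') complete = 1;
        }
        if (!hit) return NULL;              /* method was not on offer */
        done += len + (done[len] == ',');
    }
    out[0] = '\0';
    for (i = 0; i < n && !complete; i++) {
        size_t len = strcspn(rest[i], ",");
        for (j = 0; j < i && !head_is(rest[j], rest[i], len); j++)
            continue;
        if (j < i || len == 0) continue;    /* already listed, or empty path */
        snprintf(out + strlen(out), sizeof out - strlen(out), "%s%.*s",
                 out[0] ? "," : "", (int)len, rest[i]);
    }
    return out;
}
int main(void) {
    printf("round 1: %s\n", offer_after(EXAMPLE, 3, ""));
    printf("round 2: %s\n", offer_after(EXAMPLE, 3, "publickey"));
    return 0;
}
```

Replaying `"password"` first returns NULL in this model, because password is not at the head of any path until publickey or gssapi-with-mic has succeeded.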