vishalmishra434 / rpms / openssh

Forked from rpms/openssh 2 months ago
Clone
8f2528
diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
8f2528
--- openssh-7.4p1/auth2.c.expose-pam	2016-12-23 15:40:26.768447868 +0100
8f2528
+++ openssh-7.4p1/auth2.c	2016-12-23 15:40:26.818447876 +0100
8f2528
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
8f2528
     const char *submethod)
8f2528
 {
8f2528
 	char *methods;
8f2528
+	char *prev_auth_details;
8f2528
 	int partial = 0;
8f2528
 
8f2528
 	if (!authctxt->valid && authenticated)
8f2528
@@ -340,6 +341,18 @@ userauth_finish(Authctxt *authctxt, int
8f2528
 	if (authctxt->postponed)
8f2528
 		return;
8f2528
 
8f2528
+	if (authenticated || partial) {
8f2528
+		prev_auth_details = authctxt->auth_details;
8f2528
+		xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
8f2528
+		    prev_auth_details ? prev_auth_details : "",
8f2528
+		    prev_auth_details ? ", " : "", method,
8f2528
+		    authctxt->last_details ? ": " : "",
8f2528
+		    authctxt->last_details ? authctxt->last_details : "");
8f2528
+		free(prev_auth_details);
8f2528
+	}
8f2528
+	free(authctxt->last_details);
8f2528
+	authctxt->last_details = NULL;
8f2528
+
8f2528
 #ifdef USE_PAM
8f2528
 	if (options.use_pam && authenticated) {
8f2528
 		if (!PRIVSEP(do_pam_account())) {
8f2528
diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
8f2528
--- openssh-7.4p1/auth2-gss.c.expose-pam	2016-12-23 15:40:26.769447868 +0100
8f2528
+++ openssh-7.4p1/auth2-gss.c	2016-12-23 15:40:26.818447876 +0100
8f2528
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
8f2528
 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
8f2528
 	    authctxt->pw));
8f2528
 
8f2528
+	if (authenticated)
8f2528
+		authctxt->last_details = ssh_gssapi_get_displayname();
8f2528
+
8f2528
 	authctxt->postponed = 0;
8f2528
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
8f2528
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
8f2528
@@ -322,6 +325,9 @@ input_gssapi_mic(int type, u_int32_t ple
8f2528
 	else
8f2528
 		logit("GSSAPI MIC check failed");
8f2528
 
8f2528
+	if (authenticated)
8f2528
+		authctxt->last_details = ssh_gssapi_get_displayname();
8f2528
+
8f2528
 	buffer_free(&b);
8f2528
 	if (micuser != authctxt->user)
8f2528
 		free(micuser);
8f2528
diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
8f2528
--- openssh-7.4p1/auth2-hostbased.c.expose-pam	2016-12-23 15:40:26.731447862 +0100
8f2528
+++ openssh-7.4p1/auth2-hostbased.c	2016-12-23 15:40:26.818447876 +0100
8f2528
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
8f2528
 {
8f2528
 	Buffer b;
8f2528
 	Key *key = NULL;
8f2528
-	char *pkalg, *cuser, *chost, *service;
8f2528
+	char *pkalg, *cuser, *chost, *service, *pubkey;
8f2528
 	u_char *pkblob, *sig;
8f2528
 	u_int alen, blen, slen;
8f2528
 	int pktype;
8f2528
@@ -140,15 +140,21 @@ userauth_hostbased(Authctxt *authctxt)
8f2528
 	buffer_dump(&b);
8f2528
 #endif
8f2528
 
8f2528
-	pubkey_auth_info(authctxt, key,
8f2528
-	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
8f2528
+	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
8f2528
+	auth_info(authctxt,
8f2528
+	    "%s, client user \"%.100s\", client host \"%.100s\"",
8f2528
+	    pubkey, cuser, chost);
8f2528
 
8f2528
 	/* test for allowed key and correct signature */
8f2528
 	authenticated = 0;
8f2528
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
8f2528
 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
8f2528
-			buffer_len(&b))) == 1)
8f2528
+			buffer_len(&b))) == 1) {
8f2528
 		authenticated = 1;
8f2528
+		authctxt->last_details = pubkey;
8f2528
+	} else {
8f2528
+		free(pubkey);
8f2528
+	}
8f2528
 
8f2528
 	buffer_free(&b);
8f2528
 done:
8f2528
diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
8f2528
--- openssh-7.4p1/auth2-pubkey.c.expose-pam	2016-12-23 15:40:26.746447864 +0100
8f2528
+++ openssh-7.4p1/auth2-pubkey.c	2016-12-23 15:40:26.819447876 +0100
8f2528
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
8f2528
 {
8f2528
 	Buffer b;
8f2528
 	Key *key = NULL;
8f2528
-	char *pkalg, *userstyle, *fp = NULL;
8f2528
+	char *pkalg, *userstyle, *pubkey, *fp = NULL;
8f2528
 	u_char *pkblob, *sig;
8f2528
 	u_int alen, blen, slen;
8f2528
 	int have_sig, pktype;
8f2528
@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
8f2528
 #ifdef DEBUG_PK
8f2528
 		buffer_dump(&b);
8f2528
 #endif
8f2528
-		pubkey_auth_info(authctxt, key, NULL);
8f2528
+		pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
8f2528
+		auth_info(authctxt, "%s", pubkey);
8f2528
 
8f2528
 		/* test for correct signature */
8f2528
 		authenticated = 0;
8f2528
@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
8f2528
 		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
8f2528
 		    buffer_len(&b))) == 1) {
8f2528
 			authenticated = 1;
8f2528
+			authctxt->last_details = pubkey;
8f2528
 			/* Record the successful key to prevent reuse */
8f2528
 			auth2_record_userkey(authctxt, key);
8f2528
 			key = NULL; /* Don't free below */
8f2528
+		} else {
8f2528
+			free(pubkey);
8f2528
 		}
8f2528
 		buffer_free(&b);
8f2528
 		free(sig);
8f2528
@@ -228,7 +232,7 @@ done:
8f2528
 void
8f2528
 pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
8f2528
 {
8f2528
-	char *fp, *extra;
8f2528
+	char *extra, *pubkey;
8f2528
 	va_list ap;
8f2528
 	int i;
8f2528
 
8f2528
@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
8f2528
 		i = vasprintf(&extra, fmt, ap);
8f2528
 		va_end(ap);
8f2528
 		if (i < 0 || extra == NULL)
8f2528
-			fatal("%s: vasprintf failed", __func__);	
8f2528
+			fatal("%s: vasprintf failed", __func__);
8f2528
 	}
8f2528
 
8f2528
-	if (key_is_cert(key)) {
8f2528
-		fp = sshkey_fingerprint(key->cert->signature_key,
8f2528
-		    options.fingerprint_hash, SSH_FP_DEFAULT);
8f2528
-		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
8f2528
-		    key_type(key), key->cert->key_id,
8f2528
-		    (unsigned long long)key->cert->serial,
8f2528
-		    key_type(key->cert->signature_key),
8f2528
-		    fp == NULL ? "(null)" : fp,
8f2528
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
8f2528
-		free(fp);
8f2528
-	} else {
8f2528
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
8f2528
-		    SSH_FP_DEFAULT);
8f2528
-		auth_info(authctxt, "%s %s%s%s", key_type(key),
8f2528
-		    fp == NULL ? "(null)" : fp,
8f2528
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
8f2528
-		free(fp);
8f2528
-	}
8f2528
+	pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
8f2528
+	auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
8f2528
+	    extra == NULL ? "" : extra);
8f2528
+	free(pubkey);
8f2528
 	free(extra);
8f2528
 }
8f2528
 
8f2528
diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
8f2528
--- openssh-7.4p1/auth.h.expose-pam	2016-12-23 15:40:26.782447870 +0100
8f2528
+++ openssh-7.4p1/auth.h	2016-12-23 15:40:26.819447876 +0100
8f2528
@@ -84,6 +84,9 @@ struct Authctxt {
8f2528
 
8f2528
 	struct sshkey	**prev_userkeys;
8f2528
 	u_int		 nprev_userkeys;
8f2528
+
8f2528
+	char		*last_details;
8f2528
+	char		*auth_details;
8f2528
 };
8f2528
 /*
8f2528
  * Every authentication method has to handle authentication requests for
8f2528
diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
8f2528
--- openssh-7.4p1/auth-pam.c.expose-pam	2016-12-23 15:40:26.731447862 +0100
8f2528
+++ openssh-7.4p1/auth-pam.c	2016-12-23 15:40:26.819447876 +0100
8f2528
@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
8f2528
 		return (NULL);
8f2528
 	}
8f2528
 
8f2528
+	/* Notify PAM about any already successful auth methods */
8f2528
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
8f2528
+			authctxt->auth_details)
8f2528
+		do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
8f2528
+
8f2528
 	ctxt = xcalloc(1, sizeof *ctxt);
8f2528
 
8f2528
 	/* Start the authentication thread */
8f2528
diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
8f2528
--- openssh-7.4p1/gss-serv.c.expose-pam	2016-12-23 15:40:26.808447874 +0100
8f2528
+++ openssh-7.4p1/gss-serv.c	2016-12-23 15:40:26.819447876 +0100
8f2528
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
8f2528
 }
8f2528
 
8f2528
 /* Privileged */
8f2528
+char*
8f2528
+ssh_gssapi_get_displayname(void)
8f2528
+{
8f2528
+	if (gssapi_client.displayname.length != 0 &&
8f2528
+	    gssapi_client.displayname.value != NULL)
8f2528
+		return strdup((char *)gssapi_client.displayname.value);
8f2528
+	return NULL;
8f2528
+}
8f2528
+
8f2528
+/* Privileged */
8f2528
 int
8f2528
 ssh_gssapi_userok(char *user, struct passwd *pw)
8f2528
 {
8f2528
diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
8f2528
--- openssh-7.4p1/monitor.c.expose-pam	2016-12-23 15:40:26.794447872 +0100
8f2528
+++ openssh-7.4p1/monitor.c	2016-12-23 15:41:16.473455863 +0100
8f2528
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
8f2528
 {
8f2528
 	struct mon_table *ent;
8f2528
 	int authenticated = 0, partial = 0;
8f2528
+	char *prev_auth_details;
8f2528
 
8f2528
 	debug3("preauth child monitor started");
8f2528
 
8f2528
@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
8f2528
 		auth_submethod = NULL;
8f2528
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
8f2528
 
8f2528
+		if (authenticated) {
8f2528
+			prev_auth_details = authctxt->auth_details;
8f2528
+			xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
8f2528
+			    prev_auth_details ? prev_auth_details : "",
8f2528
+			    prev_auth_details ? ", " : "", auth_method,
8f2528
+			    authctxt->last_details ? ": " : "",
8f2528
+			    authctxt->last_details ? authctxt->last_details : "");
8f2528
+			free(prev_auth_details);
8f2528
+		}
8f2528
+		free(authctxt->last_details);
8f2528
+		authctxt->last_details = NULL;
8f2528
+
8f2528
 		/* Special handling for multiple required authentications */
8f2528
 		if (options.num_auth_methods != 0) {
8f2528
 			if (authenticated &&
8f2528
@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
8f2528
 	debug3("%s: key %p signature %s",
8f2528
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
8f2528
 
8f2528
+	if (verified == 1)
8f2528
+		authctxt->last_details = sshkey_format_oneline(key,
8f2528
+		    options.fingerprint_hash);
8f2528
+
8f2528
 	/* If auth was successful then record key to ensure it isn't reused */
8f2528
 	if (verified == 1 && key_blobtype == MM_USERKEY)
8f2528
 		auth2_record_userkey(authctxt, key);
8f2528
@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
8f2528
 
8f2528
 	auth_method = "gssapi-with-mic";
8f2528
 
8f2528
+	if (authenticated)
8f2528
+		authctxt->last_details = ssh_gssapi_get_displayname();
8f2528
+
8f2528
 	/* Monitor loop will terminate if authenticated */
8f2528
 	return (authenticated);
8f2528
 }
8f2528
diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
8f2528
--- openssh-7.4p1/servconf.c.expose-pam	2016-12-23 15:40:26.810447875 +0100
8f2528
+++ openssh-7.4p1/servconf.c	2016-12-23 15:44:04.691482920 +0100
8f2528
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
8f2528
 	options->version_addendum = NULL;
8f2528
 	options->use_kuserok = -1;
8f2528
 	options->enable_k5users = -1;
8f2528
+	options->expose_auth_methods = -1;
8f2528
 	options->fingerprint_hash = -1;
8f2528
 	options->disable_forwarding = -1;
8f2528
 }
8f2528
@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
8f2528
 		options->use_kuserok = 1;
8f2528
 	if (options->enable_k5users == -1)
8f2528
 		options->enable_k5users = 0;
8f2528
+	if (options->expose_auth_methods == -1)
8f2528
+		options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
8f2528
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
8f2528
 		options->fwd_opts.streamlocal_bind_mask = 0177;
8f2528
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
8f2528
@@ -439,6 +442,7 @@ typedef enum {
8f2528
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
8f2528
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
8f2528
 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
8f2528
+	sExposeAuthenticationMethods,
8f2528
 	sDeprecated, sIgnore, sUnsupported
8f2528
 } ServerOpCodes;
8f2528
 
8f2528
@@ -595,6 +599,7 @@ static struct {
8f2528
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
8f2528
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
8f2528
 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
8f2528
+	{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
8f2528
 	{ NULL, sBadOption, 0 }
8f2528
 };
8f2528
 
8f2528
@@ -984,6 +989,12 @@ static const struct multistate multistat
8f2528
 	{ "local",			FORWARD_LOCAL },
8f2528
 	{ NULL, -1 }
8f2528
 };
8f2528
+static const struct multistate multistate_exposeauthmeth[] = {
8f2528
+	{ "never",			EXPOSE_AUTHMETH_NEVER },
8f2528
+	{ "pam-only",			EXPOSE_AUTHMETH_PAMONLY },
8f2528
+	{ "pam-and-env",		EXPOSE_AUTHMETH_PAMENV },
8f2528
+	{ NULL, -1}
8f2528
+};
8f2528
 
8f2528
 int
8f2528
 process_server_config_line(ServerOptions *options, char *line,
8f2528
@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
8f2528
 			options->fingerprint_hash = value;
8f2528
 		break;
8f2528
 
8f2528
+	case sExposeAuthenticationMethods:
8f2528
+		intptr = &options->expose_auth_methods;
8f2528
+		multistate_ptr = multistate_exposeauthmeth;
8f2528
+		goto parse_multistate;
8f2528
+
8f2528
 	case sDeprecated:
8f2528
 	case sIgnore:
8f2528
 	case sUnsupported:
8f2528
@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
8f2528
 	M_CP_INTOPT(enable_k5users);
8f2528
 	M_CP_INTOPT(rekey_limit);
8f2528
 	M_CP_INTOPT(rekey_interval);
8f2528
+	M_CP_INTOPT(expose_auth_methods);
8f2528
 
8f2528
 	/*
8f2528
 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
8f2528
@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
8f2528
 		return fmt_multistate_int(val, multistate_tcpfwd);
8f2528
 	case sFingerprintHash:
8f2528
 		return ssh_digest_alg_name(val);
8f2528
+	case sExposeAuthenticationMethods:
8f2528
+		return fmt_multistate_int(val, multistate_exposeauthmeth);
8f2528
 	default:
8f2528
 		switch (val) {
8f2528
 		case 0:
8f2528
@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
8f2528
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
8f2528
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
8f2528
 	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
8f2528
+	dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
8f2528
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
8f2528
 
8f2528
 	/* string arguments */
8f2528
diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
8f2528
--- openssh-7.4p1/servconf.h.expose-pam	2016-12-23 15:40:26.810447875 +0100
8f2528
+++ openssh-7.4p1/servconf.h	2016-12-23 15:40:26.821447876 +0100
8f2528
@@ -48,6 +48,11 @@
8f2528
 #define FORWARD_LOCAL		(1<<1)
8f2528
 #define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)
8f2528
 
8f2528
+/* Expose AuthenticationMethods */
8f2528
+#define EXPOSE_AUTHMETH_NEVER   0
8f2528
+#define EXPOSE_AUTHMETH_PAMONLY 1
8f2528
+#define EXPOSE_AUTHMETH_PAMENV  2
8f2528
+
8f2528
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
8f2528
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
8f2528
 
8f2528
@@ -195,6 +200,8 @@ typedef struct {
8f2528
 	char   *auth_methods[MAX_AUTH_METHODS];
8f2528
 
8f2528
 	int	fingerprint_hash;
8f2528
+
8f2528
+	int	expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
8f2528
 }       ServerOptions;
8f2528
 
8f2528
 /* Information about the incoming connection as used by Match */
8f2528
diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
8f2528
--- openssh-7.4p1/session.c.expose-pam	2016-12-23 15:40:26.794447872 +0100
8f2528
+++ openssh-7.4p1/session.c	2016-12-23 15:40:26.821447876 +0100
8f2528
@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
8f2528
 		}
8f2528
 		*var_val++ = '\0';
8f2528
 
8f2528
+		if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
8f2528
+				strcmp(var_name, "SSH_USER_AUTH") == 0) {
8f2528
+			free(var_name);
8f2528
+			continue;
8f2528
+		}
8f2528
+
8f2528
 		debug3("Copy environment: %s=%s", var_name, var_val);
8f2528
 		child_set_env(env, envsize, var_name, var_val);
8f2528
 
8f2528
@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
8f2528
 	}
8f2528
 #endif /* USE_PAM */
8f2528
 
8f2528
+	if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
8f2528
+			s->authctxt->auth_details)
8f2528
+		child_set_env(&env, &envsize, "SSH_USER_AUTH",
8f2528
+		     s->authctxt->auth_details);
8f2528
+
8f2528
 	if (auth_sock_name != NULL)
8f2528
 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
8f2528
 		    auth_sock_name);
8f2528
@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
8f2528
 	if (authctxt == NULL)
8f2528
 		return;
8f2528
 
8f2528
+	free(authctxt->auth_details);
8f2528
+	authctxt->auth_details = NULL;
8f2528
+
8f2528
 #ifdef USE_PAM
8f2528
 	if (options.use_pam) {
8f2528
 		sshpam_cleanup();
8f2528
diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
8f2528
--- openssh-7.4p1/ssh.1.expose-pam	2016-12-23 15:40:26.810447875 +0100
8f2528
+++ openssh-7.4p1/ssh.1	2016-12-23 15:40:26.822447877 +0100
8f2528
@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
8f2528
 This variable contains the original command line if a forced command
8f2528
 is executed.
8f2528
 It can be used to extract the original arguments.
8f2528
+.It Ev SSH_USER_AUTH
8f2528
+This variable contains, for SSH2 only, a comma-separated list of authentication
8f2528
+methods that were successfuly used to authenticate. When possible, these
8f2528
+methods are extended with detailed information on the credential used.
8f2528
 .It Ev SSH_TTY
8f2528
 This is set to the name of the tty (path to the device) associated
8f2528
 with the current shell or command.
8f2528
diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
8f2528
--- openssh-7.4p1/sshd_config.5.expose-pam	2016-12-23 15:40:26.822447877 +0100
8f2528
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:45:22.411495421 +0100
8f2528
@@ -570,6 +570,21 @@ Disables all forwarding features, includ
8f2528
 TCP and StreamLocal.
8f2528
 This option overrides all other forwarding-related options and may
8f2528
 simplify restricted configurations.
8f2528
+.It Cm ExposeAuthenticationMethods
8f2528
+When using SSH2, this option controls the exposure of the list of
8f2528
+successful authentication methods to PAM during the authentication
8f2528
+and to the shell environment via the
8f2528
+.Cm SSH_USER_AUTH
8f2528
+variable. See the description of this variable for more details.
8f2528
+Valid options are:
8f2528
+.Cm never
8f2528
+(Do not expose successful authentication methods),
8f2528
+.Cm pam-only
8f2528
+(Only expose them to PAM during authentication, not afterwards),
8f2528
+.Cm pam-and-env
8f2528
+(Expose them to PAM and keep them in the shell environment).
8f2528
+The default is
8f2528
+.Cm never .
8f2528
 .It Cm FingerprintHash
8f2528
 Specifies the hash algorithm used when logging key fingerprints.
8f2528
 Valid options are:
8f2528
diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
8f2528
--- openssh-7.4p1/ssh-gss.h.expose-pam	2016-12-23 15:40:26.811447875 +0100
8f2528
+++ openssh-7.4p1/ssh-gss.h	2016-12-23 15:40:26.823447877 +0100
8f2528
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
8f2528
     const char *);
8f2528
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
8f2528
 int ssh_gssapi_userok(char *name, struct passwd *);
8f2528
+char* ssh_gssapi_get_displayname(void);
8f2528
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
8f2528
 void ssh_gssapi_do_child(char ***, u_int *);
8f2528
 void ssh_gssapi_cleanup_creds(void);
8f2528
diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
8f2528
--- openssh-7.4p1/sshkey.c.expose-pam	2016-12-23 15:40:26.777447869 +0100
8f2528
+++ openssh-7.4p1/sshkey.c	2016-12-23 15:40:26.823447877 +0100
8f2528
@@ -57,6 +57,7 @@
8f2528
 #define SSHKEY_INTERNAL
8f2528
 #include "sshkey.h"
8f2528
 #include "match.h"
8f2528
+#include "xmalloc.h"
8f2528
 
8f2528
 /* openssh private key file format */
8f2528
 #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
8f2528
@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
8f2528
 	return retval;
8f2528
 }
8f2528
 
8f2528
+char *
8f2528
+sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
8f2528
+{
8f2528
+	char *fp, *result;
8f2528
+
8f2528
+	if (sshkey_is_cert(key)) {
8f2528
+		fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
8f2528
+		    SSH_FP_DEFAULT);
8f2528
+		xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
8f2528
+		    sshkey_type(key), key->cert->key_id,
8f2528
+		    (unsigned long long)key->cert->serial,
8f2528
+		    sshkey_type(key->cert->signature_key),
8f2528
+		    fp == NULL ? "(null)" : fp);
8f2528
+		free(fp);
8f2528
+	} else {
8f2528
+		fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
8f2528
+		xasprintf(&result, "%s %s", sshkey_type(key),
8f2528
+		    fp == NULL ? "(null)" : fp);
8f2528
+		free(fp);
8f2528
+	}
8f2528
+
8f2528
+	return result;
8f2528
+}
8f2528
+
8f2528
 #ifdef WITH_SSH1
8f2528
 /*
8f2528
  * Reads a multiple-precision integer in decimal from the buffer, and advances
8f2528
diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
8f2528
--- openssh-7.4p1/sshkey.h.expose-pam	2016-12-23 15:40:26.777447869 +0100
8f2528
+++ openssh-7.4p1/sshkey.h	2016-12-23 15:40:26.823447877 +0100
8f2528
@@ -124,6 +124,7 @@ char		*sshkey_fingerprint(const struct s
8f2528
     int, enum sshkey_fp_rep);
8f2528
 int		 sshkey_fingerprint_raw(const struct sshkey *k,
8f2528
     int, u_char **retp, size_t *lenp);
8f2528
+char		*sshkey_format_oneline(const struct sshkey *k, int dgst_alg);
8f2528
 const char	*sshkey_type(const struct sshkey *);
8f2528
 const char	*sshkey_cert_type(const struct sshkey *);
8f2528
 int		 sshkey_write(const struct sshkey *, FILE *);