diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-06-17 05:03:40 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-06-24 13:35:28 +1000 |
| commit | b64faeb5eda7eff8210c754d00464f9fe9d23de5 (patch) | |
| tree | 71d280e30b29dc41cc1f46d7c688399e768622aa | |
| parent | 9816fc5daee5ca924dd5c4781825afbaab728877 (diff) | |
| download | openssh-git-b64faeb5eda7eff8210c754d00464f9fe9d23de5.tar.gz | |
upstream commit
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication
bz#2398 from Jakub Jelen; ok dtucker@
Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
| -rw-r--r-- | servconf.c | 34 | ||||
| -rw-r--r-- | sshd_config.5 | 17 |
2 files changed, 42 insertions, 9 deletions
@@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -381,6 +381,14 @@ fill_default_server_options(ServerOptions *options) CLEAR_ON_NONE(options->host_cert_files[i]); #undef CLEAR_ON_NONE + /* Similar handling for AuthenticationMethods=any */ + if (options->num_auth_methods == 1 && + strcmp(options->auth_methods[0], "any") == 0) { + free(options->auth_methods[0]); + options->auth_methods[0] = NULL; + options->num_auth_methods = 0; + } + #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " @@ -1804,21 +1812,39 @@ process_server_config_line(ServerOptions *options, char *line, case sAuthenticationMethods: if (options->num_auth_methods == 0) { + value = 0; /* seen "any" pseudo-method */ while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_auth_methods >= MAX_AUTH_METHODS) fatal("%s line %d: " "too many authentication methods.", filename, linenum); - if (auth2_methods_valid(arg, 0) != 0) + if (strcmp(arg, "any") == 0) { + if (options->num_auth_methods > 0) { + fatal("%s line %d: \"any\" " + "must appear alone in " + "AuthenticationMethods", + filename, linenum); + } + value = 1; + } else if (value) { + fatal("%s line %d: \"any\" must appear " + "alone in AuthenticationMethods", + filename, linenum); + } else if (auth2_methods_valid(arg, 0) != 0) { fatal("%s line %d: invalid " "authentication method list.", filename, linenum); + } if (!*activep) continue; options->auth_methods[ options->num_auth_methods++] = xstrdup(arg); } + if (options->num_auth_methods == 0) { + fatal("%s line %d: no AuthenticationMethods " + "specified", filename, linenum); + } } return 0; @@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) { u_int i; - if (count <= 0) + if (count <= 0 && code != sAuthenticationMethods) return; printf("%s", lookup_opcode_name(code)); for (i = 0; i < count; i++) printf(" %s", vals[i]); + if (code == sAuthenticationMethods && count == 0) + printf(" any"); printf("\n"); } diff --git a/sshd_config.5 b/sshd_config.5 index 479fa38e..69079795 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $ -.Dd $Mdocdate: May 4 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $ +.Dd $Mdocdate: June 17 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -189,9 +189,12 @@ for more information on patterns. Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of -authentication method names. -Successful authentication requires completion of every method in at least -one of these lists. +authentication method names, or by the single string +.Dq any +to indicate the default behaviour of accepting any single authentication +methods. +if the default is overridden, then successful authentication requires +completion of every method in at least one of these lists. .Pp For example, an argument of .Dq publickey,password publickey,keyboard-interactive @@ -231,7 +234,9 @@ This option will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. -The default is not to require multiple authentication; successful completion +The default +.Dq any +is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. |