mirror of git://anongit.mindrot.org/openssh.git
upstream commit
ban AuthenticationMethods="" and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication bz#2398 from Jakub Jelen; ok dtucker@ Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
This commit is contained in:
parent
9816fc5dae
commit
b64faeb5ed
34
servconf.c
34
servconf.c
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -381,6 +381,14 @@ fill_default_server_options(ServerOptions *options)
|
|||
CLEAR_ON_NONE(options->host_cert_files[i]);
|
||||
#undef CLEAR_ON_NONE
|
||||
|
||||
/* Similar handling for AuthenticationMethods=any */
|
||||
if (options->num_auth_methods == 1 &&
|
||||
strcmp(options->auth_methods[0], "any") == 0) {
|
||||
free(options->auth_methods[0]);
|
||||
options->auth_methods[0] = NULL;
|
||||
options->num_auth_methods = 0;
|
||||
}
|
||||
|
||||
#ifndef HAVE_MMAP
|
||||
if (use_privsep && options->compression == 1) {
|
||||
error("This platform does not support both privilege "
|
||||
|
@ -1804,21 +1812,39 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
|
||||
case sAuthenticationMethods:
|
||||
if (options->num_auth_methods == 0) {
|
||||
value = 0; /* seen "any" pseudo-method */
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_auth_methods >=
|
||||
MAX_AUTH_METHODS)
|
||||
fatal("%s line %d: "
|
||||
"too many authentication methods.",
|
||||
filename, linenum);
|
||||
if (auth2_methods_valid(arg, 0) != 0)
|
||||
if (strcmp(arg, "any") == 0) {
|
||||
if (options->num_auth_methods > 0) {
|
||||
fatal("%s line %d: \"any\" "
|
||||
"must appear alone in "
|
||||
"AuthenticationMethods",
|
||||
filename, linenum);
|
||||
}
|
||||
value = 1;
|
||||
} else if (value) {
|
||||
fatal("%s line %d: \"any\" must appear "
|
||||
"alone in AuthenticationMethods",
|
||||
filename, linenum);
|
||||
} else if (auth2_methods_valid(arg, 0) != 0) {
|
||||
fatal("%s line %d: invalid "
|
||||
"authentication method list.",
|
||||
filename, linenum);
|
||||
}
|
||||
if (!*activep)
|
||||
continue;
|
||||
options->auth_methods[
|
||||
options->num_auth_methods++] = xstrdup(arg);
|
||||
}
|
||||
if (options->num_auth_methods == 0) {
|
||||
fatal("%s line %d: no AuthenticationMethods "
|
||||
"specified", filename, linenum);
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
|
||||
|
@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
|
|||
{
|
||||
u_int i;
|
||||
|
||||
if (count <= 0)
|
||||
if (count <= 0 && code != sAuthenticationMethods)
|
||||
return;
|
||||
printf("%s", lookup_opcode_name(code));
|
||||
for (i = 0; i < count; i++)
|
||||
printf(" %s", vals[i]);
|
||||
if (code == sAuthenticationMethods && count == 0)
|
||||
printf(" any");
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $
|
||||
.Dd $Mdocdate: May 4 2016 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
|
||||
.Dd $Mdocdate: June 17 2016 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -189,9 +189,12 @@ for more information on patterns.
|
|||
Specifies the authentication methods that must be successfully completed
|
||||
for a user to be granted access.
|
||||
This option must be followed by one or more comma-separated lists of
|
||||
authentication method names.
|
||||
Successful authentication requires completion of every method in at least
|
||||
one of these lists.
|
||||
authentication method names, or by the single string
|
||||
.Dq any
|
||||
to indicate the default behaviour of accepting any single authentication
|
||||
methods.
|
||||
if the default is overridden, then successful authentication requires
|
||||
completion of every method in at least one of these lists.
|
||||
.Pp
|
||||
For example, an argument of
|
||||
.Dq publickey,password publickey,keyboard-interactive
|
||||
|
@ -231,7 +234,9 @@ This option will yield a fatal
|
|||
error if enabled if protocol 1 is also enabled.
|
||||
Note that each authentication method listed should also be explicitly enabled
|
||||
in the configuration.
|
||||
The default is not to require multiple authentication; successful completion
|
||||
The default
|
||||
.Dq any
|
||||
is not to require multiple authentication; successful completion
|
||||
of a single authentication method is sufficient.
|
||||
.It Cm AuthorizedKeysCommand
|
||||
Specifies a program to be used to look up the user's public keys.
|
||||
|
|
Loading…
Reference in New Issue