diff --git a/servconf.c b/servconf.c index 1cb45f536..a411bfb6e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -381,6 +381,14 @@ fill_default_server_options(ServerOptions *options) CLEAR_ON_NONE(options->host_cert_files[i]); #undef CLEAR_ON_NONE + /* Similar handling for AuthenticationMethods=any */ + if (options->num_auth_methods == 1 && + strcmp(options->auth_methods[0], "any") == 0) { + free(options->auth_methods[0]); + options->auth_methods[0] = NULL; + options->num_auth_methods = 0; + } + #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " @@ -1804,21 +1812,39 @@ process_server_config_line(ServerOptions *options, char *line, case sAuthenticationMethods: if (options->num_auth_methods == 0) { + value = 0; /* seen "any" pseudo-method */ while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_auth_methods >= MAX_AUTH_METHODS) fatal("%s line %d: " "too many authentication methods.", filename, linenum); - if (auth2_methods_valid(arg, 0) != 0) + if (strcmp(arg, "any") == 0) { + if (options->num_auth_methods > 0) { + fatal("%s line %d: \"any\" " + "must appear alone in " + "AuthenticationMethods", + filename, linenum); + } + value = 1; + } else if (value) { + fatal("%s line %d: \"any\" must appear " + "alone in AuthenticationMethods", + filename, linenum); + } else if (auth2_methods_valid(arg, 0) != 0) { fatal("%s line %d: invalid " "authentication method list.", filename, linenum); + } if (!*activep) continue; options->auth_methods[ options->num_auth_methods++] = xstrdup(arg); } + if (options->num_auth_methods == 0) { + fatal("%s line %d: no AuthenticationMethods " + "specified", filename, linenum); + } } return 0; @@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) { u_int i; - if (count <= 0) + if (count <= 0 && code != sAuthenticationMethods) return; printf("%s", lookup_opcode_name(code)); for (i = 0; i < count; i++) printf(" %s", vals[i]); + if (code == sAuthenticationMethods && count == 0) + printf(" any"); printf("\n"); } diff --git a/sshd_config.5 b/sshd_config.5 index 479fa38eb..690797958 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $ -.Dd $Mdocdate: May 4 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $ +.Dd $Mdocdate: June 17 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -189,9 +189,12 @@ for more information on patterns. Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of -authentication method names. -Successful authentication requires completion of every method in at least -one of these lists. +authentication method names, or by the single string +.Dq any +to indicate the default behaviour of accepting any single authentication +methods. +if the default is overridden, then successful authentication requires +completion of every method in at least one of these lists. .Pp For example, an argument of .Dq publickey,password publickey,keyboard-interactive @@ -231,7 +234,9 @@ This option will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. -The default is not to require multiple authentication; successful completion +The default +.Dq any +is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys.