author | 2016-06-17 05:03:40 +0000 | |
---|---|---|
committer | 2016-06-17 05:03:40 +0000 | |
commit | 5bb278b7e7024c6e95a36b87b894aa9a9a0e4ca9 (patch) | |
tree | 3a274d5ac7d4de6eb491246cb00f2b88f8a07719 | |
parent | sync (diff) | |
ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication
bz#2398 from Jakub Jelen; ok dtucker@
-rw-r--r-- | usr.bin/ssh/servconf.c | 35 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 17 |
2 files changed, 43 insertions, 9 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 527f54d5cdf..ad99152db7b 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -363,6 +363,15 @@ fill_default_server_options(ServerOptions *options)
 	for (i = 0; i < options->num_host_cert_files; i++)
 		CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
+
+	/* Similar handling for AuthenticationMethods=any */
+	if (options->num_auth_methods == 1 &&
+	    strcmp(options->auth_methods[0], "any") == 0) {
+		free(options->auth_methods[0]);
+		options->auth_methods[0] = NULL;
+		options->num_auth_methods = 0;
+	}
+
 }
 
 /* Keyword tokens. */
@@ -1752,21 +1761,39 @@ process_server_config_line(ServerOptions *options, char *line,
 	case sAuthenticationMethods:
 		if (options->num_auth_methods == 0) {
+			value = 0; /* seen "any" pseudo-method */
 			while ((arg = strdelim(&cp)) && *arg != '\0') {
 				if (options->num_auth_methods >= MAX_AUTH_METHODS)
 					fatal("%s line %d: "
 					    "too many authentication methods.",
 					    filename, linenum);
-				if (auth2_methods_valid(arg, 0) != 0)
+				if (strcmp(arg, "any") == 0) {
+					if (options->num_auth_methods > 0) {
+						fatal("%s line %d: \"any\" "
+						    "must appear alone in "
+						    "AuthenticationMethods",
+						    filename, linenum);
+					}
+					value = 1;
+				} else if (value) {
+					fatal("%s line %d: \"any\" must appear "
+					    "alone in AuthenticationMethods",
+					    filename, linenum);
+				} else if (auth2_methods_valid(arg, 0) != 0) {
 					fatal("%s line %d: invalid "
 					    "authentication method list.",
 					    filename, linenum);
+				}
 				if (!*activep)
 					continue;
 				options->auth_methods[
 				    options->num_auth_methods++] = xstrdup(arg);
 			}
+			if (options->num_auth_methods == 0) {
+				fatal("%s line %d: no AuthenticationMethods "
+				    "specified", filename, linenum);
+			}
 		}
 		return 0;
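Review bot: The new post-loop check `if (options->num_auth_methods == 0)` aborts on a perfectly valid directive whenever `*activep` is false, because the existing `if (!*activep) continue;` skips the `xstrdup` store for every token, so nothing is ever counted and sshd dies with "no AuthenticationMethods specified" — presumably for any AuthenticationMethods line inside a Match block that is not active at parse time. The check conflates "nothing parsed" with "nothing stored"; keep a separate parsed flag: initialise `value2 = 0; /* parsed at least one method */` next to `value = 0;`, set `value2 = 1;` immediately before `if (!*activep)`, and change the post-loop test to `if (value2 == 0) {`. I am assuming the function's other scratch int `value2` is free in this case; if it is not, a dedicated local is needed instead. process_server_config_line begins and ends outside this hunk, and the hunk's trailing context lines are not shown on this page.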
@@ -2143,11 +2170,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 	u_int i;
 
-	if (count <= 0)
+	if (count <= 0 && code != sAuthenticationMethods)
 		return;
 	printf("%s", lookup_opcode_name(code));
 	for (i = 0; i < count; i++)
 		printf(" %s", vals[i]);
+	if (code == sAuthenticationMethods && count == 0)
+		printf(" any");
 	printf("\n");
 }
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 47b658e58e1..7c06edbb955 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $
-.Dd $Mdocdate: May 4 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
+.Dd $Mdocdate: June 17 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -189,9 +189,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
-Successful authentication requires completion of every method in at least
-one of these lists.
+authentication method names, or by the single string
+.Dq any
+to indicate the default behaviour of accepting any single authentication
+methods.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
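Review bot: The rewritten guard in dump_cfg_strarray_oneline keeps `count <= 0` on a `u_int` parameter, which can never be negative, so the condition is really equality and the added line a few lines below already spells it `count == 0`; for consistency write `if (count == 0 && code != sAuthenticationMethods)`. The two conditions are complementary — the early return is skipped only for sAuthenticationMethods, which then prints " any" exactly when count is 0 — and that relationship is not obvious from either line alone, so a comment above the guard such as `/* AuthenticationMethods with no entries is the "any" default; report it rather than omitting it */` would save the next reader from re-deriving why this one opcode is exempt. The hunk's trailing context line is not shown on this page.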
@@ -231,7 +234,9 @@ This option will yield a fatal error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.