tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication

bz#2398 from Jakub Jelen; ok dtucker@

Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
This commit is contained in:
djm@openbsd.org 2016-06-17 05:03:40 +00:00 committed by Damien Miller
parent 9816fc5dae
commit b64faeb5ed
2 changed files with 42 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
servconf.c
View File

@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */ /* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -381,6 +381,14 @@ fill_default_server_options(ServerOptions *options)
CLEAR_ON_NONE(options->host_cert_files[i]); CLEAR_ON_NONE(options->host_cert_files[i]);
#undef CLEAR_ON_NONE #undef CLEAR_ON_NONE
/* Similar handling for AuthenticationMethods=any */
if (options->num_auth_methods == 1 &&
strcmp(options->auth_methods[0], "any") == 0) {
free(options->auth_methods[0]);
options->auth_methods[0] = NULL;
options->num_auth_methods = 0;
}
#ifndef HAVE_MMAP #ifndef HAVE_MMAP
if (use_privsep && options->compression == 1) { if (use_privsep && options->compression == 1) {
error("This platform does not support both privilege " error("This platform does not support both privilege "
@ -1804,21 +1812,39 @@ process_server_config_line(ServerOptions *options, char *line,
case sAuthenticationMethods: case sAuthenticationMethods:
if (options->num_auth_methods == 0) { if (options->num_auth_methods == 0) {
value = 0; /* seen "any" pseudo-method */
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_auth_methods >= if (options->num_auth_methods >=
MAX_AUTH_METHODS) MAX_AUTH_METHODS)
fatal("%s line %d: " fatal("%s line %d: "
"too many authentication methods.", "too many authentication methods.",
filename, linenum); filename, linenum);
if (auth2_methods_valid(arg, 0) != 0) if (strcmp(arg, "any") == 0) {
if (options->num_auth_methods > 0) {
fatal("%s line %d: \"any\" "
"must appear alone in "
"AuthenticationMethods",
filename, linenum);
}
value = 1;
} else if (value) {
fatal("%s line %d: \"any\" must appear "
"alone in AuthenticationMethods",
filename, linenum);
} else if (auth2_methods_valid(arg, 0) != 0) {
fatal("%s line %d: invalid " fatal("%s line %d: invalid "
"authentication method list.", "authentication method list.",
filename, linenum); filename, linenum);
}
if (!*activep) if (!*activep)
continue; continue;
options->auth_methods[ options->auth_methods[
options->num_auth_methods++] = xstrdup(arg); options->num_auth_methods++] = xstrdup(arg);
} }
if (options->num_auth_methods == 0) {
fatal("%s line %d: no AuthenticationMethods "
"specified", filename, linenum);
}
} }
return 0; return 0;
@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
{ {
u_int i; u_int i;
if (count <= 0) if (count <= 0 && code != sAuthenticationMethods)
return; return;
printf("%s", lookup_opcode_name(code)); printf("%s", lookup_opcode_name(code));
for (i = 0; i < count; i++) for (i = 0; i < count; i++)
printf(" %s", vals[i]); printf(" %s", vals[i]);
if (code == sAuthenticationMethods && count == 0)
printf(" any");
printf("\n"); printf("\n");
} }

17
sshd_config.5
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $ .\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
.Dd $Mdocdate: May 4 2016 $ .Dd $Mdocdate: June 17 2016 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -189,9 +189,12 @@ for more information on patterns.
Specifies the authentication methods that must be successfully completed Specifies the authentication methods that must be successfully completed
for a user to be granted access. for a user to be granted access.
This option must be followed by one or more comma-separated lists of This option must be followed by one or more comma-separated lists of
authentication method names. authentication method names, or by the single string
Successful authentication requires completion of every method in at least .Dq any
one of these lists. to indicate the default behaviour of accepting any single authentication
methods.
if the default is overridden, then successful authentication requires
completion of every method in at least one of these lists.
.Pp .Pp
For example, an argument of For example, an argument of
.Dq publickey,password publickey,keyboard-interactive .Dq publickey,password publickey,keyboard-interactive
@ -231,7 +234,9 @@ This option will yield a fatal
error if enabled if protocol 1 is also enabled. error if enabled if protocol 1 is also enabled.
Note that each authentication method listed should also be explicitly enabled Note that each authentication method listed should also be explicitly enabled
in the configuration. in the configuration.
The default is not to require multiple authentication; successful completion The default
.Dq any
is not to require multiple authentication; successful completion
of a single authentication method is sufficient. of a single authentication method is sufficient.
.It Cm AuthorizedKeysCommand .It Cm AuthorizedKeysCommand
Specifies a program to be used to look up the user's public keys. Specifies a program to be used to look up the user's public keys.