upstream commit

ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication

bz#2398 from Jakub Jelen; ok dtucker@

Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27

2 files changed, 42 insertions, 9 deletions

diff --git a/servconf.c b/servconf.c
index 1cb45f536..a411bfb6e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -381,6 +381,14 @@ fill_default_server_options(ServerOptions *options)
                 CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
 
+        /* Similar handling for AuthenticationMethods=any */
+        if (options->num_auth_methods == 1 &&
+            strcmp(options->auth_methods[0], "any") == 0) {
+                free(options->auth_methods[0]);
+                options->auth_methods[0] = NULL;
+                options->num_auth_methods = 0;
+        }
+
 #ifndef HAVE_MMAP
         if (use_privsep && options->compression == 1) {
                 error("This platform does not support both privilege "
@@ -1804,21 +1812,39 @@ process_server_config_line(ServerOptions *options, char *line,
 
         case sAuthenticationMethods:
                 if (options->num_auth_methods == 0) {
+                        value = 0; /* seen "any" pseudo-method */
                         while ((arg = strdelim(&cp)) && *arg != '\0') {
                                 if (options->num_auth_methods >=
                                     MAX_AUTH_METHODS)
                                         fatal("%s line %d: "
                                             "too many authentication methods.",
                                             filename, linenum);
-                                if (auth2_methods_valid(arg, 0) != 0)
+                                if (strcmp(arg, "any") == 0) {
+                                        if (options->num_auth_methods > 0) {
+                                                fatal("%s line %d: \"any\" "
+                                                    "must appear alone in "
+                                                    "AuthenticationMethods",
+                                                    filename, linenum);
+                                        }
+                                        value = 1;
+                                } else if (value) {
+                                        fatal("%s line %d: \"any\" must appear "
+                                            "alone in AuthenticationMethods",
+                                            filename, linenum);
+                                } else if (auth2_methods_valid(arg, 0) != 0) {
                                         fatal("%s line %d: invalid "
                                             "authentication method list.",
                                             filename, linenum);
+                                }
                                 if (!*activep)
                                         continue;
                                 options->auth_methods[
                                     options->num_auth_methods++] = xstrdup(arg);
                         }
+                        if (options->num_auth_methods == 0) {
+                                fatal("%s line %d: no AuthenticationMethods "
+                                    "specified", filename, linenum);
+                        }
                 }
                 return 0;
 
@@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
         u_int i;
 
-        if (count <= 0)
+        if (count <= 0 && code != sAuthenticationMethods)
                 return;
         printf("%s", lookup_opcode_name(code));
         for (i = 0; i < count; i++)
                 printf(" %s",  vals[i]);
+        if (code == sAuthenticationMethods && count == 0)
+                printf(" any");
         printf("\n");
 }
 
diff --git a/sshd_config.5 b/sshd_config.5
index 479fa38eb..690797958 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $
-.Dd $Mdocdate: May 4 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
+.Dd $Mdocdate: June 17 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -189,9 +189,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
-Successful authentication requires completion of every method in at least
-one of these lists.
+authentication method names, or by the single string
+.Dq any
+to indicate the default behaviour of accepting any single authentication
+methods.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
@@ -231,7 +234,9 @@ This option will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.