upstream commit

add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
author: deraadt@openbsd.org <deraadt@openbsd.org> 2015-08-06 14:53:21 +0000
committer: Damien Miller <djm@mindrot.org> 2015-08-11 18:57:29 +1000
commit: 1dc8d93ce69d6565747eb44446ed117187621b26 (patch)
tree: 68e850b1c037c7d744836000527320d11b143168 /auth.c
parent: 90a95a4745a531b62b81ce3b025e892bdc434de5 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/auth.c b/auth.c
index e6c094d1f..fc32f6c4b 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -352,7 +352,9 @@ auth_root_allowed(const char *method)
        case PERMIT_YES:
                return 1;
        case PERMIT_NO_PASSWD:
-                if (strcmp(method, "password") != 0)
+                if (strcmp(method, "publickey") == 0 ||
+                    strcmp(method, "hostbased") == 0 ||
+                    strcmp(method, "gssapi-with-mic"))
                        return 1;
                break;
        case PERMIT_FORCED_ONLY:
author	deraadt@openbsd.org <deraadt@openbsd.org>	2015-08-06 14:53:21 +0000
committer	Damien Miller <djm@mindrot.org>	2015-08-11 18:57:29 +1000
commit	1dc8d93ce69d6565747eb44446ed117187621b26 (patch)
tree	68e850b1c037c7d744836000527320d11b143168 /auth.c
parent	90a95a4745a531b62b81ce3b025e892bdc434de5 (diff)