upstream commit

ban AuthenticationMethods="" and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication bz#2398 from Jakub Jelen; ok dtucker@ Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
author: djm@openbsd.org <djm@openbsd.org> 2016-06-17 05:03:40 +0000
committer: Damien Miller <djm@mindrot.org> 2016-06-24 13:35:28 +1000
commit: b64faeb5eda7eff8210c754d00464f9fe9d23de5 (patch)
tree: 71d280e30b29dc41cc1f46d7c688399e768622aa /sshd_config.5
parent: 9816fc5daee5ca924dd5c4781825afbaab728877 (diff)
1 files changed, 11 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 479fa38eb..690797958 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
-.Dd $Mdocdate: May 4 2016 $
+.Dd $Mdocdate: June 17 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -189,9 +189,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
+authentication method names, or by the single string
-Successful authentication requires completion of every method in at least
+.Dq any
-one of these lists.
+to indicate the default behaviour of accepting any single authentication
+methods.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
@@ -231,7 +234,9 @@ This option will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
author	djm@openbsd.org <djm@openbsd.org>	2016-06-17 05:03:40 +0000
committer	Damien Miller <djm@mindrot.org>	2016-06-24 13:35:28 +1000
commit	b64faeb5eda7eff8210c754d00464f9fe9d23de5 (patch)
tree	71d280e30b29dc41cc1f46d7c688399e768622aa /sshd_config.5
parent	9816fc5daee5ca924dd5c4781825afbaab728877 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 479fa38eb..690797958 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
37	.Dd $Mdocdate: May 4 2016 $	37	.Dd $Mdocdate: June 17 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -189,9 +189,12 @@ for more information on patterns.
189	Specifies the authentication methods that must be successfully completed	189	Specifies the authentication methods that must be successfully completed
190	for a user to be granted access.	190	for a user to be granted access.
191	This option must be followed by one or more comma-separated lists of	191	This option must be followed by one or more comma-separated lists of
192	authentication method names.	192	authentication method names, or by the single string
193	Successful authentication requires completion of every method in at least	193	.Dq any
194	one of these lists.	194	to indicate the default behaviour of accepting any single authentication
		195	methods.
		196	if the default is overridden, then successful authentication requires
		197	completion of every method in at least one of these lists.
195	.Pp	198	.Pp
196	For example, an argument of	199	For example, an argument of
197	.Dq publickey,password publickey,keyboard-interactive	200	.Dq publickey,password publickey,keyboard-interactive
@@ -231,7 +234,9 @@ This option will yield a fatal
231	error if enabled if protocol 1 is also enabled.	234	error if enabled if protocol 1 is also enabled.
232	Note that each authentication method listed should also be explicitly enabled	235	Note that each authentication method listed should also be explicitly enabled
233	in the configuration.	236	in the configuration.
234	The default is not to require multiple authentication; successful completion	237	The default
		238	.Dq any
		239	is not to require multiple authentication; successful completion
235	of a single authentication method is sufficient.	240	of a single authentication method is sufficient.
236	.It Cm AuthorizedKeysCommand	241	.It Cm AuthorizedKeysCommand
237	Specifies a program to be used to look up the user's public keys.	242	Specifies a program to be used to look up the user's public keys.