-rw-r--r-- | servconf.c | 34 | ||||
-rw-r--r-- | sshd_config.5 | 17 |
2 files changed, 42 insertions, 9 deletions
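--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.290 2016/05/04 14:00:09 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.291 2016/06/17 05:03:40 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -381,6 +381,14 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
 
+/* Similar handling for AuthenticationMethods=any */
+if (options->num_auth_methods == 1 &&
+strcmp(options->auth_methods[0], "any") == 0) {
+free(options->auth_methods[0]);
+options->auth_methods[0] = NULL;
+options->num_auth_methods = 0;
+}
+
 #ifndef HAVE_MMAP
 if (use_privsep && options->compression == 1) {
 error("This platform does not support both privilege "
@@ -1804,21 +1812,39 @@ process_server_config_line(ServerOptions *options, char *line,
 
 case sAuthenticationMethods:
 if (options->num_auth_methods == 0) {
+value = 0; /* seen "any" pseudo-method */
 while ((arg = strdelim(&cp)) && *arg != '\0') {
 if (options->num_auth_methods >=
 MAX_AUTH_METHODS)
 fatal("%s line %d: "
 "too many authentication methods.",
 filename, linenum);
-if (auth2_methods_valid(arg, 0) != 0)
+if (strcmp(arg, "any") == 0) {
+if (options->num_auth_methods > 0) {
+fatal("%s line %d: \"any\" "
+"must appear alone in "
+"AuthenticationMethods",
+filename, linenum);
+}
+value = 1;
+} else if (value) {
+fatal("%s line %d: \"any\" must appear "
+"alone in AuthenticationMethods",
+filename, linenum);
+} else if (auth2_methods_valid(arg, 0) != 0) {
 fatal("%s line %d: invalid "
 "authentication method list.",
 filename, linenum);
+}
 if (!*activep)
 continue;
 options->auth_methods[
 options->num_auth_methods++] = xstrdup(arg);
 }
+if (options->num_auth_methods == 0) {
+fatal("%s line %d: no AuthenticationMethods "
+"specified", filename, linenum);
+}
 }
 return 0;
 
@@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 u_int i;
 
-if (count <= 0)
+if (count <= 0 && code != sAuthenticationMethods)
 return;
 printf("%s", lookup_opcode_name(code));
 for (i = 0; i < count; i++)
 printf(" %s", vals[i]);
+if (code == sAuthenticationMethods && count == 0)
+printf(" any");
 printf("\n");
 }
 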
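Review bot: The new post-loop check at new line 1844 fires for any AuthenticationMethods directive inside a Match block that does not apply to the current connection: the `if (!*activep) continue;` kept at new line 1839 skips the append, so options->num_auth_methods stays 0 and sshd exits with "no AuthenticationMethods specified" on a valid configuration. Track whether a method was parsed separately from whether it was stored, e.g. a new local `int parsed = 0;` at the top of the `if (options->num_auth_methods == 0) {` block, `parsed = 1;` immediately before `if (!*activep)`, and `if (parsed == 0) {` in place of `if (options->num_auth_methods == 0) {` after the loop. The same counter-versus-flag mismatch lets `publickey any` pass the "must appear alone" test at new line 1823 in an inactive Match block, because that test also reads num_auth_methods rather than the parse state. The enclosing process_server_config_line begins and ends outside the hunk.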
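--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.223 2016/05/04 14:29:58 markus Exp $
-.Dd $Mdocdate: May 4 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.224 2016/06/17 05:03:40 djm Exp $
+.Dd $Mdocdate: June 17 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -189,9 +189,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
-Successful authentication requires completion of every method in at least
-one of these lists.
+authentication method names, or by the single string
+.Dq any
+to indicate the default behaviour of accepting any single authentication
+methods.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
@@ -231,7 +234,9 @@ This option will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.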