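diff -up openssh-6.6p1/servconf.c.auth_meth openssh-6.6p1/servconf.c
--- openssh-6.6p1/servconf.c.auth_meth 2016-06-24 13:39:30.022263557 +0200
+++ openssh-6.6p1/servconf.c 2016-06-24 13:48:35.879948274 +0200
@@ -327,6 +327,14 @@ fill_default_server_options(ServerOption
 if (use_privsep == -1)
 use_privsep = PRIVSEP_NOSANDBOX;
 
+ /* Similar handling for AuthenticationMethods=any */
+ if (options->num_auth_methods == 1 &&
+ strcmp(options->auth_methods[0], "any") == 0) {
+ free(options->auth_methods[0]);
+ options->auth_methods[0] = NULL;
+ options->num_auth_methods = 0;
+ }
+
 #ifndef HAVE_MMAP
 if (use_privsep && options->compression == 1) {
 error("This platform does not support both privilege "
@@ -1680,22 +1688,42 @@ process_server_config_line(ServerOptions
 break;
 
 case sAuthenticationMethods:
- if (cp == NULL || *cp == '\0')
- fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (*activep && options->num_auth_methods == 0) {
+ if (options->num_auth_methods == 0) {
+ value = 0; /* seen "any" pseudo-method */
+ value2 = 0; /* sucessfully parsed any method */
 while ((arg = strdelim(&cp)) && *arg != '\0') {
 if (options->num_auth_methods >=
 MAX_AUTH_METHODS)
 fatal("%s line %d: "
 "too many authentication methods.",
 filename, linenum);
- if (auth2_methods_valid(arg, 0) != 0)
+ if (strcmp(arg, "any") == 0) {
+ if (options->num_auth_methods > 0) {
+ fatal("%s line %d: \"any\" "
+ "must appear alone in "
+ "AuthenticationMethods",
+ filename, linenum);
+ }
+ value = 1;
+ } else if (value) {
+ fatal("%s line %d: \"any\" must appear "
+ "alone in AuthenticationMethods",
+ filename, linenum);
+ } else if (auth2_methods_valid(arg, 0) != 0) {
 fatal("%s line %d: invalid "
 "authentication method list.",
 filename, linenum);
+ }
+ value2 = 1;
+ if (!*activep)
+ continue;
 options->auth_methods[
 options->num_auth_methods++] = xstrdup(arg);
 }
+ if (value2 == 0) {
+ fatal("%s line %d: no AuthenticationMethods "
+ "specified", filename, linenum);
+ }
 }
 return 0;
 
@@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 u_int i;
 
- if (count <= 0)
+ if (count <= 0 && code != sAuthenticationMethods)
 return;
 printf("%s", lookup_opcode_name(code));
 for (i = 0; i < count; i++)
 printf(" %s", vals[i]);
+ if (code == sAuthenticationMethods && count == 0)
+ printf(" any");
 printf("\n");
 }
 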
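Review bot: The "any must appear alone" check on the `strcmp(arg, "any") == 0` branch tests `options->num_auth_methods > 0`, but that counter only advances when `*activep` is set (the new `if (!*activep) continue;` skips the store), so in a non-matching Match block a list such as `publickey any` passes validation while the same line is fatal when active; testing the parse flag instead, `if (value2) {`, keeps both passes consistent. Separately, the removed `Missing argument` check is only replaced by the `value2 == 0` fatal inside `if (options->num_auth_methods == 0)`, so a second AuthenticationMethods directive with an empty argument is now ignored rather than rejected; restoring `if (cp == NULL || *cp == '\0')` / `fatal("%.200s line %d: Missing argument.", filename, linenum);` ahead of that `if` preserves the old behaviour. The comment on the `value2` flag has a typo and would read better as `/* successfully parsed at least one method */`. process_server_config_line starts and ends outside the hunk.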
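diff -up openssh-6.6p1/sshd_config.5.auth_meth openssh-6.6p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.auth_meth 2016-06-24 13:39:30.007263566 +0200
+++ openssh-6.6p1/sshd_config.5 2016-06-24 13:39:30.021263557 +0200
@@ -172,9 +172,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
-Successful authentication requires completion of every method in at least
-one of these lists.
+authentication method names, or by the single string
+.Dq any
+to indicate the default behaviour of accepting any single authentication
+method.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
@@ -202,7 +205,9 @@ This option is only available for SSH pr
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.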