diff -up openssh-6.6p1/servconf.c.auth_meth openssh-6.6p1/servconf.c
--- openssh-6.6p1/servconf.c.auth_meth 2016-06-24 13:39:30.022263557 +0200
+++ openssh-6.6p1/servconf.c 2016-06-24 13:48:35.879948274 +0200
@@ -327,6 +327,14 @@ fill_default_server_options(ServerOption
 if (use_privsep == -1)
 use_privsep = PRIVSEP_NOSANDBOX;
+ /* Similar handling for AuthenticationMethods=any */
+ if (options->num_auth_methods == 1 &&
+ strcmp(options->auth_methods[0], "any") == 0) {
+ free(options->auth_methods[0]);
+ options->auth_methods[0] = NULL;
+ options->num_auth_methods = 0;
+ }
+
 #ifndef HAVE_MMAP
 if (use_privsep && options->compression == 1) {
 error("This platform does not support both privilege "
@@ -1680,22 +1688,42 @@ process_server_config_line(ServerOptions
 break;
 case sAuthenticationMethods:
- if (cp == NULL || *cp == '\0')
- fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (*activep && options->num_auth_methods == 0) {
+ if (options->num_auth_methods == 0) {
+ value = 0; /* seen "any" pseudo-method */
+ value2 = 0; /* sucessfully parsed any method */
 while ((arg = strdelim(&cp)) && *arg != '\0') {
 if (options->num_auth_methods >= MAX_AUTH_METHODS)
 fatal("%s line %d: "
 "too many authentication methods.",
 filename, linenum);
- if (auth2_methods_valid(arg, 0) != 0)
+ if (strcmp(arg, "any") == 0) {
+ if (options->num_auth_methods > 0) {
+ fatal("%s line %d: \"any\" "
+ "must appear alone in "
+ "AuthenticationMethods",
+ filename, linenum);
+ }
+ value = 1;
+ } else if (value) {
+ fatal("%s line %d: \"any\" must appear "
+ "alone in AuthenticationMethods",
+ filename, linenum);
+ } else if (auth2_methods_valid(arg, 0) != 0) {
 fatal("%s line %d: invalid "
 "authentication method list.",
 filename, linenum);
+ }
+ value2 = 1;
+ if (!*activep)
+ continue;
 options->auth_methods[
 options->num_auth_methods++] = xstrdup(arg);
 }
+ if (value2 == 0) {
+ fatal("%s line %d: no AuthenticationMethods "
+ "specified", filename, linenum);
+ }
 }
 return 0;
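Review bot: The reset of the `any` pseudo-method to an empty list is done only here in fill_default_server_options, which runs once over the global configuration; the diff shows no equivalent step for an AuthenticationMethods line inside a Match block, whose list is applied per connection by copy_set_server_options and never passes through this function. If nothing else strips it, the literal string "any" would remain in options->auth_methods for that connection and, since it names no real method, users matched by that block could never complete authentication — a lockout rather than a bypass, but worth confirming against auth2.c, which this patch does not touch. If that is the case, the same three-statement reset belongs wherever the per-connection list is finalised, preferably as one small static helper called from both places. The comment `/* Similar handling for AuthenticationMethods=any */` refers to handling that is not visible in this hunk; naming what it is similar to would help the next reader.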
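Review bot: The "must appear alone" check at `if (options->num_auth_methods > 0) {` counts only methods that were actually stored, and storing is skipped by the new `if (!*activep) continue;`, so inside a Match block that is not currently active a list such as `publickey any` is accepted while the identical line at top level is fatal. The local flag already maintained for exactly this purpose makes the validation independent of the active state: `if (value2) {` in place of the num_auth_methods comparison, since value2 is set after each successfully parsed argument and before the continue. The comment on the value2 initialiser also misspells "successfully". The enclosing switch of process_server_config_line starts and ends outside the hunk.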
@@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 u_int i;
- if (count <= 0)
+ if (count <= 0 && code != sAuthenticationMethods)
 return;
 printf("%s", lookup_opcode_name(code));
 for (i = 0; i < count; i++)
 printf(" %s", vals[i]);
+ if (code == sAuthenticationMethods && count == 0)
+ printf(" any");
 printf("\n");
 }
diff -up openssh-6.6p1/sshd_config.5.auth_meth openssh-6.6p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.auth_meth 2016-06-24 13:39:30.007263566 +0200
+++ openssh-6.6p1/sshd_config.5 2016-06-24 13:39:30.021263557 +0200
@@ -172,9 +172,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
-Successful authentication requires completion of every method in at least
-one of these lists.
+authentication method names, or by the single string
+.Dq any
+to indicate the default behaviour of accepting any single authentication
+method.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
@@ -202,7 +205,9 @@ This option is only available for SSH pr
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly
 enabled in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
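Review bot: `count` is a `u_int`, so the new guard `count <= 0 && code != sAuthenticationMethods` and the later `code == sAuthenticationMethods && count == 0` are the same empty-list test written two ways, which hides that the two lines are a matched pair. Writing the guard as `if (count == 0 && code != sAuthenticationMethods)` keeps the conditions visibly parallel; the pre-existing `<= 0` on an unsigned value was already only ever `== 0`. The printed ` any` is the same token process_server_config_line now accepts, so `sshd -T` output should re-parse to the same configuration, which is worth a one-line comment above the new printf.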