kentpeacock / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
f8987c
diff -up openssh-6.6p1/servconf.c.auth_meth openssh-6.6p1/servconf.c
f8987c
--- openssh-6.6p1/servconf.c.auth_meth	2016-06-24 13:39:30.022263557 +0200
f8987c
+++ openssh-6.6p1/servconf.c	2016-06-24 13:48:35.879948274 +0200
f8987c
@@ -327,6 +327,14 @@ fill_default_server_options(ServerOption
f8987c
 	if (use_privsep == -1)
f8987c
 		use_privsep = PRIVSEP_NOSANDBOX;
f8987c
 
f8987c
+	/* Similar handling for AuthenticationMethods=any */
f8987c
+	if (options->num_auth_methods == 1 &&
f8987c
+	    strcmp(options->auth_methods[0], "any") == 0) {
f8987c
+		free(options->auth_methods[0]);
f8987c
+		options->auth_methods[0] = NULL;
f8987c
+		options->num_auth_methods = 0;
f8987c
+	}
f8987c
+
f8987c
 #ifndef HAVE_MMAP
f8987c
 	if (use_privsep && options->compression == 1) {
f8987c
 		error("This platform does not support both privilege "
f8987c
@@ -1680,22 +1688,42 @@ process_server_config_line(ServerOptions
f8987c
 		break;
f8987c
 
f8987c
 	case sAuthenticationMethods:
f8987c
-		if (cp == NULL || *cp == '\0')
f8987c
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
f8987c
-		if (*activep && options->num_auth_methods == 0) {
f8987c
+		if (options->num_auth_methods == 0) {
f8987c
+			value = 0; /* seen "any" pseudo-method */
f8987c
+			value2 = 0; /* sucessfully parsed any method */
f8987c
 			while ((arg = strdelim(&cp)) && *arg != '\0') {
f8987c
 				if (options->num_auth_methods >=
f8987c
 				    MAX_AUTH_METHODS)
f8987c
 					fatal("%s line %d: "
f8987c
 					    "too many authentication methods.",
f8987c
 					    filename, linenum);
f8987c
-				if (auth2_methods_valid(arg, 0) != 0)
f8987c
+				if (strcmp(arg, "any") == 0) {
f8987c
+					if (options->num_auth_methods > 0) {
f8987c
+						fatal("%s line %d: \"any\" "
f8987c
+						    "must appear alone in "
f8987c
+						    "AuthenticationMethods",
f8987c
+						    filename, linenum);
f8987c
+					}
f8987c
+					value = 1;
f8987c
+				} else if (value) {
f8987c
+					fatal("%s line %d: \"any\" must appear "
f8987c
+					    "alone in AuthenticationMethods",
f8987c
+					    filename, linenum);
f8987c
+				} else if (auth2_methods_valid(arg, 0) != 0) {
f8987c
 					fatal("%s line %d: invalid "
f8987c
 					    "authentication method list.",
f8987c
 					    filename, linenum);
f8987c
+				}
f8987c
+				value2 = 1;
f8987c
+ 				if (!*activep)
f8987c
+ 					continue;
f8987c
 				options->auth_methods[
f8987c
 				    options->num_auth_methods++] = xstrdup(arg);
f8987c
 			}
f8987c
+			if (value2 == 0) {
f8987c
+				fatal("%s line %d: no AuthenticationMethods "
f8987c
+				    "specified", filename, linenum);
f8987c
+			}
f8987c
 		}
f8987c
 		return 0;
f8987c
 
f8987c
@@ -2195,11 +2221,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
f8987c
 {
f8987c
 	u_int i;
f8987c
 
f8987c
-	if (count <= 0)
f8987c
+	if (count <= 0 && code != sAuthenticationMethods)
f8987c
 		return;
f8987c
 	printf("%s", lookup_opcode_name(code));
f8987c
 	for (i = 0; i < count; i++)
f8987c
 		printf(" %s",  vals[i]);
f8987c
+	if (code == sAuthenticationMethods && count == 0)
f8987c
+		printf(" any");
f8987c
 	printf("\n");
f8987c
 }
f8987c
 
f8987c
diff -up openssh-6.6p1/sshd_config.5.auth_meth openssh-6.6p1/sshd_config.5
f8987c
--- openssh-6.6p1/sshd_config.5.auth_meth	2016-06-24 13:39:30.007263566 +0200
f8987c
+++ openssh-6.6p1/sshd_config.5	2016-06-24 13:39:30.021263557 +0200
f8987c
@@ -172,9 +172,12 @@ for more information on patterns.
f8987c
 Specifies the authentication methods that must be successfully completed
f8987c
 for a user to be granted access.
f8987c
 This option must be followed by one or more comma-separated lists of
f8987c
-authentication method names.
f8987c
-Successful authentication requires completion of every method in at least
f8987c
-one of these lists.
f8987c
+authentication method names, or by the single string
f8987c
+.Dq any
f8987c
+to indicate the default behaviour of accepting any single authentication
f8987c
+method.
f8987c
+if the default is overridden, then successful authentication requires
f8987c
+completion of every method in at least one of these lists.
f8987c
 .Pp
f8987c
 For example, an argument of
f8987c
 .Dq publickey,password publickey,keyboard-interactive
f8987c
@@ -202,7 +205,9 @@ This option is only available for SSH pr
f8987c
 error if enabled if protocol 1 is also enabled.
f8987c
 Note that each authentication method listed should also be explicitly enabled
f8987c
 in the configuration.
f8987c
-The default is not to require multiple authentication; successful completion
f8987c
+The default
f8987c
+.Dq any
f8987c
+is not to require multiple authentication; successful completion
f8987c
 of a single authentication method is sufficient.
f8987c
 .It Cm AuthorizedKeysCommand
f8987c
 Specifies a program to be used to look up the user's public keys.