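--- a/servconf.c
+++ b/servconf.c
@@ -363,6 +363,15 @@ fill_default_server_options(ServerOptions *options)
 	for (i = 0; i < options->num_host_cert_files; i++)
 		CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
+
+	/* Similar handling for AuthenticationMethods=any */
+	if (options->num_auth_methods == 1 &&
+	    strcmp(options->auth_methods[0], "any") == 0) {
+		free(options->auth_methods[0]);
+		options->auth_methods[0] = NULL;
+		options->num_auth_methods = 0;
+	}
+
 }
 
 /* Keyword tokens. */
@@ -1752,16 +1761,30 @@ process_server_config_line(ServerOptions *options, char *line,
 
 	case sAuthenticationMethods:
 		if (options->num_auth_methods == 0) {
+			value = 0; /* seen "any" pseudo-method */
 			while ((arg = strdelim(&cp)) && *arg != '\0') {
 				if (options->num_auth_methods >=
 				    MAX_AUTH_METHODS)
 					fatal("%s line %d: "
 					    "too many authentication methods.",
 					    filename, linenum);
-				if (auth2_methods_valid(arg, 0) != 0)
+				if (strcmp(arg, "any") == 0) {
+					if (options->num_auth_methods > 0) {
+						fatal("%s line %d: \"any\" "
+						    "must appear alone in "
+						    "AuthenticationMethods",
+						    filename, linenum);
+					}
+					value = 1;
+				} else if (value) {
+					fatal("%s line %d: \"any\" must appear "
+					    "alone in AuthenticationMethods",
+					    filename, linenum);
+				} else if (auth2_methods_valid(arg, 0) != 0) {
 					fatal("%s line %d: invalid "
 					    "authentication method list.",
 					    filename, linenum);
+				}
 				if (!*activep)
 					continue;
 				options->auth_methods[
@@ -2143,11 +2166,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 	u_int i;
 
-	if (count <= 0)
+	if (count <= 0 && code != sAuthenticationMethods)
 		return;
 	printf("%s", lookup_opcode_name(code));
 	for (i = 0; i < count; i++)
 		printf(" %s",  vals[i]);
+	if (code == sAuthenticationMethods && count == 0)
+		printf(" any");
 	printf("\n");
 }
 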
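Review bot: In the `sAuthenticationMethods` case, the check that rejects a trailing `any` tests `options->num_auth_methods > 0`, but the loop skips storing entries through `if (!*activep) continue;`, so that counter presumably stays at zero while an inactive Match block is parsed (the increment lies past the end of the hunk). `AuthenticationMethods publickey any` inside such a block would then pass startup parsing and a configuration test, and only reach `fatal()` once a connection activates the block, while `any publickey` is rejected in both situations through the `value` flag. Tracking the tokens seen on the current line in a local that is set after the validation chain, and testing that local instead of `options->num_auth_methods > 0`, would make both orderings fail at the same time regardless of `*activep`. Since this option is what enforces multi-factor requirements, a short comment above the `strcmp(arg, "any")` branch stating that `any` relaxes the policy to a single method and must be the only token would also help the next reader. The enclosing function begins and ends outside the hunk.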
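--- a/sshd_config.5
+++ b/sshd_config.5
@@ -189,9 +189,12 @@ for more information on patterns.
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
 This option must be followed by one or more comma-separated lists of
-authentication method names.
-Successful authentication requires completion of every method in at least
-one of these lists.
+authentication method names, or by the single string
+.Dq any
+to indicate the default behaviour of accepting any single authentication
+methods.
+if the default is overridden, then successful authentication requires
+completion of every method in at least one of these lists.
 .Pp
 For example, an argument of
 .Dq publickey,password publickey,keyboard-interactive
@@ -231,7 +234,9 @@ This option will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
-The default is not to require multiple authentication; successful completion
+The default
+.Dq any
+is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.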
