Bugzilla – Attachment 2838 Details for Bug 2398
AuthenticationMethods doesn't have default value (inconsistency) and it accept empty value
[patch] really with manual bits
bz2398.diff (text/plain), 3.33 KB, created by Damien Miller on 2016-06-17 14:56:12 AEST
>diff --git a/servconf.c b/servconf.c >index 527f54d..5914de6 100644 >--- a/servconf.c >+++ b/servconf.c >@@ -363,6 +363,15 @@ fill_default_server_options(ServerOptions *options) > for (i = 0; i < options->num_host_cert_files; i++) > CLEAR_ON_NONE(options->host_cert_files[i]); > #undef CLEAR_ON_NONE >+ >+ /* Similar handling for AuthenticationMethods=any */ >+ if (options->num_auth_methods == 1 && >+ strcmp(options->auth_methods[0], "any") == 0) { >+ free(options->auth_methods[0]); >+ options->auth_methods[0] = NULL; >+ options->num_auth_methods = 0; >+ } >+ > } > > /* Keyword tokens. */ >@@ -1752,16 +1761,30 @@ process_server_config_line(ServerOptions *options, char *line, > > case sAuthenticationMethods: > if (options->num_auth_methods == 0) { >+ value = 0; /* seen "any" pseudo-method */ > while ((arg = strdelim(&cp)) && *arg != '\0') { > if (options->num_auth_methods >= > MAX_AUTH_METHODS) > fatal("%s line %d: " > "too many authentication methods.", > filename, linenum); >- if (auth2_methods_valid(arg, 0) != 0) >+ if (strcmp(arg, "any") == 0) { >+ if (options->num_auth_methods > 0) { >+ fatal("%s line %d: \"any\" " >+ "must appear alone in " >+ "AuthenticationMethods", >+ filename, linenum); >+ } >+ value = 1; >+ } else if (value) { >+ fatal("%s line %d: \"any\" must appear " >+ "alone in AuthenticationMethods", >+ filename, linenum); >+ } else if (auth2_methods_valid(arg, 0) != 0) { > fatal("%s line %d: invalid " > "authentication method list.", > filename, linenum); >+ } > if (!*activep) > continue; > options->auth_methods[ >@@ -2143,11 +2166,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) > { > u_int i; > >- if (count <= 0) >+ if (count <= 0 && code != sAuthenticationMethods) > return; > printf("%s", lookup_opcode_name(code)); > for (i = 0; i < count; i++) > printf(" %s", vals[i]); >+ if (code == sAuthenticationMethods && count == 0) >+ printf(" any"); > printf("\n"); > } 
> >diff --git a/sshd_config.5 b/sshd_config.5 >index 47b658e..74c670d 100644 >--- a/sshd_config.5 >+++ b/sshd_config.5 >@@ -189,9 +189,12 @@ for more information on patterns. > Specifies the authentication methods that must be successfully completed > for a user to be granted access. > This option must be followed by one or more comma-separated lists of >-authentication method names. >-Successful authentication requires completion of every method in at least >-one of these lists. >+authentication method names, or by the single string >+.Dq any >+to indicate the default behaviour of accepting any single authentication >+methods. >+if the default is overridden, then successful authentication requires >+completion of every method in at least one of these lists. > .Pp > For example, an argument of > .Dq publickey,password publickey,keyboard-interactive >@@ -231,7 +234,9 @@ This option will yield a fatal > error if enabled if protocol 1 is also enabled. > Note that each authentication method listed should also be explicitly enabled > in the configuration. >-The default is not to require multiple authentication; successful completion >+The default >+.Dq any >+is not to require multiple authentication; successful completion > of a single authentication method is sufficient. > .It Cm AuthorizedKeysCommand > Specifies a program to be used to look up the user's public keys.
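Review bot: In the sAuthenticationMethods case of process_server_config_line (servconf.c, hunk at -1752), a line with no arguments still passes without error in the lines shown: the `while ((arg = strdelim(&cp)) && *arg != '\0')` loop runs zero times and no fatal() is reached, although the bug title calls out that an empty value is accepted. Suggest recording whether at least one method was parsed and calling fatal() after the loop when none was. As a smaller point, reusing `value` as the seen-"any" flag works because of the comment, but a dedicated variable name would read better, and the two nearly identical "must appear alone" fatal() calls could share one branch.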
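Review bot: In dump_cfg_strarray_oneline (servconf.c, hunk at -2143), the shared string-array dumper now tests `code == sAuthenticationMethods` in two places, so knowledge of one option lives in a generic helper. Suggest at least a short comment on why an empty AuthenticationMethods list is printed as "any" (it is the spelling the parser hunk accepts for the default), or moving that special case to the point where this option is dumped.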
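Review bot: Two wording slips in the added lines of the sshd_config.5 hunk at -189: "accepting any single authentication methods." should use the singular "method", and the next sentence starts with a lowercase "if the default is overridden". Suggest "accepting any single authentication method." followed by "If the default is overridden, then successful authentication requires ...".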
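Review bot: In the sshd_config.5 hunk at -231, inserting `.Dq any` between "The default" and "is not to require multiple authentication" renders as: The default "any" is not to require multiple authentication, which reads awkwardly. Suggest stating the value and its meaning separately, for example that the default is "any", in which case successful completion of a single authentication method is sufficient.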
Flags: dtucker: ok+