mvadkert
2014-Jun-19 12:56 UTC
AuthenticationMethods in sshd_config accepting empty method list
Hi everyone,

I just came across a contradiction between the man page of AuthenticationMethods and the accepted methods list.

According to the sshd_config manual page:
"""
AuthenticationMethods

Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists.
"""

But in reality an empty list is also accepted by sshd (servconf.c:1605).

What is the reason to accept an empty method list? Does the man page need an update?

Thanks and best regards,
/M

--
Miroslav Vadkerti :: Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
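A way to audit existing configuration files for the condition described in the message above, as an added example that is not part of the original post or of OpenSSH. It checks lines against the man page wording only ("one or more comma-separated lists") and does not model sshd's own parser; the function name and the sample configuration are constructed for illustration.

```python
import re
import shlex

# Keyword, then whitespace and/or a single '=', then the arguments.
_LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+|$)(.*)")


def check_auth_methods(config_text):
    """Return (line_number, problem) for every AuthenticationMethods line
    that lacks "one or more comma-separated lists" of method names."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        # sshd_config keywords are case-insensitive.
        if not m or m.group(1).lower() != "authenticationmethods":
            continue
        try:
            args = shlex.split(m.group(2))  # honours "quoted" arguments
        except ValueError as exc:
            findings.append((lineno, f"unparseable arguments: {exc}"))
            continue
        lists = [a for a in args if a]
        if not lists:
            findings.append((lineno, "no method list"))
            continue
        for lst in lists:
            if "" in lst.split(","):
                findings.append((lineno, f"empty method name in {lst!r}"))
    return findings


# Constructed sample, not a real host's configuration.
SAMPLE = """\
# constructed sample
Port 22
AuthenticationMethods publickey,password publickey,keyboard-interactive
authenticationmethods
AuthenticationMethods ""
AuthenticationMethods = publickey,,password
Match User backup
    AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for lineno, problem in check_auth_methods(SAMPLE):
        print(f"line {lineno}: {problem}")
```

The check is per file and does not follow `Include` directives, so each included file has to be passed through it separately.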
Petr Lautrbach
2014-Sep-24 14:30 UTC
AuthenticationMethods in sshd_config accepting empty method list
On Thu, Jun 19, 2014 at 02:56:49PM +0200, mvadkert wrote:
> Hi everyone,
>
> I just came across a contradiction between the man page of AuthenticationMethods and the accepted
> methods list.
>
> According to the sshd_config manual page:
> """
> AuthenticationMethods
>
> Specifies the authentication methods that must be successfully completed for a user to be granted
> access. This option must be followed by one or more comma-separated lists of authentication method
> names. Successful authentication requires completion of every method in at least one of these lists.
> """
>
> But in reality an empty list is also accepted by sshd (servconf.c:1605).
>
> What is the reason to accept an empty method list? Does the man page need an update?
>

Hi,

I believe that this is a bug in the parsing code which doesn't handle an empty list correctly. The following patch fixes it.

--- a/servconf.c +++ b/servconf.c @@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line, break; case sAuthenticationMethods: + if (cp == NULL || *cp == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); if (*activep && options->num_auth_methods == 0) { while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_auth_methods >

--
Petr Lautrbach
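Review bot: The added `cp == NULL || *cp == '\0'` test in the sAuthenticationMethods case runs before any tokenizing, so it only rejects a line where nothing at all follows the keyword. The loop right below it still exits silently whenever the first token returned by strdelim() is empty (`*arg != '\0'`), which leaves num_auth_methods at 0 with no error; a check after the loop that fails when no method list was stored would cover that path as well. Placing the new test outside the `*activep` condition is a good choice, since the line is then validated even where it is not currently active. The patch touches only servconf.c, so the original question of whether the sshd_config manual page needs an update is still open.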