bugzilla-daemon at mindrot.org
2024-Jan-18 17:20 UTC
[Bug 3657] New: AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657

            Bug ID: 3657
           Summary: AuthenticationMethods any apparently not possible after
                    previous non-any assignment
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: krunoslav.sever at desy.de

Put this into sshd_config:

    AuthenticationMethods password
    Match User root
    AuthenticationMethods any

This fails for

    # ssh -V
    OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
    # sshd -T
    /etc/ssh/sshd_config line 124: "any" must appear alone in AuthenticationMethods

It is okay for e.g.

    # ssh -V
    OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020

I think I have narrowed it down to the code change in commit a10f929d1,
between 8.6 and 8.7:

    servconf.c:process_server_config_line_depth(...)
    case sAuthenticationMethods:
    ...

The code, before and after this change, rejects "any" if
options->num_auth_methods>0.

The working code ensures this to be 0 at the start of the loop with a
surrounding if, so this does not trigger. The changed code misses the
surrounding if.

It may be that the old code resets the num_auth_count before processing the
config line and the new code does not. But this seems to be a solid starting
point.

Best
Kruno

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Feb-09 01:58 UTC
[Bug 3657] AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                      |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                             |djm at mindrot.org,
                   |                             |dtucker at dtucker.net
   Attachment #3788|                             |ok?(dtucker at dtucker.net)
              Flags|                             |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3788
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3788&action=edit
separate parsing/verification of string array options from applying them to
the config

Thanks for reporting this. I think the attached patch should fix this and all
similar cases.
bugzilla-daemon at mindrot.org
2024-Mar-04 02:18 UTC
[Bug 3657] AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                      |Added
----------------------------------------------------------------------------
         Resolution|---                          |FIXED
             Blocks|                             |3651
             Status|NEW                          |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in OpenSSH 9.7, due in a couple of weeks.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
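
Added example, not part of the thread and not OpenSSH's code: a simplified C model of the check the report describes and of the approach named in the attachment title (verify a string-array line on its own, then apply it). The struct, the function names and the two-line input are assumptions made for illustration; Match evaluation is not modelled, both lines feed one options struct.

```c
#include <stdio.h>
#include <string.h>
#define MAX_METHODS 8
/* Hypothetical stand-in for the server options; not OpenSSH's struct. */
struct opts { const char *methods[MAX_METHODS]; int num; };
typedef int (*parse_fn)(struct opts *, const char **, int);

/* Coupled: the "any" check reads the array that earlier lines already filled,
 * so a line consisting only of "any" is rejected once any value is stored. */
static int parse_coupled(struct opts *o, const char **args, int n)
{
    int unset = (o->num == 0), seen_any = 0;   /* first value obtained wins */
    for (int i = 0; i < n; i++) {
        int is_any = strcmp(args[i], "any") == 0;
        /* "any" must appear alone: nothing before it, nothing after it */
        if ((is_any && o->num > 0) || (!is_any && seen_any)) return -1;
        seen_any |= is_any;
        if (unset && o->num < MAX_METHODS) o->methods[o->num++] = args[i];
    }
    return 0;
}

/* Separated: verify the line by itself, then apply only if still unset. */
static int parse_separated(struct opts *o, const char **args, int n)
{
    if (n > MAX_METHODS) return -1;
    for (int i = 0; i < n; i++)
        if (strcmp(args[i], "any") == 0 && n > 1) return -1;
    if (o->num == 0)
        for (int i = 0; i < n; i++) o->methods[o->num++] = args[i];
    return 0;
}

/* Constructed input: the report's two lines in file order.
 * Returns the 1-based number of the rejected line, or 0 if both parse. */
static int load_report_config(parse_fn parse)
{
    struct opts o = { {0}, 0 };
    const char *global[] = { "password" };  /* AuthenticationMethods password */
    const char *match[] = { "any" };        /* Match User root: ... any */
    if (parse(&o, global, 1) != 0) return 1;
    return parse(&o, match, 1) != 0 ? 2 : 0;
}

int main(void)
{
    printf("coupled: rejected line %d\n", load_report_config(parse_coupled));
    printf("separated: rejected line %d\n", load_report_config(parse_separated));
    return 0;
}
```

In the coupled variant the stored array doubles as per-line state, which is why a check meant for a line such as "password any" also fires on a later line that contains only "any".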