bugzilla-daemon at mindrot.org
2024-Jan-18 17:20 UTC
[Bug 3657] New: AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657
Bug ID: 3657
Summary: AuthenticationMethods any apparently not possible after previous non-any assignment
Product: Portable OpenSSH
Version: 8.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: krunoslav.sever at desy.de

Put this into sshd_config:

    AuthenticationMethods password
    Match User root
        AuthenticationMethods any

This fails for

    # ssh -V
    OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
    # sshd -T
    /etc/ssh/sshd_config line 124: "any" must appear alone in AuthenticationMethods

It is okay for e.g.

    # ssh -V
    OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020

I think I have narrowed it down to the code change in commit a10f929d1,
between 8.6 and 8.7:

    servconf.c:process_server_config_line_depth(...)
        case sAuthenticationMethods:
        ...

The code, before and after this change, rejects "any" if
options->num_auth_methods>0.
The working code ensures this to be 0 at the start of the loop with a
surrounding if, so this does not trigger.
The changed code misses the surrounding if.
It may be that the old code resets the num_auth_count before processing
the config line and the new code does not.
But this seems to be a solid starting point.
Best
Kruno
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Feb-09 01:58 UTC
[Bug 3657] AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657
Damien Miller <djm at mindrot.org> changed:
What             |Removed                        |Added
----------------------------------------------------------------------------
Assignee         |unassigned-bugs at mindrot.org |djm at mindrot.org
CC               |                               |djm at mindrot.org,
                 |                               |dtucker at dtucker.net
Attachment #3788 |                               |ok?(dtucker at dtucker.net)
Flags            |                               |
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3788
--> https://bugzilla.mindrot.org/attachment.cgi?id=3788&action=edit
separate parsing/verification of string array options from applying
them to the config
Thanks for reporting this. I think the attached patch should fix this
and all similar cases.
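
Added example, not part of the bug thread and not OpenSSH code: a simplified C model of the check the report describes (verification reading the count already stored in the options) next to the approach named in the attachment title (verify the line on its own, then apply it). `struct opts`, `check_any_alone` and `parse_line` are hypothetical names, the input lines are constructed, and the first-value-wins rule is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

#define MAX_METHODS 8

/* Hypothetical stand-in for sshd's options: just the method list and count. */
struct opts { const char *auth_methods[MAX_METHODS]; int num_auth_methods; };

/* 0 if "any" appears alone on the line, -1 otherwise. `seen` is the number
 * of methods treated as already present before the first token. */
static int check_any_alone(const char **argv, int argc, int seen)
{
    int any_seen = 0;
    for (int i = 0; i < argc; i++, seen++) {
        if (strcmp(argv[i], "any") == 0) {
            if (seen > 0)
                return -1;              /* "any" after another method */
            any_seen = 1;
        } else if (any_seen) {
            return -1;                  /* method after "any" */
        }
    }
    return 0;
}

/* separated == 0: verify against the count stored by earlier lines (coupled).
 * separated != 0: verify the line on its own, then apply it. */
int parse_line(struct opts *o, const char **argv, int argc, int separated)
{
    int seen = separated ? 0 : o->num_auth_methods;
    if (argc > MAX_METHODS || check_any_alone(argv, argc, seen) != 0)
        return -1;
    if (o->num_auth_methods == 0) {     /* model assumption: first value wins */
        memcpy(o->auth_methods, argv, argc * sizeof(argv[0]));
        o->num_auth_methods = argc;
    }
    return 0;
}

int main(void)
{
    const char *global[] = { "password" }, *match[] = { "any" }; /* constructed */
    struct opts a = { { 0 }, 0 }, b = { { 0 }, 0 };
    parse_line(&a, global, 1, 0);
    parse_line(&b, global, 1, 1);
    printf("coupled=%d separated=%d\n",
        parse_line(&a, match, 1, 0), parse_line(&b, match, 1, 1));
    return 0;
}
```
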
bugzilla-daemon at mindrot.org
2024-Mar-04 02:18 UTC
[Bug 3657] AuthenticationMethods any apparently not possible after previous non-any assignment
https://bugzilla.mindrot.org/show_bug.cgi?id=3657
Damien Miller <djm at mindrot.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |FIXED
Blocks     |        |3651
Status     |NEW     |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in OpenSSH 9.7, due in a couple of
weeks.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7