https://bugzilla.mindrot.org/show_bug.cgi?id=2398
Bug ID: 2398
Summary: AuthenticationMethods doesn't have default value
(inconsistency) and it accept empty value
Product: Portable OpenSSH
Version: 6.8p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: jje...@redhat.com
Created attachment 2620
--> https://bugzilla.mindrot.org/attachment.cgi?id=2620&action=edit
proposed patch
Based on previous bugzilla, we realized that it would be useful to have
default value for this server option, because of:
* First of all, it is inconsistent with all other options that are
available in openssh.
* Another issue is usability. You can't reset this option in match
block to it's default value if other match block or default config
changed this option.
Ex: I want to have all users to authenticate using public key and
password, but I want exception for localhost to use any authentication
method available. It would be nice, if we could do something like this:
>Match Address ::1
> AuthenticationMethods any
>Match Address *
> AuthenticationMethods publickey,password
There can be used workaround:
>Match Address !::1
> AuthenticationMethods publickey,password
but it doesn't work, as stated in bz2397. Also it can get quite messy
if you have more blocks like that.
To have this feature working, we need to choose value for ANY (proposed
"any"), use this value as default (enforced by
fill_default_server_options) and make sure that it is handled
everywhere in the code consistently. There are few design
consideration, before posting a patch:
* We can't use just num_auth_methods == 0, because this is considered
as not-defined and it can't override previously definde authentication
methods
* We can use enforce num_auth_methods == 1 && strcmp(auth_methods[0],
"any"), but it is not much elegant from my POV, but best I have got.
* We can use num_auth_methods == -1, but it would require few changes
in more data types in application (currently defined as u_int, so we
can't store here -1).
Also as I can see, there was not properly propagated change to bz2281
from our bugzilla which covered also empty values of
AuthenticationMethods (also covered in attached patch).
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
