[Bug 3657] New: AuthenticationMethods any apparently not possible after previous non-any assignment
bugzilla-daemon at mindrot.org
Fri Jan 19 04:20:47 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3657
Bug ID: 3657
Summary: AuthenticationMethods any apparently not possible after previous non-any assignment
Product: Portable OpenSSH
Version: 8.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: krunoslav.sever at desy.de
Put this into sshd_config:
AuthenticationMethods password
Match User root
AuthenticationMethods any
This fails for
# ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
# sshd -T
/etc/ssh/sshd_config line 124: "any" must appear alone in AuthenticationMethods
It is okay for e.g.
# ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020
I think I have narrowed it down to the code change in commit a10f929d1,
between 8.6 and 8.7:
servconf.c:process_server_config_line_depth(...)
case sAuthenticationMethods:
...
The code, before and after this change, rejects "any" if
options->num_auth_methods>0.
The working code ensures this to be 0 at the start of the loop with a
surrounding if, so this does not trigger.
The changed code misses the surrounding if.
It may be that the old code resets the num_auth_count before processing
the config line and the new code does not.
But this seems to be a solid starting point.
Best
Kruno
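
Added example, not part of the original report and not OpenSSH source: a simplified C model of the control flow the report describes, showing why an unguarded `"any"` check rejects the Match-block line once a global AuthenticationMethods value is set. The `struct options` stand-in, the `guarded` flag and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_METHODS 8

/* Hypothetical stand-in for the server options the report refers to. */
struct options {
    const char *auth_methods[MAX_METHODS];
    int num_auth_methods;
};

/*
 * Parse the arguments of one AuthenticationMethods line.
 * guarded != 0 models the flow reported as working: once methods are
 * already set, the line is skipped and the first value wins.
 * Returns 0 on success, -1 for the '"any" must appear alone' error.
 */
static int parse_auth_methods(struct options *o, const char **args,
                              int nargs, int guarded)
{
    int first = (o->num_auth_methods == 0);
    int seen_any = 0, i;

    if (guarded && !first)
        return 0;                 /* later line is never examined */
    for (i = 0; i < nargs; i++) {
        if (strcmp(args[i], "any") == 0) {
            if (o->num_auth_methods > 0)
                return -1;        /* meant to catch "password any" */
            seen_any = 1;
        } else if (seen_any) {
            return -1;            /* meant to catch "any password" */
        }
        if (first && o->num_auth_methods < MAX_METHODS)
            o->auth_methods[o->num_auth_methods++] = args[i];
    }
    return 0;
}

/* The two lines from the report: global "password", then "any" under Match. */
static int run_report_config(int guarded)
{
    struct options o = { {0}, 0 };
    const char *global_line[] = { "password" };
    const char *match_line[] = { "any" };

    if (parse_auth_methods(&o, global_line, 1, guarded) != 0)
        return -1;
    return parse_auth_methods(&o, match_line, 1, guarded);
}

int main(void)
{
    printf("guarded=%d unguarded=%d\n",
           run_report_config(1), run_report_config(0));
    return 0;
}
```

On a real host, `sshd -T` (as used in the report) is the check to run after any change to AuthenticationMethods, since a config that fails to parse keeps sshd from starting.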