AuthenticationMethods in sshd_config accepting empty method list
Petr Lautrbach
plautrba at redhat.com
Thu Sep 25 00:30:20 EST 2014
On Thu, Jun 19, 2014 at 02:56:49PM +0200, mvadkert wrote:
> Hi everyone,
>
> I just came across a contradiction between the man page of AuthenticationMethods and the accepted
> methods list.
>
> According to the sshd_config manual page:
> """
> AuthenticationMethods
>
> Specifies the authentication methods that must be successfully completed for a user to be granted
> access. This option must be followed by one or more comma-separated lists of authentication method
> names. Successful authentication requires completion of every method in at least one of these lists.
> """
>
> But in reality an empty list is also accepted by sshd (servconf.c:1605).
>
> What is the reason to accept an empty method list? Does the man page need an update?
>
Hi,
I believe that this is a bug in the parsing code, which doesn't handle an empty list correctly. The following patch
fixes it.
--- a/servconf.c
+++ b/servconf.c
@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sAuthenticationMethods:
+ if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
if (*activep && options->num_auth_methods == 0) {
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_auth_methods >=
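Review bot: The new check at the top of `case sAuthenticationMethods:` only catches a line with nothing at all after the keyword, while the loop below still ends on the first token for which `*arg == '\0'`. Any line whose first token comes back empty from strdelim() would therefore leave num_auth_methods at 0 without an error. Counting the tokens consumed in the loop and calling fatal() when none were added would cover both cases with one test. The check also sits outside the `*activep && options->num_auth_methods == 0` guard, so it fires for every occurrence of the directive, including ones the loop would skip. That seems right for a syntax error, but a short comment saying so would help, as would a regression test that feeds sshd a config with a bare `AuthenticationMethods` line.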
--
Petr Lautrbach
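
For administrators who want to find affected configuration files before upgrading to a parser that rejects them, here is an added example (not part of the original post and not OpenSSH code) that scans sshd_config text for `AuthenticationMethods` directives with no method list. The function name, the sample config and the handling of an empty quoted first token are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample config (not taken from the thread).
SAMPLE = """\
# constructed example
PasswordAuthentication no
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User alice
    AuthenticationMethods
Match Group ops
    authenticationmethods=
Match User bob
    AuthenticationMethods ""
"""

# Keyword, then "=" or whitespace (or end of line), then the rest of the line.
DIRECTIVE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+|$)(.*)")

def find_empty_authmethods(config_text):
    """Return (line number, scope, reason) for each AuthenticationMethods
    directive that names no authentication method."""
    findings = []
    scope = "global"
    for linenum, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m is None:
            continue
        keyword, rest = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = line  # remember which Match block we are in
            continue
        if keyword != "authenticationmethods":
            continue
        if rest == "":
            # The case the patch rejects with "Missing argument."
            findings.append((linenum, scope, "missing argument"))
            continue
        try:
            tokens = shlex.split(rest)
        except ValueError:
            tokens = [rest]  # unbalanced quote: leave that to sshd's own parser
        if not tokens or tokens[0] == "":
            # Assumption: an empty quoted first token also yields no methods.
            findings.append((linenum, scope, "empty first token"))
    return findings
```

Calling `find_empty_authmethods(SAMPLE)` reports lines 5, 7 and 9 of the constructed config together with the Match block each one sits in.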