[Bug 2398] New: AuthenticationMethods doesn't have default value (inconsistency) and it accept empty value

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 14 00:20:11 AEST 2015 

https://bugzilla.mindrot.org/show_bug.cgi?id=2398

            Bug ID: 2398
           Summary: AuthenticationMethods doesn't have default value
                    (inconsistency) and it accept empty value
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2620
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2620&action=edit
proposed patch

Based on previous bugzilla, we realized that it would be useful to have
default value for this server option, because of:

 * First of all, it is inconsistent with all other options that are
available in openssh.

 * Another issue is usability. You can't reset this option in match
block to it's default value if other match block or default config
changed this option.

Ex: I want to have all users to authenticate using public key and
password, but I want exception for localhost to use any authentication
method available. It would be nice, if we could do something like this:

>Match Address ::1
>    AuthenticationMethods any
>Match Address *
>    AuthenticationMethods publickey,password

There can be used workaround:
>Match Address !::1
>    AuthenticationMethods publickey,password

but it doesn't work, as stated in bz2397. Also it can get quite messy
if you have more blocks like that.

To have this feature working, we need to choose value for ANY (proposed
"any"), use this value as default (enforced by
fill_default_server_options) and make sure that it is handled
everywhere in the code consistently. There are few design
consideration, before posting a patch:
 * We can't use just num_auth_methods == 0, because this is considered
as not-defined and it can't override previously definde authentication
methods
 * We can use enforce num_auth_methods == 1 && strcmp(auth_methods[0],
"any"), but it is not much elegant from my POV, but best I have got.
 * We can use num_auth_methods == -1, but it would require few changes
in more data types in application (currently defined as u_int, so we
can't store here -1).


Also as I can see, there was not properly propagated change to bz2281
from our bugzilla which covered also empty values of
AuthenticationMethods (also covered in attached patch).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list