upstream commit
add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
diff --git a/auth.c b/auth.c
index e6c094d..fc32f6c 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -352,7 +352,9 @@
case PERMIT_YES:
return 1;
case PERMIT_NO_PASSWD:
- if (strcmp(method, "password") != 0)
+ if (strcmp(method, "publickey") == 0 ||
+ strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-with-mic"))
return 1;
break;
case PERMIT_FORCED_ONLY: