Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / a6e3f01d1e230b8acfdd6b4cf3096459d2a325e0^! / . / sshd_config.5
commita6e3f01d1e230b8acfdd6b4cf3096459d2a325e0[log] [tgz]
authorDamien Miller <djm@mindrot.org>Sun Nov 04 23:21:40 2012 +1100
committerDamien Miller <djm@mindrot.org>Sun Nov 04 23:21:40 2012 +1100
tree577022d2b31e9519d26bc614c3f5396e17d58ec6
parentd0d1099b3b8a766480ce6df215631bf0af6e6bcd [diff] [blame]
   - djm@cvs.openbsd.org 2012/11/04 11:09:15
     [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
     [sshd_config.5]
     Support multiple required authentication via an AuthenticationMethods
     option. This option lists one or more comma-separated lists of
     authentication method names. Successful completion of all the methods in
     any list is required for authentication to complete;
     feedback and ok markus@

diff --git a/sshd_config.5 b/sshd_config.5
index 0fb0b83..05f3374 100644
--- a/sshd_config.5
+++ b/sshd_config.5

@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.148 2012/11/04 10:38:43 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $
 .Dd $Mdocdate: November 4 2012 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -151,6 +151,28 @@
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AuthenticationMethods
+Specifies the authentication methods that must be successfully completed
+for a user to be granted access.
+This option must be followed by one or more comma-separated lists of
+authentication method names.
+Successful authentication requires completion of every method in at least
+one of these lists.
+.Pp
+For example, an argument of
+.Dq publickey,password publickey,keyboard-interactive
+would require the user to complete public key authentication, followed by
+either password or keyboard interactive authentication.
+Only methods that are next in one or more lists are offered at each stage,
+so for this example, it would not be possible to attempt password or
+keyboard-interactive authentication before public key.
+.Pp
+This option is only available for SSH protocol 2 and will yield a fatal
+error if enabled if protocol 1 is also enabled.
+Note that each authentication method listed should also be explicitly enabled
+in the configuration.
+The default is not to require multiple authentication; successful completion
+of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
 The program will be invoked with a single argument of the username
@@ -728,6 +750,7 @@
 .Cm AllowGroups ,
 .Cm AllowTcpForwarding ,
 .Cm AllowUsers ,
+.Cm AuthenticationMethods ,
 .Cm AuthorizedKeysCommand ,
 .Cm AuthorizedKeysCommandUser ,
 .Cm AuthorizedKeysFile ,