From 1dc8d93ce69d6565747eb44446ed117187621b26 Mon Sep 17 00:00:00 2001 From: "deraadt@openbsd.org" Date: Thu, 6 Aug 2015 14:53:21 +0000 Subject: upstream commit add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
---
 auth.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'auth.c')
diff --git a/auth.c b/auth.c
index e6c094d1..fc32f6c4 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -352,7 +352,9 @@ auth_root_allowed(const char *method)
 case PERMIT_YES:
 return 1;
 case PERMIT_NO_PASSWD:
- if (strcmp(method, "password") != 0)
+ if (strcmp(method, "publickey") == 0 ||
+ strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-with-mic"))
 return 1;
 break;
 case PERMIT_FORCED_ONLY:
--
cgit v1.2.3
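Review bot: The third comparison added to the `PERMIT_NO_PASSWD` case of auth_root_allowed(), `strcmp(method, "gssapi-with-mic"))`, lacks `== 0`, so it is true for every method name except gssapi-with-mic. The whole condition therefore passes for `"password"` and any other non-GSSAPI method, and root is allowed where the commit message says only pubkey, hostbased and GSSAPI should be; the line should read `strcmp(method, "gssapi-with-mic") == 0)`. The message also says GSSAPI applies only "when the latter is enabled", but no conditional guard is visible in this hunk, so that is worth confirming against the rest of the function, which begins and ends outside the hunk. A regression test asserting that password authentication for root is refused under prohibit-password would catch this class of mistake.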