Created attachment 2620 [details]
proposed patch

Based on previous bugzilla, we realized that it would be useful to have default value for this server option, because of:

 * First of all, it is inconsistent with all other options that are available in openssh.

 * Another issue is usability. You can't reset this option in match block to it's default value if other match block or default config changed this option.

Ex: I want to have all users to authenticate using public key and password, but I want exception for localhost to use any authentication method available. It would be nice, if we could do something like this:

>Match Address ::1
>    AuthenticationMethods any
>Match Address *
>    AuthenticationMethods publickey,password

There can be used workaround:
>Match Address !::1
>    AuthenticationMethods publickey,password

but it doesn't work, as stated in bz2397. Also it can get quite messy if you have more blocks like that.

To have this feature working, we need to choose value for ANY (proposed "any"), use this value as default (enforced by fill_default_server_options) and make sure that it is handled everywhere in the code consistently. There are few design consideration, before posting a patch:
 * We can't use just num_auth_methods == 0, because this is considered as not-defined and it can't override previously definde authentication methods
 * We can use enforce num_auth_methods == 1 && strcmp(auth_methods[0], "any"), but it is not much elegant from my POV, but best I have got.
 * We can use num_auth_methods == -1, but it would require few changes in more data types in application (currently defined as u_int, so we can't store here -1).


Also as I can see, there was not properly propagated change to bz2281 from our bugzilla which covered also empty values of AuthenticationMethods (also covered in attached patch).