Conflict:NA Reference:https://github.com/openssh/openssh-portable/pull/258/files
---
 readconf.c | 11 ++++++++++-
 readconf.h | 2 ++
 scp.1 | 1 +
 sftp.1 | 1 +
 ssh.1 | 1 +
 ssh_config | 1 +
 ssh_config.5 | 7 +++++++
 sshconnect2.c | 13 ++++++++++++-
 8 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/readconf.c b/readconf.c
index d25f983..45c1c22 100644
--- a/readconf.c
+++ b/readconf.c
@@ -157,7 +157,7 @@ typedef enum {
 oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
 oPubkeyAuthentication,
 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
- oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oDisableTrivialAuth,
 oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -250,6 +250,7 @@ static struct {
 { "pubkeyauthentication", oPubkeyAuthentication },
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
 { "hostbasedauthentication", oHostbasedAuthentication },
+ { "disabletrivialauth", oDisableTrivialAuth},
 { "identityfile", oIdentityFile },
 { "identityfile2", oIdentityFile }, /* obsolete */
 { "identitiesonly", oIdentitiesOnly },
@@ -1124,6 +1125,10 @@ parse_time:
 intptr = &options->hostbased_authentication;
 goto parse_flag;
 
+ case oDisableTrivialAuth:
+ intptr = &options->disable_trivial_auth;
+ goto parse_flag;
+
 case oGssAuthentication:
 intptr = &options->gss_authentication;
 goto parse_flag;
@@ -2392,6 +2397,7 @@ initialize_options(Options * options)
 options->kbd_interactive_authentication = -1;
 options->kbd_interactive_devices = NULL;
 options->hostbased_authentication = -1;
+ options->disable_trivial_auth = -1;
 options->batch_mode = -1;
 options->check_host_ip = -1;
 options->strict_host_key_checking = -1;
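Review bot: The replaced enum line in the first readconf.c hunk now carries four enumerators and runs well past 80 columns, while every neighbouring line of this enum is wrapped short of that; OpenSSH keeps source within 80 columns, so leave the original line as it was and add `oDisableTrivialAuth,` on a line of its own directly after it. That also turns the hunk into a pure one-line addition instead of a delete-and-replace. The `typedef enum {` this line belongs to begins before the hunk and ends after it.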
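Review bot: The new keyword-table entry in the second readconf.c hunk lacks the space before the closing brace that every other entry in the table has; `{ "disabletrivialauth", oDisableTrivialAuth },` keeps the table uniform. On naming, the option is phrased negatively (`DisableTrivialAuth no`, the default, means the trivial paths stay allowed), whereas the neighbouring entries such as `hostbasedauthentication` and `pubkeyauthentication` are positive booleans; a positively phrased name would read more consistently in ssh_config and avoids a double negative when it is combined with the `-1`/`0`/`1` tri-state used in initialize_options and fill_default_options later in this file.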
@@ -2562,6 +2568,8 @@ fill_default_options(Options * options)
 options->kbd_interactive_authentication = 1;
 if (options->hostbased_authentication == -1)
 options->hostbased_authentication = 0;
+ if (options->disable_trivial_auth == -1)
+ options->disable_trivial_auth = 0;
 if (options->batch_mode == -1)
 options->batch_mode = 0;
 if (options->check_host_ip == -1)
@@ -3362,6 +3370,7 @@ dump_client_config(Options *o, const char *host)
 #endif /* GSSAPI */
 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
 dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
+ dump_cfg_fmtint(oDisableTrivialAuth, o->disable_trivial_auth);
 dump_cfg_fmtint(oIdentitiesOnly, o->identities_only);
 dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication);
 dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
diff --git a/readconf.h b/readconf.h
index 00895ad..b391bd6 100644
--- a/readconf.h
+++ b/readconf.h
@@ -38,6 +38,8 @@ typedef struct {
 struct ForwardOptions fwd_opts; /* forwarding options */
 int pubkey_authentication; /* Try ssh2 pubkey authentication. */
 int hostbased_authentication; /* ssh2's rhosts_rsa */
+
+ int disable_trivial_auth; /* disable trivial authentications */
 int gss_authentication; /* Try GSS authentication */
 int gss_keyex; /* Try GSS key exchange */
 int gss_deleg_creds; /* Delegate GSS credentials */
diff --git a/scp.1 b/scp.1
index 874c5c2..e1f8191 100644
--- a/scp.1
+++ b/scp.1
@@ -187,6 +187,7 @@ For full details of the options listed below, and their possible values, see
 .It Host
 .It HostbasedAcceptedAlgorithms
 .It HostbasedAuthentication
+.It DisableTrivialAuth
 .It HostKeyAlgorithms
 .It HostKeyAlias
 .It Hostname
diff --git a/sftp.1 b/sftp.1
index 7eebeea..89b6773 100644
--- a/sftp.1
+++ b/sftp.1
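Review bot: The comment on the new Options field in the readconf.h hunk, `/* disable trivial authentications */`, only restates the identifier and leaves a reader to guess what "trivial" means; the ssh_config.5 text in this same patch calls it "trivial or incomplete", so a comment along the lines of `int disable_trivial_auth; /* Refuse USERAUTH_SUCCESS if no credential was sent */` would say what the flag actually gates. The added blank line above the field also detaches it from the other per-method authentication flags it sits among; dropping that blank line keeps the group together. The enclosing `typedef struct` begins and ends outside this hunk.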
@@ -247,6 +247,7 @@ For full details of the options listed below, and their possible values, see
 .It Host
 .It HostbasedAcceptedAlgorithms
 .It HostbasedAuthentication
+.It DisableTrivialAuth
 .It HostKeyAlgorithms
 .It HostKeyAlias
 .It Hostname
diff --git a/ssh.1 b/ssh.1
index 975ab39..1cb8d5c 100644
--- a/ssh.1
+++ b/ssh.1
@@ -541,6 +541,7 @@ For full details of the options listed below, and their possible values, see
 .It Host
 .It HostbasedAcceptedAlgorithms
 .It HostbasedAuthentication
+.It DisableTrivialAuth
 .It HostKeyAlgorithms
 .It HostKeyAlias
 .It Hostname
diff --git a/ssh_config b/ssh_config
index b3a4922..169f30c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -22,6 +22,7 @@
 # ForwardX11 no
 # PasswordAuthentication yes
 # HostbasedAuthentication no
+# DisableTrivialAuth no
 # GSSAPIAuthentication no
 # GSSAPIDelegateCredentials no
 # GSSAPIKeyExchange no
diff --git a/ssh_config.5 b/ssh_config.5
index 6735401..fd82e05 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -955,6 +955,13 @@ The argument must be
 or
 .Cm no
 (the default).
+.It Cm DisableTrivialAuth Disables trivial or incomplete authentications. The argument must be .Cm yes or .Cm no (the default).
 .It Cm HostKeyAlgorithms
 Specifies the host key signature algorithms that the client wants to use in order of preference.
diff --git a/sshconnect2.c b/sshconnect2.c
index e90eb89..150d419 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -403,6 +403,7 @@ struct identity {
 TAILQ_HEAD(idlist, identity);
 
 struct cauthctxt {
+ int is_trivial_auth;
 const char *server_user;
 const char *local_user;
 const char *host;
@@ -531,6 +532,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 /* setup authentication context */
 memset(&authctxt, 0, sizeof(authctxt));
 authctxt.server_user = server_user;
+ authctxt.is_trivial_auth = 1;
 authctxt.local_user = local_user;
 authctxt.host = host;
 authctxt.service = "ssh-connection"; /* service name */
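Review bot: In the first sshconnect2.c hunk, `int is_trivial_auth;` is added to `struct cauthctxt` without a comment, although its meaning is only defined by five separate assignment sites spread across this patch; a one-line comment at the declaration, e.g. `int is_trivial_auth; /* 1 until a password, signature, kbd-int response or GSS token has been sent */`, is where a later reader will look for it. The struct is cut at the bottom of the hunk; if it already groups its `int` flags together lower down, the new field belongs with them rather than ahead of the `const char *` fields.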
@@ -570,6 +572,10 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 if (!authctxt.success)
 fatal("Authentication failed.");
+ if (authctxt.is_trivial_auth == 1 && options.disable_trivial_auth == 1) {
+ fatal("Trivial authentication disabled.");
+ }
+
 debug("Authentication succeeded (%s).", authctxt.method->name);
 if (ssh_packet_connection_is_on_socket(ssh)) {
 verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
@@ -968,6 +974,7 @@ process_gssapi_token(struct ssh *ssh, gss_buffer_t recv_tok)
 fatal_fr(r, "send %u packet", type);
 
 gss_release_buffer(&ms, &send_tok);
+ authctxt->is_trivial_auth = 0;
 }
 
 if (status == GSS_S_COMPLETE) {
@@ -1213,6 +1220,7 @@ static int
 userauth_passwd(struct ssh *ssh)
 {
 Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ authctxt->is_trivial_auth = 0;
 char *password, *prompt = NULL;
 const char *host = options.host_key_alias ? options.host_key_alias :
 authctxt->host;
@@ -2023,8 +2031,10 @@ userauth_pubkey(struct ssh *ssh)
 id->isprivate = 0;
 }
 }
- if (sent)
+ if (sent) {
+ authctxt->is_trivial_auth = 0;
 return (sent);
+ }
 }
 return (0);
 }
@@ -2105,6 +2115,7 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
 
 debug2_f("num_prompts %d", num_prompts);
 for (i = 0; i < num_prompts; i++) {
+ authctxt->is_trivial_auth = 0;
 if ((r = sshpkt_get_cstring(ssh, &prompt, NULL)) != 0 ||
 (r = sshpkt_get_u8(ssh, &echo)) != 0)
 goto out;
-- 
2.27.0
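Review bot: The new check in ssh_userauth2 compares two flags with `== 1` and braces a single-statement body, which differs from the `if (!authctxt.success)` directly above it and from the flag style used elsewhere in this file; `if (authctxt.is_trivial_auth && options.disable_trivial_auth)` with an unbraced `fatal(...)` reads the same as its neighbour. The fatal message would also be far more useful when diagnosing a refused login if it named the method the server accepted, which is already at hand on the next line: `fatal("Trivial authentication disabled (method %s).", authctxt.method->name);`. ssh_userauth2 begins and ends outside this hunk.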
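Review bot: In the process_gssapi_token hunk the flag is cleared as soon as any context token has been sent, which is before the `if (status == GSS_S_COMPLETE)` test on the hunk's last line and therefore, as far as I can tell from this excerpt, before the MIC that actually completes gssapi-with-mic; a server that answers an initial token with success would then not be treated as trivial, if that is a case the option is meant to cover. If so, moving `authctxt->is_trivial_auth = 0;` into the `GSS_S_COMPLETE` branch next to the MIC send would match the option's stated purpose better. process_gssapi_token begins and ends outside this hunk.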
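Review bot: In the userauth_passwd hunk `authctxt->is_trivial_auth = 0;` runs at function entry, before any password has been read or any packet sent, so the flag is cleared even on calls where the method gives up without sending anything (the prompt-budget path further down, as far as I recall). It should be cleared only after the SSH2_MSG_USERAUTH_REQUEST carrying the password has actually been sent, later in the function and outside this hunk. As placed it is also a statement ahead of the `char *password, *prompt = NULL;` declaration, which OpenSSH style avoids; moving the clear down fixes both.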
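Review bot: In the userauth_pubkey hunk `sent` is true for both paths of the loop above it: the signed request in the private-key branch (the one ending in `id->isprivate = 0;`) and the unsigned public-key test packet in the other branch, so the flag is cleared after merely offering a key. A server that replies to that offer with USERAUTH_SUCCESS is exactly the incomplete-authentication case the new option describes, yet it would pass the check in ssh_userauth2. Clear the flag only where a signature is actually produced and sent (in sign_and_send_pubkey, as far as I recall, which also covers the PK_OK follow-up) and leave `if (sent) return (sent);` as it was.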
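Review bot: In the input_userauth_info_req hunk the clear sits inside the prompt loop, so it repeats on every iteration and fires on receipt of the server's prompt rather than when the client has answered; if `sshpkt_get_cstring` or `sshpkt_get_u8` fails and control goes to `out`, the flag is already cleared although no response was sent. Hoisting it out of the loop to the point where the INFO_RESPONSE packet is actually sent (later in the function, outside this hunk) ties it to a real client action; with zero prompts the flag then correctly stays set, which is presumably the case this site is meant to catch.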