bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-30 20:18 UTC
[Bug 1922] New: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
https://bugzilla.mindrot.org/show_bug.cgi?id=1922 Bug #: 1922 Summary: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication Classification: Unclassified Product: Portable OpenSSH Version: 5.8p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: maxb at f2s.com I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which feels like a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also disabling keyboard-interactive authentication, even if "KbdInteractiveAuthentication yes" is specified. (Also, the KbdInteractiveAuthentication option isn't explicitly documented in the manpages, so I'm unsure if it's actually intended to be used or not.) -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
Reasonably Related Threads
- [RFC][PATCH] Require S/KEY before other authentication methods.
- auth2-kbdint.c: Is it a bug that it mixes references to options.kbd_interactive_authentication and options.challenge_response_authentication ?
- [Bug 118] New: Implement TIS (protocol 1) via PAM
- Match and ChallengeResponseAuthentication
- Match vs. ChallengeResponseAuthentication?