Max Bowsher
2011-Jul-22 00:04 UTC
auth2-kbdint.c: Is it a bug that it mixes references to options.kbd_interactive_authentication and options.challenge_response_authentication ?
Hello, I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which may or may not be a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also disabling keyboard-interactive authentication, even if "KbdInteractiveAuthentication yes" is specified. I'd call this a bug, but other places in the source code have interactions between these options, so I'm not sure whether it is intended or not. Also, the KbdInteractiveAuthentication option isn't explicitly documented in the manpages, so I'm unsure if it's actually intended to be used or not. Hoping someone can shed some light on this, Max. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20110722/4d85bd23/attachment.bin>
Apparently Analagous Threads
- [RFC][PATCH] Require S/KEY before other authentication methods.
- [Bug 1922] New: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
- [Bug 118] New: Implement TIS (protocol 1) via PAM
- [PATCH] prevent users from changing their environment
- New PAM kbd-int diff