bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-30 20:18 UTC
[Bug 1922] New: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
https://bugzilla.mindrot.org/show_bug.cgi?id=1922
Bug #: 1922
Summary: Disabling ChallengeResponseAuthentication also
disables KbdInteractiveAuthentication
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: maxb at f2s.com
I was chasing some unexpected behaviour from OpenSSH, and have come
across an oddity in the source code which feels like a bug.
In auth2-kbdint.c, the Authmethod struct declares
options.kbd_interactive_authentication as the enabled flag for this
method. However in the implementation function a few lines above, it
checks options.challenge_response_authentication to decide whether to
actually proceed with the authentication.
This results in the behaviour of "ChallengeResponseAuthentication no"
also disabling keyboard-interactive authentication, even if
"KbdInteractiveAuthentication yes" is specified.
(Also, the KbdInteractiveAuthentication option isn't explicitly
documented in the manpages, so I'm unsure if it's actually intended to
be used or not.)
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
Maybe Matching Threads
- auth2-kbdint.c: Is it a bug that it mixes references to options.kbd_interactive_authentication and options.challenge_response_authentication ?
- [RFC][PATCH] Require S/KEY before other authentication methods.
- [Bug 118] New: Implement TIS (protocol 1) via PAM
- Match and ChallengeResponseAuthentication
- Match vs. ChallengeResponseAuthentication?
Wisdom of the Ancients
