search for: kbd_interactive_authentication

Hello, I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which may or may not be a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also dis...

...... */ + debug("prerequisite keyboard-interactive auth succeeded"); + + /* And disallow challenge-response authentication so + we don't just accept it twice :) */ + options.challenge_response_authentication_first = 0; + options.challenge_response_authentication = 0; + options.kbd_interactive_authentication = options.pam_authentication_via_kbd_int; + + methods = authmethods_get(); + packet_start(SSH2_MSG_USERAUTH_FAILURE); + packet_put_cstring(methods); + packet_put_char(1); /* XXX partial success, used */ + packet_send(); + packet_write_wait(); + xfree(methods); } } @@ -272,6 +289,11 @@ a...

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

Hello, I have just installed OpenSSH 4.6p1 and it appears that ChallengeResponseAuthentication is not allowed unless I explicitly set it to "yes" in the sshd_config file. I am using the same config file as I did with 4.5p1 where it was allowed by default. Also, this is OpenSSH package from sunfreeware, but I believe that both versions were compiled with the same options. Is this the

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

...!USE_PAM && !HAVE_OSF_SIA */ diff -uNr openssh-3.0.2p1.orig/servconf.c openssh-3.0.2p1/servconf.c --- openssh-3.0.2p1.orig/servconf.c Tue Nov 13 05:03:15 2001 +++ openssh-3.0.2p1/servconf.c Fri Feb 15 02:15:05 2002 @@ -88,6 +88,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; + options->tis_via_pam = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; @@ -249,7 +250,7 @@ #ifdef AFS sAFSTokenPassing, #endif - sChallengeResponseAuthentication,...

...If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; --- servconf.c 23 Jun 2002 09:46:51 -0000 1.112 +++ servconf.c 24 Jul 2002 16:55:26 -0000 @@ -87,6 +87,7 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; + options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; @@ -204,6 +205,8 @@ options->challenge_response_authen...

...Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: maxb at f2s.com I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which feels like a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also dis...

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be

.../openssh/auth2.c,v retrieving revision 1.100 diff -u -r1.100 auth2.c --- auth2.c 23 Apr 2002 10:28:49 -0000 1.100 +++ auth2.c 24 Apr 2002 01:03:17 -0000 @@ -119,8 +119,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); @@ -370,10 +368,6 @@ if (options.challenge_response_authentication) authentica...

...e_flag; @@ -818,6 +833,8 @@ options->challenge_response_authentication = -1; options->kerberos_authentication = -1; options->kerberos_tgt_passing = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -894,6 +911,10 @@ options->kerberos_authentication = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; + if (options->gss_authentication == -1) + options->gss_authentication = 1; + if (option...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...vs/openssh/auth2.c,v retrieving revision 1.107 diff -u -r1.107 auth2.c --- auth2.c 21 Jun 2002 06:21:11 -0000 1.107 +++ auth2.c 2 Jul 2002 02:19:35 -0000 @@ -85,10 +85,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; - if (use_privsep) - options.pam_authentication_via_kbd_int = 0; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); Index: monitor.c...

...case sPrintMotd: intptr = &options->print_motd; diff -urN openssh-2.5.1p2/servconf.h openssh-2.5.1p2-tis/servconf.h --- openssh-2.5.1p2/servconf.h Thu Feb 15 04:08:27 2001 +++ openssh-2.5.1p2-tis/servconf.h Fri Mar 9 10:59:50 2001 @@ -90,6 +91,9 @@ * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_reponse_authentication; +#ifdef TIS_AUTH + struct addrinfo *authserv_addrs; +#endif int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ diff -urN openssh-2.5.1p2/tisaut...

...s/openssh/auth2.c,v retrieving revision 1.107 diff -u -r1.107 auth2.c --- auth2.c 21 Jun 2002 06:21:11 -0000 1.107 +++ auth2.c 25 Jun 2002 01:42:11 -0000 @@ -85,10 +85,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; - if (use_privsep) - options.pam_authentication_via_kbd_int = 0; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); Index: monitor.c...

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

...list(const char *, const char *, u_int *); #endif diff -r -U 8 openssh-3.9p1.orig/servconf.c openssh-3.9p1.jpmg/servconf.c --- openssh-3.9p1.orig/servconf.c 2004-08-13 12:30:24.000000000 +0100 +++ openssh-3.9p1.jpmg/servconf.c 2005-01-20 10:11:54.385791373 +0000 @@ -78,16 +78,17 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; + options->num_allow_u...

...thentication: intptr = &options->skey_authentication; goto parse_flag; diff -urN openssh-2.3.0p1/servconf.c openssh-2.3.0p1-tis/servconf.c --- openssh-2.3.0p1/servconf.c Mon Oct 16 03:14:42 2000 +++ openssh-2.3.0p1-tis/servconf.c Thu Dec 7 18:41:00 2000 @@ -64,6 +64,9 @@ options->kbd_interactive_authentication = -1; #ifdef SKEY options->skey_authentication = -1; +#elif TIS_AUTH + options->tis_authentication = -1; + options->authserv_addrs = NULL; #endif options->permit_empty_passwd = -1; options->use_login = -1; @@ -155,6 +158,9 @@ #ifdef SKEY if (options->skey_authentication...