- dtucker@cvs.openbsd.org 2007/03/01 10:28:02

[auth2.c sshd_config.5 servconf.c]
     Remove ChallengeResponseAuthentication support inside a Match
     block as its interaction with KbdInteractive makes it difficult to
     support.  Also, relocate the CR/kbdint option special-case code into
     servconf.  "please commit" djm@, ok markus@ for the relocation.

ChangeLog

@@ -1,3 +1,12 @@
+20070301
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2007/03/01 10:28:02
+     [auth2.c sshd_config.5 servconf.c]
+     Remove ChallengeResponseAuthentication support inside a Match
+     block as its interaction with KbdInteractive makes it difficult to
+     support.  Also, relocate the CR/kbdint option special-case code into
+     servconf.  "please commit" djm@, ok markus@ for the relocation.
+
 20070228
  - (dtucker) OpenBSD CVS Sync
    - dtucker@cvs.openbsd.org 2007/02/28 00:55:30
@@ -2773,4 +2782,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4624 2007/02/28 10:19:58 dtucker Exp $
+$Id: ChangeLog,v 1.4625 2007/03/01 10:31:28 dtucker Exp $

auth2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -96,10 +96,6 @@ int user_key_allowed(struct passwd *, Key *);
 void
 do_authentication2(Authctxt *authctxt)
 {
-	/* challenge-response is implemented via keyboard interactive */
-	if (options.challenge_response_authentication)
-		options.kbd_interactive_authentication = 1;
-
 	dispatch_init(&dispatch_protocol_error);
 	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
 	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);

servconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.169 2007/02/22 12:58:40 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -357,7 +357,7 @@ static struct {
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
@@ -1350,7 +1350,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
-	M_CP_INTOPT(challenge_response_authentication);
 
 	M_CP_INTOPT(allow_tcp_forwarding);
 	M_CP_INTOPT(gateway_ports);
@@ -1388,4 +1387,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
 	if (bad_options > 0)
 		fatal("%s: terminating, %d bad configuration options",
 		    filename, bad_options);
+
+	/* challenge-response is implemented via keyboard interactive */
+	if (options->challenge_response_authentication == 1)
+		options->kbd_interactive_authentication = 1;
 }

sshd_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.72 2007/02/19 10:45:58 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.73 2007/03/01 10:28:02 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -513,12 +513,11 @@ keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
-.Cm ChallengeResponseAuthentication ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSApiAuthentication ,
 .Cm KerberosAuthentication ,
-.Cm KeyboardInteractiveAuthentication ,
+.Cm KbdInteractiveAuthentication ,
 .Cm PasswordAuthentication ,
 .Cm PermitOpen ,
 .Cm RhostsRSAAuthentication ,