diff --git a/readconf.c b/readconf.c
index 22e69cb33..3bec3a9fb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.357 2021/06/08 22:06:12 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.358 2021/07/02 05:11:21 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -145,7 +145,7 @@ typedef enum {
 	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
 	oGatewayPorts, oExitOnForwardFailure,
 	oPasswordAuthentication,
-	oChallengeResponseAuthentication, oXAuthLocation,
+	oXAuthLocation,
 	oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
 	oPermitRemoteOpen,
 	oCertificateFile, oAddKeysToAgent, oIdentityAgent,
@@ -228,12 +228,12 @@ static struct {
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* alias */
+	{ "skeyauthentication", oKbdInteractiveAuthentication }, /* alias */
+	{ "tisauthentication", oKbdInteractiveAuthentication }, /* alias */
 	{ "pubkeyauthentication", oPubkeyAuthentication },
 	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
 	{ "hostbasedauthentication", oHostbasedAuthentication },
-	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
-	{ "skeyauthentication", oUnsupported },
-	{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile }, /* obsolete */
 	{ "identitiesonly", oIdentitiesOnly },
@@ -1099,10 +1099,6 @@ parse_time:
 		intptr = &options->hostbased_authentication;
 		goto parse_flag;
 
-	case oChallengeResponseAuthentication:
-		intptr = &options->challenge_response_authentication;
-		goto parse_flag;
-
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
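Review bot: Routing `challengeresponseauthentication`, `skeyauthentication` and `tisauthentication` to oKbdInteractiveAuthentication makes four keywords write the same flag, so a configuration that gives two of them different values is now resolved by ssh_config's first-obtained-value rule instead of keeping two independent settings (for example `ChallengeResponseAuthentication no` ahead of `KbdInteractiveAuthentication yes` presumably now leaves keyboard-interactive off); the servconf.c keyword table hunk (`@@ -599,8 +596,8 @@`) has the same merge, where the alias additionally moves from SSHCFG_GLOBAL to SSHCFG_ALL and so becomes accepted inside Match blocks. `skeyauthentication` also changes from oUnsupported, which presumably only produced a warning, to a live alias that silently sets the flag. A table comment stating the rule would help: `/* alias: shares one flag, first value obtained wins */`. Emitting a deprecation notice when an alias name is parsed would let administrators find configs that relied on the old two-flag behaviour. The keyword table starts and ends outside the hunk.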
@@ -2286,7 +2282,6 @@ initialize_options(Options * options)
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
 	options->pubkey_authentication = -1;
-	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
 	options->password_authentication = -1;
@@ -2440,8 +2435,6 @@ fill_default_options(Options * options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
-	if (options->challenge_response_authentication == -1)
-		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
@@ -3207,7 +3200,6 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_fmtint(oBatchMode, o->batch_mode);
 	dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
 	dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
-	dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication);
 	dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
 	dump_cfg_fmtint(oCompression, o->compression);
 	dump_cfg_fmtint(oControlMaster, o->control_master);
diff --git a/servconf.c b/servconf.c
index 543e834a0..c43bda8f7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.380 2021/06/08 07:09:42 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
  * All rights reserved
@@ -140,7 +140,6 @@ initialize_server_options(ServerOptions *options)
 	options->gss_strict_acceptor = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
-	options->challenge_response_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->permit_user_env_allowlist = NULL;
@@ -364,9 +363,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 0;
-	if (options->challenge_response_authentication == -1)
-		options->challenge_response_authentication = 1;
+		options->kbd_interactive_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1) {
@@ -599,8 +596,8 @@ static struct {
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-	{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
+	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
+	{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -1596,10 +1593,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		intptr = &options->kbd_interactive_authentication;
 		goto parse_flag;
 
-	case sChallengeResponseAuthentication:
-		intptr = &options->challenge_response_authentication;
-		goto parse_flag;
-
 	case sPrintMotd:
 		intptr = &options->print_motd;
 		goto parse_flag;
@@ -2904,8 +2897,6 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);
-	dump_cfg_fmtint(sChallengeResponseAuthentication,
-	    o->challenge_response_authentication);
 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
 #ifndef DISABLE_LASTLOG
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
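Review bot: The default for kbd_interactive_authentication changes from 0 to 1 with no comment, and fill_default_server_options on its own no longer shows that keyboard-interactive was previously switched on through ChallengeResponseAuthentication's default of yes (visible in the removed lines and in the sshd_config.5 hunk), so the new default only preserves the old effective behaviour rather than widening it. Suggest `/* Previously implied by ChallengeResponseAuthentication, default yes. */` above the assignment. Any code outside this diff that copied challenge_response_authentication into kbd_interactive_authentication would now reference a removed field and presumably goes in the same commit; worth confirming since it is not visible here. fill_default_server_options starts and ends outside the hunk.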
diff --git a/sshd_config b/sshd_config
index 19b7c91a1..4b3011ec3 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -58,7 +58,7 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication yes
 
 # Kerberos options
 #KerberosAuthentication no
diff --git a/sshd_config.5 b/sshd_config.5
index 3b339aafb..07635932c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.331 2021/04/04 11:36:56 jmc Exp $
-.Dd $Mdocdate: April 4 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.332 2021/07/02 05:11:21 dtucker Exp $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -384,12 +384,6 @@ rsa-sha2-512,rsa-sha2-256
 .Pp
 Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or through authentication styles supported in
-.Xr login.conf 5 )
-The default is
-.Cm yes .
 .It Cm ChrootDirectory
 Specifies the pathname of a directory to
 .Xr chroot 2
@@ -874,15 +868,17 @@ for interactive sessions and
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
+All authentication styles from
+.Xr login.conf 5
+are supported.
+The default is
+.Cm yes .
 The argument to this keyword must be
 .Cm yes
 or
 .Cm no .
-The default is to use whatever value
 .Cm ChallengeResponseAuthentication
-is set to
-(by default
-.Cm yes ) .
+is a deprecated alias for this.
 .It Cm KerberosAuthentication
 Specifies whether the password provided by the user for
 .Cm PasswordAuthentication