mirror of git://anongit.mindrot.org/openssh.git
upstream: Remove references to ChallengeResponseAuthentication in
favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@ OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
This commit is contained in:
dtucker@openbsd.org
Darren Tucker
parent
f841fc9c8c
commit
c73b02d92d
18
readconf.c
18
readconf.c
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: readconf.c,v 1.357 2021/06/08 22:06:12 djm Exp $ */
|
/* $OpenBSD: readconf.c,v 1.358 2021/07/02 05:11:21 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
|
@ -145,7 +145,7 @@ typedef enum {
|
||||||
oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
|
oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
|
||||||
oGatewayPorts, oExitOnForwardFailure,
|
oGatewayPorts, oExitOnForwardFailure,
|
||||||
oPasswordAuthentication,
|
oPasswordAuthentication,
|
||||||
oChallengeResponseAuthentication, oXAuthLocation,
|
oXAuthLocation,
|
||||||
oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
|
oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
|
||||||
oPermitRemoteOpen,
|
oPermitRemoteOpen,
|
||||||
oCertificateFile, oAddKeysToAgent, oIdentityAgent,
|
oCertificateFile, oAddKeysToAgent, oIdentityAgent,
|
||||||
|
|
@ -228,12 +228,12 @@ static struct {
|
||||||
{ "passwordauthentication", oPasswordAuthentication },
|
{ "passwordauthentication", oPasswordAuthentication },
|
||||||
{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
|
{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
|
||||||
{ "kbdinteractivedevices", oKbdInteractiveDevices },
|
{ "kbdinteractivedevices", oKbdInteractiveDevices },
|
||||||
|
{ "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* alias */
|
||||||
|
{ "skeyauthentication", oKbdInteractiveAuthentication }, /* alias */
|
||||||
|
{ "tisauthentication", oKbdInteractiveAuthentication }, /* alias */
|
||||||
{ "pubkeyauthentication", oPubkeyAuthentication },
|
{ "pubkeyauthentication", oPubkeyAuthentication },
|
||||||
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
|
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
|
||||||
{ "hostbasedauthentication", oHostbasedAuthentication },
|
{ "hostbasedauthentication", oHostbasedAuthentication },
|
||||||
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
|
||||||
{ "skeyauthentication", oUnsupported },
|
|
||||||
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
|
||||||
{ "identityfile", oIdentityFile },
|
{ "identityfile", oIdentityFile },
|
||||||
{ "identityfile2", oIdentityFile }, /* obsolete */
|
{ "identityfile2", oIdentityFile }, /* obsolete */
|
||||||
{ "identitiesonly", oIdentitiesOnly },
|
{ "identitiesonly", oIdentitiesOnly },
|
||||||
|
|
@ -1099,10 +1099,6 @@ parse_time:
|
||||||
intptr = &options->hostbased_authentication;
|
intptr = &options->hostbased_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
case oChallengeResponseAuthentication:
|
|
||||||
intptr = &options->challenge_response_authentication;
|
|
||||||
goto parse_flag;
|
|
||||||
|
|
||||||
case oGssAuthentication:
|
case oGssAuthentication:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
@ -2286,7 +2282,6 @@ initialize_options(Options * options)
|
||||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||||
options->pubkey_authentication = -1;
|
options->pubkey_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
|
||||||
options->gss_authentication = -1;
|
options->gss_authentication = -1;
|
||||||
options->gss_deleg_creds = -1;
|
options->gss_deleg_creds = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
|
|
@ -2440,8 +2435,6 @@ fill_default_options(Options * options)
|
||||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||||
if (options->pubkey_authentication == -1)
|
if (options->pubkey_authentication == -1)
|
||||||
options->pubkey_authentication = 1;
|
options->pubkey_authentication = 1;
|
||||||
if (options->challenge_response_authentication == -1)
|
|
||||||
options->challenge_response_authentication = 1;
|
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_deleg_creds == -1)
|
if (options->gss_deleg_creds == -1)
|
||||||
|
|
@ -3207,7 +3200,6 @@ dump_client_config(Options *o, const char *host)
|
||||||
dump_cfg_fmtint(oBatchMode, o->batch_mode);
|
dump_cfg_fmtint(oBatchMode, o->batch_mode);
|
||||||
dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
|
dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
|
||||||
dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
|
dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
|
||||||
dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication);
|
|
||||||
dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
|
dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
|
||||||
dump_cfg_fmtint(oCompression, o->compression);
|
dump_cfg_fmtint(oCompression, o->compression);
|
||||||
dump_cfg_fmtint(oControlMaster, o->control_master);
|
dump_cfg_fmtint(oControlMaster, o->control_master);
|
||||||
|
|
|
||||||
17
servconf.c
17
servconf.c
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
/* $OpenBSD: servconf.c,v 1.380 2021/06/08 07:09:42 djm Exp $ */
|
/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
|
|
@ -140,7 +140,6 @@ initialize_server_options(ServerOptions *options)
|
||||||
options->gss_strict_acceptor = -1;
|
options->gss_strict_acceptor = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
|
||||||
options->permit_empty_passwd = -1;
|
options->permit_empty_passwd = -1;
|
||||||
options->permit_user_env = -1;
|
options->permit_user_env = -1;
|
||||||
options->permit_user_env_allowlist = NULL;
|
options->permit_user_env_allowlist = NULL;
|
||||||
|
|
@ -364,9 +363,7 @@ fill_default_server_options(ServerOptions *options)
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
options->kbd_interactive_authentication = 0;
|
options->kbd_interactive_authentication = 1;
|
||||||
if (options->challenge_response_authentication == -1)
|
|
||||||
options->challenge_response_authentication = 1;
|
|
||||||
if (options->permit_empty_passwd == -1)
|
if (options->permit_empty_passwd == -1)
|
||||||
options->permit_empty_passwd = 0;
|
options->permit_empty_passwd = 0;
|
||||||
if (options->permit_user_env == -1) {
|
if (options->permit_user_env == -1) {
|
||||||
|
|
@ -599,8 +596,8 @@ static struct {
|
||||||
#endif
|
#endif
|
||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
|
||||||
{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
|
{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
|
||||||
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
|
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
|
||||||
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
|
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
|
||||||
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
|
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
|
||||||
|
|
@ -1596,10 +1593,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||||
intptr = &options->kbd_interactive_authentication;
|
intptr = &options->kbd_interactive_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
case sChallengeResponseAuthentication:
|
|
||||||
intptr = &options->challenge_response_authentication;
|
|
||||||
goto parse_flag;
|
|
||||||
|
|
||||||
case sPrintMotd:
|
case sPrintMotd:
|
||||||
intptr = &options->print_motd;
|
intptr = &options->print_motd;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
@ -2904,8 +2897,6 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||||
o->kbd_interactive_authentication);
|
o->kbd_interactive_authentication);
|
||||||
dump_cfg_fmtint(sChallengeResponseAuthentication,
|
|
||||||
o->challenge_response_authentication);
|
|
||||||
dump_cfg_fmtint(sPrintMotd, o->print_motd);
|
dump_cfg_fmtint(sPrintMotd, o->print_motd);
|
||||||
#ifndef DISABLE_LASTLOG
|
#ifndef DISABLE_LASTLOG
|
||||||
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
|
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
|
||||||
|
|
||||||
# This is the sshd server system-wide configuration file. See
|
# This is the sshd server system-wide configuration file. See
|
||||||
# sshd_config(5) for more information.
|
# sshd_config(5) for more information.
|
||||||
|
|
@ -58,7 +58,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
#PermitEmptyPasswords no
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
# Change to no to disable s/key passwords
|
||||||
#ChallengeResponseAuthentication yes
|
#KbdInteractiveAuthentication yes
|
||||||
|
|
||||||
# Kerberos options
|
# Kerberos options
|
||||||
#KerberosAuthentication no
|
#KerberosAuthentication no
|
||||||
|
|
|
||||||
|
|
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.331 2021/04/04 11:36:56 jmc Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.332 2021/07/02 05:11:21 dtucker Exp $
|
||||||
.Dd $Mdocdate: April 4 2021 $
|
.Dd $Mdocdate: July 2 2021 $
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
|
@ -384,12 +384,6 @@ rsa-sha2-512,rsa-sha2-256
|
||||||
.Pp
|
.Pp
|
||||||
Certificates signed using other algorithms will not be accepted for
|
Certificates signed using other algorithms will not be accepted for
|
||||||
public key or host-based authentication.
|
public key or host-based authentication.
|
||||||
.It Cm ChallengeResponseAuthentication
|
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
|
||||||
PAM or through authentication styles supported in
|
|
||||||
.Xr login.conf 5 )
|
|
||||||
The default is
|
|
||||||
.Cm yes .
|
|
||||||
.It Cm ChrootDirectory
|
.It Cm ChrootDirectory
|
||||||
Specifies the pathname of a directory to
|
Specifies the pathname of a directory to
|
||||||
.Xr chroot 2
|
.Xr chroot 2
|
||||||
|
|
@ -874,15 +868,17 @@ for interactive sessions and
|
||||||
for non-interactive sessions.
|
for non-interactive sessions.
|
||||||
.It Cm KbdInteractiveAuthentication
|
.It Cm KbdInteractiveAuthentication
|
||||||
Specifies whether to allow keyboard-interactive authentication.
|
Specifies whether to allow keyboard-interactive authentication.
|
||||||
|
All authentication styles from
|
||||||
|
.Xr login.conf 5
|
||||||
|
are supported.
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
The argument to this keyword must be
|
The argument to this keyword must be
|
||||||
.Cm yes
|
.Cm yes
|
||||||
or
|
or
|
||||||
.Cm no .
|
.Cm no .
|
||||||
The default is to use whatever value
|
|
||||||
.Cm ChallengeResponseAuthentication
|
.Cm ChallengeResponseAuthentication
|
||||||
is set to
|
is a deprecated alias for this.
|
||||||
(by default
|
|
||||||
.Cm yes ) .
|
|
||||||
.It Cm KerberosAuthentication
|
.It Cm KerberosAuthentication
|
||||||
Specifies whether the password provided by the user for
|
Specifies whether the password provided by the user for
|
||||||
.Cm PasswordAuthentication
|
.Cm PasswordAuthentication
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue