-rw-r--r-- | usr.bin/ssh/auth2-kbdint.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/monitor.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/readconf.c | 18 | ||||
-rw-r--r-- | usr.bin/ssh/readconf.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/scp.1 | 5 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.c | 17 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/sftp.1 | 5 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.1 | 13 | ||||
-rw-r--r-- | usr.bin/ssh/ssh_config.5 | 13 | ||||
-rw-r--r-- | usr.bin/ssh/sshconnect.c | 9 | ||||
-rw-r--r-- | usr.bin/ssh/sshconnect2.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.c | 6 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 21 |
15 files changed, 42 insertions, 88 deletions
diff --git a/usr.bin/ssh/auth2-kbdint.c b/usr.bin/ssh/auth2-kbdint.c
index 1f7b153c5ec..1bd12cd8666 100644
--- a/usr.bin/ssh/auth2-kbdint.c
+++ b/usr.bin/ssh/auth2-kbdint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.12 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-kbdint.c,v 1.13 2021/07/02 05:11:20 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -54,7 +54,7 @@ userauth_kbdint(struct ssh *ssh)
 debug("keyboard-interactive devs %s", devs);
- if (options.challenge_response_authentication)
+ if (options.kbd_interactive_authentication)
 authenticated = auth2_challenge(ssh, devs);
 free(devs);
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index ceae6109f35..c457720d688 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.226 2021/04/30 04:02:52 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.227 2021/07/02 05:11:20 dtucker Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -848,7 +848,7 @@ mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m)
 if ((r = sshbuf_get_cstring(m, &response, NULL)) != 0)
 fatal_fr(r, "parse");
- authok = options.challenge_response_authentication &&
+ authok = options.kbd_interactive_authentication &&
 auth_userresponse(authctxt->as, response, 0);
 authctxt->as = NULL;
 debug3_f("<%s> = <%d>", response, authok);
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 44c94d76954..0ba8eb48067 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.357 2021/06/08 22:06:12 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.358 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -131,7 +131,7 @@ typedef enum {
 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
 oGatewayPorts, oExitOnForwardFailure,
 oPasswordAuthentication,
- oChallengeResponseAuthentication, oXAuthLocation,
+ oXAuthLocation,
 oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
 oPermitRemoteOpen,
 oCertificateFile, oAddKeysToAgent, oIdentityAgent,
@@ -214,12 +214,12 @@ static struct {
 { "passwordauthentication", oPasswordAuthentication },
 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 { "kbdinteractivedevices", oKbdInteractiveDevices },
+ { "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* alias */
+ { "skeyauthentication", oKbdInteractiveAuthentication }, /* alias */
+ { "tisauthentication", oKbdInteractiveAuthentication }, /* alias */
 { "pubkeyauthentication", oPubkeyAuthentication },
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
 { "hostbasedauthentication", oHostbasedAuthentication },
- { "challengeresponseauthentication", oChallengeResponseAuthentication },
- { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
- { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
 { "identityfile", oIdentityFile },
 { "identityfile2", oIdentityFile }, /* obsolete */
 { "identitiesonly", oIdentitiesOnly },
@@ -1085,10 +1085,6 @@ parse_time:
 intptr = &options->hostbased_authentication;
 goto parse_flag;
- case oChallengeResponseAuthentication:
- intptr = &options->challenge_response_authentication;
- goto parse_flag;
-
 case oGssAuthentication:
 intptr = &options->gss_authentication;
 goto parse_flag;
@@ -2272,7 +2268,6 @@ initialize_options(Options * options)
 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 options->fwd_opts.streamlocal_bind_unlink = -1;
 options->pubkey_authentication = -1;
- options->challenge_response_authentication = -1;
 options->gss_authentication = -1;
 options->gss_deleg_creds = -1;
 options->password_authentication = -1;
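Review bot: Routing `challengeresponseauthentication`, `skeyauthentication` and `tisauthentication` to oKbdInteractiveAuthentication in the keyword table makes all four spellings write the same flag, so a config that sets more than one of them is now resolved by whichever keyword is parsed last, whereas before this commit (see the block removed from sshconnect2.c further down) ChallengeResponseAuthentication could only switch keyboard-interactive on, never off. The servconf.c keyword table in this commit has the same property. Since the man pages now call the old spelling a deprecated alias, the table comments could say so too, `{ "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* deprecated alias */`, and the ssh_config.5 sentence added for it would be clearer as "is a deprecated alias for this; both keywords set the same option and the last one seen takes effect". Whether the alias path emits any notice is not visible in this hunk; if it does not, a one-time debug message when an alias is parsed would help people find stale configs.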
@@ -2426,8 +2421,6 @@ fill_default_options(Options * options)
 options->fwd_opts.streamlocal_bind_unlink = 0;
 if (options->pubkey_authentication == -1)
 options->pubkey_authentication = 1;
- if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
 if (options->gss_authentication == -1)
 options->gss_authentication = 0;
 if (options->gss_deleg_creds == -1)
@@ -3186,7 +3179,6 @@ dump_client_config(Options *o, const char *host)
 dump_cfg_fmtint(oBatchMode, o->batch_mode);
 dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
 dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
- dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication);
 dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
 dump_cfg_fmtint(oCompression, o->compression);
 dump_cfg_fmtint(oControlMaster, o->control_master);
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 2fba866eb53..f3d02fb388d 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.140 2021/02/15 20:43:15 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.141 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -38,8 +38,6 @@ typedef struct {
 struct ForwardOptions fwd_opts; /* forwarding options */
 int pubkey_authentication; /* Try ssh2 pubkey authentication. */
 int hostbased_authentication; /* ssh2's rhosts_rsa */
- int challenge_response_authentication;
- /* Try S/Key or TIS, authentication. */
 int gss_authentication; /* Try GSS authentication */
 int gss_deleg_creds; /* Delegate GSS credentials */
 int password_authentication; /* Try password
diff --git a/usr.bin/ssh/scp.1 b/usr.bin/ssh/scp.1
index 5471ea31ba2..d9a9bb92bce 100644
--- a/usr.bin/ssh/scp.1
+++ b/usr.bin/ssh/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May 7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.95 2021/01/26 15:40:17 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.96 2021/07/02 05:11:21 dtucker Exp $
 .\"
-.Dd $Mdocdate: January 26 2021 $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -158,7 +158,6 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizePermittedCNAMEs
 .It CASignatureAlgorithms
 .It CertificateFile
-.It ChallengeResponseAuthentication
 .It CheckHostIP
 .It Ciphers
 .It Compression
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index abdc6efdc5c..e28fa51b5f0 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.380 2021/06/08 07:09:42 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -122,7 +122,6 @@ initialize_server_options(ServerOptions *options)
 options->gss_strict_acceptor = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
 options->permit_empty_passwd = -1;
 options->permit_user_env = -1;
 options->permit_user_env_allowlist = NULL;
@@ -339,9 +338,7 @@ fill_default_server_options(ServerOptions *options)
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
- options->kbd_interactive_authentication = 0;
- if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
+ options->kbd_interactive_authentication = 1;
 if (options->permit_empty_passwd == -1)
 options->permit_empty_passwd = 0;
 if (options->permit_user_env == -1) {
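Review bot: The new default `options->kbd_interactive_authentication = 1;` in fill_default_server_options flips the built-in value from no to yes, and that flip is what keeps an untouched sshd_config behaving as before, because the sshd.c block removed later in this commit used to force the flag on whenever the challenge-response default of yes applied. The visible consequence is that a config setting only `KbdInteractiveAuthentication no` is now honoured, whereas previously it was silently overridden back to yes unless ChallengeResponseAuthentication was also set to no. That is the right outcome, but it changes what an existing sshd_config means, so a comment on the default, `/* was implied by ChallengeResponseAuthentication; now the primary keyword */`, plus a release-note line would help operators audit existing configs. fill_default_server_options continues outside the hunk.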
@@ -558,8 +555,8 @@ static struct {
 #endif
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
- { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
- { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
+ { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -1538,10 +1535,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 intptr = &options->kbd_interactive_authentication;
 goto parse_flag;
- case sChallengeResponseAuthentication:
- intptr = &options->challenge_response_authentication;
- goto parse_flag;
-
 case sPrintMotd:
 intptr = &options->print_motd;
 goto parse_flag;
@@ -2837,8 +2830,6 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 dump_cfg_fmtint(sKbdInteractiveAuthentication,
 o->kbd_interactive_authentication);
- dump_cfg_fmtint(sChallengeResponseAuthentication,
- o->challenge_response_authentication);
 dump_cfg_fmtint(sPrintMotd, o->print_motd);
 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 72ee588103e..1197c57f75c 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.154 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.155 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
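Review bot: The alias rows for `challengeresponseauthentication` and `skeyauthentication` move from SSHCFG_GLOBAL to SSHCFG_ALL, so the deprecated spellings become accepted inside Match blocks for the first time, mirroring the `kbdinteractiveauthentication` row above them. That is consistent with their new meaning, but the sshd_config.5 hunks in this commit only add the "deprecated alias" sentence; if the list of keywords allowed under Match in sshd_config.5 is not updated elsewhere (not visible here), readers of that list will not know the alias works there. If narrowing rather than widening a deprecated keyword is preferred, the rows can keep the old scope while still mapping to the same flag, `{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, /* deprecated alias */`. The same `/* deprecated alias */` wording would also make the table match the man pages.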
@@ -146,7 +146,6 @@ typedef struct {
 int password_authentication; /* If true, permit password
 * authentication. */
 int kbd_interactive_authentication; /* If true, permit */
- int challenge_response_authentication;
 int permit_empty_passwd; /* If false, do not permit empty
 * passwords. */
 int permit_user_env; /* If true, read ~/.ssh/environment */
diff --git a/usr.bin/ssh/sftp.1 b/usr.bin/ssh/sftp.1
index a1a6373029a..7eebeeacbf3 100644
--- a/usr.bin/ssh/sftp.1
+++ b/usr.bin/ssh/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.137 2021/02/12 03:49:09 djm Exp $
+.\" $OpenBSD: sftp.1,v 1.138 2021/07/02 05:11:21 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller. All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 12 2021 $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -232,7 +232,6 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizePermittedCNAMEs
 .It CASignatureAlgorithms
 .It CertificateFile
-.It ChallengeResponseAuthentication
 .It CheckHostIP
 .It Ciphers
 .It Compression
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index dab8f38c497..e59716b9c53 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.420 2021/06/25 06:20:39 dtucker Exp $
-.Dd $Mdocdate: June 25 2021 $
+.\" $OpenBSD: ssh.1,v 1.421 2021/07/02 05:11:21 dtucker Exp $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -485,7 +485,6 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizePermittedCNAMEs
 .It CASignatureAlgorithms
 .It CertificateFile
-.It ChallengeResponseAuthentication
 .It CheckHostIP
 .It Ciphers
 .It ClearAllForwardings
@@ -833,7 +832,7 @@ The methods available for authentication are:
 GSSAPI-based authentication,
 host-based authentication,
 public key authentication,
-challenge-response authentication,
+keyboard-interactive authentication,
 and password authentication.
 Authentication methods are tried in the order specified above, though
@@ -971,11 +970,11 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
-Challenge-response authentication works as follows:
+Keyboard-interactive authentication works as follows:
 The server sends an arbitrary
 .Qq challenge
-text, and prompts for a response.
-Examples of challenge-response authentication include
+text and prompts for a response, possibly multiple times.
+Examples of keyboard-interactive authentication include
 .Bx
 Authentication (see
 .Xr login.conf 5 )
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index 9c7aa4d63ca..a34d2a0d1d9 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.354 2021/06/04 05:10:03 djm Exp $
-.Dd $Mdocdate: June 4 2021 $
+.\" $OpenBSD: ssh_config.5,v 1.355 2021/07/02 05:11:21 dtucker Exp $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -412,13 +412,6 @@ Multiple
 .Cm CertificateFile
 directives will add to the list of certificates used for authentication.
-.It Cm ChallengeResponseAuthentication
-Specifies whether to use challenge-response authentication.
-The argument to this keyword must be
-.Cm yes
-(the default)
-or
-.Cm no .
 .It Cm CheckHostIP
 If set to
 .Cm yes
@@ -1085,6 +1078,8 @@ The argument to this keyword must be
 (the default)
 or
 .Cm no .
+.Cm ChallengeResponseAuthentication
+is a deprecated alias for this.
 .It Cm KbdInteractiveDevices
 Specifies the list of methods to use in keyboard-interactive authentication.
 Multiple method names must be comma-separated.
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index e227ef20a20..465c4d37339 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.354 2021/06/25 06:20:39 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1260,13 +1260,6 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 error("Keyboard-interactive authentication is disabled" " to avoid man-in-the-middle attacks.");
 options.kbd_interactive_authentication = 0;
- options.challenge_response_authentication = 0;
- cancelled_forwarding = 1;
- }
- if (options.challenge_response_authentication) {
- error("Challenge/response authentication is disabled" " to avoid man-in-the-middle attacks.");
- options.challenge_response_authentication = 0;
 cancelled_forwarding = 1;
 }
 if (options.forward_agent) {
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 2f2d6ff1f2e..3774c5a7669 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.349 2021/06/07 03:38:38 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.350 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -435,8 +435,6 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
 Authctxt authctxt;
 int r;
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
 if (options.preferred_authentications == NULL)
 options.preferred_authentications = authmethods_get();
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 69f68132856..026bc16c36c 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.576 2021/06/10 03:14:14 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.577 2021/07/02 05:11:21 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1641,10 +1641,6 @@ main(int ac, char **av)
 /* Fill in default values for those options not explicitly set. */
 fill_default_server_options(&options);
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
-
 /* Check that options are sensible */
 if (options.authorized_keys_command_user == NULL &&
 (options.authorized_keys_command != NULL &&
diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index ac02ac659d0..01a3e1ec594 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -56,7 +56,7 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index bce14100421..88954f8efd4 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
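Review bot: In the sshd_config hunk the untouched comment `# Change to no to disable s/key passwords` now introduces `#KbdInteractiveAuthentication yes`, so the sample file explains the keyword by a mechanism whose name the option no longer carries, even though the commented default is correct now that fill_default_server_options sets the flag to yes. Changing it to `# Change to no to disable keyboard-interactive authentication` keeps the sample in step with the sshd_config.5 wording in the same commit. The sshd.c and sshconnect2.c hunks above remove the only places that coupled the two flags, so no further reference to challenge_response_authentication should remain once this applies; a grep over the tree (outside this diff) would confirm that.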
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.331 2021/04/04 11:36:56 jmc Exp $
-.Dd $Mdocdate: April 4 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.332 2021/07/02 05:11:21 dtucker Exp $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -385,13 +385,6 @@ rsa-sha2-512,rsa-sha2-256
 .Pp
 Certificates signed using other algorithms will not be accepted for public key or host-based authentication.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
-The default is
-.Cm yes .
 .It Cm ChrootDirectory
 Specifies the pathname of a directory to
 .Xr chroot 2
@@ -876,15 +869,17 @@ for interactive sessions and
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
+All authentication styles from
+.Xr login.conf 5
+are supported.
+The default is
+.Cm yes .
 The argument to this keyword must be
 .Cm yes
 or
 .Cm no .
-The default is to use whatever value
 .Cm ChallengeResponseAuthentication
-is set to
-(by default
-.Cm yes ) .
+is a deprecated alias for this.
 .It Cm KerberosAuthentication
 Specifies whether the password provided by the user for
 .Cm PasswordAuthentication |