From: dtucker Date: Fri, 2 Jul 2021 05:11:20 +0000 (+0000) Subject: Remove references to ChallengeResponseAuthentication in favour of X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=bdfa5c1b5082a4d5041f6737b122c85e3a4112da;p=openbsd Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@ --- diff --git a/usr.bin/ssh/auth2-kbdint.c b/usr.bin/ssh/auth2-kbdint.c index 1f7b153c5ec..1bd12cd8666 100644 --- a/usr.bin/ssh/auth2-kbdint.c +++ b/usr.bin/ssh/auth2-kbdint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-kbdint.c,v 1.12 2020/10/18 11:32:01 djm Exp $ */ +/* $OpenBSD: auth2-kbdint.c,v 1.13 2021/07/02 05:11:20 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -54,7 +54,7 @@ userauth_kbdint(struct ssh *ssh) debug("keyboard-interactive devs %s", devs); - if (options.challenge_response_authentication) + if (options.kbd_interactive_authentication) authenticated = auth2_challenge(ssh, devs); free(devs); diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index ceae6109f35..c457720d688 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.226 2021/04/30 04:02:52 dtucker Exp $ */ +/* $OpenBSD: monitor.c,v 1.227 2021/07/02 05:11:20 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -848,7 +848,7 @@ mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m) if ((r = sshbuf_get_cstring(m, &response, NULL)) != 0) fatal_fr(r, "parse"); - authok = options.challenge_response_authentication && + authok = options.kbd_interactive_authentication && auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3_f("<%s> = <%d>", response, authok); diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index 44c94d76954..0ba8eb48067 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.357 2021/06/08 22:06:12 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.358 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -131,7 +131,7 @@ typedef enum { oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, oGatewayPorts, oExitOnForwardFailure, oPasswordAuthentication, - oChallengeResponseAuthentication, oXAuthLocation, + oXAuthLocation, oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward, oPermitRemoteOpen, oCertificateFile, oAddKeysToAgent, oIdentityAgent, @@ -214,12 +214,12 @@ static struct { { "passwordauthentication", oPasswordAuthentication }, { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, { "kbdinteractivedevices", oKbdInteractiveDevices }, + { "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* alias */ + { "skeyauthentication", oKbdInteractiveAuthentication }, /* alias */ + { "tisauthentication", oKbdInteractiveAuthentication }, /* alias */ { "pubkeyauthentication", oPubkeyAuthentication }, { "dsaauthentication", oPubkeyAuthentication }, /* alias */ { "hostbasedauthentication", oHostbasedAuthentication }, - { "challengeresponseauthentication", oChallengeResponseAuthentication }, - { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ - { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ { "identityfile", oIdentityFile }, { "identityfile2", oIdentityFile }, /* obsolete */ { "identitiesonly", oIdentitiesOnly }, @@ -1085,10 +1085,6 @@ parse_time: intptr = &options->hostbased_authentication; goto parse_flag; - case oChallengeResponseAuthentication: - intptr = &options->challenge_response_authentication; - goto parse_flag; - case oGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; @@ -2272,7 +2268,6 @@ initialize_options(Options * options) options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; - options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; options->password_authentication = -1; @@ -2426,8 +2421,6 @@ fill_default_options(Options * options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; - if (options->challenge_response_authentication == -1) - options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_deleg_creds == -1) @@ -3186,7 +3179,6 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oBatchMode, o->batch_mode); dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local); dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname); - dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication); dump_cfg_fmtint(oCheckHostIP, o->check_host_ip); dump_cfg_fmtint(oCompression, o->compression); dump_cfg_fmtint(oControlMaster, o->control_master); diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h index 2fba866eb53..f3d02fb388d 100644 --- a/usr.bin/ssh/readconf.h +++ b/usr.bin/ssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.140 2021/02/15 20:43:15 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.141 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -38,8 +38,6 @@ typedef struct { struct ForwardOptions fwd_opts; /* forwarding options */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ - int challenge_response_authentication; - /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ int password_authentication; /* Try password diff --git a/usr.bin/ssh/scp.1 b/usr.bin/ssh/scp.1 index 5471ea31ba2..d9a9bb92bce 100644 --- a/usr.bin/ssh/scp.1 +++ b/usr.bin/ssh/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.95 2021/01/26 15:40:17 naddy Exp $ +.\" $OpenBSD: scp.1,v 1.96 2021/07/02 05:11:21 dtucker Exp $ .\" -.Dd $Mdocdate: January 26 2021 $ +.Dd $Mdocdate: July 2 2021 $ .Dt SCP 1 .Os .Sh NAME @@ -158,7 +158,6 @@ For full details of the options listed below, and their possible values, see .It CanonicalizePermittedCNAMEs .It CASignatureAlgorithms .It CertificateFile -.It ChallengeResponseAuthentication .It CheckHostIP .It Ciphers .It Compression diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index abdc6efdc5c..e28fa51b5f0 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.380 2021/06/08 07:09:42 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -122,7 +122,6 @@ initialize_server_options(ServerOptions *options) options->gss_strict_acceptor = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->permit_user_env_allowlist = NULL; @@ -339,9 +338,7 @@ fill_default_server_options(ServerOptions *options) if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) - options->kbd_interactive_authentication = 0; - if (options->challenge_response_authentication == -1) - options->challenge_response_authentication = 1; + options->kbd_interactive_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->permit_user_env == -1) { @@ -558,8 +555,8 @@ static struct { #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, - { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ + { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ + { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, @@ -1538,10 +1535,6 @@ process_server_config_line_depth(ServerOptions *options, char *line, intptr = &options->kbd_interactive_authentication; goto parse_flag; - case sChallengeResponseAuthentication: - intptr = &options->challenge_response_authentication; - goto parse_flag; - case sPrintMotd: intptr = &options->print_motd; goto parse_flag; @@ -2837,8 +2830,6 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, o->kbd_interactive_authentication); - dump_cfg_fmtint(sChallengeResponseAuthentication, - o->challenge_response_authentication); dump_cfg_fmtint(sPrintMotd, o->print_motd); dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 72ee588103e..1197c57f75c 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.154 2021/04/03 06:18:40 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.155 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -146,7 +146,6 @@ typedef struct { int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ - int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int permit_user_env; /* If true, read ~/.ssh/environment */ diff --git a/usr.bin/ssh/sftp.1 b/usr.bin/ssh/sftp.1 index a1a6373029a..7eebeeacbf3 100644 --- a/usr.bin/ssh/sftp.1 +++ b/usr.bin/ssh/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.137 2021/02/12 03:49:09 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.138 2021/07/02 05:11:21 dtucker Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 12 2021 $ +.Dd $Mdocdate: July 2 2021 $ .Dt SFTP 1 .Os .Sh NAME @@ -232,7 +232,6 @@ For full details of the options listed below, and their possible values, see .It CanonicalizePermittedCNAMEs .It CASignatureAlgorithms .It CertificateFile -.It ChallengeResponseAuthentication .It CheckHostIP .It Ciphers .It Compression diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index dab8f38c497..e59716b9c53 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.420 2021/06/25 06:20:39 dtucker Exp $ -.Dd $Mdocdate: June 25 2021 $ +.\" $OpenBSD: ssh.1,v 1.421 2021/07/02 05:11:21 dtucker Exp $ +.Dd $Mdocdate: July 2 2021 $ .Dt SSH 1 .Os .Sh NAME @@ -485,7 +485,6 @@ For full details of the options listed below, and their possible values, see .It CanonicalizePermittedCNAMEs .It CASignatureAlgorithms .It CertificateFile -.It ChallengeResponseAuthentication .It CheckHostIP .It Ciphers .It ClearAllForwardings @@ -833,7 +832,7 @@ The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, -challenge-response authentication, +keyboard-interactive authentication, and password authentication. Authentication methods are tried in the order specified above, though @@ -971,11 +970,11 @@ directive in .Xr ssh_config 5 for more information. .Pp -Challenge-response authentication works as follows: +Keyboard-interactive authentication works as follows: The server sends an arbitrary .Qq challenge -text, and prompts for a response. -Examples of challenge-response authentication include +text and prompts for a response, possibly multiple times. +Examples of keyboard-interactive authentication include .Bx Authentication (see .Xr login.conf 5 ) diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index 9c7aa4d63ca..a34d2a0d1d9 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.354 2021/06/04 05:10:03 djm Exp $ -.Dd $Mdocdate: June 4 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.355 2021/07/02 05:11:21 dtucker Exp $ +.Dd $Mdocdate: July 2 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -412,13 +412,6 @@ Multiple .Cm CertificateFile directives will add to the list of certificates used for authentication. -.It Cm ChallengeResponseAuthentication -Specifies whether to use challenge-response authentication. -The argument to this keyword must be -.Cm yes -(the default) -or -.Cm no . .It Cm CheckHostIP If set to .Cm yes @@ -1085,6 +1078,8 @@ The argument to this keyword must be (the default) or .Cm no . +.Cm ChallengeResponseAuthentication +is a deprecated alias for this. .It Cm KbdInteractiveDevices Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index e227ef20a20..465c4d37339 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.354 2021/06/25 06:20:39 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1260,13 +1260,6 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, error("Keyboard-interactive authentication is disabled" " to avoid man-in-the-middle attacks."); options.kbd_interactive_authentication = 0; - options.challenge_response_authentication = 0; - cancelled_forwarding = 1; - } - if (options.challenge_response_authentication) { - error("Challenge/response authentication is disabled" - " to avoid man-in-the-middle attacks."); - options.challenge_response_authentication = 0; cancelled_forwarding = 1; } if (options.forward_agent) { diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 2f2d6ff1f2e..3774c5a7669 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.349 2021/06/07 03:38:38 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.350 2021/07/02 05:11:21 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -435,8 +435,6 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, Authctxt authctxt; int r; - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; if (options.preferred_authentications == NULL) options.preferred_authentications = authmethods_get(); diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 69f68132856..026bc16c36c 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.576 2021/06/10 03:14:14 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.577 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1641,10 +1641,6 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; - /* Check that options are sensible */ if (options.authorized_keys_command_user == NULL && (options.authorized_keys_command != NULL && diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config index ac02ac659d0..01a3e1ec594 100644 --- a/usr.bin/ssh/sshd_config +++ b/usr.bin/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ +# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -56,7 +56,7 @@ AuthorizedKeysFile .ssh/authorized_keys #PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +#KbdInteractiveAuthentication yes #AllowAgentForwarding yes #AllowTcpForwarding yes diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index bce14100421..88954f8efd4 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.331 2021/04/04 11:36:56 jmc Exp $ -.Dd $Mdocdate: April 4 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.332 2021/07/02 05:11:21 dtucker Exp $ +.Dd $Mdocdate: July 2 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -385,13 +385,6 @@ rsa-sha2-512,rsa-sha2-256 .Pp Certificates signed using other algorithms will not be accepted for public key or host-based authentication. -.It Cm ChallengeResponseAuthentication -Specifies whether challenge-response authentication is allowed. -All authentication styles from -.Xr login.conf 5 -are supported. -The default is -.Cm yes . .It Cm ChrootDirectory Specifies the pathname of a directory to .Xr chroot 2 @@ -876,15 +869,17 @@ for interactive sessions and for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to allow keyboard-interactive authentication. +All authentication styles from +.Xr login.conf 5 +are supported. +The default is +.Cm yes . The argument to this keyword must be .Cm yes or .Cm no . -The default is to use whatever value .Cm ChallengeResponseAuthentication -is set to -(by default -.Cm yes ) . +is a deprecated alias for this. .It Cm KerberosAuthentication Specifies whether the password provided by the user for .Cm PasswordAuthentication