upstream: Remove references to ChallengeResponseAuthentication in
authordtucker@openbsd.org <dtucker@openbsd.org>
Fri, 2 Jul 2021 05:11:20 +0000 (05:11 +0000)
committerDarren Tucker <dtucker@dtucker.net>
Fri, 2 Jul 2021 05:39:29 +0000 (15:39 +1000)
favour of KbdInteractiveAuthentication.  The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
not entirely equivalent.  We retain the old name as a deprecated alias so
config files continue to work, and keep a reference in the man page for people
looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match.  Man page help & ok jmc@, with & ok djm@

OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e

readconf.c
servconf.c
sshd_config
sshd_config.5

index 22e69cb332a07b26a295196210fc0fd3de06ae8c..3bec3a9fb55c566924ec1957dd6d6dbce72d6ebd 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.357 2021/06/08 22:06:12 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.358 2021/07/02 05:11:21 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -145,7 +145,7 @@ typedef enum {
        oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
        oGatewayPorts, oExitOnForwardFailure,
        oPasswordAuthentication,
-       oChallengeResponseAuthentication, oXAuthLocation,
+       oXAuthLocation,
        oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
        oPermitRemoteOpen,
        oCertificateFile, oAddKeysToAgent, oIdentityAgent,
@@ -228,12 +228,12 @@ static struct {
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
+       { "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* alias */
+       { "skeyauthentication", oKbdInteractiveAuthentication }, /* alias */
+       { "tisauthentication", oKbdInteractiveAuthentication },  /* alias */
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
        { "hostbasedauthentication", oHostbasedAuthentication },
-       { "challengeresponseauthentication", oChallengeResponseAuthentication },
-       { "skeyauthentication", oUnsupported },
-       { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
        { "identityfile", oIdentityFile },
        { "identityfile2", oIdentityFile },                     /* obsolete */
        { "identitiesonly", oIdentitiesOnly },
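Review bot: The `skeyauthentication` row in this keyword table changes from `oUnsupported` to a live alias of `oKbdInteractiveAuthentication`, which the commit message does not mention (it only discusses ChallengeResponseAuthentication); the servconf.c table hunk does the same, moving the keyword from `sDeprecated` to `sKbdInteractiveAuthentication`. A stale `SkeyAuthentication no` line that used to map to the unsupported/deprecated opcode would now switch keyboard-interactive off, and a stale `yes` could pre-empt a later `KbdInteractiveAuthentication no` if the parser keeps the first value it sees (parse_flag is not shown here). If the change is intended, I would say so on the row, e.g. `/* deprecated alias; no longer ignored */`, and call it out in the release notes; otherwise keep the row as `oUnsupported`. The table initializer starts and ends outside the hunk.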
@@ -1099,10 +1099,6 @@ parse_time:
                intptr = &options->hostbased_authentication;
                goto parse_flag;
 
-       case oChallengeResponseAuthentication:
-               intptr = &options->challenge_response_authentication;
-               goto parse_flag;
-
        case oGssAuthentication:
                intptr = &options->gss_authentication;
                goto parse_flag;
@@ -2286,7 +2282,6 @@ initialize_options(Options * options)
        options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
        options->fwd_opts.streamlocal_bind_unlink = -1;
        options->pubkey_authentication = -1;
-       options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
        options->gss_deleg_creds = -1;
        options->password_authentication = -1;
@@ -2440,8 +2435,6 @@ fill_default_options(Options * options)
                options->fwd_opts.streamlocal_bind_unlink = 0;
        if (options->pubkey_authentication == -1)
                options->pubkey_authentication = 1;
-       if (options->challenge_response_authentication == -1)
-               options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
        if (options->gss_deleg_creds == -1)
@@ -3207,7 +3200,6 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oBatchMode, o->batch_mode);
        dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
        dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
-       dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication);
        dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
        dump_cfg_fmtint(oCompression, o->compression);
        dump_cfg_fmtint(oControlMaster, o->control_master);
index 543e834a0d097cfe1547071e58e724aa42f9448e..c43bda8f7d5579d027ace5266fa303ed8262c365 100644 (file)
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.380 2021/06/08 07:09:42 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -140,7 +140,6 @@ initialize_server_options(ServerOptions *options)
        options->gss_strict_acceptor = -1;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
-       options->challenge_response_authentication = -1;
        options->permit_empty_passwd = -1;
        options->permit_user_env = -1;
        options->permit_user_env_allowlist = NULL;
@@ -364,9 +363,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-               options->kbd_interactive_authentication = 0;
-       if (options->challenge_response_authentication == -1)
-               options->challenge_response_authentication = 1;
+               options->kbd_interactive_authentication = 1;
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1) {
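Review bot: The compiled-in default for `kbd_interactive_authentication` flips from 0 to 1 in this hunk with no comment explaining why, and a default change on an authentication method is worth spelling out at the place it happens. From the removed lines it looks like the new value simply takes over the old `challenge_response_authentication` default of 1, so I would add `/* on by default; inherits the former ChallengeResponseAuthentication default */` above the assignment. Whether the effective behaviour of an unconfigured server changes depends on how the two fields were combined elsewhere, which this page does not show. fill_default_server_options continues outside the hunk.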
@@ -599,8 +596,8 @@ static struct {
 #endif
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-       { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-       { "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
+       { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
+       { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
        { "checkmail", sDeprecated, SSHCFG_GLOBAL },
        { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
        { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
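Review bot: With `challengeresponseauthentication` and `kbdinteractiveauthentication` now sharing one opcode in this table, a config that sets both names to different values no longer has two independent settings, and nothing here or in the man page hunk says which line wins. If parse_flag keeps the first value it sees (not visible in this diff), `ChallengeResponseAuthentication yes` placed ahead of `KbdInteractiveAuthentication no` leaves keyboard-interactive enabled. The scope also widens from `SSHCFG_GLOBAL` to `SSHCFG_ALL`, so the old name becomes legal inside Match blocks. I would document the precedence next to the alias rows, e.g. `/* alias: shares the flag, so precedence follows normal keyword ordering */`, and recommend checking the effective value with `sshd -T` after upgrading. The table starts and ends outside the hunk.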
@@ -1596,10 +1593,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                intptr = &options->kbd_interactive_authentication;
                goto parse_flag;
 
-       case sChallengeResponseAuthentication:
-               intptr = &options->challenge_response_authentication;
-               goto parse_flag;
-
        case sPrintMotd:
                intptr = &options->print_motd;
                goto parse_flag;
@@ -2904,8 +2897,6 @@ dump_config(ServerOptions *o)
        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
        dump_cfg_fmtint(sKbdInteractiveAuthentication,
            o->kbd_interactive_authentication);
-       dump_cfg_fmtint(sChallengeResponseAuthentication,
-           o->challenge_response_authentication);
        dump_cfg_fmtint(sPrintMotd, o->print_motd);
 #ifndef DISABLE_LASTLOG
        dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
index 19b7c91a154b4c315da64cb6cc52beabe360fca4..4b3011ec362335780d7eb5256f964bda9b461243 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+#      $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -58,7 +58,7 @@ AuthorizedKeysFile    .ssh/authorized_keys
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication yes
 
 # Kerberos options
 #KerberosAuthentication no
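Review bot: The context comment `# Change to no to disable s/key passwords` now sits above `#KbdInteractiveAuthentication yes` and undersells what the switch does. Per the man page hunk in this commit the option covers all login.conf authentication styles, and the removed ChallengeResponseAuthentication text also mentions PAM, so setting it to `no` turns off more than s/key. I would reword the comment to something like `# Change to no to disable keyboard-interactive authentication (e.g. PAM or login.conf styles)`.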
index 3b339aafbc142ef46e59012e70a5f0f4b9f72e55..07635932c617adbbd1220c61260d5c3cc4df7003 100644 (file)
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.331 2021/04/04 11:36:56 jmc Exp $
-.Dd $Mdocdate: April 4 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.332 2021/07/02 05:11:21 dtucker Exp $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -384,12 +384,6 @@ rsa-sha2-512,rsa-sha2-256
 .Pp
 Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or through authentication styles supported in
-.Xr login.conf 5 )
-The default is
-.Cm yes .
 .It Cm ChrootDirectory
 Specifies the pathname of a directory to
 .Xr chroot 2
@@ -874,15 +868,17 @@ for interactive sessions and
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
+All authentication styles from
+.Xr login.conf 5
+are supported.
+The default is
+.Cm yes .
 The argument to this keyword must be
 .Cm yes
 or
 .Cm no .
-The default is to use whatever value
 .Cm ChallengeResponseAuthentication
-is set to
-(by default
-.Cm yes ) .
+is a deprecated alias for this.
 .It Cm KerberosAuthentication
 Specifies whether the password provided by the user for
 .Cm PasswordAuthentication