ChallengeResponseAuthentication defaults to no?

Darren Tucker dtucker at zip.com.au
Fri Mar 23 06:41:02 EST 2007


On Thu, Mar 22, 2007 at 11:12:33AM -0400, Dmitry Berezin wrote:
> I have just installed OpenSSH 4.6p1 and it appears that
> ChallengeResponseAuthentication is not allowed unless I explicitly set
> it to "yes" in the sshd_config file. I am using the same config file as
> I did with 4.5p1 where it was allowed by default. Also, this is OpenSSH
> package from sunfreeware, but I believe that both versions were compiled
> with the same options.
> 
> Is this the intended behavior?

No, it was an unintended interaction with the Match code.  The thing
that was affected was Protocol 2 KbdInteractiveAuthentication
when UsePrivilegeSeparation=yes.  This is enabled if
ChallengeResponseAuthentication is set, but it happens in the
unprivileged child.  The Match code overwrote this setting which had
the effect of changing the default.

The following patch (which will be in the next release) should fix it.
Apologies for the inconvenience.

Index: servconf.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/servconf.c,v
retrieving revision 1.161
diff -u -p -r1.161 servconf.c
--- servconf.c	1 Mar 2007 10:31:29 -0000	1.161
+++ servconf.c	22 Mar 2007 19:31:22 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.171 2007/03/09 05:20:06 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1387,8 +1387,4 @@ parse_server_config(ServerOptions *optio
 	if (bad_options > 0)
 		fatal("%s: terminating, %d bad configuration options",
 		    filename, bad_options);
-
-	/* challenge-response is implemented via keyboard interactive */
-	if (options->challenge_response_authentication == 1)
-		options->kbd_interactive_authentication = 1;
 }
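Review bot: removing the kbd_interactive_authentication derivation from the end of parse_server_config() looks correct, because this function runs before defaults are filled in (the sshd.c hunk's comment "Fill in default values for those options not explicitly set" shows fill_default_server_options() running afterwards), so an option the admin never wrote in sshd_config does not yet hold its final value here and the `== 1` test only fired when ChallengeResponseAuthentication was set explicitly, which matches the reported symptom. Consider leaving a one-line comment in place of the removed block saying where the derivation now happens, so it is not re-added here by a later change.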
Index: sshd.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/sshd.c,v
retrieving revision 1.362
diff -u -p -r1.362 sshd.c
--- sshd.c	25 Feb 2007 09:37:22 -0000	1.362
+++ sshd.c	22 Mar 2007 19:31:22 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.350 2007/03/09 05:20:06 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1421,6 +1421,10 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
+	/* challenge-response is implemented via keyboard interactive */
+	if (options.challenge_response_authentication)
+		options.kbd_interactive_authentication = 1;
+
 	/* set default channel AF */
 	channel_set_af(options.address_family);
 
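Review bot: the derivation now lives only at this one call site in main(); since the covering text says the Match code in the unprivileged child overwrote this setting, it would be more robust to put the two lines inside fill_default_server_options() itself so that every path which fills defaults also derives kbd_interactive_authentication, rather than depending on this single placement. Minor: the new test is `if (options.challenge_response_authentication)` while the removed servconf.c code used `== 1`; after defaults are filled the field should be 0 or 1, so the two are equivalent, but keeping the same comparison avoids a reader wondering whether an unset sentinel can still reach this point.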

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

