auth2-kbdint.c: Is it a bug that it mixes references to options.kbd_interactive_authentication and options.challenge_response_authentication ?

Max Bowsher _ at maxb.eu
Fri Jul 22 10:04:21 EST 2011


Hello,

I was chasing some unexpected behaviour from OpenSSH, and have come
across an oddity in the source code which may or may not be a bug.

In auth2-kbdint.c, the Authmethod struct declares
options.kbd_interactive_authentication as the enabled flag for this
method. However in the implementation function a few lines above, it
checks options.challenge_response_authentication to decide whether to
actually proceed with the authentication.

This results in the behaviour of "ChallengeResponseAuthentication no"
also disabling keyboard-interactive authentication, even if
"KbdInteractiveAuthentication yes" is specified.

I'd call this a bug, but other places in the source code have
interactions between these options, so I'm not sure whether it is
intended or not.

Also, the KbdInteractiveAuthentication option isn't explicitly
documented in the manpages, so I'm unsure if it's actually intended to
be used or not.

Hoping someone can shed some light on this,
Max.
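
A configuration check for the interaction described in the message above, as an added example that is not part of the original post or of OpenSSH: it reads the global section of an sshd_config and flags the case where `KbdInteractiveAuthentication yes` is set alongside `ChallengeResponseAuthentication no`. The function names, the simplified tokenising and the sample configurations are assumptions made for illustration; `Match` blocks are not evaluated.

```python
import re

# Keywords named in the post, lower-cased (sshd_config keywords are case-insensitive).
KBDINT = "kbdinteractiveauthentication"
CHALRESP = "challengeresponseauthentication"


def global_settings(config_text):
    """Return {keyword: value} for the global section; the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Simplified tokenising: keyword, then whitespace and/or one '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        seen.setdefault(keyword, value)  # later duplicates are ignored
    return seen


def kbdint_conflict(config_text):
    """True when keyboard-interactive is requested but, per the post,
    'ChallengeResponseAuthentication no' would still disable it."""
    s = global_settings(config_text)
    return s.get(KBDINT) == "yes" and s.get(CHALRESP) == "no"


# Constructed sample configurations (not taken from any real host).
SAMPLE_CONFLICT = """\
# constructed example
PasswordAuthentication no
challengeresponseauthentication no
KbdInteractiveAuthentication yes
"""

SAMPLE_OK = """\
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
# the next line is a duplicate and is ignored: first value wins
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("conflict", SAMPLE_CONFLICT), ("ok", SAMPLE_OK)):
        print(name, kbdint_conflict(text))
```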
