Remove support for S/Key

Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.

15 files changed, 9 insertions, 232 deletions

diff --git a/INSTALL b/INSTALL
index d5275113b..3fd265dbf 100644
--- a/INSTALL
+++ b/INSTALL
@@ -66,13 +66,6 @@ passphrase requester. This is maintained separately at:
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 
-S/Key Libraries:
-
-If you wish to use --with-skey then you will need the library below
-installed.  No other S/Key library is currently known to be supported.
-
-http://www.sparc.spb.su/solaris/skey/
-
 LibEdit:
 
 sftp supports command-line editing via NetBSD's libedit.  If your platform
@@ -184,9 +177,6 @@ it if lastlog is installed in a different place.
 --with-osfsia, --without-osfsia will enable or disable OSF1's Security
 Integration Architecture.  The default for OSF1 machines is enable.
 
---with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does
 not support them directly (see the crypt(3/3c) man page). If enabled, the
diff --git a/Makefile.in b/Makefile.in
index c3b67aa61..ac744cbd2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -110,7 +110,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
         sshpty.o sshlogin.o servconf.o serverloop.o \
         auth.o auth2.o auth-options.o session.o \
         auth2-chall.o groupaccess.o \
-        auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+        auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
         auth2-none.o auth2-passwd.o auth2-pubkey.o \
         monitor.o monitor_wrap.o auth-krb5.o \
         auth2-gss.o gss-serv.o gss-serv-krb5.o \
diff --git a/TODO b/TODO
index 771162b30..b76529c96 100644
--- a/TODO
+++ b/TODO
@@ -35,7 +35,7 @@ Programming:
  - Use different PAM service name for kbdint vs regular auth (suggest from
    Solar Designer)
  - Ability to select which ChallengeResponseAuthentications may be used
-   and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
+   and order to try them in e.g. "ChallengeResponseAuthentication pam"
 
 - Complete Tru64 SIA support
  - It looks like we could merge it into the password auth code to cut down
diff --git a/auth.h b/auth.h
index 29491df98..977562f0a 100644
--- a/auth.h
+++ b/auth.h
@@ -187,8 +187,6 @@ int	auth2_challenge(struct ssh *, char *);
 void    auth2_challenge_stop(struct ssh *);
 int     bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int     bsdauth_respond(void *, u_int, char **);
-int     skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int     skey_respond(void *, u_int, char **);
 
 int     allowed_user(struct passwd *);
 struct passwd * getpwnamallow(const char *user);
@@ -239,8 +237,6 @@ pid_t	subprocess(const char *, struct passwd *,
 
 int      sys_auth_passwd(struct ssh *, const char *);
 
-#define SKEY_PROMPT "\nS/Key Password: "
-
 #if defined(KRB5) && !defined(HEIMDAL)
 #include <krb5.h>
 krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
diff --git a/auth2-chall.c b/auth2-chall.c
index 4fd18f467..2d5cff448 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -58,9 +58,6 @@ extern KbdintDevice bsdauth_device;
 #ifdef USE_PAM
 extern KbdintDevice sshpam_device;
 #endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
 #endif
 
 KbdintDevice *devices[] = {
@@ -70,9 +67,6 @@ KbdintDevice *devices[] = {
 #ifdef USE_PAM
         &sshpam_device,
 #endif
-#ifdef SKEY
-        &skey_device,
-#endif
 #endif
         NULL
 };
@@ -369,7 +363,7 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 void
 privsep_challenge_enable(void)
 {
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+#if defined(BSD_AUTH) || defined(USE_PAM)
         int n = 0;
 #endif
 #ifdef BSD_AUTH
@@ -378,9 +372,6 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
         extern KbdintDevice mm_sshpam_device;
 #endif
-#ifdef SKEY
-        extern KbdintDevice mm_skey_device;
-#endif
 
 #ifdef BSD_AUTH
         devices[n++] = &mm_bsdauth_device;
@@ -388,8 +379,5 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
         devices[n++] = &mm_sshpam_device;
 #endif
-#ifdef SKEY
-        devices[n++] = &mm_skey_device;
-#endif
 #endif
 }
diff --git a/configure.ac b/configure.ac
index 8c6827a7b..c4c759d4e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1495,55 +1495,6 @@ else
         AC_MSG_RESULT([no])
 fi
 
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH([skey],
-        [  --with-skey[[=PATH]]      Enable S/Key support (optionally in PATH)],
-        [
-                if test "x$withval" != "xno" ; then
-
-                        if test "x$withval" != "xyes" ; then
-                                CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                                LDFLAGS="$LDFLAGS -L${withval}/lib"
-                        fi
-
-                        AC_DEFINE([SKEY], [1], [Define if you want S/Key support])
-                        LIBS="-lskey $LIBS"
-                        SKEY_MSG="yes"
-
-                        AC_MSG_CHECKING([for s/key support])
-                        AC_LINK_IFELSE(
-                                [AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
-                                ]], [[
-        char *ff = skey_keyinfo(""); ff="";
-        exit(0);
-                                ]])],
-                                [AC_MSG_RESULT([yes])],
-                                [
-                                        AC_MSG_RESULT([no])
-                                        AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
-                                ])
-                        AC_MSG_CHECKING([if skeychallenge takes 4 arguments])
-                        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
-                                ]], [[
-        (void)skeychallenge(NULL,"name","",0);
-                                ]])],
-                        [
-                                AC_MSG_RESULT([yes])
-                                AC_DEFINE([SKEYCHALLENGE_4ARG], [1],
-                                        [Define if your skeychallenge()
-                                        function takes 4 arguments (NetBSD)])],
-                        [
-                                AC_MSG_RESULT([no])
-                        ])
-                fi
-        ]
-)
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5219,7 +5170,6 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
-echo "                     S/KEY support: $SKEY_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
diff --git a/defines.h b/defines.h
index 3fa5ec5a9..8f4213062 100644
--- a/defines.h
+++ b/defines.h
@@ -660,12 +660,6 @@ struct winsize {
 #  define krb5_get_err_text(context,code) error_message(code)
 #endif
 
-#if defined(SKEYCHALLENGE_4ARG)
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
-#else
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
-#endif
-
 /* Maximum number of file descriptors available */
 #ifdef HAVE_SYSCONF
 # define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
diff --git a/monitor.c b/monitor.c
index 78f9c5038..d4b4b0471 100644
--- a/monitor.c
+++ b/monitor.c
@@ -56,10 +56,6 @@
 # endif
 #endif
 
-#ifdef SKEY
-#include <skey.h>
-#endif
-
 #ifdef WITH_OPENSSL
 #include <openssl/dh.h>
 #endif
@@ -122,8 +118,6 @@ int mm_answer_authserv(int, struct sshbuf *);
 int mm_answer_authpassword(int, struct sshbuf *);
 int mm_answer_bsdauthquery(int, struct sshbuf *);
 int mm_answer_bsdauthrespond(int, struct sshbuf *);
-int mm_answer_skeyquery(int, struct sshbuf *);
-int mm_answer_skeyrespond(int, struct sshbuf *);
 int mm_answer_keyallowed(int, struct sshbuf *);
 int mm_answer_keyverify(int, struct sshbuf *);
 int mm_answer_pty(int, struct sshbuf *);
@@ -212,10 +206,6 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
     {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
 #endif
-#ifdef SKEY
-    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
-    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-#endif
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
 #ifdef GSSAPI
@@ -960,62 +950,6 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
 }
 #endif
 
-#ifdef SKEY
-int
-mm_answer_skeyquery(int sock, struct sshbuf *m)
-{
-        struct skey skey;
-        char challenge[1024];
-        u_int success;
-        int r;
-
-        success = _compat_skeychallenge(&skey, authctxt->user, challenge,
-            sizeof(challenge)) < 0 ? 0 : 1;
-
-        sshbuf_reset(m);
-        if ((r = sshbuf_put_u32(m, success)) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        if (success) {
-                if ((r = sshbuf_put_cstring(m, challenge)) != 0)
-                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        }
-        debug3("%s: sending challenge success: %u", __func__, success);
-        mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
-
-        return (0);
-}
-
-int
-mm_answer_skeyrespond(int sock, struct sshbuf *m)
-{
-        char *response;
-        size_t rlen;
-        int authok, r;
-
-        if ((r = sshbuf_get_cstring(m, &response, &rlen)) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
-        authok = (options.challenge_response_authentication &&
-            authctxt->valid &&
-            skey_haskey(authctxt->pw->pw_name) == 0 &&
-            skey_passcheck(authctxt->pw->pw_name, response) != -1);
-
-        freezero(response, rlen);
-
-        sshbuf_reset(m);
-        if ((r = sshbuf_put_u32(m, authok)) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
-        debug3("%s: sending authenticated: %d", __func__, authok);
-        mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
-
-        auth_method = "keyboard-interactive";
-        auth_submethod = "skey";
-
-        return (authok != 0);
-}
-#endif
-
 #ifdef USE_PAM
 int
 mm_answer_pam_start(int sock, struct sshbuf *m)
diff --git a/monitor.h b/monitor.h
index 0c7635000..16047299f 100644
--- a/monitor.h
+++ b/monitor.h
@@ -39,8 +39,6 @@ enum monitor_reqtype {
         MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
         MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
         MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
-        MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
-        MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
         MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
         MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
         MONITOR_REQ_KEYEXPORT = 26,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 3cb26c2ac..732fb3476 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -867,73 +867,6 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
         return ((authok == 0) ? -1 : 0);
 }
 
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-        struct sshbuf *m;
-        u_int success;
-        char *challenge;
-        int r;
-
-        debug3("%s: entering", __func__);
-
-        if ((m = sshbuf_new()) == NULL)
-                fatal("%s: sshbuf_new failed", __func__);
-        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, m);
-
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, m);
-        if ((r = sshbuf_get_u32(m, &success)) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        if (success == 0) {
-                debug3("%s: no challenge", __func__);
-                sshbuf_free(m);
-                return (-1);
-        }
-
-        /* Get the challenge, and format the response */
-        if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        sshbuf_free(m);
-
-        debug3("%s: received challenge: %s", __func__, challenge);
-
-        mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
-        xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-        free(challenge);
-
-        return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-        struct sshbuf *m;
-        int authok, r;
-
-        debug3("%s: entering", __func__);
-        if (numresponses != 1)
-                return (-1);
-
-        if ((m = sshbuf_new()) == NULL)
-                fatal("%s: sshbuf_new failed", __func__);
-        if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, m);
-
-        mm_request_receive_expect(pmonitor->m_recvfd,
-            MONITOR_ANS_SKEYRESPOND, m);
-
-        if ((r = sshbuf_get_u32(m, &authok)) != 0)
-                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        sshbuf_free(m);
-
-        return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
 #ifdef SSH_AUDIT_EVENTS
 void
 mm_audit_event(ssh_audit_event_t event)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index a3ac17d1d..644da081d 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -97,8 +97,4 @@ void mm_send_keystate(struct monitor*);
 int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_bsdauth_respond(void *, u_int, char **);
 
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
 #endif /* _MM_WRAP_H_ */
diff --git a/readconf.c b/readconf.c
index 4ab312fff..4b11bab5e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -230,7 +230,7 @@ static struct {
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
         { "hostbasedauthentication", oHostbasedAuthentication },
         { "challengeresponseauthentication", oChallengeResponseAuthentication },
-        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+        { "skeyauthentication", oUnsupported },
         { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
         { "identityfile", oIdentityFile },
         { "identityfile2", oIdentityFile },                     /* obsolete */
diff --git a/servconf.c b/servconf.c
index aafefde93..f1010b3b9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -564,7 +564,7 @@ static struct {
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-        { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+        { "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
         { "checkmail", sDeprecated, SSHCFG_GLOBAL },
         { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
         { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
diff --git a/ssh_config.5 b/ssh_config.5
index fe52578f4..f499396a3 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -997,10 +997,9 @@ The default is to use the server specified list.
 The methods available vary depending on what the server supports.
 For an OpenSSH server,
 it may be zero or more of:
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
 and
-.Cm skey .
+.Cm pam .
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
diff --git a/sshd_config.5 b/sshd_config.5
index 02d8e436b..e1b54ba20 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -205,10 +205,9 @@ keyboard-interactive authentication before public key.
 For keyboard interactive authentication it is also possible to
 restrict authentication to a specific device by appending a
 colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
 or
-.Cm skey ,
+.Cm pam .
 depending on the server configuration.
 For example,
 .Qq keyboard-interactive:bsdauth