- markus@cvs.openbsd.org 2001/01/22 23:06:39

     [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
      sshconnect1.c sshconnect2.c sshd.c]
     rename skey -> challenge response.
     auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.

10 files changed, 57 insertions, 44 deletions

diff --git a/ChangeLog b/ChangeLog
index c8319d5ac..5052a0f12 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,11 @@
    - stevesk@cvs.openbsd.org 2001/01/22 17:22:28
      [sshconnect2.c sshd.c]
      fix memory leaks in SSH2 key exchange; ok markus@
+   - markus@cvs.openbsd.org 2001/01/22 23:06:39
+     [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
+      sshconnect1.c sshconnect2.c sshd.c]
+     rename skey -> challenge response.
+     auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
 
 
 20010122
diff --git a/auth1.c b/auth1.c
index 50037fd83..1dc2284a7 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.13 2001/01/21 19:05:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.14 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -281,7 +281,7 @@ do_authloop(Authctxt *authctxt)
 
                 case SSH_CMSG_AUTH_TIS:
                         debug("rcvd SSH_CMSG_AUTH_TIS");
-                        if (options.skey_authentication == 1) {
+                        if (options.challenge_reponse_authentication == 1) {
                                 char *challenge = get_challenge(authctxt, authctxt->style);
                                 if (challenge != NULL) {
                                         debug("sending challenge '%s'", challenge);
@@ -296,7 +296,7 @@ do_authloop(Authctxt *authctxt)
 
                 case SSH_CMSG_AUTH_TIS_RESPONSE:
                         debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
-                        if (options.skey_authentication == 1) {
+                        if (options.challenge_reponse_authentication == 1) {
                                 char *response = packet_get_string(&dlen);
                                 debug("got response '%s'", response);
                                 packet_integrity_check(plen, 4 + dlen, type);
diff --git a/auth2.c b/auth2.c
index 768feddeb..99be9e1ba 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.34 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -123,6 +123,10 @@ do_authentication2()
 
         x_authctxt = authctxt;          /*XXX*/
 
+        /* challenge-reponse is implemented via keyboard interactive */
+        if (options.challenge_reponse_authentication)
+                options.kbd_interactive_authentication = 1;
+
 #ifdef AFS
         /* If machine has AFS, set process authentication group. */
         if (k_hasafs()) {
@@ -401,7 +405,8 @@ userauth_kbdint(Authctxt *authctxt)
 
         debug("keyboard-interactive language %s devs %s", lang, devs);
 
-        authenticated = auth2_challenge(authctxt, devs);
+        if (options.challenge_reponse_authentication)
+                authenticated = auth2_challenge(authctxt, devs);
 
 #ifdef USE_PAM
         if (authenticated == 0)
diff --git a/readconf.c b/readconf.c
index a10aaff1c..5c091c60c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.58 2001/01/21 19:05:53 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -93,7 +93,7 @@ typedef enum {
         oBadOption,
         oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
         oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
-        oSkeyAuthentication, oXAuthLocation,
+        oChallengeResponseAuthentication, oXAuthLocation,
 #ifdef KRB4
         oKerberosAuthentication,
 #endif /* KRB4 */
@@ -104,7 +104,7 @@ typedef enum {
         oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
         oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
         oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-        oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+        oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
         oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol,
         oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
         oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias
@@ -127,8 +127,10 @@ static struct {
         { "kbdinteractivedevices", oKbdInteractiveDevices },
         { "rsaauthentication", oRSAAuthentication },
         { "pubkeyauthentication", oPubkeyAuthentication },
-        { "dsaauthentication", oPubkeyAuthentication },         /* alias */
-        { "skeyauthentication", oSkeyAuthentication },
+        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
+        { "challengeresponseauthentication", oChallengeResponseAuthentication },
+        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 #ifdef KRB4
         { "kerberosauthentication", oKerberosAuthentication },
 #endif /* KRB4 */
@@ -165,7 +167,6 @@ static struct {
         { "compressionlevel", oCompressionLevel },
         { "keepalive", oKeepAlives },
         { "numberofpasswordprompts", oNumberOfPasswordPrompts },
-        { "tisauthentication", oTISAuthentication },
         { "loglevel", oLogLevel },
         { NULL, 0 }
 };
@@ -318,10 +319,8 @@ parse_flag:
                 intptr = &options->rhosts_rsa_authentication;
                 goto parse_flag;
 
-        case oTISAuthentication:
-                /* fallthrough, there is no difference on the client side */
-        case oSkeyAuthentication:
-                intptr = &options->skey_authentication;
+        case oChallengeResponseAuthentication:
+                intptr = &options->challenge_reponse_authentication;
                 goto parse_flag;
 
 #ifdef KRB4
@@ -669,7 +668,7 @@ initialize_options(Options * options)
         options->rhosts_authentication = -1;
         options->rsa_authentication = -1;
         options->pubkey_authentication = -1;
-        options->skey_authentication = -1;
+        options->challenge_reponse_authentication = -1;
 #ifdef KRB4
         options->kerberos_authentication = -1;
 #endif
@@ -736,8 +735,8 @@ fill_default_options(Options * options)
                 options->rsa_authentication = 1;
         if (options->pubkey_authentication == -1)
                 options->pubkey_authentication = 1;
-        if (options->skey_authentication == -1)
-                options->skey_authentication = 0;
+        if (options->challenge_reponse_authentication == -1)
+                options->challenge_reponse_authentication = 0;
 #ifdef KRB4
         if (options->kerberos_authentication == -1)
                 options->kerberos_authentication = 1;
@@ -751,7 +750,7 @@ fill_default_options(Options * options)
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-                options->kbd_interactive_authentication = 0;
+                options->kbd_interactive_authentication = 1;
         if (options->rhosts_rsa_authentication == -1)
                 options->rhosts_rsa_authentication = 1;
         if (options->fallback_to_rsh == -1)
diff --git a/readconf.h b/readconf.h
index 08ff70839..241b7165c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -36,7 +36,8 @@ typedef struct {
                                                  * authentication. */
         int     rsa_authentication;     /* Try RSA authentication. */
         int     pubkey_authentication;  /* Try ssh2 pubkey authentication. */
-        int     skey_authentication;    /* Try S/Key or TIS authentication. */
+        int     challenge_reponse_authentication;
+                                        /* Try S/Key or TIS, authentication. */
 #ifdef KRB4
         int     kerberos_authentication;        /* Try Kerberos
                                                  * authentication. */
diff --git a/servconf.c b/servconf.c
index 7dfd040c8..2738c62e9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.62 2001/01/21 19:05:55 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.63 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef KRB4
 #include <krb.h>
@@ -77,7 +77,7 @@ initialize_server_options(ServerOptions *options)
 #endif
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
-        options->skey_authentication = -1;
+        options->challenge_reponse_authentication = -1;
         options->permit_empty_passwd = -1;
         options->use_login = -1;
         options->allow_tcp_forwarding = -1;
@@ -171,8 +171,8 @@ fill_default_server_options(ServerOptions *options)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
                 options->kbd_interactive_authentication = 0;
-        if (options->skey_authentication == -1)
-                options->skey_authentication = 1;
+        if (options->challenge_reponse_authentication == -1)
+                options->challenge_reponse_authentication = 1;
         if (options->permit_empty_passwd == -1)
                 options->permit_empty_passwd = 0;
         if (options->use_login == -1)
@@ -201,7 +201,7 @@ typedef enum {
 #ifdef AFS
         sKerberosTgtPassing, sAFSTokenPassing,
 #endif
-        sSkeyAuthentication,
+        sChallengeResponseAuthentication,
         sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
         sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
         sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
@@ -243,7 +243,8 @@ static struct {
 #endif
         { "passwordauthentication", sPasswordAuthentication },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
-        { "skeyauthentication", sSkeyAuthentication },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication },
+        { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
         { "checkmail", sCheckMail },
         { "listenaddress", sListenAddress },
         { "printmotd", sPrintMotd },
@@ -537,8 +538,8 @@ parse_flag:
                         intptr = &options->check_mail;
                         goto parse_flag;
 
-                case sSkeyAuthentication:
-                        intptr = &options->skey_authentication;
+                case sChallengeResponseAuthentication:
+                        intptr = &options->challenge_reponse_authentication;
                         goto parse_flag;
 
                 case sPrintMotd:
diff --git a/servconf.h b/servconf.h
index ea0694905..e31636701 100644
--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.34 2001/01/19 12:45:27 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.35 2001/01/22 23:06:40 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -80,8 +80,7 @@ typedef struct {
         int     password_authentication;        /* If true, permit password
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
-        int     skey_authentication;    /* If true, permit s/key
-                                         * authentication. */
+        int     challenge_reponse_authentication;
         int     permit_empty_passwd;    /* If false, do not permit empty
                                          * passwords. */
         int     use_login;      /* If true, login(1) is used */
diff --git a/sshconnect1.c b/sshconnect1.c
index 2c097256a..5a5a22227 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.19 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.20 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -613,7 +613,7 @@ send_afs_tokens(void)
  * Note that the client code is not tied to s/key or TIS.
  */
 int
-try_skey_authentication()
+try_challenge_reponse_authentication()
 {
         int type, i;
         int payload_len;
@@ -621,7 +621,7 @@ try_skey_authentication()
         char prompt[1024];
         char *challenge, *response;
 
-        debug("Doing skey authentication.");
+        debug("Doing challenge reponse authentication.");
 
         for (i = 0; i < options.number_of_password_prompts; i++) {
                 /* request a challenge */
@@ -633,10 +633,10 @@ try_skey_authentication()
                 if (type != SSH_SMSG_FAILURE &&
                     type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
                         packet_disconnect("Protocol error: got %d in response "
-                            "to skey-auth", type);
+                            "to SSH_CMSG_AUTH_TIS", type);
                 }
                 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-                        debug("No challenge for skey authentication.");
+                        debug("No challenge.");
                         return 0;
                 }
                 challenge = packet_get_string(&clen);
@@ -665,7 +665,7 @@ try_skey_authentication()
                         return 1;
                 if (type != SSH_SMSG_FAILURE)
                         packet_disconnect("Protocol error: got %d in response "
-                            "to skey-auth-reponse", type);
+                            "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
         }
         /* failure */
         return 0;
@@ -1018,10 +1018,10 @@ ssh_userauth(
                             try_rsa_authentication(options.identity_files[i]))
                                 return;
         }
-        /* Try skey authentication if the server supports it. */
+        /* Try challenge response authentication if the server supports it. */
         if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-            options.skey_authentication && !options.batch_mode) {
-                if (try_skey_authentication())
+            options.challenge_reponse_authentication && !options.batch_mode) {
+                if (try_challenge_reponse_authentication())
                         return;
         }
         /* Try password authentication if the server supports it. */
diff --git a/sshconnect2.c b/sshconnect2.c
index 1b4422876..1d911b9bb 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.38 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.39 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -513,6 +513,9 @@ ssh_userauth2(const char *server_user, char *host)
         int type;
         int plen;
 
+        if (options.challenge_reponse_authentication)
+                options.kbd_interactive_authentication = 1;
+
         debug("send SSH2_MSG_SERVICE_REQUEST");
         packet_start(SSH2_MSG_SERVICE_REQUEST);
         packet_put_cstring("ssh-userauth");
diff --git a/sshd.c b/sshd.c
index 686e7c26b..853553592 100644
--- a/sshd.c
+++ b/sshd.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.156 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.157 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1254,7 +1254,7 @@ do_ssh1_kex(void)
         if (options.afs_token_passing)
                 auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
 #endif
-        if (options.skey_authentication == 1)
+        if (options.challenge_reponse_authentication == 1)
                 auth_mask |= 1 << SSH_AUTH_TIS;
         if (options.password_authentication)
                 auth_mask |= 1 << SSH_AUTH_PASSWORD;