-rw-r--r-- | INSTALL | 10 | ||||
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | TODO | 2 | ||||
-rw-r--r-- | auth.h | 4 | ||||
-rw-r--r-- | auth2-chall.c | 14 | ||||
-rw-r--r-- | configure.ac | 50 | ||||
-rw-r--r-- | defines.h | 6 | ||||
-rw-r--r-- | monitor.c | 66 | ||||
-rw-r--r-- | monitor.h | 2 | ||||
-rw-r--r-- | monitor_wrap.c | 67 | ||||
-rw-r--r-- | monitor_wrap.h | 4 | ||||
-rw-r--r-- | readconf.c | 2 | ||||
-rw-r--r-- | servconf.c | 2 | ||||
-rw-r--r-- | ssh_config.5 | 5 | ||||
-rw-r--r-- | sshd_config.5 | 5 |
15 files changed, 9 insertions, 232 deletions
@@ -66,13 +66,6 @@ passphrase requester. This is maintained separately at: | |||
66 | 66 | ||
67 | http://www.jmknoble.net/software/x11-ssh-askpass/ | 67 | http://www.jmknoble.net/software/x11-ssh-askpass/ |
68 | 68 | ||
69 | S/Key Libraries: | ||
70 | |||
71 | If you wish to use --with-skey then you will need the library below | ||
72 | installed. No other S/Key library is currently known to be supported. | ||
73 | |||
74 | http://www.sparc.spb.su/solaris/skey/ | ||
75 | |||
76 | LibEdit: | 69 | LibEdit: |
77 | 70 | ||
78 | sftp supports command-line editing via NetBSD's libedit. If your platform | 71 | sftp supports command-line editing via NetBSD's libedit. If your platform |
@@ -184,9 +177,6 @@ it if lastlog is installed in a different place. | |||
184 | --with-osfsia, --without-osfsia will enable or disable OSF1's Security | 177 | --with-osfsia, --without-osfsia will enable or disable OSF1's Security |
185 | Integration Architecture. The default for OSF1 machines is enable. | 178 | Integration Architecture. The default for OSF1 machines is enable. |
186 | 179 | ||
187 | --with-skey=PATH will enable S/Key one time password support. You will | ||
188 | need the S/Key libraries and header files installed for this to work. | ||
189 | |||
190 | --with-md5-passwords will enable the use of MD5 passwords. Enable this | 180 | --with-md5-passwords will enable the use of MD5 passwords. Enable this |
191 | if your operating system uses MD5 passwords and the system crypt() does | 181 | if your operating system uses MD5 passwords and the system crypt() does |
192 | not support them directly (see the crypt(3/3c) man page). If enabled, the | 182 | not support them directly (see the crypt(3/3c) man page). If enabled, the |
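--- a/Makefile.in
+++ b/Makefile.in
@@ -110,7 +110,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
 sshpty.o sshlogin.o servconf.o serverloop.o \
 auth.o auth2.o auth-options.o session.o \
 auth2-chall.o groupaccess.o \
-auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 auth2-none.o auth2-passwd.o auth2-pubkey.o \
 monitor.o monitor_wrap.o auth-krb5.o \
 auth2-gss.o gss-serv.o gss-serv-krb5.o \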
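Review bot: `auth-skey.o` leaves `SSHDOBJS` on this line, but the diffstat of the commit lists no change to the matching source file (presumably `auth-skey.c`), so that file appears to stay in the tree as authentication code that is no longer built. Unbuilt code of this kind stops being compiled and reviewed while still showing up in audits and greps, so I would delete it in this same commit or, if it has to stay for a sync reason, say so in the commit message. The `SSHDOBJS` assignment starts and ends outside the hunk.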
@@ -35,7 +35,7 @@ Programming: | |||
35 | - Use different PAM service name for kbdint vs regular auth (suggest from | 35 | - Use different PAM service name for kbdint vs regular auth (suggest from |
36 | Solar Designer) | 36 | Solar Designer) |
37 | - Ability to select which ChallengeResponseAuthentications may be used | 37 | - Ability to select which ChallengeResponseAuthentications may be used |
38 | and order to try them in e.g. "ChallengeResponseAuthentication skey, pam" | 38 | and order to try them in e.g. "ChallengeResponseAuthentication pam" |
39 | 39 | ||
40 | - Complete Tru64 SIA support | 40 | - Complete Tru64 SIA support |
41 | - It looks like we could merge it into the password auth code to cut down | 41 | - It looks like we could merge it into the password auth code to cut down |
@@ -187,8 +187,6 @@ int auth2_challenge(struct ssh *, char *); | |||
187 | void auth2_challenge_stop(struct ssh *); | 187 | void auth2_challenge_stop(struct ssh *); |
188 | int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **); | 188 | int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **); |
189 | int bsdauth_respond(void *, u_int, char **); | 189 | int bsdauth_respond(void *, u_int, char **); |
190 | int skey_query(void *, char **, char **, u_int *, char ***, u_int **); | ||
191 | int skey_respond(void *, u_int, char **); | ||
192 | 190 | ||
193 | int allowed_user(struct passwd *); | 191 | int allowed_user(struct passwd *); |
194 | struct passwd * getpwnamallow(const char *user); | 192 | struct passwd * getpwnamallow(const char *user); |
@@ -239,8 +237,6 @@ pid_t subprocess(const char *, struct passwd *, | |||
239 | 237 | ||
240 | int sys_auth_passwd(struct ssh *, const char *); | 238 | int sys_auth_passwd(struct ssh *, const char *); |
241 | 239 | ||
242 | #define SKEY_PROMPT "\nS/Key Password: " | ||
243 | |||
244 | #if defined(KRB5) && !defined(HEIMDAL) | 240 | #if defined(KRB5) && !defined(HEIMDAL) |
245 | #include <krb5.h> | 241 | #include <krb5.h> |
246 | krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); | 242 | krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); |
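--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -58,9 +58,6 @@ extern KbdintDevice bsdauth_device;
 #ifdef USE_PAM
 extern KbdintDevice sshpam_device;
 #endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
 #endif
 
 KbdintDevice *devices[] = {
@@ -70,9 +67,6 @@ KbdintDevice *devices[] = {
 #ifdef USE_PAM
 &sshpam_device,
 #endif
-#ifdef SKEY
-&skey_device,
-#endif
 #endif
 NULL
 };
@@ -369,7 +363,7 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 void
 privsep_challenge_enable(void)
 {
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+#if defined(BSD_AUTH) || defined(USE_PAM)
 int n = 0;
 #endif
 #ifdef BSD_AUTH
@@ -378,9 +372,6 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
 extern KbdintDevice mm_sshpam_device;
 #endif
-#ifdef SKEY
-extern KbdintDevice mm_skey_device;
-#endif
 
 #ifdef BSD_AUTH
 devices[n++] = &mm_bsdauth_device;
@@ -388,8 +379,5 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
 devices[n++] = &mm_sshpam_device;
 #endif
-#ifdef SKEY
-devices[n++] = &mm_skey_device;
-#endif
 #endif
 }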
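--- a/configure.ac
+++ b/configure.ac
@@ -1495,55 +1495,6 @@ else
 AC_MSG_RESULT([no])
 fi
 
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH([skey],
-[ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)],
-[
-if test "x$withval" != "xno" ; then
-
-if test "x$withval" != "xyes" ; then
-CPPFLAGS="$CPPFLAGS -I${withval}/include"
-LDFLAGS="$LDFLAGS -L${withval}/lib"
-fi
-
-AC_DEFINE([SKEY], [1], [Define if you want S/Key support])
-LIBS="-lskey $LIBS"
-SKEY_MSG="yes"
-
-AC_MSG_CHECKING([for s/key support])
-AC_LINK_IFELSE(
-[AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
-]], [[
-char *ff = skey_keyinfo(""); ff="";
-exit(0);
-]])],
-[AC_MSG_RESULT([yes])],
-[
-AC_MSG_RESULT([no])
-AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
-])
-AC_MSG_CHECKING([if skeychallenge takes 4 arguments])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
-]], [[
-(void)skeychallenge(NULL,"name","",0);
-]])],
-[
-AC_MSG_RESULT([yes])
-AC_DEFINE([SKEYCHALLENGE_4ARG], [1],
-[Define if your skeychallenge()
-function takes 4 arguments (NetBSD)])],
-[
-AC_MSG_RESULT([no])
-])
-fi
-]
-)
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5219,7 +5170,6 @@ echo " PAM support: $PAM_MSG"
 echo " OSF SIA support: $SIA_MSG"
 echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
-echo " S/KEY support: $SKEY_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " libldns support: $LDNS_MSG"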
@@ -660,12 +660,6 @@ struct winsize { | |||
660 | # define krb5_get_err_text(context,code) error_message(code) | 660 | # define krb5_get_err_text(context,code) error_message(code) |
661 | #endif | 661 | #endif |
662 | 662 | ||
663 | #if defined(SKEYCHALLENGE_4ARG) | ||
664 | # define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d) | ||
665 | #else | ||
666 | # define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c) | ||
667 | #endif | ||
668 | |||
669 | /* Maximum number of file descriptors available */ | 663 | /* Maximum number of file descriptors available */ |
670 | #ifdef HAVE_SYSCONF | 664 | #ifdef HAVE_SYSCONF |
671 | # define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX) | 665 | # define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX) |
@@ -56,10 +56,6 @@ | |||
56 | # endif | 56 | # endif |
57 | #endif | 57 | #endif |
58 | 58 | ||
59 | #ifdef SKEY | ||
60 | #include <skey.h> | ||
61 | #endif | ||
62 | |||
63 | #ifdef WITH_OPENSSL | 59 | #ifdef WITH_OPENSSL |
64 | #include <openssl/dh.h> | 60 | #include <openssl/dh.h> |
65 | #endif | 61 | #endif |
@@ -122,8 +118,6 @@ int mm_answer_authserv(int, struct sshbuf *); | |||
122 | int mm_answer_authpassword(int, struct sshbuf *); | 118 | int mm_answer_authpassword(int, struct sshbuf *); |
123 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 119 | int mm_answer_bsdauthquery(int, struct sshbuf *); |
124 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 120 | int mm_answer_bsdauthrespond(int, struct sshbuf *); |
125 | int mm_answer_skeyquery(int, struct sshbuf *); | ||
126 | int mm_answer_skeyrespond(int, struct sshbuf *); | ||
127 | int mm_answer_keyallowed(int, struct sshbuf *); | 121 | int mm_answer_keyallowed(int, struct sshbuf *); |
128 | int mm_answer_keyverify(int, struct sshbuf *); | 122 | int mm_answer_keyverify(int, struct sshbuf *); |
129 | int mm_answer_pty(int, struct sshbuf *); | 123 | int mm_answer_pty(int, struct sshbuf *); |
@@ -212,10 +206,6 @@ struct mon_table mon_dispatch_proto20[] = { | |||
212 | {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, | 206 | {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, |
213 | {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond}, | 207 | {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond}, |
214 | #endif | 208 | #endif |
215 | #ifdef SKEY | ||
216 | {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, | ||
217 | {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, | ||
218 | #endif | ||
219 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, | 209 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, |
220 | {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, | 210 | {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, |
221 | #ifdef GSSAPI | 211 | #ifdef GSSAPI |
@@ -960,62 +950,6 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m) | |||
960 | } | 950 | } |
961 | #endif | 951 | #endif |
962 | 952 | ||
963 | #ifdef SKEY | ||
964 | int | ||
965 | mm_answer_skeyquery(int sock, struct sshbuf *m) | ||
966 | { | ||
967 | struct skey skey; | ||
968 | char challenge[1024]; | ||
969 | u_int success; | ||
970 | int r; | ||
971 | |||
972 | success = _compat_skeychallenge(&skey, authctxt->user, challenge, | ||
973 | sizeof(challenge)) < 0 ? 0 : 1; | ||
974 | |||
975 | sshbuf_reset(m); | ||
976 | if ((r = sshbuf_put_u32(m, success)) != 0) | ||
977 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
978 | if (success) { | ||
979 | if ((r = sshbuf_put_cstring(m, challenge)) != 0) | ||
980 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
981 | } | ||
982 | debug3("%s: sending challenge success: %u", __func__, success); | ||
983 | mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m); | ||
984 | |||
985 | return (0); | ||
986 | } | ||
987 | |||
988 | int | ||
989 | mm_answer_skeyrespond(int sock, struct sshbuf *m) | ||
990 | { | ||
991 | char *response; | ||
992 | size_t rlen; | ||
993 | int authok, r; | ||
994 | |||
995 | if ((r = sshbuf_get_cstring(m, &response, &rlen)) != 0) | ||
996 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
997 | |||
998 | authok = (options.challenge_response_authentication && | ||
999 | authctxt->valid && | ||
1000 | skey_haskey(authctxt->pw->pw_name) == 0 && | ||
1001 | skey_passcheck(authctxt->pw->pw_name, response) != -1); | ||
1002 | |||
1003 | freezero(response, rlen); | ||
1004 | |||
1005 | sshbuf_reset(m); | ||
1006 | if ((r = sshbuf_put_u32(m, authok)) != 0) | ||
1007 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
1008 | |||
1009 | debug3("%s: sending authenticated: %d", __func__, authok); | ||
1010 | mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); | ||
1011 | |||
1012 | auth_method = "keyboard-interactive"; | ||
1013 | auth_submethod = "skey"; | ||
1014 | |||
1015 | return (authok != 0); | ||
1016 | } | ||
1017 | #endif | ||
1018 | |||
1019 | #ifdef USE_PAM | 953 | #ifdef USE_PAM |
1020 | int | 954 | int |
1021 | mm_answer_pam_start(int sock, struct sshbuf *m) | 955 | mm_answer_pam_start(int sock, struct sshbuf *m) |
@@ -39,8 +39,6 @@ enum monitor_reqtype { | |||
39 | MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13, | 39 | MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13, |
40 | MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15, | 40 | MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15, |
41 | MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17, | 41 | MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17, |
42 | MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19, | ||
43 | MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21, | ||
44 | MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23, | 42 | MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23, |
45 | MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25, | 43 | MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25, |
46 | MONITOR_REQ_KEYEXPORT = 26, | 44 | MONITOR_REQ_KEYEXPORT = 26, |
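--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -867,73 +867,6 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 return ((authok == 0) ? -1 : 0);
 }
 
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
-u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-struct sshbuf *m;
-u_int success;
-char *challenge;
-int r;
-
-debug3("%s: entering", __func__);
-
-if ((m = sshbuf_new()) == NULL)
-fatal("%s: sshbuf_new failed", __func__);
-mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, m);
-
-mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, m);
-if ((r = sshbuf_get_u32(m, &success)) != 0)
-fatal("%s: buffer error: %s", __func__, ssh_err(r));
-if (success == 0) {
-debug3("%s: no challenge", __func__);
-sshbuf_free(m);
-return (-1);
-}
-
-/* Get the challenge, and format the response */
-if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
-fatal("%s: buffer error: %s", __func__, ssh_err(r));
-sshbuf_free(m);
-
-debug3("%s: received challenge: %s", __func__, challenge);
-
-mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
-xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-free(challenge);
-
-return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-struct sshbuf *m;
-int authok, r;
-
-debug3("%s: entering", __func__);
-if (numresponses != 1)
-return (-1);
-
-if ((m = sshbuf_new()) == NULL)
-fatal("%s: sshbuf_new failed", __func__);
-if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
-fatal("%s: buffer error: %s", __func__, ssh_err(r));
-mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, m);
-
-mm_request_receive_expect(pmonitor->m_recvfd,
-MONITOR_ANS_SKEYRESPOND, m);
-
-if ((r = sshbuf_get_u32(m, &authok)) != 0)
-fatal("%s: buffer error: %s", __func__, ssh_err(r));
-sshbuf_free(m);
-
-return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
 #ifdef SSH_AUDIT_EVENTS
 void
 mm_audit_event(ssh_audit_event_t event)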
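--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -97,8 +97,4 @@ void mm_send_keystate(struct monitor*);
 int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_bsdauth_respond(void *, u_int, char **);
 
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
 #endif /* _MM_WRAP_H_ */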
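--- a/readconf.c
+++ b/readconf.c
@@ -230,7 +230,7 @@ static struct {
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
 { "hostbasedauthentication", oHostbasedAuthentication },
 { "challengeresponseauthentication", oChallengeResponseAuthentication },
-{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+{ "skeyauthentication", oUnsupported },
 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
 { "identityfile", oIdentityFile },
 { "identityfile2", oIdentityFile }, /* obsolete */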
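Review bot: `skeyauthentication` was an alias of `challengeresponseauthentication` and becomes `oUnsupported` on this line, so a configuration that used `SKeyAuthentication no` to turn challenge-response authentication off no longer does so. The `servconf.c` hunk makes the same change with `sDeprecated`, and that is the side where it matters most: an sshd_config hardened only through the alias would fall back to the default of `ChallengeResponseAuthentication`, which is not visible in this diff. The two tables also pick different replacements (`oUnsupported` against `sDeprecated`); if that is intended it deserves a word. I would add a comment on both entries, such as `/* formerly an alias of challengeresponseauthentication; now ignored */`, and call the change out in the release notes so that operators re-check their configuration. Both keyword tables start and end outside their hunks.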
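--- a/servconf.c
+++ b/servconf.c
@@ -564,7 +564,7 @@ static struct {
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },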
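--- a/ssh_config.5
+++ b/ssh_config.5
@@ -997,10 +997,9 @@ The default is to use the server specified list.
 The methods available vary depending on what the server supports.
 For an OpenSSH server,
 it may be zero or more of:
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
 and
-.Cm skey .
+.Cm pam .
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.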
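--- a/sshd_config.5
+++ b/sshd_config.5
@@ -205,10 +205,9 @@ keyboard-interactive authentication before public key.
 For keyboard interactive authentication it is also possible to
 restrict authentication to a specific device by appending a
 colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
 or
-.Cm skey ,
+.Cm pam .
 depending on the server configuration.
 For example,
 .Qq keyboard-interactive:bsdauth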