6 files changed, 31 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 1e1ad344c..ddf385f8a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
     [ssh-keygen.c]
     remove debug
 - (bal) Whitespace resync w/ OpenBSD for uidswap.c
+ - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
+   (default: off), implies KbdInteractiveAuthentication. Suggestion from 
+   markus@
 20010424
 - OpenBSD CVS Sync
@@ -5246,4 +5249,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1168 2001/04/25 06:27:59 mouring Exp $
+$Id: ChangeLog,v 1.1169 2001/04/25 12:44:14 djm Exp $
diff --git a/auth2.c b/auth2.c
index 5ffd43fe5..f357b5826 100644
--- a/auth2.c
+++ b/auth2.c
@@ -127,6 +127,8 @@ do_authentication2()
        /* challenge-reponse is implemented via keyboard interactive */
        if (options.challenge_reponse_authentication)
                options.kbd_interactive_authentication = 1;
+        if (options.pam_authentication_via_kbd_int)
+                options.kbd_interactive_authentication = 1;
        dispatch_init(&protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
@@ -411,7 +413,7 @@ userauth_kbdint(Authctxt *authctxt)
                authenticated = auth2_challenge(authctxt, devs);
 #ifdef USE_PAM
-        if (authenticated == 0)
+        if (authenticated == 0 && options.pam_authentication_via_kbd_int)
                authenticated = auth2_pam(authctxt);
 #endif
        xfree(lang);
diff --git a/servconf.c b/servconf.c
index 3d0c9efa6..73c07c2fe 100644
--- a/servconf.c
+++ b/servconf.c
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
        options->reverse_mapping_check = -1;
        options->client_alive_interval = -1;
        options->client_alive_count_max = -1;
+        options->pam_authentication_via_kbd_int = -1;
 }
 void
@@ -207,6 +208,8 @@ fill_default_server_options(ServerOptions *options)
                options->client_alive_interval = 0;  
        if (options->client_alive_count_max == -1)
                options->client_alive_count_max = 3;
+        if (options->pam_authentication_via_kbd_int == -1)
+                options->pam_authentication_via_kbd_int = 0;
 }
 /* Keyword tokens. */
@@ -232,7 +235,7 @@ typedef enum {
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
        sBanner, sReverseMappingCheck, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 
-        sClientAliveCountMax
+        sClientAliveCountMax, sPAMAuthenticationViaKbdInt
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -298,6 +301,7 @@ static struct {
        { "reversemappingcheck", sReverseMappingCheck },
        { "clientaliveinterval", sClientAliveInterval },
        { "clientalivecountmax", sClientAliveCountMax },
+        { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
        { NULL, 0 }
 };
@@ -794,6 +798,10 @@ parse_flag:
                case sClientAliveCountMax:
                        intptr = &options->client_alive_count_max;
                        goto parse_int;
+                case sPAMAuthenticationViaKbdInt:
+                        intptr = &options->pam_authentication_via_kbd_int;
+                        goto parse_flag;
                default:
                        fatal("%s line %d: Missing handler for opcode %s (%d)",
                            filename, linenum, arg, opcode);
diff --git a/servconf.h b/servconf.h
index 4c02c0f52..78bca97f3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -124,7 +124,7 @@ typedef struct {
                                         * for this many intervals, above
                                         * diconnect the session 
                                         */
+        int     pam_authentication_via_kbd_int;
 }       ServerOptions;
 /*
 * Initializes the server options to special values that indicate that they
diff --git a/sshd.8 b/sshd.8
index 62e3de7c6..56723392a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -616,6 +616,14 @@ The probability increases linearly and all connection attempts
 are refused if the number of unauthenticated connections reaches
 .Dq full
 (60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but 
+it will allow password authentication regardless of whether 
+.Cm PasswordAuthentication
+is disabled.
+The default is
+.Dq no .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
diff --git a/sshd_config b/sshd_config
index fda1456e6..8c411e476 100644
--- a/sshd_config
+++ b/sshd_config
@@ -46,10 +46,12 @@ RSAAuthentication yes
 PasswordAuthentication yes
 PermitEmptyPasswords no
-# Comment to enable s/key passwords or PAM interactive authentication
+# Uncomment to disable s/key passwords 
-# NB. Neither of these are compiled in by default. Please read the
+#ChallengeResponseAuthentication no
-# notes in the sshd(8) manpage before enabling this on a PAM system.
-ChallengeResponseAuthentication no
+# Uncomment to enable PAM keyboard-interactive authentication 
+# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
+#PAMAuthenticationViaKbdInt yes
 # To change Kerberos options
 #KerberosAuthentication no

diff --git a/ChangeLog b/ChangeLog index 1e1ad344c..ddf385f8a 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -7,6 +7,9 @@
7	[ssh-keygen.c]	7	[ssh-keygen.c]
8	remove debug	8	remove debug
9	- (bal) Whitespace resync w/ OpenBSD for uidswap.c	9	- (bal) Whitespace resync w/ OpenBSD for uidswap.c
		10	- (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
		11	(default: off), implies KbdInteractiveAuthentication. Suggestion from
		12	markus@
10		13
11	20010424	14	20010424
12	- OpenBSD CVS Sync	15	- OpenBSD CVS Sync
@@ -5246,4 +5249,4 @@
5246	- Wrote replacements for strlcpy and mkdtemp	5249	- Wrote replacements for strlcpy and mkdtemp
5247	- Released 1.0pre1	5250	- Released 1.0pre1
5248		5251
5249	$Id: ChangeLog,v 1.1168 2001/04/25 06:27:59 mouring Exp $	5252	$Id: ChangeLog,v 1.1169 2001/04/25 12:44:14 djm Exp $


diff --git a/auth2.c b/auth2.c index 5ffd43fe5..f357b5826 100644 --- a/auth2.c +++ b/auth2.c
@@ -127,6 +127,8 @@ do_authentication2()
127	/* challenge-reponse is implemented via keyboard interactive */	127	/* challenge-reponse is implemented via keyboard interactive */
128	if (options.challenge_reponse_authentication)	128	if (options.challenge_reponse_authentication)
129	options.kbd_interactive_authentication = 1;	129	options.kbd_interactive_authentication = 1;
		130	if (options.pam_authentication_via_kbd_int)
		131	options.kbd_interactive_authentication = 1;
130		132
131	dispatch_init(&protocol_error);	133	dispatch_init(&protocol_error);
132	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);	134	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
@@ -411,7 +413,7 @@ userauth_kbdint(Authctxt *authctxt)
411	authenticated = auth2_challenge(authctxt, devs);	413	authenticated = auth2_challenge(authctxt, devs);
412		414
413	#ifdef USE_PAM	415	#ifdef USE_PAM
414	if (authenticated == 0)	416	if (authenticated == 0 && options.pam_authentication_via_kbd_int)
415	authenticated = auth2_pam(authctxt);	417	authenticated = auth2_pam(authctxt);
416	#endif	418	#endif
417	xfree(lang);	419	xfree(lang);


diff --git a/servconf.c b/servconf.c index 3d0c9efa6..73c07c2fe 100644 --- a/servconf.c +++ b/servconf.c
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
101	options->reverse_mapping_check = -1;	101	options->reverse_mapping_check = -1;
102	options->client_alive_interval = -1;	102	options->client_alive_interval = -1;
103	options->client_alive_count_max = -1;	103	options->client_alive_count_max = -1;
		104	options->pam_authentication_via_kbd_int = -1;
104	}	105	}
105		106
106	void	107	void
@@ -207,6 +208,8 @@ fill_default_server_options(ServerOptions *options)
207	options->client_alive_interval = 0;	208	options->client_alive_interval = 0;
208	if (options->client_alive_count_max == -1)	209	if (options->client_alive_count_max == -1)
209	options->client_alive_count_max = 3;	210	options->client_alive_count_max = 3;
		211	if (options->pam_authentication_via_kbd_int == -1)
		212	options->pam_authentication_via_kbd_int = 0;
210	}	213	}
211		214
212	/* Keyword tokens. */	215	/* Keyword tokens. */
@@ -232,7 +235,7 @@ typedef enum {
232	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,	235	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
233	sBanner, sReverseMappingCheck, sHostbasedAuthentication,	236	sBanner, sReverseMappingCheck, sHostbasedAuthentication,
234	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	237	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
235	sClientAliveCountMax	238	sClientAliveCountMax, sPAMAuthenticationViaKbdInt
236	} ServerOpCodes;	239	} ServerOpCodes;
237		240
238	/* Textual representation of the tokens. */	241	/* Textual representation of the tokens. */
@@ -298,6 +301,7 @@ static struct {
298	{ "reversemappingcheck", sReverseMappingCheck },	301	{ "reversemappingcheck", sReverseMappingCheck },
299	{ "clientaliveinterval", sClientAliveInterval },	302	{ "clientaliveinterval", sClientAliveInterval },
300	{ "clientalivecountmax", sClientAliveCountMax },	303	{ "clientalivecountmax", sClientAliveCountMax },
		304	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
301	{ NULL, 0 }	305	{ NULL, 0 }
302	};	306	};
303		307
@@ -794,6 +798,10 @@ parse_flag:
794	case sClientAliveCountMax:	798	case sClientAliveCountMax:
795	intptr = &options->client_alive_count_max;	799	intptr = &options->client_alive_count_max;
796	goto parse_int;	800	goto parse_int;
		801	case sPAMAuthenticationViaKbdInt:
		802	intptr = &options->pam_authentication_via_kbd_int;
		803	goto parse_flag;
		804
797	default:	805	default:
798	fatal("%s line %d: Missing handler for opcode %s (%d)",	806	fatal("%s line %d: Missing handler for opcode %s (%d)",
799	filename, linenum, arg, opcode);	807	filename, linenum, arg, opcode);


diff --git a/servconf.h b/servconf.h index 4c02c0f52..78bca97f3 100644 --- a/servconf.h +++ b/servconf.h
@@ -124,7 +124,7 @@ typedef struct {
124	* for this many intervals, above	124	* for this many intervals, above
125	* diconnect the session	125	* diconnect the session
126	*/	126	*/
127		127	int pam_authentication_via_kbd_int;
128	} ServerOptions;	128	} ServerOptions;
129	/*	129	/*
130	* Initializes the server options to special values that indicate that they	130	* Initializes the server options to special values that indicate that they


diff --git a/sshd.8 b/sshd.8 index 62e3de7c6..56723392a 100644 --- a/sshd.8 +++ b/sshd.8
@@ -616,6 +616,14 @@ The probability increases linearly and all connection attempts
616	are refused if the number of unauthenticated connections reaches	616	are refused if the number of unauthenticated connections reaches
617	.Dq full	617	.Dq full
618	(60).	618	(60).
		619	.It Cm PAMAuthenticationViaKbdInt
		620	Specifies whether PAM challenge response authentication is allowed. This
		621	allows the use of most PAM challenge response authentication modules, but
		622	it will allow password authentication regardless of whether
		623	.Cm PasswordAuthentication
		624	is disabled.
		625	The default is
		626	.Dq no .
619	.It Cm PasswordAuthentication	627	.It Cm PasswordAuthentication
620	Specifies whether password authentication is allowed.	628	Specifies whether password authentication is allowed.
621	The default is	629	The default is


diff --git a/sshd_config b/sshd_config index fda1456e6..8c411e476 100644 --- a/sshd_config +++ b/sshd_config
@@ -46,10 +46,12 @@ RSAAuthentication yes
46	PasswordAuthentication yes	46	PasswordAuthentication yes
47	PermitEmptyPasswords no	47	PermitEmptyPasswords no
48		48
49	# Comment to enable s/key passwords or PAM interactive authentication	49	# Uncomment to disable s/key passwords
50	# NB. Neither of these are compiled in by default. Please read the	50	#ChallengeResponseAuthentication no
51	# notes in the sshd(8) manpage before enabling this on a PAM system.	51
52	ChallengeResponseAuthentication no	52	# Uncomment to enable PAM keyboard-interactive authentication
		53	# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
		54	#PAMAuthenticationViaKbdInt yes
53		55
54	# To change Kerberos options	56	# To change Kerberos options
55	#KerberosAuthentication no	57	#KerberosAuthentication no