- (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
   (default: off), implies KbdInteractiveAuthentication. Suggestion from
   markus@
diff --git a/ChangeLog b/ChangeLog
index 1e1ad34..ddf385f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
      [ssh-keygen.c]
      remove debug
  - (bal) Whitespace resync w/ OpenBSD for uidswap.c
+ - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
+   (default: off), implies KbdInteractiveAuthentication. Suggestion from 
+   markus@
 
 20010424
  - OpenBSD CVS Sync
@@ -5246,4 +5249,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1168 2001/04/25 06:27:59 mouring Exp $
+$Id: ChangeLog,v 1.1169 2001/04/25 12:44:14 djm Exp $
diff --git a/auth2.c b/auth2.c
index 5ffd43f..f357b58 100644
--- a/auth2.c
+++ b/auth2.c
@@ -127,6 +127,8 @@
 	/* challenge-reponse is implemented via keyboard interactive */
 	if (options.challenge_reponse_authentication)
 		options.kbd_interactive_authentication = 1;
+	if (options.pam_authentication_via_kbd_int)
+		options.kbd_interactive_authentication = 1;
 
 	dispatch_init(&protocol_error);
 	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
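Review bot: The added implication from `pam_authentication_via_kbd_int` to `kbd_interactive_authentication` is compiled unconditionally, while the consumer of the flag visible in this diff (the `auth2_pam` call further down auth2.c) sits under `#ifdef USE_PAM`. On a build without PAM, setting the directive would still switch keyboard-interactive on with no PAM backend behind it, which looks unintended; wrapping the two new lines in `#ifdef USE_PAM` / `#endif` keeps the two sites consistent, or a comment should say why the flag is honoured on non-PAM builds. The enclosing function begins before this hunk.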
@@ -411,7 +413,7 @@
 		authenticated = auth2_challenge(authctxt, devs);
 
 #ifdef USE_PAM
-	if (authenticated == 0)
+	if (authenticated == 0 && options.pam_authentication_via_kbd_int)
 		authenticated = auth2_pam(authctxt);
 #endif
 	xfree(lang);
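Review bot: The new condition gates `auth2_pam` on the option, but nothing at the call site records that this path can accept a password independently of `PasswordAuthentication`, which is exactly the caveat the sshd.8 text in this commit spells out. A short comment above the `#ifdef` keeps that in front of the next maintainer: `/* PAM via kbd-int may accept a password even when PasswordAuthentication is off; see sshd.8 */`. The enclosing function continues outside the hunk.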
diff --git a/servconf.c b/servconf.c
index 3d0c9ef..73c07c2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -101,6 +101,7 @@
 	options->reverse_mapping_check = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
+	options->pam_authentication_via_kbd_int = -1;
 }
 
 void
@@ -207,6 +208,8 @@
 		options->client_alive_interval = 0;  
 	if (options->client_alive_count_max == -1)
 		options->client_alive_count_max = 3;
+	if (options->pam_authentication_via_kbd_int == -1)
+		options->pam_authentication_via_kbd_int = 0;
 }
 
 /* Keyword tokens. */
@@ -232,7 +235,7 @@
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
 	sBanner, sReverseMappingCheck, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 
-	sClientAliveCountMax
+	sClientAliveCountMax, sPAMAuthenticationViaKbdInt
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -298,6 +301,7 @@
 	{ "reversemappingcheck", sReverseMappingCheck },
 	{ "clientaliveinterval", sClientAliveInterval },
 	{ "clientalivecountmax", sClientAliveCountMax },
+	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
 	{ NULL, 0 }
 };
 
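Review bot: The new keyword entry is the only mixed-case string in the table (`PAMAuthenticationViaKbdInt` next to `clientalivecountmax`). Whether that matters depends on the comparison in the token lookup, which is not in this hunk: with `strcmp` the directive would only match in exactly that spelling, and with `strcasecmp` the entry still breaks the table's convention. Either way `{ "pamauthenticationviakbdint", sPAMAuthenticationViaKbdInt },` is the consistent form.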
@@ -794,6 +798,10 @@
 		case sClientAliveCountMax:
 			intptr = &options->client_alive_count_max;
 			goto parse_int;
+		case sPAMAuthenticationViaKbdInt:
+			intptr = &options->pam_authentication_via_kbd_int;
+			goto parse_flag;
+
 		default:
 			fatal("%s line %d: Missing handler for opcode %s (%d)",
 			    filename, linenum, arg, opcode);
diff --git a/servconf.h b/servconf.h
index 4c02c0f..78bca97 100644
--- a/servconf.h
+++ b/servconf.h
@@ -124,7 +124,7 @@
 					 * for this many intervals, above
 					 * diconnect the session 
 					 */
-
+	int	pam_authentication_via_kbd_int;
 }       ServerOptions;
 /*
  * Initializes the server options to special values that indicate that they
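Review bot: The new member `pam_authentication_via_kbd_int` is added without a comment, while the neighbouring members of `ServerOptions` each carry one explaining their meaning. Suggest `int	pam_authentication_via_kbd_int;	/* If true, allow PAM challenge-response via keyboard-interactive (may bypass PasswordAuthentication) */`. The struct definition begins before this hunk.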
diff --git a/sshd.8 b/sshd.8
index 62e3de7..5672339 100644
--- a/sshd.8
+++ b/sshd.8
@@ -616,6 +616,14 @@
 are refused if the number of unauthenticated connections reaches
 .Dq full
 (60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but 
+it will allow password authentication regardless of whether 
+.Cm PasswordAuthentication
+is disabled.
+The default is
+.Dq no .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
diff --git a/sshd_config b/sshd_config
index fda1456..8c411e4 100644
--- a/sshd_config
+++ b/sshd_config
@@ -46,10 +46,12 @@
 PasswordAuthentication yes
 PermitEmptyPasswords no
 
-# Comment to enable s/key passwords or PAM interactive authentication
-# NB. Neither of these are compiled in by default. Please read the
-# notes in the sshd(8) manpage before enabling this on a PAM system.
-ChallengeResponseAuthentication no
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+
+# Uncomment to enable PAM keyboard-interactive authentication 
+# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
+#PAMAuthenticationViaKbdInt yes
 
 # To change Kerberos options
 #KerberosAuthentication no
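Review bot: Commenting out `ChallengeResponseAuthentication no` changes what the shipped config does: the directive previously disabled challenge-response explicitly, and now the compiled-in default applies. The new comment `Uncomment to disable s/key passwords` implies that default is yes, in which case a default installation will accept challenge-response authentication where it previously refused it, and the removed advice to read sshd(8) before enabling this on a PAM system is gone with it. If leaving it enabled is the intent, stating the effective value in the template, e.g. `#ChallengeResponseAuthentication yes`, makes that visible; otherwise keep the explicit `no`.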