Remove support for S/Key

Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.

INSTALL

@@ -66,13 +66,6 @@ passphrase requester. This is maintained separately at:
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 
-S/Key Libraries:
-
-If you wish to use --with-skey then you will need the library below
-installed.  No other S/Key library is currently known to be supported.
-
-http://www.sparc.spb.su/solaris/skey/
-
 LibEdit:
 
 sftp supports command-line editing via NetBSD's libedit.  If your platform
@@ -184,9 +177,6 @@ it if lastlog is installed in a different place.
 --with-osfsia, --without-osfsia will enable or disable OSF1's Security
 Integration Architecture.  The default for OSF1 machines is enable.
 
---with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does
 not support them directly (see the crypt(3/3c) man page). If enabled, the

Makefile.in

@@ -110,7 +110,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
 	auth.o auth2.o auth-options.o session.o \
 	auth2-chall.o groupaccess.o \
-	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+	auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
 	monitor.o monitor_wrap.o auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \

TODO

@@ -35,7 +35,7 @@ Programming:
  - Use different PAM service name for kbdint vs regular auth (suggest from
    Solar Designer)
  - Ability to select which ChallengeResponseAuthentications may be used
-   and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
+   and order to try them in e.g. "ChallengeResponseAuthentication pam"
 
 - Complete Tru64 SIA support
  - It looks like we could merge it into the password auth code to cut down

auth.h

@@ -187,8 +187,6 @@ int	auth2_challenge(struct ssh *, char *);
 void	auth2_challenge_stop(struct ssh *);
 int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int	bsdauth_respond(void *, u_int, char **);
-int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int	skey_respond(void *, u_int, char **);
 
 int	allowed_user(struct passwd *);
 struct passwd * getpwnamallow(const char *user);
@@ -239,8 +237,6 @@ pid_t	subprocess(const char *, struct passwd *,
 
 int	 sys_auth_passwd(struct ssh *, const char *);
 
-#define SKEY_PROMPT "\nS/Key Password: "
-
 #if defined(KRB5) && !defined(HEIMDAL)
 #include <krb5.h>
 krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);

auth2-chall.c

@@ -58,9 +58,6 @@ extern KbdintDevice bsdauth_device;
 #ifdef USE_PAM
 extern KbdintDevice sshpam_device;
 #endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
 #endif
 
 KbdintDevice *devices[] = {
@@ -70,9 +67,6 @@ KbdintDevice *devices[] = {
 #ifdef USE_PAM
 	&sshpam_device,
 #endif
-#ifdef SKEY
-	&skey_device,
-#endif
 #endif
 	NULL
 };
@@ -369,7 +363,7 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 void
 privsep_challenge_enable(void)
 {
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+#if defined(BSD_AUTH) || defined(USE_PAM)
 	int n = 0;
 #endif
 #ifdef BSD_AUTH
@@ -378,9 +372,6 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
 	extern KbdintDevice mm_sshpam_device;
 #endif
-#ifdef SKEY
-	extern KbdintDevice mm_skey_device;
-#endif
 
 #ifdef BSD_AUTH
 	devices[n++] = &mm_bsdauth_device;
@@ -388,8 +379,5 @@ privsep_challenge_enable(void)
 #ifdef USE_PAM
 	devices[n++] = &mm_sshpam_device;
 #endif
-#ifdef SKEY
-	devices[n++] = &mm_skey_device;
-#endif
 #endif
 }

configure.ac

@@ -1495,55 +1495,6 @@ else
 	AC_MSG_RESULT([no])
 fi
 
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH([skey],
-	[  --with-skey[[=PATH]]      Enable S/Key support (optionally in PATH)],
-	[
-		if test "x$withval" != "xno" ; then
-
-			if test "x$withval" != "xyes" ; then
-				CPPFLAGS="$CPPFLAGS -I${withval}/include"
-				LDFLAGS="$LDFLAGS -L${withval}/lib"
-			fi
-
-			AC_DEFINE([SKEY], [1], [Define if you want S/Key support])
-			LIBS="-lskey $LIBS"
-			SKEY_MSG="yes"
-
-			AC_MSG_CHECKING([for s/key support])
-			AC_LINK_IFELSE(
-				[AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
-				]], [[
-	char *ff = skey_keyinfo(""); ff="";
-	exit(0);
-				]])],
-				[AC_MSG_RESULT([yes])],
-				[
-					AC_MSG_RESULT([no])
-					AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
-				])
-			AC_MSG_CHECKING([if skeychallenge takes 4 arguments])
-			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
-				]], [[
-	(void)skeychallenge(NULL,"name","",0);
-				]])],
-			[
-				AC_MSG_RESULT([yes])
-				AC_DEFINE([SKEYCHALLENGE_4ARG], [1],
-					[Define if your skeychallenge()
-					function takes 4 arguments (NetBSD)])],
-			[
-				AC_MSG_RESULT([no])
-			])
-		fi
-	]
-)
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -5219,7 +5170,6 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
-echo "                     S/KEY support: $SKEY_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"

defines.h

@@ -660,12 +660,6 @@ struct winsize {
 #  define krb5_get_err_text(context,code) error_message(code)
 #endif
 
-#if defined(SKEYCHALLENGE_4ARG)
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
-#else
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
-#endif
-
 /* Maximum number of file descriptors available */
 #ifdef HAVE_SYSCONF
 # define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)

monitor.c

@@ -56,10 +56,6 @@
 # endif
 #endif
 
-#ifdef SKEY
-#include <skey.h>
-#endif
-
 #ifdef WITH_OPENSSL
 #include <openssl/dh.h>
 #endif
@@ -122,8 +118,6 @@ int mm_answer_authserv(int, struct sshbuf *);
 int mm_answer_authpassword(int, struct sshbuf *);
 int mm_answer_bsdauthquery(int, struct sshbuf *);
 int mm_answer_bsdauthrespond(int, struct sshbuf *);
-int mm_answer_skeyquery(int, struct sshbuf *);
-int mm_answer_skeyrespond(int, struct sshbuf *);
 int mm_answer_keyallowed(int, struct sshbuf *);
 int mm_answer_keyverify(int, struct sshbuf *);
 int mm_answer_pty(int, struct sshbuf *);
@@ -211,10 +205,6 @@ struct mon_table mon_dispatch_proto20[] = {
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
     {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
-#endif
-#ifdef SKEY
-    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
-    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
 #endif
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@@ -960,62 +950,6 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
 }
 #endif
 
-#ifdef SKEY
-int
-mm_answer_skeyquery(int sock, struct sshbuf *m)
-{
-	struct skey skey;
-	char challenge[1024];
-	u_int success;
-	int r;
-
-	success = _compat_skeychallenge(&skey, authctxt->user, challenge,
-	    sizeof(challenge)) < 0 ? 0 : 1;
-
-	sshbuf_reset(m);
-	if ((r = sshbuf_put_u32(m, success)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	if (success) {
-		if ((r = sshbuf_put_cstring(m, challenge)) != 0)
-			fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	}
-	debug3("%s: sending challenge success: %u", __func__, success);
-	mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
-
-	return (0);
-}
-
-int
-mm_answer_skeyrespond(int sock, struct sshbuf *m)
-{
-	char *response;
-	size_t rlen;
-	int authok, r;
-
-	if ((r = sshbuf_get_cstring(m, &response, &rlen)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
-	authok = (options.challenge_response_authentication &&
-	    authctxt->valid &&
-	    skey_haskey(authctxt->pw->pw_name) == 0 &&
-	    skey_passcheck(authctxt->pw->pw_name, response) != -1);
-
-	freezero(response, rlen);
-
-	sshbuf_reset(m);
-	if ((r = sshbuf_put_u32(m, authok)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
-	debug3("%s: sending authenticated: %d", __func__, authok);
-	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
-
-	auth_method = "keyboard-interactive";
-	auth_submethod = "skey";
-
-	return (authok != 0);
-}
-#endif
-
 #ifdef USE_PAM
 int
 mm_answer_pam_start(int sock, struct sshbuf *m)

monitor.h

@@ -39,8 +39,6 @@ enum monitor_reqtype {
 	MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
 	MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
 	MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
-	MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
-	MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
 	MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
 	MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
 	MONITOR_REQ_KEYEXPORT = 26,

monitor_wrap.c

@@ -867,73 +867,6 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 	return ((authok == 0) ? -1 : 0);
 }
 
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-	struct sshbuf *m;
-	u_int success;
-	char *challenge;
-	int r;
-
-	debug3("%s: entering", __func__);
-
-	if ((m = sshbuf_new()) == NULL)
-		fatal("%s: sshbuf_new failed", __func__);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, m);
-	if ((r = sshbuf_get_u32(m, &success)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	if (success == 0) {
-		debug3("%s: no challenge", __func__);
-		sshbuf_free(m);
-		return (-1);
-	}
-
-	/* Get the challenge, and format the response */
-	if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	sshbuf_free(m);
-
-	debug3("%s: received challenge: %s", __func__, challenge);
-
-	mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
-	xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-	free(challenge);
-
-	return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-	struct sshbuf *m;
-	int authok, r;
-
-	debug3("%s: entering", __func__);
-	if (numresponses != 1)
-		return (-1);
-
-	if ((m = sshbuf_new()) == NULL)
-		fatal("%s: sshbuf_new failed", __func__);
-	if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd,
-	    MONITOR_ANS_SKEYRESPOND, m);
-
-	if ((r = sshbuf_get_u32(m, &authok)) != 0)
-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	sshbuf_free(m);
-
-	return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
 #ifdef SSH_AUDIT_EVENTS
 void
 mm_audit_event(ssh_audit_event_t event)

monitor_wrap.h

@@ -97,8 +97,4 @@ void mm_send_keystate(struct monitor*);
 int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_bsdauth_respond(void *, u_int, char **);
 
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
 #endif /* _MM_WRAP_H_ */

readconf.c

@@ -230,7 +230,7 @@ static struct {
 	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
 	{ "hostbasedauthentication", oHostbasedAuthentication },
 	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
-	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+	{ "skeyauthentication", oUnsupported },
 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* obsolete */

servconf.c

@@ -564,7 +564,7 @@ static struct {
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+	{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },

ssh_config.5

@@ -997,10 +997,9 @@ The default is to use the server specified list.
 The methods available vary depending on what the server supports.
 For an OpenSSH server,
 it may be zero or more of:
-.Cm bsdauth ,
+.Cm bsdauth
-.Cm pam ,
 and
-.Cm skey .
+.Cm pam .
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.

sshd_config.5

@@ -205,10 +205,9 @@ keyboard-interactive authentication before public key.
 For keyboard interactive authentication it is also possible to
 restrict authentication to a specific device by appending a
 colon followed by the device identifier
-.Cm bsdauth ,
+.Cm bsdauth
-.Cm pam ,
 or
-.Cm skey ,
+.Cm pam .
 depending on the server configuration.
 For example,
 .Qq keyboard-interactive:bsdauth