- markus@cvs.openbsd.org 2001/01/22 23:06:39

[auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
      sshconnect1.c sshconnect2.c sshd.c]
     rename skey -> challenge response.
     auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.

ChangeLog

@@ -15,6 +15,11 @@
    - stevesk@cvs.openbsd.org 2001/01/22 17:22:28
      [sshconnect2.c sshd.c]
      fix memory leaks in SSH2 key exchange; ok markus@
+   - markus@cvs.openbsd.org 2001/01/22 23:06:39
+     [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
+      sshconnect1.c sshconnect2.c sshd.c]
+     rename skey -> challenge response.
+     auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
 
 
 20010122

auth1.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.13 2001/01/21 19:05:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.14 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -281,7 +281,7 @@ do_authloop(Authctxt *authctxt)
 
 		case SSH_CMSG_AUTH_TIS:
 			debug("rcvd SSH_CMSG_AUTH_TIS");
-			if (options.skey_authentication == 1) {
+			if (options.challenge_reponse_authentication == 1) {
 				char *challenge = get_challenge(authctxt, authctxt->style);
 				if (challenge != NULL) {
 					debug("sending challenge '%s'", challenge);
@@ -296,7 +296,7 @@ do_authloop(Authctxt *authctxt)
 
 		case SSH_CMSG_AUTH_TIS_RESPONSE:
 			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
-			if (options.skey_authentication == 1) {
+			if (options.challenge_reponse_authentication == 1) {
 				char *response = packet_get_string(&dlen);
 				debug("got response '%s'", response);
 				packet_integrity_check(plen, 4 + dlen, type);

auth2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.34 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -123,6 +123,10 @@ do_authentication2()
 
 	x_authctxt = authctxt;		/*XXX*/
 
+	/* challenge-reponse is implemented via keyboard interactive */
+	if (options.challenge_reponse_authentication)
+		options.kbd_interactive_authentication = 1;
+
 #ifdef AFS
 	/* If machine has AFS, set process authentication group. */
 	if (k_hasafs()) {
@@ -401,7 +405,8 @@ userauth_kbdint(Authctxt *authctxt)
 
 	debug("keyboard-interactive language %s devs %s", lang, devs);
 
-	authenticated = auth2_challenge(authctxt, devs);
+	if (options.challenge_reponse_authentication)
+		authenticated = auth2_challenge(authctxt, devs);
 
 #ifdef USE_PAM
 	if (authenticated == 0)

readconf.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.58 2001/01/21 19:05:53 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.59 2001/01/22 23:06:39 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -93,7 +93,7 @@ typedef enum {
 	oBadOption,
 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
 	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
-	oSkeyAuthentication, oXAuthLocation,
+	oChallengeResponseAuthentication, oXAuthLocation,
 #ifdef KRB4
 	oKerberosAuthentication,
 #endif /* KRB4 */
@@ -104,7 +104,7 @@ typedef enum {
 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias
@@ -127,8 +127,10 @@ static struct {
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "pubkeyauthentication", oPubkeyAuthentication },
-	{ "dsaauthentication", oPubkeyAuthentication },		/* alias */
-	{ "skeyauthentication", oSkeyAuthentication },
+	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
+	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
+	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 #ifdef KRB4
 	{ "kerberosauthentication", oKerberosAuthentication },
 #endif /* KRB4 */
@@ -165,7 +167,6 @@ static struct {
 	{ "compressionlevel", oCompressionLevel },
 	{ "keepalive", oKeepAlives },
 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
-	{ "tisauthentication", oTISAuthentication },
 	{ "loglevel", oLogLevel },
 	{ NULL, 0 }
 };
@@ -318,10 +319,8 @@ parse_flag:
 		intptr = &options->rhosts_rsa_authentication;
 		goto parse_flag;
 
-	case oTISAuthentication:
-		/* fallthrough, there is no difference on the client side */
-	case oSkeyAuthentication:
-		intptr = &options->skey_authentication;
+	case oChallengeResponseAuthentication:
+		intptr = &options->challenge_reponse_authentication;
 		goto parse_flag;
 
 #ifdef KRB4
@@ -669,7 +668,7 @@ initialize_options(Options * options)
 	options->rhosts_authentication = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
-	options->skey_authentication = -1;
+	options->challenge_reponse_authentication = -1;
 #ifdef KRB4
 	options->kerberos_authentication = -1;
 #endif
@@ -736,8 +735,8 @@ fill_default_options(Options * options)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
-	if (options->skey_authentication == -1)
-		options->skey_authentication = 0;
+	if (options->challenge_reponse_authentication == -1)
+		options->challenge_reponse_authentication = 0;
 #ifdef KRB4
 	if (options->kerberos_authentication == -1)
 		options->kerberos_authentication = 1;
@@ -751,7 +750,7 @@ fill_default_options(Options * options)
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 0;
+		options->kbd_interactive_authentication = 1;
 	if (options->rhosts_rsa_authentication == -1)
 		options->rhosts_rsa_authentication = 1;
 	if (options->fallback_to_rsh == -1)

readconf.h

@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: readconf.h,v 1.24 2000/12/27 12:30:20 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -36,7 +36,8 @@ typedef struct {
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */
 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
-	int     skey_authentication;	/* Try S/Key or TIS authentication. */
+	int     challenge_reponse_authentication;
+					/* Try S/Key or TIS, authentication. */
 #ifdef KRB4
 	int     kerberos_authentication;	/* Try Kerberos
 						 * authentication. */

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.62 2001/01/21 19:05:55 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.63 2001/01/22 23:06:39 markus Exp $");
 
 #ifdef KRB4
 #include <krb.h>
@@ -77,7 +77,7 @@ initialize_server_options(ServerOptions *options)
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
-	options->skey_authentication = -1;
+	options->challenge_reponse_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->use_login = -1;
 	options->allow_tcp_forwarding = -1;
@@ -171,8 +171,8 @@ fill_default_server_options(ServerOptions *options)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
-	if (options->skey_authentication == -1)
-		options->skey_authentication = 1;
+	if (options->challenge_reponse_authentication == -1)
+		options->challenge_reponse_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->use_login == -1)
@@ -201,7 +201,7 @@ typedef enum {
 #ifdef AFS
 	sKerberosTgtPassing, sAFSTokenPassing,
 #endif
-	sSkeyAuthentication,
+	sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
@@ -243,7 +243,8 @@ static struct {
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
-	{ "skeyauthentication", sSkeyAuthentication },
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
+	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
 	{ "checkmail", sCheckMail },
 	{ "listenaddress", sListenAddress },
 	{ "printmotd", sPrintMotd },
@@ -537,8 +538,8 @@ parse_flag:
 			intptr = &options->check_mail;
 			goto parse_flag;
 
-		case sSkeyAuthentication:
-			intptr = &options->skey_authentication;
+		case sChallengeResponseAuthentication:
+			intptr = &options->challenge_reponse_authentication;
 			goto parse_flag;
 
 		case sPrintMotd:

servconf.h

@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.34 2001/01/19 12:45:27 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.35 2001/01/22 23:06:40 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -80,8 +80,7 @@ typedef struct {
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-	int     skey_authentication;	/* If true, permit s/key
-					 * authentication. */
+	int     challenge_reponse_authentication;
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     use_login;	/* If true, login(1) is used */

sshconnect1.c

@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.19 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.20 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -613,7 +613,7 @@ send_afs_tokens(void)
  * Note that the client code is not tied to s/key or TIS.
  */
 int
-try_skey_authentication()
+try_challenge_reponse_authentication()
 {
 	int type, i;
 	int payload_len;
@@ -621,7 +621,7 @@ try_skey_authentication()
 	char prompt[1024];
 	char *challenge, *response;
 
-	debug("Doing skey authentication.");
+	debug("Doing challenge reponse authentication.");
 
 	for (i = 0; i < options.number_of_password_prompts; i++) {
 		/* request a challenge */
@@ -633,10 +633,10 @@ try_skey_authentication()
 		if (type != SSH_SMSG_FAILURE &&
 		    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
 			packet_disconnect("Protocol error: got %d in response "
-			    "to skey-auth", type);
+			    "to SSH_CMSG_AUTH_TIS", type);
 		}
 		if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-			debug("No challenge for skey authentication.");
+			debug("No challenge.");
 			return 0;
 		}
 		challenge = packet_get_string(&clen);
@@ -665,7 +665,7 @@ try_skey_authentication()
 			return 1;
 		if (type != SSH_SMSG_FAILURE)
 			packet_disconnect("Protocol error: got %d in response "
-			    "to skey-auth-reponse", type);
+			    "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
 	}
 	/* failure */
 	return 0;
@@ -1018,10 +1018,10 @@ ssh_userauth(
 			    try_rsa_authentication(options.identity_files[i]))
 				return;
 	}
-	/* Try skey authentication if the server supports it. */
+	/* Try challenge response authentication if the server supports it. */
 	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-	    options.skey_authentication && !options.batch_mode) {
-		if (try_skey_authentication())
+	    options.challenge_reponse_authentication && !options.batch_mode) {
+		if (try_challenge_reponse_authentication())
 			return;
 	}
 	/* Try password authentication if the server supports it. */

sshconnect2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.38 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.39 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -513,6 +513,9 @@ ssh_userauth2(const char *server_user, char *host)
 	int type;
 	int plen;
 
+	if (options.challenge_reponse_authentication)
+		options.kbd_interactive_authentication = 1;
+
 	debug("send SSH2_MSG_SERVICE_REQUEST");
 	packet_start(SSH2_MSG_SERVICE_REQUEST);
 	packet_put_cstring("ssh-userauth");

sshd.c

@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.156 2001/01/22 17:22:28 stevesk Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.157 2001/01/22 23:06:40 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1254,7 +1254,7 @@ do_ssh1_kex(void)
 	if (options.afs_token_passing)
 		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
 #endif
-	if (options.skey_authentication == 1)
+	if (options.challenge_reponse_authentication == 1)
 		auth_mask |= 1 << SSH_AUTH_TIS;
 	if (options.password_authentication)
 		auth_mask |= 1 << SSH_AUTH_PASSWORD;