diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth2.c | 4 | ||||
-rw-r--r-- | servconf.c | 10 | ||||
-rw-r--r-- | servconf.h | 2 | ||||
-rw-r--r-- | sshd.8 | 8 | ||||
-rw-r--r-- | sshd_config | 10 |
6 files changed, 31 insertions, 8 deletions
@@ -7,6 +7,9 @@ [ssh-keygen.c] remove debug - (bal) Whitespace resync w/ OpenBSD for uidswap.c + - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt' + (default: off), implies KbdInteractiveAuthentication. Suggestion from + markus@ 20010424 - OpenBSD CVS Sync @@ -5246,4 +5249,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1168 2001/04/25 06:27:59 mouring Exp $ +$Id: ChangeLog,v 1.1169 2001/04/25 12:44:14 djm Exp $ @@ -127,6 +127,8 @@ do_authentication2() /* challenge-reponse is implemented via keyboard interactive */ if (options.challenge_reponse_authentication) options.kbd_interactive_authentication = 1; + if (options.pam_authentication_via_kbd_int) + options.kbd_interactive_authentication = 1; dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); @@ -411,7 +413,7 @@ userauth_kbdint(Authctxt *authctxt) authenticated = auth2_challenge(authctxt, devs); #ifdef USE_PAM - if (authenticated == 0) + if (authenticated == 0 && options.pam_authentication_via_kbd_int) authenticated = auth2_pam(authctxt); #endif xfree(lang); @@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options) options->reverse_mapping_check = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; + options->pam_authentication_via_kbd_int = -1; } void @@ -207,6 +208,8 @@ fill_default_server_options(ServerOptions *options) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) options->client_alive_count_max = 3; + if (options->pam_authentication_via_kbd_int == -1) + options->pam_authentication_via_kbd_int = 0; } /* Keyword tokens. */ @@ -232,7 +235,7 @@ typedef enum { sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax + sClientAliveCountMax, sPAMAuthenticationViaKbdInt } ServerOpCodes; /* Textual representation of the tokens. */ @@ -298,6 +301,7 @@ static struct { { "reversemappingcheck", sReverseMappingCheck }, { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, + { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, { NULL, 0 } }; @@ -794,6 +798,10 @@ parse_flag: case sClientAliveCountMax: intptr = &options->client_alive_count_max; goto parse_int; + case sPAMAuthenticationViaKbdInt: + intptr = &options->pam_authentication_via_kbd_int; + goto parse_flag; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode); @@ -124,7 +124,7 @@ typedef struct { * for this many intervals, above * diconnect the session */ - + int pam_authentication_via_kbd_int; } ServerOptions; /* * Initializes the server options to special values that indicate that they @@ -616,6 +616,14 @@ The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches .Dq full (60). +.It Cm PAMAuthenticationViaKbdInt +Specifies whether PAM challenge response authentication is allowed. This +allows the use of most PAM challenge response authentication modules, but +it will allow password authentication regardless of whether +.Cm PasswordAuthentication +is disabled. +The default is +.Dq no . .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is diff --git a/sshd_config b/sshd_config index fda1456e..8c411e47 100644 --- a/sshd_config +++ b/sshd_config @@ -46,10 +46,12 @@ RSAAuthentication yes PasswordAuthentication yes PermitEmptyPasswords no -# Comment to enable s/key passwords or PAM interactive authentication -# NB. Neither of these are compiled in by default. Please read the -# notes in the sshd(8) manpage before enabling this on a PAM system. -ChallengeResponseAuthentication no +# Uncomment to disable s/key passwords +#ChallengeResponseAuthentication no + +# Uncomment to enable PAM keyboard-interactive authentication +# Warning: enabling this may bypass the setting of 'PasswordAuthentication' +#PAMAuthenticationViaKbdInt yes # To change Kerberos options #KerberosAuthentication no |