author | Darren Tucker <dtucker@dtucker.net> | 2021-07-03 11:23:28 +0200 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2021-07-03 11:23:28 +0200 |
commit | 53237ac789183946dac6dcb8838bc3b6b9b43be1 (patch) | |
tree | 31ed14140bcb836aae89e13b2a32ba51ce482883 | |
parent | Disable rocky84 to figure out why agent test fails (diff) | |
Sync remaining ChallengeResponse removal.
These were omitted from commit 88868fd131.
-rw-r--r-- | auth2-kbdint.c | 4 | ||||
-rw-r--r-- | monitor.c | 4 | ||||
-rw-r--r-- | readconf.h | 4 | ||||
-rw-r--r-- | scp.1 | 5 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | sftp.1 | 5 | ||||
-rw-r--r-- | ssh.1 | 13 | ||||
-rw-r--r-- | ssh_config.5 | 13 | ||||
-rw-r--r-- | sshconnect.c | 9 | ||||
-rw-r--r-- | sshconnect2.c | 4 | ||||
-rw-r--r-- | sshd.c | 6 |
11 files changed, 23 insertions, 47 deletions
diff --git a/auth2-kbdint.c b/auth2-kbdint.c index 111f2d29f..037139d44 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-kbdint.c,v 1.12 2020/10/18 11:32:01 djm Exp $ */ +/* $OpenBSD: auth2-kbdint.c,v 1.13 2021/07/02 05:11:20 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -56,7 +56,7 @@ userauth_kbdint(struct ssh *ssh) debug("keyboard-interactive devs %s", devs); - if (options.challenge_response_authentication) + if (options.kbd_interactive_authentication) authenticated = auth2_challenge(ssh, devs); free(devs); @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.226 2021/04/30 04:02:52 dtucker Exp $ */ +/* $OpenBSD: monitor.c,v 1.227 2021/07/02 05:11:20 dtucker Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -962,7 +962,7 @@ mm_answer_bsdauthrespond(struct ssh *ssh, int sock, struct sshbuf *m) if ((r = sshbuf_get_cstring(m, &response, NULL)) != 0) fatal_fr(r, "parse"); - authok = options.challenge_response_authentication && + authok = options.kbd_interactive_authentication && auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3_f("<%s> = <%d>", response, authok); diff --git a/readconf.h b/readconf.h index 2fba866eb..f3d02fb38 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.140 2021/02/15 20:43:15 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.141 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -38,8 +38,6 @@ typedef struct { struct ForwardOptions fwd_opts; /* forwarding options */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ - int challenge_response_authentication; - /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ int password_authentication; /* Try password 
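Review bot: In `userauth_kbdint` the keyboard-interactive gate now reads only `options.kbd_interactive_authentication`, and the same flag guards `auth_userresponse()` in `mm_answer_bsdauthrespond` (the monitor.c hunk that follows), so this single option is the only server-side switch for the method. Combined with the sshd.c hunk that drops the `challenge_response_authentication` override, an sshd_config that sets both the old and the new keyword to different values is presumably resolved by the config parser alone. That parsing belongs to the earlier commit and is not visible here, so it is worth confirming. I would add a short comment above the check, e.g. `/* ChallengeResponseAuthentication is a deprecated alias; this flag is the only switch */`. The function body continues outside the hunk.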
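Review bot: The context line `debug3_f("<%s> = <%d>", response, authok);` directly after the changed assignment in `mm_answer_bsdauthrespond` writes the user's authentication response into the debug log verbatim. Depending on the BSD auth style in use this may be a password or a one-time code, so a server left at DEBUG3 could retain credentials in its logs. Logging only the outcome keeps the diagnostic value: `debug3_f("response = <%d>", authok);`. The function starts and ends outside the hunk, so how `response` is released afterwards cannot be seen here.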
@@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.95 2021/01/26 15:40:17 naddy Exp $ +.\" $OpenBSD: scp.1,v 1.96 2021/07/02 05:11:21 dtucker Exp $ .\" -.Dd $Mdocdate: January 26 2021 $ +.Dd $Mdocdate: July 2 2021 $ .Dt SCP 1 .Os .Sh NAME @@ -158,7 +158,6 @@ For full details of the options listed below, and their possible values, see .It CanonicalizePermittedCNAMEs .It CASignatureAlgorithms .It CertificateFile -.It ChallengeResponseAuthentication .It CheckHostIP .It Ciphers .It Compression diff --git a/servconf.h b/servconf.h index f7cdac22a..dd5cbc15c 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.154 2021/04/03 06:18:40 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.155 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -146,7 +146,6 @@ typedef struct { int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ - int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int permit_user_env; /* If true, read ~/.ssh/environment */ @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.137 2021/02/12 03:49:09 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.138 2021/07/02 05:11:21 dtucker Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 12 2021 $ +.Dd $Mdocdate: July 2 2021 $ .Dt SFTP 1 .Os .Sh NAME @@ -232,7 +232,6 @@ For full details of the options listed below, and their possible values, see .It CanonicalizePermittedCNAMEs .It CASignatureAlgorithms .It CertificateFile -.It ChallengeResponseAuthentication .It CheckHostIP .It Ciphers .It Compression 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.420 2021/06/25 06:20:39 dtucker Exp $ -.Dd $Mdocdate: June 25 2021 $ +.\" $OpenBSD: ssh.1,v 1.421 2021/07/02 05:11:21 dtucker Exp $ +.Dd $Mdocdate: July 2 2021 $ .Dt SSH 1 .Os .Sh NAME @@ -485,7 +485,6 @@ For full details of the options listed below, and their possible values, see .It CanonicalizePermittedCNAMEs .It CASignatureAlgorithms .It CertificateFile -.It ChallengeResponseAuthentication .It CheckHostIP .It Ciphers .It ClearAllForwardings @@ -833,7 +832,7 @@ The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, -challenge-response authentication, +keyboard-interactive authentication, and password authentication. Authentication methods are tried in the order specified above, though @@ -971,11 +970,11 @@ directive in .Xr ssh_config 5 for more information. .Pp -Challenge-response authentication works as follows: +Keyboard-interactive authentication works as follows: The server sends an arbitrary .Qq challenge -text, and prompts for a response. -Examples of challenge-response authentication include +text and prompts for a response, possibly multiple times. +Examples of keyboard-interactive authentication include .Bx Authentication (see .Xr login.conf 5 ) diff --git a/ssh_config.5 b/ssh_config.5 index 438bd803c..aaa331a16 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.354 2021/06/04 05:10:03 djm Exp $ -.Dd $Mdocdate: June 4 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.355 2021/07/02 05:11:21 dtucker Exp $ +.Dd $Mdocdate: July 2 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -412,13 +412,6 @@ Multiple .Cm CertificateFile directives will add to the list of certificates used for authentication. -.It Cm ChallengeResponseAuthentication -Specifies whether to use challenge-response authentication. -The argument to this keyword must be -.Cm yes -(the default) -or -.Cm no . .It Cm CheckHostIP If set to .Cm yes @@ -1085,6 +1078,8 @@ The argument to this keyword must be (the default) or .Cm no . +.Cm ChallengeResponseAuthentication +is a deprecated alias for this. .It Cm KbdInteractiveDevices Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. diff --git a/sshconnect.c b/sshconnect.c index 17ce00606..fcf87bb76 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.354 2021/06/25 06:20:39 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1298,13 +1298,6 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, error("Keyboard-interactive authentication is disabled" " to avoid man-in-the-middle attacks."); options.kbd_interactive_authentication = 0; - options.challenge_response_authentication = 0; - cancelled_forwarding = 1; - } - if (options.challenge_response_authentication) { - error("Challenge/response authentication is disabled" - " to avoid man-in-the-middle attacks."); - options.challenge_response_authentication = 0; cancelled_forwarding = 1; } if (options.forward_agent) { diff --git a/sshconnect2.c b/sshconnect2.c index 5ff90c46b..8bec0b612 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.349 2021/06/07 03:38:38 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.350 2021/07/02 05:11:21 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. 
@@ -442,8 +442,6 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, Authctxt authctxt; int r; - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; if (options.preferred_authentications == NULL) options.preferred_authentications = authmethods_get(); @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.576 2021/06/10 03:14:14 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.577 2021/07/02 05:11:21 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1753,10 +1753,6 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; - /* Check that options are sensible */ if (options.authorized_keys_command_user == NULL && (options.authorized_keys_command != NULL && |