changeset 12597:5fdb1d206be4
6949049 keyboard-interactive configuration option handling needs to be fixed in SunSSH
author | Jan Pechanec <Jan.Pechanec@Sun.COM> |
---|---|
date | Thu, 10 Jun 2010 03:12:08 -0700 |
parents | d42e6e6980b3 |
children | 0b0970facf04 |
files | usr/src/cmd/ssh/etc/sshd_config usr/src/cmd/ssh/include/servconf.h usr/src/cmd/ssh/sshd/auth2-kbdint.c usr/src/cmd/ssh/sshd/auth2.c usr/src/cmd/ssh/sshd/servconf.c usr/src/cmd/ssh/sshd/sshd.c |
diffstat | 6 files changed, 53 insertions(+), 51 deletions(-) [+] |
--- a/usr/src/cmd/ssh/etc/sshd_config Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/etc/sshd_config Thu Jun 10 03:12:08 2010 -0700
@@ -1,8 +1,8 @@
 #
-# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 # Configuration file for sshd(1m) (see also sshd_config(4))
+#
 # Protocol versions supported
 #
@@ -110,13 +110,6 @@
 # To disable tunneled clear text passwords, change PasswordAuthentication to no.
 PasswordAuthentication yes
-# Use PAM via keyboard interactive method for authentication.
-# Depending on the setup of pam.conf(4) this may allow tunneled clear text
-# passwords even when PasswordAuthentication is set to no. This is dependent
-# on what the individual modules request and is out of the control of sshd
-# or the protocol.
-PAMAuthenticationViaKBDInt yes
-
 # Are root logins permitted using sshd.
 # Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
 # maybe denied access by a PAM module regardless of this setting.
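Review bot: The shipped sshd_config now says nothing about the keyboard-interactive method even though servconf.c in this commit turns it on by default, and the deleted comment was the only place warning that a pam.conf(4) setup can still accept tunneled clear text passwords when PasswordAuthentication is no. Suggest replacing the removed block with a commented-out default plus that caveat, e.g. `#KbdInteractiveAuthentication yes` under a restored `# Depending on the setup of pam.conf(4) this may allow tunneled clear text passwords even when PasswordAuthentication is set to no.`, so an admin auditing the file sees both the method and its risk. The diffstat lists no manual page, so if sshd_config(4) still describes PAMAuthenticationViaKBDInt as the way to disable this method it needs the same deprecation note.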
--- a/usr/src/cmd/ssh/include/servconf.h Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/include/servconf.h Thu Jun 10 03:12:08 2010 -0700
@@ -111,8 +111,11 @@
 #endif
 int password_authentication; /* If true, permit password * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
- int challenge_response_authentication;
+
+ int kbd_interactive_authentication;
+ int challenge_response_authentication;
+ int pam_authentication_via_kbd_int;
+
 int permit_empty_passwd; /* If false, do not permit empty * passwords. */
 int permit_user_env; /* If true, read ~/.ssh/environment */
@@ -152,8 +155,6 @@
 char *authorized_keys_file; /* File containing public keys */
 char *authorized_keys_file2;
- int pam_authentication_via_kbd_int;
-
 int max_auth_tries;
 int max_auth_tries_log;
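Review bot: The three int fields grouped in the first hunk carry no comments, and the one comment removed there (`/* If true, permit */`) was already truncated, so nothing in the header tells a reader that `kbd_interactive_authentication` is now the flag gating auth2_pam() (per this commit's auth2-kbdint.c change) while `pam_authentication_via_kbd_int` is kept only so old configs keep working. Suggest `int kbd_interactive_authentication; /* If true, permit kbd-interactive auth (PAM on USE_PAM builds). */`, `int challenge_response_authentication; /* If true, permit challenge-response auth. */` and `int pam_authentication_via_kbd_int; /* Deprecated; left at -1 unless set in config, read only for compatibility. */`. The -1 convention is established in servconf.c's initialisation in this commit, not in this header.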
--- a/usr/src/cmd/ssh/sshd/auth2-kbdint.c Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/auth2-kbdint.c Thu Jun 10 03:12:08 2010 -0700
@@ -22,15 +22,12 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 #include "includes.h"
 RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 #include "packet.h"
 #include "auth.h"
 #include "log.h"
@@ -55,7 +52,7 @@
 debug("keyboard-interactive devs %s", devs);
 #ifdef USE_PAM
- if (options.pam_authentication_via_kbd_int)
+ if (options.kbd_interactive_authentication)
 auth2_pam(authctxt);
 #else
 if (options.challenge_response_authentication)
@@ -69,23 +66,8 @@
 return;
 }
 #endif
- return;
 }
-#if 0
-static int
-userauth_kbdint_abandon_chk(Authctxt *authctxt, Authmethod *method)
-{
-#ifdef USE_PAM
- return kbdint_pam_abandon_chk(authctxt, method);
-#endif /* USE_PAM */
- if (method->method_data || method->postponed)
- return 1;
-
- return 0;
-}
-#endif
-
 static void
 userauth_kbdint_abandon(Authctxt *authctxt, Authmethod *method)
 {
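Review bot: In the second hunk the USE_PAM branch consults only `options.kbd_interactive_authentication` while the `#else` branch still consults `options.challenge_response_authentication`, so on PAM builds `ChallengeResponseAuthentication no` no longer disables anything here and the only notice of that is the protocol-2-only warning this commit adds to sshd.c. That asymmetry is worth a comment at the `#ifdef USE_PAM` line, e.g. `/* With PAM, KbdInteractiveAuthentication alone governs this method; ChallengeResponseAuthentication is not consulted here. */`. The enclosing function (presumably userauth_kbdint) starts before the hunk and its body continues past it.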
--- a/usr/src/cmd/ssh/sshd/auth2.c Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/auth2.c Thu Jun 10 03:12:08 2010 -0700
@@ -22,8 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 #include "includes.h"
@@ -112,12 +111,6 @@
 fatal_add_cleanup(audit_failed_login_cleanup, authctxt);
 #endif /* HAVE_BSM */
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
- if (options.pam_authentication_via_kbd_int)
- options.kbd_interactive_authentication = 1;
-
 dispatch_init(&dispatch_protocol_error);
 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
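Review bot: After the second hunk nothing in this function ties `kbd_interactive_authentication` to the other two flags, and the removed comment `/* challenge-response is implemented via keyboard interactive */` goes with it even though the `#else` path in auth2-kbdint.c still routes challenge-response through this method on non-PAM builds. A one-line comment at that spot pointing at where enablement is now decided would stop the next reader from re-adding the coupling: `/* kbd-interactive enablement is settled in sshd.c/servconf.c before authentication starts. */`. The enclosing function starts before and ends after the hunk.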
--- a/usr/src/cmd/ssh/sshd/servconf.c Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/servconf.c Thu Jun 10 03:12:08 2010 -0700
@@ -69,9 +69,6 @@
 {
 (void) memset(options, 0, sizeof(*options));
- /* Portable-specific options */
- options->pam_authentication_via_kbd_int = -1;
-
 /* Standard Options */
 options->num_ports = 0;
 options->ports_from_cmdline = 0;
@@ -121,6 +118,7 @@
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
+ options->pam_authentication_via_kbd_int = -1;
 options->permit_empty_passwd = -1;
 options->permit_user_env = -1;
 options->compression = -1;
@@ -232,10 +230,6 @@
 deflt_fill_default_server_options(options);
 #endif /* HAVE_DEFOPEN */
- /* Portable-specific options */
- if (options->pam_authentication_via_kbd_int == -1)
- options->pam_authentication_via_kbd_int = 0;
-
 /* Standard Options */
 if (options->protocol == SSH_PROTO_UNKNOWN)
 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -334,8 +328,12 @@
 #endif
 if (options->password_authentication == -1)
 options->password_authentication = 1;
+ /*
+ * options->pam_authentication_via_kbd_int has intentionally no default
+ * value since we do not need it.
+ */
 if (options->kbd_interactive_authentication == -1)
- options->kbd_interactive_authentication = 0;
+ options->kbd_interactive_authentication = 1;
 if (options->challenge_response_authentication == -1)
 options->challenge_response_authentication = 1;
 if (options->permit_empty_passwd == -1)
@@ -770,6 +768,9 @@
 switch (opcode) {
 /* Portable-specific options */
 case sPAMAuthenticationViaKbdInt:
+ log("%s line %d: PAMAuthenticationViaKbdInt has been "
+ "deprecated. You should use KbdInteractiveAuthentication "
+ "instead (which defaults to \"yes\").", filename, linenum);
 intptr = &options->pam_authentication_via_kbd_int;
 goto parse_flag;
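Review bot: The comment added in the fourth hunk says `pam_authentication_via_kbd_int` has no default "since we do not need it", but the value is relied on: sshd.c in this commit compares it with 0 to decide whether to turn keyboard-interactive off, and that test only works because the -1 assigned in the second hunk is left alone by fill_default_server_options(). The comment should state that contract, e.g. `/* pam_authentication_via_kbd_int is deliberately left at -1 (unset) here; sshd.c distinguishes an explicit "no" (0) from unset to keep old configs working. */`, so a later cleanup does not add a default and silently break the compatibility path. The log() call in the fifth hunk names the file and line, which is the right level of detail for a deprecation notice.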
--- a/usr/src/cmd/ssh/sshd/sshd.c Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/sshd.c Thu Jun 10 03:12:08 2010 -0700
@@ -41,8 +41,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
 */
 #include "includes.h"
@@ -982,6 +981,39 @@
 load_server_config(config_file_name, &cfg);
 parse_server_config(&options, config_file_name, &cfg, NULL, NULL, NULL);
+ /*
+ * ChallengeResponseAuthentication is deprecated for protocol 2 which is
+ * the default setting on Solaris. Warn the user about it. Note that
+ * ChallengeResponseAuthentication is on by default but the option is
+ * not set until fill_default_server_options() is called. If the option
+ * is already set now, the user must have set it manually.
+ */
+ if ((options.protocol & SSH_PROTO_2) &&
+ !(options.protocol & SSH_PROTO_1) &&
+ options.challenge_response_authentication != -1) {
+ log("ChallengeResponseAuthentication has been "
+ "deprecated for the SSH Protocol 2. You should use "
+ "KbdInteractiveAuthentication instead (which defaults to "
+ "\"yes\").");
+ }
+
+ /*
+ * While PAMAuthenticationViaKbdInt was not documented, it was
+ * previously set in our default sshd_config and also the only way to
+ * switch off the keyboard-interactive authentication. To maintain
+ * backward compatibility, if PAMAuthenticationViaKbdInt is manually set
+ * to "no" and KbdInteractiveAuthentication is not set, switch off the
+ * keyboard-interactive authentication method as before. As with the
+ * challenge response auth situation dealt above, we have not called
+ * fill_default_server_options() yet so if KbdInteractiveAuthentication
+ * is already set to 1 here the admin must have set it manually and we
+ * will honour it.
+ */
+ if (options.kbd_interactive_authentication != 1 &&
+ options.pam_authentication_via_kbd_int == 0) {
+ options.kbd_interactive_authentication = 0;
+ }
+ + /* Fill in default values for those options not explicitly set. */
 fill_default_server_options(&options);
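Review bot: In the compatibility check near the end of the hunk, `options.kbd_interactive_authentication != 1` does not say what the comment above it says, namely that the override applies when KbdInteractiveAuthentication "is not set"; the condition also matches an explicit `no` (0), which is harmless only because assigning 0 again is a no-op. `if (options.kbd_interactive_authentication == -1 &&` is behaviourally identical and matches the comment, so the intent survives the next edit of this block. The deprecation warning earlier in the hunk fires only for a protocol-2-only configuration: with `Protocol 2,1`, or with no Protocol line at all (options.protocol is presumably still SSH_PROTO_UNKNOWN here, since the default is applied in fill_default_server_options() per this commit's servconf.c hunk), an admin who set ChallengeResponseAuthentication gets no hint that the auth2.c change in this commit stops it from controlling keyboard-interactive on PAM builds, so either drop the `!(options.protocol & SSH_PROTO_1)` clause or say in the comment that the silence is deliberate. Both new blocks live in what appears to be main(), which begins well before the hunk.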