changeset 12597:5fdb1d206be4

6949049 keyboard-interactive configuration option handling needs to be fixed in SunSSH
author Jan Pechanec <Jan.Pechanec@Sun.COM>
date Thu, 10 Jun 2010 03:12:08 -0700
parents d42e6e6980b3
children 0b0970facf04
files usr/src/cmd/ssh/etc/sshd_config usr/src/cmd/ssh/include/servconf.h usr/src/cmd/ssh/sshd/auth2-kbdint.c usr/src/cmd/ssh/sshd/auth2.c usr/src/cmd/ssh/sshd/servconf.c usr/src/cmd/ssh/sshd/sshd.c
diffstat 6 files changed, 53 insertions(+), 51 deletions(-) [+]
--- a/usr/src/cmd/ssh/etc/sshd_config	Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/etc/sshd_config	Thu Jun 10 03:12:08 2010 -0700
@@ -1,8 +1,8 @@
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 # Configuration file for sshd(1m) (see also sshd_config(4))
+#
 
 # Protocol versions supported
 #
@@ -110,13 +110,6 @@
 # To disable tunneled clear text passwords, change PasswordAuthentication to no.
 PasswordAuthentication yes
 
-# Use PAM via keyboard interactive method for authentication.
-# Depending on the setup of pam.conf(4) this may allow tunneled clear text
-# passwords even when PasswordAuthentication is set to no. This is dependent
-# on what the individual modules request and is out of the control of sshd
-# or the protocol.
-PAMAuthenticationViaKBDInt yes
-
 # Are root logins permitted using sshd.
 # Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
 # maybe denied access by a PAM module regardless of this setting.
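Review bot: Dropping the PAMAuthenticationViaKBDInt block also drops the only warning in the shipped sshd_config that a PAM-backed keyboard-interactive method can still carry tunneled clear-text passwords when PasswordAuthentication is set to no. Since KbdInteractiveAuthentication now defaults to yes (servconf.c hunk in this changeset), an admin reading this file no longer sees which directive turns that method off. Suggest replacing the removed block with a commented entry such as `# KbdInteractiveAuthentication yes`, preceded by the former caveat about pam.conf(4), so the default config documents the replacement directive and its effect.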
--- a/usr/src/cmd/ssh/include/servconf.h	Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/include/servconf.h	Thu Jun 10 03:12:08 2010 -0700
@@ -111,8 +111,11 @@
 #endif
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
-	int     kbd_interactive_authentication;	/* If true, permit */
-	int     challenge_response_authentication;
+
+	int     kbd_interactive_authentication;
+	int	challenge_response_authentication;
+	int	pam_authentication_via_kbd_int;
+
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
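Review bot: The regrouped fields lose the partial `/* If true, permit */` comment without gaining a complete one, so the three related flags are now the only undocumented members in the visible part of the struct. Suggest `/* If true, permit keyboard-interactive auth. */` on kbd_interactive_authentication and, on pam_authentication_via_kbd_int, a comment recording that it is deprecated, is never given a default, and is only consulted for backward compatibility before fill_default_server_options() runs. The struct definition continues outside the hunk.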
@@ -152,8 +155,6 @@
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 
-	int	pam_authentication_via_kbd_int;
-
 	int	max_auth_tries;
 	int	max_auth_tries_log;
 
--- a/usr/src/cmd/ssh/sshd/auth2-kbdint.c	Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/auth2-kbdint.c	Thu Jun 10 03:12:08 2010 -0700
@@ -22,15 +22,12 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 #include "includes.h"
 RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include "packet.h"
 #include "auth.h"
 #include "log.h"
@@ -55,7 +52,7 @@
 	debug("keyboard-interactive devs %s", devs);
 
 #ifdef USE_PAM
-	if (options.pam_authentication_via_kbd_int)
+	if (options.kbd_interactive_authentication)
 		auth2_pam(authctxt);
 #else
 	if (options.challenge_response_authentication)
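Review bot: Inside the USE_PAM branch the new guard tests options.kbd_interactive_authentication, which as far as this changeset shows is the same flag that enables the kbdint method in the first place; when it is false the handler appears to fall through to the end of the function without calling auth2_pam(). If the method table gates on the same flag the test is redundant, and if it does not, a keyboard-interactive request gets silent no-op handling, which is the kind of ambiguity a reviewer cannot resolve from the hunk. A one-line comment stating which holds, e.g. `/* kbd_interactive_authentication also enables this method in the dispatch table */`, would spare the next reader the same question. userauth_kbdint starts before and ends after this hunk.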
@@ -69,23 +66,8 @@
 		return;
 	}
 #endif
-	return;
 }
 
-#if 0
-static int
-userauth_kbdint_abandon_chk(Authctxt *authctxt, Authmethod *method)
-{
-#ifdef USE_PAM
-	return kbdint_pam_abandon_chk(authctxt, method);
-#endif /* USE_PAM */
-	if (method->method_data || method->postponed)
-		return 1;
-
-	return 0;
-}
-#endif
-
 static void
 userauth_kbdint_abandon(Authctxt *authctxt, Authmethod *method)
 {
--- a/usr/src/cmd/ssh/sshd/auth2.c	Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/auth2.c	Thu Jun 10 03:12:08 2010 -0700
@@ -22,8 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 #include "includes.h"
@@ -112,12 +111,6 @@
 	fatal_add_cleanup(audit_failed_login_cleanup, authctxt);
 #endif /* HAVE_BSM */
 
-	/* challenge-response is implemented via keyboard interactive */
-	if (options.challenge_response_authentication)
-		options.kbd_interactive_authentication = 1;
-	if (options.pam_authentication_via_kbd_int)
-		options.kbd_interactive_authentication = 1;
-
 	dispatch_init(&dispatch_protocol_error);
 	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
 	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
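Review bot: Removing the two forced assignments means ChallengeResponseAuthentication no longer implies KbdInteractiveAuthentication, so a configuration with `ChallengeResponseAuthentication yes` and an explicit `KbdInteractiveAuthentication no` presumably changes behaviour under this changeset: the keyboard-interactive method stays disabled where before the removed lines enabled it. The deprecation warning added in sshd.c fires whenever ChallengeResponseAuthentication is set, so the admin is told about the rename but not that the implication is gone. Suggest extending that message or the changeset description with one sentence saying that KbdInteractiveAuthentication is now the sole switch for the method. The enclosing function starts and ends outside the hunk.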
--- a/usr/src/cmd/ssh/sshd/servconf.c	Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/servconf.c	Thu Jun 10 03:12:08 2010 -0700
@@ -69,9 +69,6 @@
 {
 	(void) memset(options, 0, sizeof(*options));
 
-	/* Portable-specific options */
-	options->pam_authentication_via_kbd_int = -1;
-
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -121,6 +118,7 @@
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
+	options->pam_authentication_via_kbd_int = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->compression = -1;
@@ -232,10 +230,6 @@
 	deflt_fill_default_server_options(options);
 #endif /* HAVE_DEFOPEN */
 
-	/* Portable-specific options */
-	if (options->pam_authentication_via_kbd_int == -1)
-		options->pam_authentication_via_kbd_int = 0;
-
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -334,8 +328,12 @@
 #endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
+	/*
+	 * options->pam_authentication_via_kbd_int has intentionally no default
+	 * value since we do not need it.
+	 */
 	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 0;
+		options->kbd_interactive_authentication = 1;
 	if (options->challenge_response_authentication == -1)
 		options->challenge_response_authentication = 1;
 	if (options->permit_empty_passwd == -1)
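Review bot: The new comment says pam_authentication_via_kbd_int intentionally gets no default but not why, and the reason is an ordering dependency worth spelling out: sshd.c in this changeset reads the value before fill_default_server_options() is called and treats -1 as unset, so defaulting it here would be harmless but defaulting it anywhere earlier (e.g. in initialize_server_options(), which sets -1) would silently disable keyboard-interactive for every configuration. Suggest replacing `value since we do not need it.` with `value: sshd.c inspects it (-1 = unset) before this function runs, to honour a legacy "no".`. The flip of the kbd_interactive_authentication default from 0 to 1 is the user-visible change in this hunk and deserves a short comment of its own.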
@@ -770,6 +768,9 @@
 	switch (opcode) {
 	/* Portable-specific options */
 	case sPAMAuthenticationViaKbdInt:
+		log("%s line %d: PAMAuthenticationViaKbdInt has been "
+		    "deprecated. You should use KbdInteractiveAuthentication "
+		    "instead (which defaults to \"yes\").", filename, linenum);
 		intptr = &options->pam_authentication_via_kbd_int;
 		goto parse_flag;
 
--- a/usr/src/cmd/ssh/sshd/sshd.c	Thu Jun 10 01:37:41 2010 -0700
+++ b/usr/src/cmd/ssh/sshd/sshd.c	Thu Jun 10 03:12:08 2010 -0700
@@ -41,8 +41,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 #include "includes.h"
@@ -982,6 +981,39 @@
 	load_server_config(config_file_name, &cfg);
 	parse_server_config(&options, config_file_name, &cfg, NULL, NULL, NULL);
 
+	/*
+	 * ChallengeResponseAuthentication is deprecated for protocol 2 which is
+	 * the default setting on Solaris. Warn the user about it. Note that
+	 * ChallengeResponseAuthentication is on by default but the option is
+	 * not set until fill_default_server_options() is called. If the option
+	 * is already set now, the user must have set it manually.
+	 */
+	if ((options.protocol & SSH_PROTO_2) &&
+	    !(options.protocol & SSH_PROTO_1) &&
+	    options.challenge_response_authentication != -1) {
+		log("ChallengeResponseAuthentication has been "
+		"deprecated for the SSH Protocol 2. You should use "
+		"KbdInteractiveAuthentication instead (which defaults to "
+		"\"yes\").");
+	}
+
+	/*
+	 * While PAMAuthenticationViaKbdInt was not documented, it was
+	 * previously set in our default sshd_config and also the only way to
+	 * switch off the keyboard-interactive authentication. To maintain
+	 * backward compatibility, if PAMAuthenticationViaKbdInt is manually set
+	 * to "no" and KbdInteractiveAuthentication is not set, switch off the
+	 * keyboard-interactive authentication method as before. As with the
+	 * challenge response auth situation dealt above, we have not called
+	 * fill_default_server_options() yet so if KbdInteractiveAuthentication
+	 * is already set to 1 here the admin must have set it manually and we
+	 * will honour it.
+	 */
+	if (options.kbd_interactive_authentication != 1 &&
+	    options.pam_authentication_via_kbd_int == 0) {
+		options.kbd_interactive_authentication = 0;
+	}
+
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
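Review bot: The backward-compatibility block at the end of the hunk silently rewrites kbd_interactive_authentication, and its condition `!= 1` is wider than the comment's "KbdInteractiveAuthentication is not set" (it also matches an explicit no, harmless but confusing). Suggest `if (options.kbd_interactive_authentication == -1 && options.pam_authentication_via_kbd_int == 0) {` followed by `log("PAMAuthenticationViaKbdInt no disables keyboard-interactive authentication; use KbdInteractiveAuthentication no instead.");` before the assignment, so the admin learns that the deprecated keyword still changed the effective setting. The first check relies on options.protocol already carrying SSH_PROTO_2, which presumably holds only when the config file names Protocol explicitly; left unset it is still SSH_PROTO_UNKNOWN here (fill_default_server_options() assigns it later) and the warning is skipped, which the comment's "default setting on Solaris" does not make obvious. main() starts and ends outside the hunk.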