- (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
authordjm <djm>
Wed, 25 Apr 2001 12:44:14 +0000 (12:44 +0000)
committerdjm <djm>
Wed, 25 Apr 2001 12:44:14 +0000 (12:44 +0000)
   (default: off), implies KbdInteractiveAuthentication. Suggestion from
   markus@

ChangeLog
auth2.c
servconf.c
servconf.h
sshd.8
sshd_config

index 3d935b3853348532009ae3dcfa99a7d415f3ff11..e88f6f214d30d05b56b09d806fe1b03c4402d4db 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
      [ssh-keygen.c]
      remove debug
  - (bal) Whitespace resync w/ OpenBSD for uidswap.c
+ - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
+   (default: off), implies KbdInteractiveAuthentication. Suggestion from 
+   markus@
 
 20010424
  - OpenBSD CVS Sync
diff --git a/auth2.c b/auth2.c
index 5ffd43fe5b819550ae650245ed11ee7edc254849..f357b582633c021bf0287e21993397a11ca399e3 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -127,6 +127,8 @@ do_authentication2()
        /* challenge-reponse is implemented via keyboard interactive */
        if (options.challenge_reponse_authentication)
                options.kbd_interactive_authentication = 1;
+       if (options.pam_authentication_via_kbd_int)
+               options.kbd_interactive_authentication = 1;
 
        dispatch_init(&protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
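Review bot: The new `if (options.pam_authentication_via_kbd_int)` line forces kbd_interactive_authentication on without the explanatory comment its challenge-response twin two lines above carries, so a reader does not see that this is the documented "implies KbdInteractiveAuthentication" behaviour and that it overrides an explicit `KbdInteractiveAuthentication no`. I would add `/* PAM via kbd-int also needs keyboard-interactive on; overrides KbdInteractiveAuthentication */` above the new `if`. Because the implication is applied here in do_authentication2 rather than in fill_default_server_options, any code that reads kbd_interactive_authentication before this point would still see the configured value — worth confirming nothing does. do_authentication2 starts and ends outside the hunk.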
@@ -411,7 +413,7 @@ userauth_kbdint(Authctxt *authctxt)
                authenticated = auth2_challenge(authctxt, devs);
 
 #ifdef USE_PAM
-       if (authenticated == 0)
+       if (authenticated == 0 && options.pam_authentication_via_kbd_int)
                authenticated = auth2_pam(authctxt);
 #endif
        xfree(lang);
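Review bot: The changed line still lets auth2_pam run only after auth2_challenge has returned 0, so as far as the hunk shows a single keyboard-interactive request can give the client two independent authentication attempts, and nothing here consults options.password_authentication before the PAM stack is invoked — which is the PasswordAuthentication bypass the sshd.8 text in this commit warns about. If that is intended because non-password PAM challenge modules are the target, state it at the call site: `/* PAM stack runs even with PasswordAuthentication no; see sshd.8 */` above the `#ifdef USE_PAM`. Gating additionally on `options.password_authentication` would close the bypass but would also defeat the challenge-response modules the directive exists for, so the trade-off deserves an explicit decision rather than silence. userauth_kbdint starts outside the hunk.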
index 3d0c9efa6f2d28bcb214c2e9402ceaa828844f75..73c07c2fe8832e39b42aa19bdbec2ee7e54d50c9 100644 (file)
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
        options->reverse_mapping_check = -1;
        options->client_alive_interval = -1;
        options->client_alive_count_max = -1;
+       options->pam_authentication_via_kbd_int = -1;
 }
 
 void
@@ -207,6 +208,8 @@ fill_default_server_options(ServerOptions *options)
                options->client_alive_interval = 0;  
        if (options->client_alive_count_max == -1)
                options->client_alive_count_max = 3;
+       if (options->pam_authentication_via_kbd_int == -1)
+               options->pam_authentication_via_kbd_int = 0;
 }
 
 /* Keyword tokens. */
@@ -232,7 +235,7 @@ typedef enum {
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
        sBanner, sReverseMappingCheck, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 
-       sClientAliveCountMax
+       sClientAliveCountMax, sPAMAuthenticationViaKbdInt
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -298,6 +301,7 @@ static struct {
        { "reversemappingcheck", sReverseMappingCheck },
        { "clientaliveinterval", sClientAliveInterval },
        { "clientalivecountmax", sClientAliveCountMax },
+       { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
        { NULL, 0 }
 };
 
@@ -794,6 +798,10 @@ parse_flag:
                case sClientAliveCountMax:
                        intptr = &options->client_alive_count_max;
                        goto parse_int;
+               case sPAMAuthenticationViaKbdInt:
+                       intptr = &options->pam_authentication_via_kbd_int;
+                       goto parse_flag;
+
                default:
                        fatal("%s line %d: Missing handler for opcode %s (%d)",
                            filename, linenum, arg, opcode);
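Review bot: The new sPAMAuthenticationViaKbdInt case is compiled and accepted unconditionally, while the only consumer in auth2.c sits under `#ifdef USE_PAM`; on a build without PAM `PAMAuthenticationViaKbdInt yes` parses cleanly, silently switches keyboard-interactive on, and never reaches PAM, which an administrator reading sshd.8 would not expect. I would reject the directive on such builds before the `goto parse_flag`: `#ifndef USE_PAM` / `fatal("%s line %d: %s requires PAM support", filename, linenum, arg);` / `#endif` — filename, linenum and arg are the names the default case already uses. The enclosing switch continues outside the hunk.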
index 4c02c0f5218e2d45e73a839d6ffed39b41bdedd3..78bca97f3691029401dcabbb1dce0d2ceaa357bb 100644 (file)
@@ -124,7 +124,7 @@ typedef struct {
                                         * for this many intervals, above
                                         * diconnect the session 
                                         */
-
+       int     pam_authentication_via_kbd_int;
 }       ServerOptions;
 /*
  * Initializes the server options to special values that indicate that they
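Review bot: The new pam_authentication_via_kbd_int field is the only member in view without a descriptive comment, while its neighbour client_alive_count_max carries a multi-line one, and it also consumes the blank line that separated the last field from the closing brace. I would write it as `int pam_authentication_via_kbd_int; /* Allow PAM via kbd-int; also forces kbd-int on (default off) */`, which matches what auth2.c and fill_default_server_options in this commit do. The struct's head is outside the hunk.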
diff --git a/sshd.8 b/sshd.8
index 62e3de7c6a206d56f63b6284a793505f1602a5cb..56723392a8fd0cfb1b2f6614b5ebc08d636b3a81 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -616,6 +616,14 @@ The probability increases linearly and all connection attempts
 are refused if the number of unauthenticated connections reaches
 .Dq full
 (60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but 
+it will allow password authentication regardless of whether 
+.Cm PasswordAuthentication
+is disabled.
+The default is
+.Dq no .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
index fda1456e6818c486a10e49ffde3fbc41ac7805a5..8c411e476f2f7e17613855d06ef8fd97bd49a8cb 100644 (file)
@@ -46,10 +46,12 @@ RSAAuthentication yes
 PasswordAuthentication yes
 PermitEmptyPasswords no
 
-# Comment to enable s/key passwords or PAM interactive authentication
-# NB. Neither of these are compiled in by default. Please read the
-# notes in the sshd(8) manpage before enabling this on a PAM system.
-ChallengeResponseAuthentication no
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+
+# Uncomment to enable PAM keyboard-interactive authentication 
+# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
+#PAMAuthenticationViaKbdInt yes
 
 # To change Kerberos options
 #KerberosAuthentication no
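Review bot: Dropping the active `ChallengeResponseAuthentication no` line means the shipped configuration now inherits the compiled-in default for that directive, which this diff does not show; the new comment "Uncomment to disable" presumes that default is yes, so please confirm it, since this changes the installed server's effective policy rather than just a comment. The added comment lines `# Uncomment to disable s/key passwords` and `# Uncomment to enable PAM keyboard-interactive authentication` both carry trailing whitespace. The PasswordAuthentication warning is good; I would also state the second side effect next to it, e.g. `# Note: this also turns on KbdInteractiveAuthentication`.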