[ssh-keygen.c]
remove debug
- (bal) Whitespace resync w/ OpenBSD for uidswap.c
+ - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
+ (default: off), implies KbdInteractiveAuthentication. Suggestion from
+ markus@
20010424
- OpenBSD CVS Sync
/* challenge-reponse is implemented via keyboard interactive */
if (options.challenge_reponse_authentication)
options.kbd_interactive_authentication = 1;
+ if (options.pam_authentication_via_kbd_int)
+ options.kbd_interactive_authentication = 1;
dispatch_init(&protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
authenticated = auth2_challenge(authctxt, devs);
#ifdef USE_PAM
- if (authenticated == 0)
+ if (authenticated == 0 && options.pam_authentication_via_kbd_int)
authenticated = auth2_pam(authctxt);
#endif
xfree(lang);
options->reverse_mapping_check = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
+ options->pam_authentication_via_kbd_int = -1;
}
void
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
options->client_alive_count_max = 3;
+ if (options->pam_authentication_via_kbd_int == -1)
+ options->pam_authentication_via_kbd_int = 0;
}
/* Keyword tokens. */
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sReverseMappingCheck, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- sClientAliveCountMax
+ sClientAliveCountMax, sPAMAuthenticationViaKbdInt
} ServerOpCodes;
/* Textual representation of the tokens. */
{ "reversemappingcheck", sReverseMappingCheck },
{ "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax },
+ { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
{ NULL, 0 }
};
case sClientAliveCountMax:
intptr = &options->client_alive_count_max;
goto parse_int;
+ case sPAMAuthenticationViaKbdInt:
+ intptr = &options->pam_authentication_via_kbd_int;
+ goto parse_flag;
+
default:
fatal("%s line %d: Missing handler for opcode %s (%d)",
filename, linenum, arg, opcode);
* for this many intervals, above
* diconnect the session
*/
-
+ int pam_authentication_via_kbd_int;
} ServerOptions;
/*
* Initializes the server options to special values that indicate that they
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but
+it will allow password authentication regardless of whether
+.Cm PasswordAuthentication
+is disabled.
+The default is
+.Dq no .
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
PasswordAuthentication yes
PermitEmptyPasswords no
-# Comment to enable s/key passwords or PAM interactive authentication
-# NB. Neither of these are compiled in by default. Please read the
-# notes in the sshd(8) manpage before enabling this on a PAM system.
-ChallengeResponseAuthentication no
+# Uncomment to disable s/key passwords
+#ChallengeResponseAuthentication no
+
+# Uncomment to enable PAM keyboard-interactive authentication
+# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
+#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no