|
Line
|
| 0 |
-- openssh.orig/auth2-kbdint.c |
0 |
++ openssh/auth2-kbdint.c |
|
Lines 46-51
|
| 46 |
|
46 |
|
| 47 |
debug("keyboard-interactive devs %s", devs); |
47 |
debug("keyboard-interactive devs %s", devs); |
| 48 |
|
48 |
|
|
|
49 |
/* disable password auth if we're doing "one or the other" */ |
| 50 |
if (options.kbdint_xor_password_authentication) |
| 51 |
options.password_authentication = 0; |
| 52 |
|
| 49 |
if (options.challenge_response_authentication) |
53 |
if (options.challenge_response_authentication) |
| 50 |
authenticated = auth2_challenge(authctxt, devs); |
54 |
authenticated = auth2_challenge(authctxt, devs); |
| 51 |
|
55 |
|
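Review bot: The added `options.password_authentication = 0;` runs before the `if (options.challenge_response_authentication)` test, so a keyboard-interactive request switches password authentication off even when the challenge-response path is disabled and `auth2_challenge()` is never reached. Placing the two added lines inside that test, so the flag is cleared only when `auth2_challenge(authctxt, devs)` is actually going to be called, keeps a request that cannot proceed from removing the remaining password-style method for the connection. The assignment also changes the global `options` for the rest of the process; a comment such as `/* affects this connection's process only; any separate privileged checker must apply the same rule */` would record that assumption, which should be confirmed against the rest of the server. The enclosing function starts and ends outside the hunk.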
| 52 |
-- openssh.orig/auth2-passwd.c |
56 |
++ openssh/auth2-passwd.c |
|
Lines 42-47
|
| 42 |
int authenticated = 0; |
42 |
int authenticated = 0; |
| 43 |
int change; |
43 |
int change; |
| 44 |
u_int len; |
44 |
u_int len; |
|
|
45 |
|
| 46 |
/* disable kbdint auth if we're doing "one or the other" */ |
| 47 |
if (options.kbdint_xor_password_authentication) |
| 48 |
options.kbd_interactive_authentication = 0; |
| 49 |
|
| 45 |
change = packet_get_char(); |
50 |
change = packet_get_char(); |
| 46 |
if (change) |
51 |
if (change) |
| 47 |
log("password change not supported"); |
52 |
log("password change not supported"); |
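Review bot: The added block clears `options.kbd_interactive_authentication`, while the keyboard-interactive handler changed in auth2-kbdint.c is gated on `options.challenge_response_authentication`, so whether keyboard-interactive is really refused after a password attempt depends on the method dispatcher, which is not visible here. If that dispatcher does not consult `kbd_interactive_authentication`, the "one or the other" rule would hold in one direction only. It is worth confirming and recording with a comment such as `/* method lookup checks kbd_interactive_authentication, so later kbdint requests are refused */`. The flag is cleared on any password attempt, before the request is parsed, and the comment could say "attempted" rather than leave that implied. The enclosing function starts and ends outside the hunk.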
| 48 |
-- openssh.orig/servconf.c |
53 |
++ openssh/servconf.c |
|
Lines 100-105
|
| 100 |
options->password_authentication = -1; |
100 |
options->password_authentication = -1; |
| 101 |
options->kbd_interactive_authentication = -1; |
101 |
options->kbd_interactive_authentication = -1; |
| 102 |
options->challenge_response_authentication = -1; |
102 |
options->challenge_response_authentication = -1; |
|
|
103 |
options->kbdint_xor_password_authentication = -1; |
| 103 |
options->tis_via_pam = -1; |
104 |
options->tis_via_pam = -1; |
| 104 |
options->permit_empty_passwd = -1; |
105 |
options->permit_empty_passwd = -1; |
| 105 |
options->permit_user_env = -1; |
106 |
options->permit_user_env = -1; |
|
Lines 225-230
|
| 225 |
options->kbd_interactive_authentication = 0; |
226 |
options->kbd_interactive_authentication = 0; |
| 226 |
if (options->challenge_response_authentication == -1) |
227 |
if (options->challenge_response_authentication == -1) |
| 227 |
options->challenge_response_authentication = 1; |
228 |
options->challenge_response_authentication = 1; |
|
|
229 |
if (options->kbdint_xor_password_authentication == -1) |
| 230 |
options->kbdint_xor_password_authentication = 0; |
| 228 |
if (options->permit_empty_passwd == -1) |
231 |
if (options->permit_empty_passwd == -1) |
| 229 |
options->permit_empty_passwd = 0; |
232 |
options->permit_empty_passwd = 0; |
| 230 |
if (options->permit_user_env == -1) |
233 |
if (options->permit_user_env == -1) |
|
Lines 298-303
|
| 298 |
#endif |
301 |
#endif |
| 299 |
sChallengeResponseAuthentication, sTISviaPAM, |
302 |
sChallengeResponseAuthentication, sTISviaPAM, |
| 300 |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
303 |
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
|
|
304 |
sKbdintXorPasswordAuthentication, |
| 301 |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
305 |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
| 302 |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
306 |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
| 303 |
sStrictModes, sEmptyPasswd, sKeepAlives, |
307 |
sStrictModes, sEmptyPasswd, sKeepAlives, |
|
Lines 353-358
|
| 353 |
{ "passwordauthentication", sPasswordAuthentication }, |
357 |
{ "passwordauthentication", sPasswordAuthentication }, |
| 354 |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
358 |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
| 355 |
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, |
359 |
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, |
|
|
360 |
{ "kbdintxorpasswordauthentication", sKbdintXorPasswordAuthentication }, |
| 356 |
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ |
361 |
{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ |
| 357 |
{ "tisviapam", sTISviaPAM }, |
362 |
{ "tisviapam", sTISviaPAM }, |
| 358 |
{ "checkmail", sDeprecated }, |
363 |
{ "checkmail", sDeprecated }, |
|
Lines 693-698
|
| 693 |
intptr = &options->challenge_response_authentication; |
698 |
intptr = &options->challenge_response_authentication; |
| 694 |
goto parse_flag; |
699 |
goto parse_flag; |
| 695 |
|
700 |
|
|
|
701 |
case sKbdintXorPasswordAuthentication: |
| 702 |
intptr = &options->kbdint_xor_password_authentication; |
| 703 |
goto parse_flag; |
| 704 |
|
| 696 |
case sPrintMotd: |
705 |
case sPrintMotd: |
| 697 |
intptr = &options->print_motd; |
706 |
intptr = &options->print_motd; |
| 698 |
goto parse_flag; |
707 |
goto parse_flag; |
| 699 |
-- openssh.orig/servconf.h |
708 |
++ openssh/servconf.h |
|
Lines 95-100
|
| 95 |
* authentication. */ |
95 |
* authentication. */ |
| 96 |
int kbd_interactive_authentication; /* If true, permit */ |
96 |
int kbd_interactive_authentication; /* If true, permit */ |
| 97 |
int challenge_response_authentication; |
97 |
int challenge_response_authentication; |
|
|
98 |
int kbdint_xor_password_authentication; /* one or the other */ |
| 98 |
int tis_via_pam; /* Use PAM for TIS? */ |
99 |
int tis_via_pam; /* Use PAM for TIS? */ |
| 99 |
int permit_empty_passwd; /* If false, do not permit empty |
100 |
int permit_empty_passwd; /* If false, do not permit empty |
| 100 |
* passwords. */ |
101 |
* passwords. */ |
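Review bot: The comment on the new field `kbdint_xor_password_authentication`, `/* one or the other */`, does not say which two methods are meant or when the choice is made. A comment like `/* If true, the first of kbdint/password attempted disables the other */` would match what the added code in auth2-kbdint.c and auth2-passwd.c does and the wording in sshd_config.5. The struct definition starts and ends outside the hunk.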
| 101 |
-- openssh.orig/sshd_config.5 |
102 |
++ openssh/sshd_config.5 |
|
Lines 282-287
|
| 282 |
.Cm HostbasedAuthentication . |
282 |
.Cm HostbasedAuthentication . |
| 283 |
The default is |
283 |
The default is |
| 284 |
.Dq no . |
284 |
.Dq no . |
|
|
285 |
.It Cm KbdintXORPasswordAuthentication |
| 286 |
Specifies whether only one or the other of keyboard-interactive and |
| 287 |
password authentication should be permitted. Setting this to |
| 288 |
.Dq yes |
| 289 |
disables the other method once one is attempted. This can be useful |
| 290 |
to present a more consistent interface for typical clients that would |
| 291 |
opportunistically attempt both, as both of these authentication types |
| 292 |
are generally "password" authentications, if both are enabled. |
| 293 |
The default is |
| 294 |
.Dq no . |
| 295 |
This option applies to protocol version 2 only. |
| 285 |
.It Cm KeepAlive |
296 |
.It Cm KeepAlive |
| 286 |
Specifies whether the system should send TCP keepalive messages to the |
297 |
Specifies whether the system should send TCP keepalive messages to the |
| 287 |
other side. |
298 |
other side. |