Bugzilla – Attachment 316 Details for Bug 582: Add 'KbdintXORPasswordAuthentication' option.
[patch] Add 'KbdintXORPasswordAuthentication' option.
d (text/plain), 3.72 KB, created by Frank Cusack on 2003-06-02 11:51:33 AEST
> > Add 'KbdintXORPasswordAuthentication' option. > >--- openssh.orig/auth2-kbdint.c >+++ openssh/auth2-kbdint.c >@@ -46,6 +46,10 @@ > > debug("keyboard-interactive devs %s", devs); > >+ /* disable password auth if we're doing "one or the other" */ >+ if (options.kbdint_xor_password_authentication) >+ options.password_authentication = 0; >+ > if (options.challenge_response_authentication) > authenticated = auth2_challenge(authctxt, devs); > > >--- openssh.orig/auth2-passwd.c >+++ openssh/auth2-passwd.c >@@ -42,6 +42,11 @@ > int authenticated = 0; > int change; > u_int len; >+ >+ /* disable kbdint auth if we're doing "one or the other" */ >+ if (options.kbdint_xor_password_authentication) >+ options.kbd_interactive_authentication = 0; >+ > change = packet_get_char(); > if (change) > log("password change not supported"); > >--- openssh.orig/servconf.c >+++ openssh/servconf.c >@@ -100,6 +100,7 @@ > options->password_authentication = -1; > options->kbd_interactive_authentication = -1; > options->challenge_response_authentication = -1; >+ options->kbdint_xor_password_authentication = -1; > options->tis_via_pam = -1; > options->permit_empty_passwd = -1; > options->permit_user_env = -1; >@@ -225,6 +226,8 @@ > options->kbd_interactive_authentication = 0; > if (options->challenge_response_authentication == -1) > options->challenge_response_authentication = 1; >+ if (options->kbdint_xor_password_authentication == -1) >+ options->kbdint_xor_password_authentication = 0; > if (options->permit_empty_passwd == -1) > options->permit_empty_passwd = 0; > if (options->permit_user_env == -1) >@@ -298,6 +301,7 @@ > #endif > sChallengeResponseAuthentication, sTISviaPAM, > sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, >+ sKbdintXorPasswordAuthentication, > sPrintMotd, sPrintLastLog, sIgnoreRhosts, > sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, > sStrictModes, sEmptyPasswd, sKeepAlives, 
>@@ -353,6 +357,7 @@ > { "passwordauthentication", sPasswordAuthentication }, > { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, > { "challengeresponseauthentication", sChallengeResponseAuthentication }, >+ { "kbdintxorpasswordauthentication", sKbdintXorPasswordAuthentication }, > { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ > { "tisviapam", sTISviaPAM }, > { "checkmail", sDeprecated }, >@@ -693,6 +698,10 @@ > intptr = &options->challenge_response_authentication; > goto parse_flag; > >+ case sKbdintXorPasswordAuthentication: >+ intptr = &options->kbdint_xor_password_authentication; >+ goto parse_flag; >+ > case sPrintMotd: > intptr = &options->print_motd; > goto parse_flag; > >--- openssh.orig/servconf.h >+++ openssh/servconf.h >@@ -95,6 +95,7 @@ > * authentication. */ > int kbd_interactive_authentication; /* If true, permit */ > int challenge_response_authentication; >+ int kbdint_xor_password_authentication; /* one or the other */ > int tis_via_pam; /* Use PAM for TIS? */ > int permit_empty_passwd; /* If false, do not permit empty > * passwords. */ > >--- openssh.orig/sshd_config.5 >+++ openssh/sshd_config.5 >@@ -282,6 +282,17 @@ > .Cm HostbasedAuthentication . > The default is > .Dq no . >+.It Cm KbdintXORPasswordAuthentication >+Specifies whether only one or the other of keyboard-interactive and >+password authentication should be permitted. Setting this to >+.Dq yes >+disables the other method once one is attempted. This can be useful >+to present a more consistent interface for typical clients that would >+opportunistically attempt both, as both of these authentication types >+are generally "password" authentications, if both are enabled. >+The default is >+.Dq no . >+This option applies to protocol version 2 only. > .It Cm KeepAlive > Specifies whether the system should send TCP keepalive messages to the > other side.
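Review bot: In auth2-kbdint.c the new `options.password_authentication = 0;` sits above the `if (options.challenge_response_authentication)` test, so a keyboard-interactive request turns password authentication off even when challenge-response is disabled and `auth2_challenge()` is never called. Move the assignment inside that `if`, so the other method is only given up once a challenge is actually issued; as written, a client's first probe may leave the connection with neither password-style method available.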
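Review bot: In auth2-passwd.c the assignment to `options.kbd_interactive_authentication` runs before `packet_get_char()` has read anything from the request, so any password request disables keyboard-interactive, including a change request that is only logged as "password change not supported". Consider doing it after the request has been parsed and accepted as a real attempt. Both auth2 hunks also record the lock by writing into the global `options` struct; a flag carried with the authentication context (the `authctxt` passed to `auth2_challenge()` in the kbdint hunk) would leave the configuration read-only after startup and make the "already attempted" state explicit.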
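Review bot: In servconf.c the default-filling hunk only maps -1 to 0, and nothing checks the new flag against the two options it acts on. If `kbdint_xor_password_authentication` is set while `password_authentication` or `kbd_interactive_authentication` is already 0 (the context line above shows the latter being defaulted to 0), there is nothing to choose between, and a warning at that point would tell the administrator the setting has no effect. On naming, the keyword abbreviates to "kbdint" while the existing entry two lines above it spells out "kbdinteractiveauthentication"; matching the existing spelling would make the option easier to find.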
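Review bot: The sshd_config.5 text says the other method is disabled "once one is attempted" but does not say that a failed or rejected first attempt also counts, or that nothing re-enables the other method afterwards, which is what the two auth2 hunks implement. State both, and mention that keyboard-interactive also depends on ChallengeResponseAuthentication (the check visible in auth2-kbdint.c). The trailing clause "if both are enabled" reads as attached to the wrong sentence, and "password" uses plain quotes where the surrounding page uses .Dq.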