Bug 1922

Summary: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
Product: Portable OpenSSH Reporter: Max Bowsher <maxb>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: dtucker
Priority: P2    
Version: 5.8p2   
Hardware: All   
OS: All   

Description Max Bowsher 2011-07-31 06:18:23 AEST 
I was chasing some unexpected behaviour from OpenSSH, and have come
across an oddity in the source code which feels like a bug.

In auth2-kbdint.c, the Authmethod struct declares
options.kbd_interactive_authentication as the enabled flag for this
method. However in the implementation function a few lines above, it
checks options.challenge_response_authentication to decide whether to
actually proceed with the authentication.

This results in the behaviour of "ChallengeResponseAuthentication no"
also disabling keyboard-interactive authentication, even if
"KbdInteractiveAuthentication yes" is specified.

(Also, the KbdInteractiveAuthentication option isn't explicitly
documented in the manpages, so I'm unsure if it's actually intended to
be used or not.)
Comment 1 Darren Tucker 2021-09-10 16:24:01 AEST 
OpenSSH 8.7 fixed this by removing the distinction between the two, they're now equivalent (with ChallengeResponseAuthentication being the deprecated alias).  From https://www.openssh.com/releasenotes.html#8.7

 * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
   in favour of KbdInteractiveAuthentication. The former is what was in
   SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
   treated as somewhat but not entirely equivalent. We retain the old
   name as a deprecated alias so configuration files continue to work
   as well as a reference in the man page for people looking for it.
   bz#3303

Thanks for the report.
Comment 2 Damien Miller 2022-02-25 13:56:11 AEDT 
closing bugs resolved before openssh-8.9