Bug 580

Summary: disable kbdint if host key mismatch
Product: Portable OpenSSH
Reporter: Frank Cusack <fcusack>
Component: ssh
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: All   
OS: All   
Attachments:
Description Flags
disable kbdint on host key mismatch none
disable kbdint on host key mismatch none

Description Frank Cusack 2003-05-30 13:37:27 AEST
Currently, password auth is disabled if the host key mismatches.
kbdint auth should probably also be disabled.
Comment 1 Frank Cusack 2003-05-30 13:39:23 AEST
Created attachment 314
disable kbdint on host key mismatch

I had to move the "c/r auth sets kbdint auth" to before the call to
check_host_key().  It might be better in readconf() but this was simpler,
and other options are checked post-readconf() as well anyway.
Comment 2 Frank Cusack 2003-05-30 13:43:04 AEST
My patch just arbitrarily disables kbdint.  An improvement would be to
#ifdef PAM around the disable bits, since kbdint is safe without PAM
(kbdint is used for internal challenge response methods).  Unfortunately,
with PAM you can't tell if it's safe to use or not, so to be on the safe
side it should be disabled.  An option could be added to control this, but
I think that's unwise (too many options).
Comment 3 Frank Cusack 2003-05-30 13:47:34 AEST
Created attachment 315
disable kbdint on host key mismatch

Oops, left in an extra line from my testing.  Here's an update.
Comment 4 Damien Miller 2003-06-04 18:24:44 AEST
Similar patch applied, thanks.
Comment 5 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED
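
The ordering point from Comment 1, as an added example that is not part of the original thread and is not OpenSSH source: a simplified C model showing why the "c/r auth sets kbdint auth" step has to run before the host key check. The struct, the function names and the exact set of methods the check disables are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the client's auth options. All names here are
 * hypothetical; this is not OpenSSH source. */
struct client_opts {
    bool password_auth;
    bool kbdint_auth;
    bool challenge_response;
};

/* "c/r auth sets kbdint auth": enabling challenge-response enables kbdint. */
static void cr_sets_kbdint(struct client_opts *o)
{
    if (o->challenge_response)
        o->kbdint_auth = true;
}

/* Assumed behaviour of the host key check: on mismatch, disable the
 * methods that would hand a secret to an unverified server. */
static void host_key_check(struct client_opts *o, bool key_mismatch)
{
    if (key_mismatch) {
        o->password_auth = false;
        o->kbdint_auth = false;
    }
}

/* Returns whether kbdint is still enabled after both steps have run.
 * implication_first=true is the ordering Comment 1 describes. */
bool kbdint_enabled(bool implication_first, bool challenge_response,
                    bool key_mismatch)
{
    struct client_opts o = { true, false, challenge_response };

    if (implication_first) {
        cr_sets_kbdint(&o);
        host_key_check(&o, key_mismatch);
    } else {
        host_key_check(&o, key_mismatch);
        cr_sets_kbdint(&o);   /* runs last and turns kbdint back on */
    }
    return o.kbdint_auth;
}

int main(void)
{
    printf("implication first, mismatch: kbdint=%d\n", kbdint_enabled(true, true, true));
    printf("implication last,  mismatch: kbdint=%d\n", kbdint_enabled(false, true, true));
    return 0;
}
```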