mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-23 18:23:25 +08:00
- (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
(default: off), implies KbdInteractiveAuthentication. Suggestion from markus@
This commit is contained in:
Damien Miller
parent
768f975b13
commit
f815442116
@ -7,6 +7,9 @@
|
||||
[ssh-keygen.c]
|
||||
remove debug
|
||||
- (bal) Whitespace resync w/ OpenBSD for uidswap.c
|
||||
- (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
|
||||
(default: off), implies KbdInteractiveAuthentication. Suggestion from
|
||||
markus@
|
||||
|
||||
20010424
|
||||
- OpenBSD CVS Sync
|
||||
@ -5246,4 +5249,4 @@
|
||||
- Wrote replacements for strlcpy and mkdtemp
|
||||
- Released 1.0pre1
|
||||
|
||||
$Id: ChangeLog,v 1.1168 2001/04/25 06:27:59 mouring Exp $
|
||||
$Id: ChangeLog,v 1.1169 2001/04/25 12:44:14 djm Exp $
|
||||
|
||||
4
auth2.c
4
auth2.c
@ -127,6 +127,8 @@ do_authentication2()
|
||||
/* challenge-reponse is implemented via keyboard interactive */
|
||||
if (options.challenge_reponse_authentication)
|
||||
options.kbd_interactive_authentication = 1;
|
||||
if (options.pam_authentication_via_kbd_int)
|
||||
options.kbd_interactive_authentication = 1;
|
||||
|
||||
dispatch_init(&protocol_error);
|
||||
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
|
||||
@ -411,7 +413,7 @@ userauth_kbdint(Authctxt *authctxt)
|
||||
authenticated = auth2_challenge(authctxt, devs);
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (authenticated == 0)
|
||||
if (authenticated == 0 && options.pam_authentication_via_kbd_int)
|
||||
authenticated = auth2_pam(authctxt);
|
||||
#endif
|
||||
xfree(lang);
|
||||
|
||||
10
servconf.c
10
servconf.c
@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->reverse_mapping_check = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
options->pam_authentication_via_kbd_int = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@ -207,6 +208,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->client_alive_interval = 0;
|
||||
if (options->client_alive_count_max == -1)
|
||||
options->client_alive_count_max = 3;
|
||||
if (options->pam_authentication_via_kbd_int == -1)
|
||||
options->pam_authentication_via_kbd_int = 0;
|
||||
}
|
||||
|
||||
/* Keyword tokens. */
|
||||
@ -232,7 +235,7 @@ typedef enum {
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
|
||||
sBanner, sReverseMappingCheck, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax
|
||||
sClientAliveCountMax, sPAMAuthenticationViaKbdInt
|
||||
} ServerOpCodes;
|
||||
|
||||
/* Textual representation of the tokens. */
|
||||
@ -298,6 +301,7 @@ static struct {
|
||||
{ "reversemappingcheck", sReverseMappingCheck },
|
||||
{ "clientaliveinterval", sClientAliveInterval },
|
||||
{ "clientalivecountmax", sClientAliveCountMax },
|
||||
{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
@ -794,6 +798,10 @@ parse_flag:
|
||||
case sClientAliveCountMax:
|
||||
intptr = &options->client_alive_count_max;
|
||||
goto parse_int;
|
||||
case sPAMAuthenticationViaKbdInt:
|
||||
intptr = &options->pam_authentication_via_kbd_int;
|
||||
goto parse_flag;
|
||||
|
||||
default:
|
||||
fatal("%s line %d: Missing handler for opcode %s (%d)",
|
||||
filename, linenum, arg, opcode);
|
||||
|
||||
@ -124,7 +124,7 @@ typedef struct {
|
||||
* for this many intervals, above
|
||||
* diconnect the session
|
||||
*/
|
||||
|
||||
int pam_authentication_via_kbd_int;
|
||||
} ServerOptions;
|
||||
/*
|
||||
* Initializes the server options to special values that indicate that they
|
||||
|
||||
8
sshd.8
8
sshd.8
@ -616,6 +616,14 @@ The probability increases linearly and all connection attempts
|
||||
are refused if the number of unauthenticated connections reaches
|
||||
.Dq full
|
||||
(60).
|
||||
.It Cm PAMAuthenticationViaKbdInt
|
||||
Specifies whether PAM challenge response authentication is allowed. This
|
||||
allows the use of most PAM challenge response authentication modules, but
|
||||
it will allow password authentication regardless of whether
|
||||
.Cm PasswordAuthentication
|
||||
is disabled.
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm PasswordAuthentication
|
||||
Specifies whether password authentication is allowed.
|
||||
The default is
|
||||
|
||||
10
sshd_config
10
sshd_config
@ -46,10 +46,12 @@ RSAAuthentication yes
|
||||
PasswordAuthentication yes
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Comment to enable s/key passwords or PAM interactive authentication
|
||||
# NB. Neither of these are compiled in by default. Please read the
|
||||
# notes in the sshd(8) manpage before enabling this on a PAM system.
|
||||
ChallengeResponseAuthentication no
|
||||
# Uncomment to disable s/key passwords
|
||||
#ChallengeResponseAuthentication no
|
||||
|
||||
# Uncomment to enable PAM keyboard-interactive authentication
|
||||
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
|
||||
#PAMAuthenticationViaKbdInt yes
|
||||
|
||||
# To change Kerberos options
|
||||
#KerberosAuthentication no
|
||||
|
||||
Loading…
Reference in New Issue
Block a user