Bug#428968: changes needed to config
On Mon, Jun 18, 2007 at 04:39:22PM -0700, Ryan Murray wrote:
> ssh 4.6p1 defaults to having challenge_response_authentication and
> kbd_interaction_authentication to off.
Assuming you mean the defaults in the code, where do you see that?
servconf.c:fill_default_server_options() says:
    if (options->password_authentication == -1)
        options->password_authentication = 1;
    if (options->kbd_interactive_authentication == -1)
        options->kbd_interactive_authentication = 0;
    if (options->challenge_response_authentication == -1)
        options->challenge_response_authentication = 1;
... and parse_server_config applies an additional fixup:
    /* challenge-response is implemented via keyboard interactive */
    if (options->challenge_response_authentication == 1)
        options->kbd_interactive_authentication = 1;
It is true that the configuration file shipped with new installations
turns off ChallengeResponseAuthentication.
> The shipped config file does not set either option by default. This
> means that PAM is disabled by default. A KbdInteractiveAuthentication
> yes or ChallengeResponseAuthentication yes is needed to enable PAM
> based authentication.
Certainly it seems that some of those suffering from this bug have
ChallengeResponseAuthentication explicitly disabled, but not all; see
for example the configuration file in #428968, noting my comments above
about the defaults.
I haven't yet found any evidence of an intentional change of behaviour
in this area in 4.6p1, and until I do I still consider this a bug. (If
it was an intentional change, I'll add a NEWS item once I figure out
what's going on.)
--
Colin Watson [cjwatson@debian.org]
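The defaulting and fixup logic quoted from servconf.c above can be modelled in a few lines to check which effective value KbdInteractiveAuthentication ends up with under the configurations discussed in this thread. The following is an added example, not code from the mail or from OpenSSH itself: the struct and the helper functions are hypothetical stand-ins for the real option handling, and the three scenarios at the bottom are constructed.

```c
#include <stdio.h>

/* Hypothetical, simplified model of the option fields quoted above
 * (not OpenSSH's real ServerOptions struct). -1 means "not set in
 * sshd_config", matching the convention used by servconf.c. */
struct auth_options {
    int password_authentication;
    int kbd_interactive_authentication;
    int challenge_response_authentication;
};

/* Mirrors the defaulting in fill_default_server_options() followed by
 * the challenge-response fixup applied by parse_server_config(). */
void resolve_auth_defaults(struct auth_options *o)
{
    if (o->password_authentication == -1)
        o->password_authentication = 1;
    if (o->kbd_interactive_authentication == -1)
        o->kbd_interactive_authentication = 0;
    if (o->challenge_response_authentication == -1)
        o->challenge_response_authentication = 1;
    /* challenge-response is implemented via keyboard interactive */
    if (o->challenge_response_authentication == 1)
        o->kbd_interactive_authentication = 1;
}

/* Resolve from the three raw config values and return the effective
 * KbdInteractiveAuthentication value (1 means PAM keyboard-interactive
 * can be used, 0 means it cannot). */
int effective_kbd_interactive(int password, int kbd, int cr)
{
    struct auth_options o = { password, kbd, cr };
    resolve_auth_defaults(&o);
    return o.kbd_interactive_authentication;
}

int main(void)
{
    /* Constructed scenarios from the thread: nothing set in the config,
     * the shipped config that sets ChallengeResponseAuthentication no,
     * and that shipped config with KbdInteractiveAuthentication yes added. */
    printf("no options set:             kbd-int=%d\n",
           effective_kbd_interactive(-1, -1, -1));
    printf("shipped config (CRA no):    kbd-int=%d\n",
           effective_kbd_interactive(-1, -1, 0));
    printf("CRA no, KbdInteractive yes: kbd-int=%d\n",
           effective_kbd_interactive(-1, 1, 0));
    return 0;
}
```

With nothing set, ChallengeResponseAuthentication defaults to yes and the fixup turns keyboard-interactive on, so PAM keyboard-interactive works; with the shipped "ChallengeResponseAuthentication no" the fixup never fires and keyboard-interactive stays at its own default of off, which is exactly the situation where an explicit "KbdInteractiveAuthentication yes" is needed.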