
Bug#428968: changes needed to config
On Mon, Jun 18, 2007 at 04:39:22PM -0700, Ryan Murray wrote:
> ssh 4.6p1 defaults to having challenge_response_authentication and
> kbd_interactive_authentication to off.

Assuming you mean the defaults in the code, where do you see that?
servconf.c:fill_default_server_options() says:

        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;

... and parse_server_config applies an additional fixup:

        /* challenge-response is implemented via keyboard interactive */
        if (options->challenge_response_authentication == 1)
                options->kbd_interactive_authentication = 1;

It is true that the configuration file shipped with new installations
turns off ChallengeResponseAuthentication.

> The shipped config file does not set either option by default.  This
> means that PAM is disabled by default.  A KbdInteractiveAuthentication
> yes or ChallengeResponseAuthentication yes is needed to enable PAM
> based authentication.

Certainly it seems that some of those suffering from this bug have
ChallengeResponseAuthentication explicitly disabled, but not all; see
for example the configuration file in #428968, noting my comments above
about the defaults.

I haven't yet found any evidence of an intentional change of behaviour
in this area in 4.6p1, and until I do I still consider this a bug. (If
it was an intentional change, I'll add a NEWS item once I figure out
what's going on.)

-- 
Colin Watson                                       [cjwatson@debian.org]
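To see what the two servconf.c fragments quoted in the mail produce for a few sshd_config samples, here is an added model (not OpenSSH's own code) that applies them in the order sshd.c calls them, parse_server_config first and fill_default_server_options second; that ordering and the helper names are assumptions of the example.

```c
/* Added model of the two servconf.c fragments quoted above, run in the order
 * sshd.c calls them (parse, then defaults; an assumption). Not OpenSSH code. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct opts {
    int kbd_interactive_authentication;
    int challenge_response_authentication;
};

/* Stand-in for parse_server_config: -1 means "directive absent from file". */
static void model_parse_server_config(const char *text, struct opts *o)
{
    char buf[1024], key[64], val[16];
    o->kbd_interactive_authentication = -1;
    o->challenge_response_authentication = -1;
    snprintf(buf, sizeof buf, "%s", text);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (sscanf(line, " %63s %15s", key, val) != 2 || key[0] == '#')
            continue;                       /* blank, comment or malformed */
        int v = (strcasecmp(val, "yes") == 0);
        if (strcasecmp(key, "KbdInteractiveAuthentication") == 0)
            o->kbd_interactive_authentication = v;
        else if (strcasecmp(key, "ChallengeResponseAuthentication") == 0)
            o->challenge_response_authentication = v;
    }
    /* challenge-response is implemented via keyboard interactive */
    if (o->challenge_response_authentication == 1)
        o->kbd_interactive_authentication = 1;
}

/* Mirror of the fill_default_server_options lines quoted in the mail. */
static void model_fill_default_server_options(struct opts *o)
{
    if (o->kbd_interactive_authentication == -1)
        o->kbd_interactive_authentication = 0;
    if (o->challenge_response_authentication == -1)
        o->challenge_response_authentication = 1;
}

/* Effective kbd_interactive_authentication after both passes over the text. */
int effective_kbd_interactive(const char *config_text)
{
    struct opts o;
    model_parse_server_config(config_text, &o);
    model_fill_default_server_options(&o);
    return o.kbd_interactive_authentication;
}
```

Under the assumed call order, a file that never mentions ChallengeResponseAuthentication ends with that option defaulted to yes but kbd_interactive_authentication still 0, because the fixup in parse_server_config only sees values that were set in the file.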


