From f815442116071c69525915018edf5a32081bddc2 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Wed, 25 Apr 2001 22:44:14 +1000
Subject: - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt' (default: off), implies KbdInteractiveAuthentication. Suggestion from markus@
---
 ChangeLog | 5 ++++-
 auth2.c | 4 +++-
 servconf.c | 10 +++++++++-
 servconf.h | 2 +-
 sshd.8 | 8 ++++++++
 sshd_config | 10 ++++++----
 6 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1e1ad344..ddf385f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
    [ssh-keygen.c] remove debug
  - (bal) Whitespace resync w/ OpenBSD for uidswap.c
+ - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt'
+   (default: off), implies KbdInteractiveAuthentication. Suggestion from
+   markus@
 20010424
  - OpenBSD CVS Sync
@@ -5246,4 +5249,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
-$Id: ChangeLog,v 1.1168 2001/04/25 06:27:59 mouring Exp $
+$Id: ChangeLog,v 1.1169 2001/04/25 12:44:14 djm Exp $
diff --git a/auth2.c b/auth2.c
index 5ffd43fe..f357b582 100644
--- a/auth2.c
+++ b/auth2.c
@@ -127,6 +127,8 @@ do_authentication2()
 	/* challenge-reponse is implemented via keyboard interactive */
 	if (options.challenge_reponse_authentication)
 		options.kbd_interactive_authentication = 1;
+	if (options.pam_authentication_via_kbd_int)
+		options.kbd_interactive_authentication = 1;
 	dispatch_init(&protocol_error);
 	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
@@ -411,7 +413,7 @@ userauth_kbdint(Authctxt *authctxt)
 	authenticated = auth2_challenge(authctxt, devs);
 #ifdef USE_PAM
-	if (authenticated == 0)
+	if (authenticated == 0 && options.pam_authentication_via_kbd_int)
 		authenticated = auth2_pam(authctxt);
 #endif
 	xfree(lang);
diff --git a/servconf.c b/servconf.c
index 3d0c9efa..73c07c2f 100644
--- a/servconf.c
+++ b/servconf.c
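Review bot: The two added lines in do_authentication2() enable keyboard-interactive whenever PAMAuthenticationViaKbdInt is set, but the only consumer of that flag, the changed condition in userauth_kbdint(), sits inside `#ifdef USE_PAM`; on a build without PAM the directive is accepted, keyboard-interactive is advertised, and every request runs auth2_challenge() alone, so the option silently does nothing. Either guard the new lines the same way, `#ifdef USE_PAM` / `#endif`, or refuse the directive at parse time when PAM is not compiled in, so an administrator who relies on it notices. Both do_authentication2() and userauth_kbdint() start and end outside the hunk, so I cannot see how auth2_challenge() behaves when challenge-response is disabled and PAM is the only intended backend.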
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
 	options->reverse_mapping_check = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
+	options->pam_authentication_via_kbd_int = -1;
 }
 void
@@ -207,6 +208,8 @@ fill_default_server_options(ServerOptions *options)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
 		options->client_alive_count_max = 3;
+	if (options->pam_authentication_via_kbd_int == -1)
+		options->pam_authentication_via_kbd_int = 0;
 }
 /* Keyword tokens. */
@@ -232,7 +235,7 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
-	sClientAliveCountMax
+	sClientAliveCountMax, sPAMAuthenticationViaKbdInt
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -298,6 +301,7 @@ static struct {
 	{ "reversemappingcheck", sReverseMappingCheck },
 	{ "clientaliveinterval", sClientAliveInterval },
 	{ "clientalivecountmax", sClientAliveCountMax },
+	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
 	{ NULL, 0 }
 };
@@ -794,6 +798,10 @@ parse_flag:
 	case sClientAliveCountMax:
 		intptr = &options->client_alive_count_max;
 		goto parse_int;
+	case sPAMAuthenticationViaKbdInt:
+		intptr = &options->pam_authentication_via_kbd_int;
+		goto parse_flag;
+
 	default:
 		fatal("%s line %d: Missing handler for opcode %s (%d)",
 		    filename, linenum, arg, opcode);
diff --git a/servconf.h b/servconf.h
index 4c02c0f5..78bca97f 100644
--- a/servconf.h
+++ b/servconf.h
@@ -124,7 +124,7 @@ typedef struct {
 					 * for this many intervals, above
 					 * diconnect the session
 					 */
-
+	int	pam_authentication_via_kbd_int;
 } ServerOptions;
 /*
  * Initializes the server options to special values that indicate that they
diff --git a/sshd.8 b/sshd.8
index 62e3de7c..56723392 100644
--- a/sshd.8
+++ b/sshd.8
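Review bot: The new keyword-table entry `{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },` is the only mixed-case name in a table where every other entry is lowercased (`"reversemappingcheck"`, `"clientaliveinterval"`, `"clientalivecountmax"`). The lookup in parse_token() is outside this hunk; if it compares with strcasecmp the entry still matches, but if it lowercases the keyword before a strcmp, as the all-lowercase table suggests, this directive is never recognized and the option cannot be enabled from sshd_config at all. Writing it as `{ "pamauthenticationviakbdint", sPAMAuthenticationViaKbdInt },` is correct under either lookup and keeps the table uniform.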
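Review bot: The new ServerOptions member `int	pam_authentication_via_kbd_int;` is added without a comment while its neighbour client_alive_count_max carries a multi-line one, and this flag has a consequence an operator should see at the declaration: the sshd.8 text in the same commit says it allows password authentication regardless of PasswordAuthentication. A one-line comment such as `/* If true, reach PAM via kbd-interactive; may bypass PasswordAuthentication */` after the field keeps that caveat next to the flag. The ServerOptions struct starts outside the hunk.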
@@ -616,6 +616,14 @@ The probability increases linearly and all connection attempts are refused
 if the number of unauthenticated connections reaches
 .Dq full
 (60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but
+it will allow password authentication regardless of whether
+.Cm PasswordAuthentication
+is disabled.
+The default is
+.Dq no .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
diff --git a/sshd_config b/sshd_config
index fda1456e..8c411e47 100644
--- a/sshd_config
+++ b/sshd_config
@@ -46,10 +46,12 @@ RSAAuthentication yes
 PasswordAuthentication yes
 PermitEmptyPasswords no
-# Comment to enable s/key passwords or PAM interactive authentication
-# NB. Neither of these are compiled in by default. Please read the
-# notes in the sshd(8) manpage before enabling this on a PAM system.
-ChallengeResponseAuthentication no
+# Uncomment to disable s/key passwords
+#ChallengeResponseAuthentication no
+
+# Uncomment to enable PAM keyboard-interactive authentication
+# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
+#PAMAuthenticationViaKbdInt yes
 # To change Kerberos options
 #KerberosAuthentication no
-- 
cgit v1.2.3
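Review bot: Commenting out the shipped `ChallengeResponseAuthentication no` changes the effective default of a fresh install from an explicit "off" to whatever fill_default_server_options() compiles in, which this hunk does not show; the new comment "Uncomment to disable s/key passwords" implies that built-in default is "yes", so installs with s/key compiled in would start accepting challenge-response logins where the previous template refused them. If that is intended, state it in the comment so an operator reading the file knows the default, e.g. `# ChallengeResponseAuthentication defaults to yes; uncomment to disable s/key passwords`; otherwise keep the line active as before. The warning on 'PAMAuthenticationViaKbdInt' is the right thing to have here and should stay with the directive.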