Remove support for S/Key
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
diff --git a/INSTALL b/INSTALL
index d527511..3fd265d 100644
--- a/INSTALL
+++ b/INSTALL
@@ -66,13 +66,6 @@
http://www.jmknoble.net/software/x11-ssh-askpass/
-S/Key Libraries:
-
-If you wish to use --with-skey then you will need the library below
-installed. No other S/Key library is currently known to be supported.
-
-http://www.sparc.spb.su/solaris/skey/
-
LibEdit:
sftp supports command-line editing via NetBSD's libedit. If your platform
@@ -184,9 +177,6 @@
--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enable.
---with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
diff --git a/Makefile.in b/Makefile.in
index c3b67aa..ac744cb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -110,7 +110,7 @@
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth2.o auth-options.o session.o \
auth2-chall.o groupaccess.o \
- auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
diff --git a/TODO b/TODO
index 771162b..b76529c 100644
--- a/TODO
+++ b/TODO
@@ -35,7 +35,7 @@
- Use different PAM service name for kbdint vs regular auth (suggest from
Solar Designer)
- Ability to select which ChallengeResponseAuthentications may be used
- and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
+ and order to try them in e.g. "ChallengeResponseAuthentication pam"
- Complete Tru64 SIA support
- It looks like we could merge it into the password auth code to cut down
diff --git a/auth.h b/auth.h
index 29491df..977562f 100644
--- a/auth.h
+++ b/auth.h
@@ -187,8 +187,6 @@
void auth2_challenge_stop(struct ssh *);
int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int bsdauth_respond(void *, u_int, char **);
-int skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int skey_respond(void *, u_int, char **);
int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
@@ -239,8 +237,6 @@
int sys_auth_passwd(struct ssh *, const char *);
-#define SKEY_PROMPT "\nS/Key Password: "
-
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
diff --git a/auth2-chall.c b/auth2-chall.c
index 4fd18f4..2d5cff4 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -58,9 +58,6 @@
#ifdef USE_PAM
extern KbdintDevice sshpam_device;
#endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
#endif
KbdintDevice *devices[] = {
@@ -70,9 +67,6 @@
#ifdef USE_PAM
&sshpam_device,
#endif
-#ifdef SKEY
- &skey_device,
-#endif
#endif
NULL
};
@@ -369,7 +363,7 @@
void
privsep_challenge_enable(void)
{
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+#if defined(BSD_AUTH) || defined(USE_PAM)
int n = 0;
#endif
#ifdef BSD_AUTH
@@ -378,9 +372,6 @@
#ifdef USE_PAM
extern KbdintDevice mm_sshpam_device;
#endif
-#ifdef SKEY
- extern KbdintDevice mm_skey_device;
-#endif
#ifdef BSD_AUTH
devices[n++] = &mm_bsdauth_device;
@@ -388,8 +379,5 @@
#ifdef USE_PAM
devices[n++] = &mm_sshpam_device;
#endif
-#ifdef SKEY
- devices[n++] = &mm_skey_device;
-#endif
#endif
}
diff --git a/configure.ac b/configure.ac
index 8c6827a..c4c759d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1495,55 +1495,6 @@
AC_MSG_RESULT([no])
fi
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH([skey],
- [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)],
- [
- if test "x$withval" != "xno" ; then
-
- if test "x$withval" != "xyes" ; then
- CPPFLAGS="$CPPFLAGS -I${withval}/include"
- LDFLAGS="$LDFLAGS -L${withval}/lib"
- fi
-
- AC_DEFINE([SKEY], [1], [Define if you want S/Key support])
- LIBS="-lskey $LIBS"
- SKEY_MSG="yes"
-
- AC_MSG_CHECKING([for s/key support])
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
- ]], [[
- char *ff = skey_keyinfo(""); ff="";
- exit(0);
- ]])],
- [AC_MSG_RESULT([yes])],
- [
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
- ])
- AC_MSG_CHECKING([if skeychallenge takes 4 arguments])
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdio.h>
-#include <skey.h>
- ]], [[
- (void)skeychallenge(NULL,"name","",0);
- ]])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE([SKEYCHALLENGE_4ARG], [1],
- [Define if your skeychallenge()
- function takes 4 arguments (NetBSD)])],
- [
- AC_MSG_RESULT([no])
- ])
- fi
- ]
-)
-
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5219,7 +5170,6 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
-echo " S/KEY support: $SKEY_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
diff --git a/defines.h b/defines.h
index 3fa5ec5..8f42130 100644
--- a/defines.h
+++ b/defines.h
@@ -660,12 +660,6 @@
# define krb5_get_err_text(context,code) error_message(code)
#endif
-#if defined(SKEYCHALLENGE_4ARG)
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
-#else
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
-#endif
-
/* Maximum number of file descriptors available */
#ifdef HAVE_SYSCONF
# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
diff --git a/monitor.c b/monitor.c
index 78f9c50..d4b4b04 100644
--- a/monitor.c
+++ b/monitor.c
@@ -56,10 +56,6 @@
# endif
#endif
-#ifdef SKEY
-#include <skey.h>
-#endif
-
#ifdef WITH_OPENSSL
#include <openssl/dh.h>
#endif
@@ -122,8 +118,6 @@
int mm_answer_authpassword(int, struct sshbuf *);
int mm_answer_bsdauthquery(int, struct sshbuf *);
int mm_answer_bsdauthrespond(int, struct sshbuf *);
-int mm_answer_skeyquery(int, struct sshbuf *);
-int mm_answer_skeyrespond(int, struct sshbuf *);
int mm_answer_keyallowed(int, struct sshbuf *);
int mm_answer_keyverify(int, struct sshbuf *);
int mm_answer_pty(int, struct sshbuf *);
@@ -212,10 +206,6 @@
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
#endif
-#ifdef SKEY
- {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
- {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
#ifdef GSSAPI
@@ -960,62 +950,6 @@
}
#endif
-#ifdef SKEY
-int
-mm_answer_skeyquery(int sock, struct sshbuf *m)
-{
- struct skey skey;
- char challenge[1024];
- u_int success;
- int r;
-
- success = _compat_skeychallenge(&skey, authctxt->user, challenge,
- sizeof(challenge)) < 0 ? 0 : 1;
-
- sshbuf_reset(m);
- if ((r = sshbuf_put_u32(m, success)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (success) {
- if ((r = sshbuf_put_cstring(m, challenge)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- }
- debug3("%s: sending challenge success: %u", __func__, success);
- mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
-
- return (0);
-}
-
-int
-mm_answer_skeyrespond(int sock, struct sshbuf *m)
-{
- char *response;
- size_t rlen;
- int authok, r;
-
- if ((r = sshbuf_get_cstring(m, &response, &rlen)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- authok = (options.challenge_response_authentication &&
- authctxt->valid &&
- skey_haskey(authctxt->pw->pw_name) == 0 &&
- skey_passcheck(authctxt->pw->pw_name, response) != -1);
-
- freezero(response, rlen);
-
- sshbuf_reset(m);
- if ((r = sshbuf_put_u32(m, authok)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- debug3("%s: sending authenticated: %d", __func__, authok);
- mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
-
- auth_method = "keyboard-interactive";
- auth_submethod = "skey";
-
- return (authok != 0);
-}
-#endif
-
#ifdef USE_PAM
int
mm_answer_pam_start(int sock, struct sshbuf *m)
diff --git a/monitor.h b/monitor.h
index 0c76350..1604729 100644
--- a/monitor.h
+++ b/monitor.h
@@ -39,8 +39,6 @@
MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
- MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
- MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
MONITOR_REQ_KEYEXPORT = 26,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 3cb26c2..732fb34 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -867,73 +867,6 @@
return ((authok == 0) ? -1 : 0);
}
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
- u_int *numprompts, char ***prompts, u_int **echo_on)
-{
- struct sshbuf *m;
- u_int success;
- char *challenge;
- int r;
-
- debug3("%s: entering", __func__);
-
- if ((m = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, m);
-
- mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, m);
- if ((r = sshbuf_get_u32(m, &success)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (success == 0) {
- debug3("%s: no challenge", __func__);
- sshbuf_free(m);
- return (-1);
- }
-
- /* Get the challenge, and format the response */
- if ((r = sshbuf_get_cstring(m, &challenge, NULL)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- sshbuf_free(m);
-
- debug3("%s: received challenge: %s", __func__, challenge);
-
- mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
- xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
- free(challenge);
-
- return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
- struct sshbuf *m;
- int authok, r;
-
- debug3("%s: entering", __func__);
- if (numresponses != 1)
- return (-1);
-
- if ((m = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- if ((r = sshbuf_put_cstring(m, responses[0])) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, m);
-
- mm_request_receive_expect(pmonitor->m_recvfd,
- MONITOR_ANS_SKEYRESPOND, m);
-
- if ((r = sshbuf_get_u32(m, &authok)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- sshbuf_free(m);
-
- return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
#ifdef SSH_AUDIT_EVENTS
void
mm_audit_event(ssh_audit_event_t event)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index a3ac17d..644da08 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -97,8 +97,4 @@
int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_bsdauth_respond(void *, u_int, char **);
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
#endif /* _MM_WRAP_H_ */
diff --git a/readconf.c b/readconf.c
index 4ab312f..4b11bab 100644
--- a/readconf.c
+++ b/readconf.c
@@ -230,7 +230,7 @@
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
{ "hostbasedauthentication", oHostbasedAuthentication },
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
- { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+ { "skeyauthentication", oUnsupported },
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* obsolete */
diff --git a/servconf.c b/servconf.c
index aafefde..f1010b3 100644
--- a/servconf.c
+++ b/servconf.c
@@ -564,7 +564,7 @@
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
- { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
diff --git a/ssh_config.5 b/ssh_config.5
index fe52578..f499396 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -997,10 +997,9 @@
The methods available vary depending on what the server supports.
For an OpenSSH server,
it may be zero or more of:
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
and
-.Cm skey .
+.Cm pam .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
diff --git a/sshd_config.5 b/sshd_config.5
index 02d8e43..e1b54ba 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -205,10 +205,9 @@
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
or
-.Cm skey ,
+.Cm pam .
depending on the server configuration.
For example,
.Qq keyboard-interactive:bsdauth
