FS#71941 - [openssh] Disable KbdInteractiveAuthentication

Attached to Project: Arch Linux
Opened by Marcos Mello (marcosfrm) - Saturday, 28 August 2021, 19:00 GMT
Last edited by Giancarlo Razzolini (grazzolini) - Friday, 17 September 2021, 01:24 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Levente Polyak (anthraxx)
Giancarlo Razzolini (grazzolini)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

ChallengeResponseAuthentication is now a deprecated alias for KbdInteractiveAuthentication starting with OpenSSH 8.7.

https://www.openssh.com/releasenotes.html

* ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
in favour of KbdInteractiveAuthentication. The former is what was in
SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
treated as somewhat but not entirely equivalent. We retain the old
name as a deprecated alias so configuration files continue to work
as well as a reference in the man page for people looking for it.
bz#3303

ChallengeResponseAuthentication is not in sshd_config anymore, so this thing is not disabled by default in new installs.

Closed by  Giancarlo Razzolini (grazzolini)
Friday, 17 September 2021, 01:24 GMT
Reason for closing:  Fixed
Additional comments about closing:  openssh-8.7p1-2 fixes this issue.
Comment by Marcos Mello (marcosfrm) - Thursday, 16 September 2021, 10:51 GMT
It is not disabled. The upstream config file has

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

and the sed call in PKGBUILD does not change it.
Comment by Jonas Witschel (diabonas) - Thursday, 16 September 2021, 10:56 GMT
The problem is in our PKGBUILD: https://github.com/archlinux/svntogit-packages/blob/c6db7a1b5fa46bb0e8c93bb83a1b5e66f3acc452/trunk/PKGBUILD#L102 modifies the upstream sshd_config, which has ChallengeResponseAuthentication/KbdInteractiveAuthentication enabled by default, using a sed expression. This doesn't work any more since the upstream sshd_config doesn't contain the expression to be replaced any more after the rename. Thus we now ship the unmodified upstream sshd_config with KbdInteractiveAuthentication *enabled*, while previously we had a modified sshd_config with ChallengeResponseAuthentication *disabled*.
Comment by Giancarlo Razzolini (grazzolini) - Thursday, 16 September 2021, 15:06 GMT
Yes, it looks like the sed expression needs to be changed.
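A constructed illustration of the failure mode described in the two comments above: a sed edit that matches only the old option name silently leaves the renamed option enabled, because sed exits 0 whether or not anything matched. This is added example code, not the Arch PKGBUILD; the config fragments and both sed expressions are assumptions, not the project's own.

```shell
#!/bin/sh
# Constructed sshd_config fragments: the pre-8.7 spelling and the 8.7 spelling.
OLD_CONFIG='# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
UsePAM yes'
NEW_CONFIG='# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes
UsePAM yes'

# Pre-rename style edit (assumed, not the PKGBUILD's literal expression):
# only the old keyword is matched, so an 8.7 config passes through unchanged.
patch_old() {
    printf '%s\n' "$1" \
      | sed -E 's/^#?ChallengeResponseAuthentication yes$/ChallengeResponseAuthentication no/'
}

# Rename-aware edit: accept either spelling, emit the current name, disabled.
patch_new() {
    printf '%s\n' "$1" \
      | sed -E 's/^#?(ChallengeResponseAuthentication|KbdInteractiveAuthentication) .*$/KbdInteractiveAuthentication no/'
}

# Effective value as sshd resolves it: the first uncommented directive wins,
# either spelling counts, and no directive at all means the default "yes".
effective_kbd() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "kbdinteractiveauthentication" ||
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }'
}

# Build-time guard a packager can run on the patched file: fail loudly
# instead of shipping a config where the edit did not apply.
assert_disabled() {
    [ "$(effective_kbd "$1")" = "no" ]
}

# Demo run: the old expression fixes the old file but not the renamed one.
assert_disabled "$(patch_old "$OLD_CONFIG")" && echo "old sed on 8.6 config: disabled"
assert_disabled "$(patch_old "$NEW_CONFIG")" || echo "old sed on 8.7 config: STILL ENABLED"
assert_disabled "$(patch_new "$NEW_CONFIG")" && echo "new sed on 8.7 config: disabled"
```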
