- markus@cvs.openbsd.org 2001/05/18 14:13:29

[auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c
      readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c]
     improved kbd-interactive support. work by per@appgate.com and me

ChangeLog

@@ -4,6 +4,11 @@
      [ssh.1]                                                                    
      no spaces in PreferredAuthentications; 
      meixner@rbg.informatik.tu-darmstadt.de
+   - markus@cvs.openbsd.org 2001/05/18 14:13:29
+     [auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c 
+      readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c]
+     improved kbd-interactive support. work by per@appgate.com and me
+
 20010528
  - (tim) [conifgure.in] add setvbuf test needed for sftp-int.c
    Patch by Corinna Vinschen <vinschen@redhat.com>
@@ -5433,4 +5438,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1227 2001/06/05 18:39:10 mouring Exp $
+$Id: ChangeLog,v 1.1228 2001/06/05 18:56:16 mouring Exp $

auth-chall.c

@@ -23,82 +23,60 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-chall.c,v 1.7 2001/04/05 10:42:47 markus Exp $");
+RCSID("$OpenBSD: auth-chall.c,v 1.8 2001/05/18 14:13:28 markus Exp $");
 
 #include "auth.h"
 #include "log.h"
+#include "xmalloc.h"
 
-#ifdef BSD_AUTH
-char *
-get_challenge(Authctxt *authctxt, char *devs)
-{
-	char *challenge;
+/* limited protocol v1 interface to kbd-interactive authentication */
 
-	if (authctxt->as != NULL) {
-		debug2("try reuse session");
-		challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
-		if (challenge != NULL) {
-			debug2("reuse bsd auth session");
-			return challenge;
-		}
-		auth_close(authctxt->as);
-		authctxt->as = NULL;
-	}
-	debug2("new bsd auth session");
-	if (devs == NULL || strlen(devs) == 0)
-		devs = authctxt->style;
-	debug3("bsd auth: devs %s", devs ? devs : "<default>");
-	authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh",
-	    &challenge);
-	if (authctxt->as == NULL)
-		return NULL;
-	debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY");
-	return challenge;
-}
-int
-verify_response(Authctxt *authctxt, char *response)
-{
-	int authok;
-
-	if (authctxt->as == 0)
-		error("verify_response: no bsd auth session");
-	authok = auth_userresponse(authctxt->as, response, 0);
-	authctxt->as = NULL;
-	debug("verify_response: <%s> = <%d>", response, authok);
-	return authok != 0;
-}
-#else
-#ifdef SKEY
-#include <skey.h>
+extern KbdintDevice *devices[];
+static KbdintDevice *device;
 
 char *
-get_challenge(Authctxt *authctxt, char *devs)
+get_challenge(Authctxt *authctxt)
 {
-	static char challenge[1024];
-	struct skey skey;
-	if (skeychallenge(&skey, authctxt->user, challenge) == -1)
+	char *challenge, *name, *info, **prompts;
+	u_int i, numprompts;
+	u_int *echo_on;
+
+	device = devices[0]; /* we always use the 1st device for protocol 1 */
+	if (device == NULL)
 		return NULL;
-	strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
-	return challenge;
-}
-int
-verify_response(Authctxt *authctxt, char *response)
-{
-	return (authctxt->valid &&
-	    skey_haskey(authctxt->pw->pw_name) == 0 &&
-	    skey_passcheck(authctxt->pw->pw_name, response) != -1);
-}
-#else
-/* not available */
-char *
-get_challenge(Authctxt *authctxt, char *devs)
-{
+	if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL)
+		return NULL;
+	if (device->query(authctxt->kbdintctxt, &name, &info,
+	    &numprompts, &prompts, &echo_on)) {
+		device->free_ctx(authctxt->kbdintctxt);
+		authctxt->kbdintctxt = NULL;
 		return NULL;
 	}
+	if (numprompts < 1)
+		fatal("get_challenge: numprompts < 1");
+	challenge = xstrdup(prompts[0]);
+	for (i = 0; i < numprompts; i++)
+		xfree(prompts[i]);
+	xfree(prompts);
+	xfree(name);
+	xfree(echo_on);
+	xfree(info);
+
+	return (challenge);
+}
 int
-verify_response(Authctxt *authctxt, char *response)
+verify_response(Authctxt *authctxt, const char *response)
 {
+	char *resp[1];
+	int res;
+
+	if (device == NULL)
 		return 0;
+	if (authctxt->kbdintctxt == NULL)
+		return 0;
+	resp[0] = (char *)response;
+	res = device->respond(authctxt->kbdintctxt, 1, resp);
+	device->free_ctx(authctxt->kbdintctxt);
+	authctxt->kbdintctxt = NULL;
+	return res ? 0 : 1;
 }
-#endif
-#endif

auth.h

@@ -21,7 +21,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $OpenBSD: auth.h,v 1.15 2001/04/12 19:15:24 markus Exp $
+ * $OpenBSD: auth.h,v 1.16 2001/05/18 14:13:28 markus Exp $
  */
 #ifndef AUTH_H
 #define AUTH_H
@@ -36,6 +36,8 @@
 #endif
 
 typedef struct Authctxt Authctxt;
+typedef struct KbdintDevice KbdintDevice;
+
 struct Authctxt {
 	int success;
 	int postponed;
@@ -46,11 +48,30 @@ struct Authctxt {
 	char *service;
 	struct passwd *pw;
 	char *style;
+	void *kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t *as;
 #endif
 };
 
+/*
+ * Keyboard interactive device:
+ * init_ctx	returns: non NULL upon success 
+ * query	returns: 0 - success, otherwise failure 
+ * respond	returns: 0 - success, 1 - need further interaction,
+ *		otherwise - failure
+ */
+struct KbdintDevice
+{
+	const char *name;
+	void*	(*init_ctx)	__P((Authctxt*));
+	int	(*query)	__P((void *ctx, char **name, char **infotxt,
+				u_int *numprompts, char ***prompts,
+				u_int **echo_on));
+	int	(*respond)	__P((void *ctx, u_int numresp, char **responses));
+	void	(*free_ctx)	__P((void *ctx));
+};
+
 /*
  * Tries to authenticate the user using the .rhosts file.  Returns true if
  * authentication succeeds.  If ignore_rhosts is non-zero, this will not
@@ -133,8 +154,8 @@ int	auth2_challenge(Authctxt *authctxt, char *devs);
 
 int	allowed_user(struct passwd * pw);
 
-char	*get_challenge(Authctxt *authctxt, char *devs);
-int	verify_response(Authctxt *authctxt, char *response);
+char	*get_challenge(Authctxt *authctxt);
+int	verify_response(Authctxt *authctxt, const char *response);
 
 struct passwd * auth_get_user(void);
 

auth1.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.22 2001/03/23 12:02:49 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.23 2001/05/18 14:13:28 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -271,12 +271,13 @@ do_authloop(Authctxt *authctxt)
 
 		case SSH_CMSG_AUTH_TIS:
 			debug("rcvd SSH_CMSG_AUTH_TIS");
-			if (options.challenge_reponse_authentication == 1) {
-				char *challenge = get_challenge(authctxt, authctxt->style);
+			if (options.challenge_response_authentication == 1) {
+				char *challenge = get_challenge(authctxt);
 				if (challenge != NULL) {
 					debug("sending challenge '%s'", challenge);
 					packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
 					packet_put_cstring(challenge);
+					xfree(challenge);
 					packet_send();
 					packet_write_wait();
 					continue;
@@ -285,7 +286,7 @@ do_authloop(Authctxt *authctxt)
 			break;
 		case SSH_CMSG_AUTH_TIS_RESPONSE:
 			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
-			if (options.challenge_reponse_authentication == 1) {
+			if (options.challenge_response_authentication == 1) {
 				char *response = packet_get_string(&dlen);
 				debug("got response '%s'", response);
 				packet_integrity_check(plen, 4 + dlen, type);

auth2-chall.c

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2001 Per Allansson.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -22,91 +23,285 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.4 2001/03/28 22:43:31 markus Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.5 2001/05/18 14:13:28 markus Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
 #include "packet.h"
 #include "xmalloc.h"
 #include "dispatch.h"
+#include "auth.h"
 #include "log.h"
 
-void send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo);
-void input_userauth_info_response(int type, int plen, void *ctxt);
+static int auth2_challenge_start(Authctxt *authctxt);
+static int send_userauth_info_request(Authctxt *authctxt);
+static void input_userauth_info_response(int type, int plen, void *ctxt);
+
+#ifdef BSD_AUTH
+extern KbdintDevice bsdauth_device;
+#else
+#ifdef SKEY
+extern KbdintDevice skey_device;
+#endif
+#endif
+
+KbdintDevice *devices[] = {
+#ifdef BSD_AUTH
+	&bsdauth_device,
+#else
+#ifdef SKEY
+	&skey_device,
+#endif
+#endif
+	NULL
+};
+
+typedef struct KbdintAuthctxt KbdintAuthctxt;
+struct KbdintAuthctxt
+{
+	char *devices;
+	void *ctxt;
+	KbdintDevice *device;
+};
+
+KbdintAuthctxt *
+kbdint_alloc(const char *devs)
+{
+	KbdintAuthctxt *kbdintctxt;
+	int i;
+	char buf[1024];
+
+	kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
+	if (strcmp(devs, "") == 0) {
+		buf[0] = '\0';
+		for (i = 0; devices[i]; i++) {
+			if (i != 0)
+				strlcat(buf, ",", sizeof(buf));
+			strlcat(buf, devices[i]->name, sizeof(buf));
+		}
+		debug("kbdint_alloc: devices '%s'", buf);
+		kbdintctxt->devices = xstrdup(buf);
+	} else {
+		kbdintctxt->devices = xstrdup(devs);
+	}
+	kbdintctxt->ctxt = NULL;
+	kbdintctxt->device = NULL;
+
+	return kbdintctxt;
+}
+void
+kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
+{
+	if (kbdintctxt->ctxt) {
+		kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
+		kbdintctxt->ctxt = NULL;
+	}
+	kbdintctxt->device = NULL;
+}
+void
+kbdint_free(KbdintAuthctxt *kbdintctxt)
+{
+	if (kbdintctxt->device)
+		kbdint_reset_device(kbdintctxt);
+	if (kbdintctxt->devices) {
+		xfree(kbdintctxt->devices);
+		kbdintctxt->devices = NULL;
+	}
+	xfree(kbdintctxt);
+}
+/* get next device */
+int
+kbdint_next_device(KbdintAuthctxt *kbdintctxt)
+{
+	size_t len;
+	char *t;
+	int i;
+
+	if (kbdintctxt->device)
+		kbdint_reset_device(kbdintctxt);
+	do {
+		len = kbdintctxt->devices ?
+		    strcspn(kbdintctxt->devices, ",") : 0;
+
+		if (len == 0)
+			break;
+		for (i = 0; devices[i]; i++)
+			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+				kbdintctxt->device = devices[i];
+		t = kbdintctxt->devices;
+		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+		xfree(t);
+		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
+		   kbdintctxt->devices : "<empty>");
+	} while (kbdintctxt->devices && !kbdintctxt->device);
+
+	return kbdintctxt->device ? 1 : 0;
+}
 
 /*
- * try challenge-reponse, return -1 (= postponed) if we have to
+ * try challenge-reponse, set authctxt->postponed if we have to
  * wait for the response.
  */
 int
 auth2_challenge(Authctxt *authctxt, char *devs)
 {
-	char *challenge;
+	debug("auth2_challenge: user=%s devs=%s",
+	    authctxt->user ? authctxt->user : "<nouser>",
+	    devs ? devs : "<no devs>");
 
-	if (!authctxt->valid || authctxt->user == NULL)
+	if (!authctxt->valid || authctxt->user == NULL || !devs)
 		return 0;
-	if ((challenge = get_challenge(authctxt, devs)) == NULL)
+	if (authctxt->kbdintctxt == NULL) 
+		authctxt->kbdintctxt = kbdint_alloc(devs);
+	return auth2_challenge_start(authctxt);
+}
+
+/* side effect: sets authctxt->postponed if a reply was sent*/
+static int
+auth2_challenge_start(Authctxt *authctxt)
+{
+	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
+
+	debug2("auth2_challenge_start: devices %s",
+	    kbdintctxt->devices ?  kbdintctxt->devices : "<empty>");
+
+	if (kbdint_next_device(kbdintctxt) == 0) {
+		kbdint_free(kbdintctxt);
+		authctxt->kbdintctxt = NULL;
 		return 0;
-	send_userauth_into_request(authctxt, challenge, 0);
+	}
+	debug("auth2_challenge_start: trying authentication method '%s'",
+	    kbdintctxt->device->name);
+
+	if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
+		kbdint_free(kbdintctxt);
+		authctxt->kbdintctxt = NULL;
+		return 0;
+	}
+	if (send_userauth_info_request(authctxt) == 0) {
+		kbdint_free(kbdintctxt);
+		authctxt->kbdintctxt = NULL;
+		return 0;
+	}
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
 	    &input_userauth_info_response);
+
 	authctxt->postponed = 1;
 	return 0;
 }
 
-void
-send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo)
+static int
+send_userauth_info_request(Authctxt *authctxt)
 {
-	int nprompts = 1;
+	KbdintAuthctxt *kbdintctxt;
+	char *name, *instr, **prompts;
+	int i;
+	u_int numprompts, *echo_on;
+
+	kbdintctxt = authctxt->kbdintctxt;
+	if (kbdintctxt->device->query(kbdintctxt->ctxt,
+	    &name, &instr, &numprompts, &prompts, &echo_on))
+		return 0;
 
 	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
-	/* name, instruction and language are unused */
-	packet_put_cstring("");
-	packet_put_cstring("");
-	packet_put_cstring("");
-	packet_put_int(nprompts);
-	packet_put_cstring(challenge);
-	packet_put_char(echo);
+	packet_put_cstring(name);
+	packet_put_cstring(instr);
+	packet_put_cstring(""); 	/* language not used */
+	packet_put_int(numprompts);
+	for (i = 0; i < numprompts; i++) {
+		packet_put_cstring(prompts[i]);
+		packet_put_char(echo_on[i]);
+	}
 	packet_send();
 	packet_write_wait();
+
+	for (i = 0; i < numprompts; i++)
+		xfree(prompts[i]);
+	xfree(prompts);
+	xfree(echo_on);
+	xfree(name);
+	xfree(instr);
+	return 1;
 }
 
-void
+static void
 input_userauth_info_response(int type, int plen, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
-	int authenticated = 0;
-	u_int nresp, rlen;
-	char *response, *method = "challenge-reponse";
+	KbdintAuthctxt *kbdintctxt;
+	int i, authenticated = 0, res, len;
+	u_int nresp;
+	char **response = NULL, *method;
 
 	if (authctxt == NULL)
 		fatal("input_userauth_info_response: no authctxt");
+	kbdintctxt = authctxt->kbdintctxt;
+	if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
+		fatal("input_userauth_info_response: no kbdintctxt");
+	if (kbdintctxt->device == NULL)
+		fatal("input_userauth_info_response: no device");
 
 	authctxt->postponed = 0;	/* reset */
 	nresp = packet_get_int();
-	if (nresp == 1) {
-		response = packet_get_string(&rlen);
+	if (nresp > 0) {
+		response = xmalloc(nresp * sizeof(char*));
+		for (i = 0; i < nresp; i++)
+			response[i] = packet_get_string(NULL);
+	}
 	packet_done();
-		if (strlen(response) == 0) {
-			/*
-			 * if we received an empty response, resend challenge
-			 * with echo enabled
-			 */
-			char *challenge = get_challenge(authctxt, NULL);
-			if (challenge != NULL) {
-				send_userauth_into_request(authctxt,
-				    challenge, 1);
-				authctxt->postponed = 1;
+
+	if (authctxt->valid) {
+		res = kbdintctxt->device->respond(kbdintctxt->ctxt,
+		    nresp, response);
+	} else {
+		res = -1;
 	}
-		} else if (authctxt->valid) {
-			authenticated = verify_response(authctxt, response);
-			memset(response, 'r', rlen);
+
+	for (i = 0; i < nresp; i++) {
+		memset(response[i], 'r', strlen(response[i]));
+		xfree(response[i]);
 	}
+	if (response)
 		xfree(response);
+
+	switch (res) {
+	case 0:
+		/* Success! */
+		authenticated = 1;
+		break;
+	case 1:
+		/* Authentication needs further interaction */
+		authctxt->postponed = 1;
+		if (send_userauth_info_request(authctxt) == 0) {
+			authctxt->postponed = 0;
 		}
+		break;
+	default:
+		/* Failure! */
+		break;
+	}
+
+	len = strlen("keyboard-interactive") + 2 +
+		strlen(kbdintctxt->device->name);
+	method = xmalloc(len);
+	method[0] = '\0';
+	strlcat(method, "keyboard-interactive", len);
+	strlcat(method, "/", len);
+	strlcat(method, kbdintctxt->device->name, len);
+
+	if (!authctxt->postponed) {
 		/* unregister callback */
-	if (!authctxt->postponed)
 		dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
 
-	userauth_finish(authctxt, authenticated, method);
+		if (authenticated) {
+			kbdint_free(kbdintctxt);
+			authctxt->kbdintctxt = NULL;
+		} else {
+			/* start next device */
+			/* may set authctxt->postponed */
+			auth2_challenge_start(authctxt);
+		}
+	}
+	userauth_finish(authctxt, authenticated, method);
+	xfree(method);
 }

auth2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.57 2001/05/18 14:13:28 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $");
 #include "hostfile.h"
 #include "canohost.h"
 #include "tildexpand.h"
+#include "match.h"
 
 /* import */
 extern ServerOptions options;
@@ -125,7 +126,7 @@ do_authentication2()
 	x_authctxt = authctxt;		/*XXX*/
 
 	/* challenge-reponse is implemented via keyboard interactive */
-	if (options.challenge_reponse_authentication)
+	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
 	if (options.pam_authentication_via_kbd_int)
 		options.kbd_interactive_authentication = 1;
@@ -400,24 +401,23 @@ int
 userauth_kbdint(Authctxt *authctxt)
 {
 	int authenticated = 0;
-	char *lang = NULL;
-	char *devs = NULL;
+	char *lang, *devs;
 
 	lang = packet_get_string(NULL);
 	devs = packet_get_string(NULL);
 	packet_done();
 
-	debug("keyboard-interactive language %s devs %s", lang, devs);
+	debug("keyboard-interactive devs %s", devs);
 
-	if (options.challenge_reponse_authentication)
+	if (options.challenge_response_authentication)
 		authenticated = auth2_challenge(authctxt, devs);
 
 #ifdef USE_PAM
 	if (authenticated == 0 && options.pam_authentication_via_kbd_int)
 		authenticated = auth2_pam(authctxt);
 #endif
-	xfree(lang);
 	xfree(devs);
+	xfree(lang);
 #ifdef HAVE_CYGWIN
 	if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
 		return(0);

readconf.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.77 2001/04/30 11:18:51 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.78 2001/05/18 14:13:28 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -333,7 +333,7 @@ parse_flag:
 		goto parse_flag;
 
 	case oChallengeResponseAuthentication:
-		intptr = &options->challenge_reponse_authentication;
+		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
 #ifdef KRB4
@@ -723,7 +723,7 @@ initialize_options(Options * options)
 	options->rhosts_authentication = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
-	options->challenge_reponse_authentication = -1;
+	options->challenge_response_authentication = -1;
 #ifdef KRB4
 	options->kerberos_authentication = -1;
 #endif
@@ -797,8 +797,8 @@ fill_default_options(Options * options)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
-	if (options->challenge_reponse_authentication == -1)
-		options->challenge_reponse_authentication = 0;
+	if (options->challenge_response_authentication == -1)
+		options->challenge_response_authentication = 0;
 #ifdef KRB4
 	if (options->kerberos_authentication == -1)
 		options->kerberos_authentication = 1;

readconf.h

@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: readconf.h,v 1.31 2001/04/30 11:18:52 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.32 2001/05/18 14:13:29 markus Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -39,7 +39,7 @@ typedef struct {
 	int     rsa_authentication;	/* Try RSA authentication. */
 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
-	int     challenge_reponse_authentication;
+	int     challenge_response_authentication;
 					/* Try S/Key or TIS, authentication. */
 #ifdef KRB4
 	int     kerberos_authentication;	/* Try Kerberos

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.79 2001/05/03 21:43:01 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.80 2001/05/18 14:13:29 markus Exp $");
 
 #ifdef KRB4
 #include <krb.h>
@@ -81,7 +81,7 @@ initialize_server_options(ServerOptions *options)
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
-	options->challenge_reponse_authentication = -1;
+	options->challenge_response_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->use_login = -1;
 	options->allow_tcp_forwarding = -1;
@@ -186,8 +186,8 @@ fill_default_server_options(ServerOptions *options)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
-	if (options->challenge_reponse_authentication == -1)
-		options->challenge_reponse_authentication = 1;
+	if (options->challenge_response_authentication == -1)
+		options->challenge_response_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->use_login == -1)
@@ -603,7 +603,7 @@ parse_flag:
 			goto parse_flag;
 
 		case sChallengeResponseAuthentication:
-			intptr = &options->challenge_reponse_authentication;
+			intptr = &options->challenge_response_authentication;
 			goto parse_flag;
 
 		case sPrintMotd:

servconf.h

@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.41 2001/04/13 22:46:53 beck Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.42 2001/05/18 14:13:29 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -92,7 +92,7 @@ typedef struct {
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-	int     challenge_reponse_authentication;
+	int     challenge_response_authentication;
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     use_login;	/* If true, login(1) is used */

sshconnect1.c

@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.31 2001/04/17 08:14:01 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.32 2001/05/18 14:13:29 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -616,7 +616,7 @@ send_afs_tokens(void)
  * Note that the client code is not tied to s/key or TIS.
  */
 int
-try_challenge_reponse_authentication(void)
+try_challenge_response_authentication(void)
 {
 	int type, i;
 	int payload_len;
@@ -1024,8 +1024,8 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	}
 	/* Try challenge response authentication if the server supports it. */
 	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-	    options.challenge_reponse_authentication && !options.batch_mode) {
-		if (try_challenge_reponse_authentication())
+	    options.challenge_response_authentication && !options.batch_mode) {
+		if (try_challenge_response_authentication())
 			return;
 	}
 	/* Try password authentication if the server supports it. */

sshconnect2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.72 2001/04/18 23:43:26 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.73 2001/05/18 14:13:29 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -229,7 +229,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 	int type;
 	int plen;
 
-	if (options.challenge_reponse_authentication)
+	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
 
 	debug("send SSH2_MSG_SERVICE_REQUEST");
@@ -787,6 +787,7 @@ input_userauth_info_req(int type, int plen, void *ctxt)
 	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
 	packet_put_int(num_prompts);
 
+	debug2("input_userauth_info_req: num_prompts %d", num_prompts);
 	for (i = 0; i < num_prompts; i++) {
 		prompt = packet_get_string(NULL);
 		echo = packet_get_char();

sshd.c

@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.195 2001/04/15 16:58:03 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.196 2001/05/18 14:13:29 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1265,7 +1265,7 @@ do_ssh1_kex(void)
 	if (options.afs_token_passing)
 		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
 #endif
-	if (options.challenge_reponse_authentication == 1)
+	if (options.challenge_response_authentication == 1)
 		auth_mask |= 1 << SSH_AUTH_TIS;
 	if (options.password_authentication)
 		auth_mask |= 1 << SSH_AUTH_PASSWORD;