
From:
Damien Miller <djm@mindrot.org>
Subject:
Remove privsep vestige
To:
tech@openbsd.org
Cc:
openssh@openssh.com
Date:
Thu, 5 Feb 2026 11:20:51 +1100



Hi,

This is another vestigial bit of support for the !privsep case in
sshd. All direct access to the KbdintDevice should happen in the
unprivileged ssh-auth process and should therefore be done by RPC
into the privileged monitor. This means using the mm_* functions
unconditionally.

Would appreciate if someone who uses BSD authentication (e.g.
login_yubikey or login_ldap) could test this.

-d

diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 13c7b44..250de75 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -122,14 +122,6 @@ bsdauth_free_ctx(void *ctx)
 	}
 }
 
-KbdintDevice bsdauth_device = {
-	"bsdauth",
-	bsdauth_init_ctx,
-	bsdauth_query,
-	bsdauth_respond,
-	bsdauth_free_ctx
-};
-
 KbdintDevice mm_bsdauth_device = {
 	"bsdauth",
 	bsdauth_init_ctx,
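Review bot: With `bsdauth_device` gone, `mm_bsdauth_device` is now the only KbdintDevice definition in this file, but nothing at its definition says why it is the one to use; a short comment would record the trust boundary the commit message describes, e.g. `/* Only device table: used by the unprivileged auth process, so query/respond must go through the monitor RPC (mm_*) rather than touching BSD auth directly. */`. The initializer continues past the hunk, so whether the remaining function pointers are in fact the mm_* wrappers cannot be confirmed from here and should be checked against the full definition.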
diff --git a/auth.h b/auth.h
index 078f431..0bba2a1 100644
--- a/auth.h
+++ b/auth.h
@@ -163,8 +163,6 @@ int	 auth2_update_methods_lists(Authctxt *, const char *, const char *);
 int	 auth2_setup_methods_lists(Authctxt *);
 int	 auth2_method_allowed(Authctxt *, const char *, const char *);
 
-void	privsep_challenge_enable(void);
-
 int	auth2_challenge(struct ssh *, char *);
 void	auth2_challenge_stop(struct ssh *);
 int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
diff --git a/auth2-chall.c b/auth2-chall.c
index d208bea..b0c7560 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -46,10 +46,10 @@ static int auth2_challenge_start(struct ssh *);
 static int send_userauth_info_request(struct ssh *);
 static int input_userauth_info_response(int, u_int32_t, struct ssh *);
 
-extern KbdintDevice bsdauth_device;
+extern KbdintDevice mm_bsdauth_device;
 
 KbdintDevice *devices[] = {
-	&bsdauth_device,
+	&mm_bsdauth_device,
 	NULL
 };
 
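Review bot: The `devices[]` table at the start of this hunk is now fixed at compile time, since the only writer (`privsep_challenge_enable`, removed in the second hunk of this file) no longer exists, so the array could be made immutable to prevent a future reintroduction of runtime swapping of the device table on the unprivileged side: `static KbdintDevice *const devices[] = {`. The `static` part is only safe if no other translation unit declares `extern KbdintDevice *devices[]`; if one does, keep the external linkage and apply only the `*const` element qualifier. The `extern KbdintDevice mm_bsdauth_device;` declaration could likewise live in auth.h next to the `bsdauth_query` prototype rather than as a file-scope extern in a .c file, matching how the header already declares the bsdauth entry points.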
@@ -323,10 +323,3 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 	    devicename);
 	return 0;
 }
-
-void
-privsep_challenge_enable(void)
-{
-	extern KbdintDevice mm_bsdauth_device;
-	devices[0] = &mm_bsdauth_device;
-}
diff --git a/sshd-auth.c b/sshd-auth.c
index 31d9f06..4728112 100644
--- a/sshd-auth.c
+++ b/sshd-auth.c
@@ -705,9 +705,6 @@ main(int ac, char **av)
 		fatal("sshbuf_new loginmsg failed");
 	auth_debug_reset();
 
-	/* Enable challenge-response authentication for privilege separation */
-	privsep_challenge_enable();
-
 #ifdef GSSAPI
 	/* Cache supported mechanism OIDs for later use */
 	ssh_gssapi_prepare_supported_oids();