From: Damien Miller
Subject: Remove privsep vestige
To: tech@openbsd.org
Cc: openssh@openssh.com
Date: Thu, 5 Feb 2026 11:20:51 +1100

Hi,

This is another vestigial bit of support for the !privsep case in sshd. All direct access to the KbdintDevice should happen in the unprivileged ssh-auth process and should therefore be done by RPC into the privileged monitor. This means using the mm_* functions unconditionally. Would appreciate if someone who uses BSD authentication (e.g. login_yubikey or login_ldap) could test this.

-d

diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 13c7b44..250de75 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -122,14 +122,6 @@ bsdauth_free_ctx(void *ctx)
 }
 }
 
-KbdintDevice bsdauth_device = {
- "bsdauth",
- bsdauth_init_ctx,
- bsdauth_query,
- bsdauth_respond,
- bsdauth_free_ctx
-};
-
 KbdintDevice mm_bsdauth_device = {
 "bsdauth",
 bsdauth_init_ctx,
diff --git a/auth.h b/auth.h
index 078f431..0bba2a1 100644
--- a/auth.h
+++ b/auth.h
@@ -163,8 +163,6 @@ int auth2_update_methods_lists(Authctxt *, const char *, const char *);
 int auth2_setup_methods_lists(Authctxt *);
 int auth2_method_allowed(Authctxt *, const char *, const char *);
 
-void privsep_challenge_enable(void);
-
 int auth2_challenge(struct ssh *, char *);
 void auth2_challenge_stop(struct ssh *);
 int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
diff --git a/auth2-chall.c b/auth2-chall.c
index d208bea..b0c7560 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -46,10 +46,10 @@ static int auth2_challenge_start(struct ssh *);
 static int send_userauth_info_request(struct ssh *);
 static int input_userauth_info_response(int, u_int32_t, struct ssh *);
 
-extern KbdintDevice bsdauth_device;
+extern KbdintDevice mm_bsdauth_device;
 
 KbdintDevice *devices[] = {
- &bsdauth_device,
+ &mm_bsdauth_device,
 NULL
 };
 
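Review bot: With `bsdauth_device` deleted, `mm_bsdauth_device` is the only device definition left in auth-bsdauth.c, yet nothing at that definition explains why the direct `bsdauth_query`/`bsdauth_respond` entry points keep external linkage while `bsdauth_query` is still declared in auth.h in this same patch. I would put a comment above the surviving initializer along the lines of `/* The only device visible to the unprivileged auth process; bsdauth_query() and bsdauth_respond() stay extern because the privileged monitor invokes them on its behalf over mm_* RPC. */`. That the monitor is the caller of the direct functions is taken from the cover letter, not from these hunks, so the wording should be confirmed against the monitor side before committing. The tail of the `mm_bsdauth_device` initializer lies outside the hunk.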
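Review bot: `devices[]` in auth2-chall.c keeps external linkage and stays writable even though `privsep_challenge_enable()`, its only writer, is removed by this patch; the table now has no reason to be mutable or visible outside the file. Since the point of the change is that the unprivileged process can only ever reach the monitor-backed device, declaring it `static KbdintDevice *const devices[] = {` makes that invariant compiler-enforced instead of a convention, and a stray write to `devices[0]` becomes a build error rather than a way to bypass the RPC path. This assumes no other translation unit references `devices`, which the hunk alone cannot confirm; if one does, `KbdintDevice *const devices[] = {` still removes the writable pointer slots while keeping the symbol exported.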
@@ -323,10 +323,3 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 devicename);
 return 0;
 }
-
-void
-privsep_challenge_enable(void)
-{
- extern KbdintDevice mm_bsdauth_device;
- devices[0] = &mm_bsdauth_device;
-}
diff --git a/sshd-auth.c b/sshd-auth.c
index 31d9f06..4728112 100644
--- a/sshd-auth.c
+++ b/sshd-auth.c
@@ -705,9 +705,6 @@ main(int ac, char **av)
 fatal("sshbuf_new loginmsg failed");
 auth_debug_reset();
 
- /* Enable challenge-response authentication for privilege separation */
- privsep_challenge_enable();
-
 #ifdef GSSAPI
 /* Cache supported mechanism OIDs for later use */
 ssh_gssapi_prepare_supported_oids();