Subject: bin/31517: sshd doesn't do s/key when PAM is enabled
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <cheeselottery@gmail.com>
List: netbsd-bugs
Date: 10/09/2005 00:12:00
>Number:         31517
>Category:       bin
>Synopsis:       sshd doesn't do s/key when PAM is enabled
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 09 00:12:00 +0000 2005
>Originator:     Cheese Lottery
>Release:        NetBSD-3.0BETA
>Organization:
>Environment:
NetBSD xps450.localdomain 3.0_BETA NetBSD 3.0_BETA (GENERIC) #0: Fri Oct  7 14:42:50 UTC 2005  builds@b4.netbsd.org:/home/builds/ab/netbsd-3/i386/200510070000Z-obj/home/builds/ab/netbsd-3/src/sys/arch/i386/compile/GENERIC i386
>Description:
When sshd is built with PAM enabled, it will not prompt for s/key
authentication, even when PAM is disabled in /etc/ssh/sshd_config.

To be clear, when I say s/key, I mean through sshd's own support for it
and not through PAM and pam_skey.
>How-To-Repeat:
1) make sure sshd is built with PAM enabled (now the default)
2) create a one-time password with skeyinit
3) attempt to log in with ssh
>Fix:
Starting from openssh-4.0p1, auth_chall.c has this:

get_challenge(Authctxt *authctxt)
{
/* ... */
#ifdef USE_PAM
        if (!options.use_pam)
                remove_kbdint_device("pam");
#endif
/* ... */
}

remove_kbdint_device() also seems new to 4.0p1.  I believe this will fix
the problem. I have verified that openssh-4.2p1, built with PAM and s/key
enabled, does not exhibit this problem.
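
A simplified model of the quoted fix, added here as an example; it is not OpenSSH or NetBSD code. It assumes that only the first keyboard-interactive device in the list is asked for a challenge and that a PAM device disabled at runtime returns none. The struct, `remove_device()`, `model_get_challenge()` and the challenge string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a keyboard-interactive device (hypothetical type). */
struct kbdint_dev {
    const char *name;
    const char *(*challenge)(void);   /* NULL return: device cannot be used */
};

static int use_pam = 0;               /* models PAM disabled in sshd_config */

static const char *pam_challenge(void)  { return use_pam ? "Password:" : NULL; }
static const char *skey_challenge(void) { return "otp-md4 99 xp12345"; } /* constructed */

static struct kbdint_dev pam_dev  = { "pam",  pam_challenge };
static struct kbdint_dev skey_dev = { "skey", skey_challenge };

/* NULL-terminated list; PAM sits first when it is compiled in (assumption). */
static struct kbdint_dev *devices[] = { &pam_dev, &skey_dev, NULL };

/* Drop every entry called devname, shifting later entries down. */
static void remove_device(const char *devname)
{
    for (int i = 0; devices[i] != NULL; i++) {
        if (strcmp(devices[i]->name, devname) != 0)
            continue;
        for (int j = i; devices[j] != NULL; j++)
            devices[j] = devices[j + 1];
        i--;                          /* re-check the entry that moved into slot i */
    }
}

/* Model of get_challenge(): only the first listed device is consulted. */
static const char *model_get_challenge(int apply_fix)
{
    if (apply_fix && !use_pam)
        remove_device("pam");
    return devices[0] != NULL ? devices[0]->challenge() : NULL;
}

int main(void)
{
    const char *before = model_get_challenge(0);
    const char *after  = model_get_challenge(1);
    printf("without fix: %s\n", before ? before : "(no challenge)");
    printf("with fix:    %s\n", after ? after : "(no challenge)");
    return 0;
}
```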