After building -current on Feb 25, I noticed, when I attempted to use S/Key remotely, that it was not a permitted authentication style. (I use S/Key when public key authentication is not available, so it may have nothing to do with recent changes to how sshd_config Match works, and may be something else entirely; I have not used S/Key in a few weeks.) Trying to recreate the problem, I ran sshd in debug mode, and ssh -vvv; it looks like the authentication method isn't viable. I'm hoping someone can quickly come to an "ah-hah!!" by looking at this output and my config files. If not, perhaps recreate the problem? (I used -p 222 to override the default port while collecting debug output.)

debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='222'
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 4, 4
Connection from 127.0.0.1 port 46616
debug1: Client protocol version 2.0; client software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.5
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: ...
Oops, forgot to add my dmesg. This kernel is GENERIC+RAIDFrame:
OpenBSD 4.1-beta (JGGIMI) #14: Sun Feb 25 13:36:43 EST 2007
josh@jggimi.homeip.net:/usr/src/sys/arch/i386/compile/JGGIMI
cpu0: AMD Sempron(tm) 2600+ ("AuthenticAMD" 686-class, 256KB L2 cache) 1.84 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 502820864 (491036K)
avail mem = 450584576 (440024K)
using 4278 buffers containing 25264128 bytes (24672K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 01/07/05, BIOS32 rev. 0 @ 0xfb9b0, SMBIOS rev. 2.2 @ 0xf0000 (44 entries)
bios0: ASUS A7VT
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xda84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfda10/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 3 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x7e00 0xc8000/0x8000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8378 PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA VT8378 VGA" rev 0x01: aperture at 0xe4000000, size 0x10000000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
dc0 at pci0 dev 8 function 0 "Lite-On PNIC-II" rev 0x25: irq 10, address 00:a0:cc:e3:42:d6
dcphy0 at dc0 phy 31: internal PHY
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x80: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x80: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr ...

Please send a Debug3 trace (sshd -dddp222), debug level 1 doesn't contain all the necessary information.

-d
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 268
debug2: parse_server_config: config /etc/ssh/sshd_config len 268
debug3: /etc/ssh/sshd_config:12 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:13 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:14 setting ClientAliveInterval 15
debug3: /etc/ssh/sshd_config:15 setting ClientAliveCountMax 3
debug3: /etc/ssh/sshd_config:16 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:17 setting AddressFamily inet
debug3: /etc/ssh/sshd_config:101 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_4.5
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dddp222'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 268
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.2.50 port 26193
debug1: Client protocol version 2.0; client software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.5
debug2: fd 4 setting O_NONBLOCK
debug2: Network child is on pid 18455
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 27:27
debug1: permanently_set_uid: 27/27
debug1: ...
what does the client say? (ssh -vvvp 222 localhost)
also, does it work if you try connecting without any keys in your ssh-agent? ...
I had a quick look at it and it appears to be due to the Match changes
interacting with this code in auth2.c:do_authentication2():
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
It works if you set "KbdInteractiveAuthentication yes" in sshd_config
(and I suggest this as a workaround) rather than relying on
ChallengeResponseAuthentication.
I'll do a patch later today.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
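The workaround Darren gives, turned into a quick audit script. This is an added example, not code from the thread or from OpenSSH: it reads the global section of an sshd_config (everything from the first Match line onward is deliberately ignored, since those settings only apply per connection) and reports whether S/Key style authentication would be relying on the implicit ChallengeResponseAuthentication to keyboard-interactive mapping rather than an explicit "KbdInteractiveAuthentication yes". It assumes the OpenSSH defaults of the period (ChallengeResponseAuthentication defaults to yes, KbdInteractiveAuthentication to no); the function names sshd_opt and check_kbdint are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit an sshd_config
# for the condition described above -- challenge/response (S/Key) auth that
# depends on the implicit ChallengeResponseAuthentication -> kbd-interactive
# mapping because KbdInteractiveAuthentication is never set explicitly.
# Assumed defaults: ChallengeResponseAuthentication yes,
#                   KbdInteractiveAuthentication no.

# sshd_opt FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD: keywords are compared
# case-insensitively, comments and blank lines are skipped, the last
# occurrence wins, and everything from the first "Match" line on is
# ignored.  DEFAULT is printed when the keyword never appears.
sshd_opt() {
    _file=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _dflt=$3
    awk -v key="$_key" -v dflt="$_dflt" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank line
        tolower($1) == "match"   { inmatch = 1; next }
        inmatch                  { next }        # per-connection settings
        tolower($1) == key       { val = tolower($2) }
        END {
            result = (val == "") ? dflt : val
            print result
        }
    ' "$_file"
}

# check_kbdint FILE
# Exit status: 0 = workaround needed (relies on the implicit mapping),
#              1 = KbdInteractiveAuthentication already explicitly yes,
#              2 = challenge/response disabled, nothing to do.
check_kbdint() {
    cr=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    kbd=$(sshd_opt "$1" KbdInteractiveAuthentication no)
    if [ "$cr" != yes ]; then
        echo "challenge-response disabled"
        return 2
    elif [ "$kbd" = yes ]; then
        echo "ok: KbdInteractiveAuthentication explicitly yes"
        return 1
    else
        echo "workaround-needed: add 'KbdInteractiveAuthentication yes'"
        return 0
    fi
}

# Usage: check_kbdint /etc/ssh/sshd_config
```

Run it against the real file as `check_kbdint /etc/ssh/sshd_config`; a config like the one in the debug3 trace above (no ChallengeResponseAuthentication or KbdInteractiveAuthentication line at all) reports "workaround-needed" because both keywords are taking their defaults.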
This seems to be the simplest way to do it.
Index: auth2.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2.c,v
retrieving revision 1.113
diff -u -p -r1.113 auth2.c
--- auth2.c 3 Aug 2006 03:34:41 -0000 1.113
+++ auth2.c 28 Feb 2007 00:05:10 -0000
@@ -92,10 +92,6 @@ int user_key_allowed(struct passwd *, Ke
void
do_authentication2(Authctxt *authctxt)
{
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
-
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
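Review bot: with the mapping gone from do_authentication2(), this function now trusts that options.kbd_interactive_authentication was already derived by whatever filled in options; any path that produces a ServerOptions without running the tail of parse_server_config (defaults-only options, or a per-connection copy that carries over only explicitly set fields) will silently lose the challenge-response to keyboard-interactive link. Worth a test with ChallengeResponseAuthentication set both globally and inside a Match block, confirming that keyboard-interactive (and so S/Key) is offered in both cases before this removal goes in.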
Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.169
diff -u -p -r1.169 servconf.c
--- servconf.c 22 Feb 2007 12:58:40 -0000 1.169
+++ servconf.c 28 Feb 2007 00:05:10 -0000
@@ -1345,4 +1345,8 @@ parse_server_config(ServerOptions *optio
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
+
+ /* challenge-response is implemented via keyboard interactive */
+ if (options->challenge_response_authentication)
+ options->kbd_interactive_authentication = 1;
}
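Review bot: the new block forces kbd_interactive_authentication to 1 whenever challenge_response_authentication is set, but never clears it, so an explicit "KbdInteractiveAuthentication no" earlier in the same file is overridden at the end of parsing with no diagnostic. That matches the old behaviour in do_authentication2, but now that it happens at parse time it should be stated in sshd_config(5) under KbdInteractiveAuthentication (ChallengeResponseAuthentication yes implies it), and a debug3 "setting KbdInteractiveAuthentication yes" line here would make the derived value visible in traces like the one in this thread.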
--
Darren Tucker (dtucker at zip.com.au)
It does, indeed, work with that added to my sshd_config file. Thank you for your quick and helpful analysis, Darren! Damien, thank you for trying to help; I know I hadn't produced quite as much debug output as you'd wanted, but this circumvention Darren recommended is working well.

-J-
