From: Robert Watson
Date: Mon, 22 Apr 2002 22:41:02 -0400 (EDT)
To: Jordan Hubbard
Cc: Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.ORG
Subject: Re: ssh + compiled-in SKEY support considered harmful?
In-Reply-To: <11531.1019527281@winston.freebsd.org>

On Mon, 22 Apr 2002, Jordan Hubbard wrote:

> That would be my question as well, especially since "everyone else"
> seems to use that default. Thanks to all who responded, and so quickly
> at that - this at least clarified the situation (and gave me a way
> out!).

This was discussed fairly extensively regarding -current: basically, s/key is "greedy" and attempts to fake s/key responses even for users who don't have s/key enabled. Nothing is wrong with challenge response -- arguably, that's a cleaner way to handle things as a default in the client, since it means if you connect to a server that does want to use challenge response, it DTRT.

The fix in -CURRENT, I believe, was to make s/key "faking" for non-enabled users be an option, and to turn the option off by default. That fix relies on the extensive PAM updates in -CURRENT, however; in -STABLE it can probably be similarly replicated via appropriate tweaking of sshd (?).
Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services