From owner-freebsd-hackers  Mon Apr 22 19:42: 1 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 5DB3037B417
	for <hackers@FreeBSD.ORG>; Mon, 22 Apr 2002 19:41:58 -0700 (PDT)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.6/8.11.6) with SMTP id g3N2f3w54443;
	Mon, 22 Apr 2002 22:41:04 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Mon, 22 Apr 2002 22:41:02 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
X-Sender: robert@fledge.watson.org
To: Jordan Hubbard <jkh@winston.freebsd.org>
Cc: Oscar Bonilla <obonilla@galileo.edu>,
	Anthony Schneider <aschneid@mail.slc.edu>,
	Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>,
	hackers@FreeBSD.ORG
Subject: Re: ssh + compiled-in SKEY support considered harmful? 
In-Reply-To: <11531.1019527281@winston.freebsd.org>
Message-ID: <Pine.NEB.3.96L.1020422223923.64976i-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG


On Mon, 22 Apr 2002, Jordan Hubbard wrote:

> That would be my question as well, especially since "everyone else" 
> seems to use that default.  Thanks to all who responded, and so quickly
> at that - this at least clarified the situation (and gave me a way
> out!). 

This was discussed fairly extensively regarding -current: basically, s/key
is "greedy" and attempts to fake s/key responses even for users who don't
have s/key enabled.  Nothing is wrong with challenge response -- arguably,
that's a cleaner way to handle things as a default in the client, since it
means if you connect to a server that does want to use challenge response,
it DTRT.  The fix in -CURRENT, I believe, was to make s/key "faking" for
non-enabled users be an option, and to turn the option off by default.
That fix relies on the extensive PAM updates in -CURRENT however; in
-STABLE it can probably be similarly replicated via appropriate tweaking
of sshd (?).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message