From owner-freebsd-current Mon Apr 1 16: 0:29 2002 Delivered-To: freebsd-current@freebsd.org Received: from dragon.nuxi.com (trang.nuxi.com [66.92.13.169]) by hub.freebsd.org (Postfix) with ESMTP id 3178837B417 for ; Mon, 1 Apr 2002 16:00:23 -0800 (PST) Received: from dragon.nuxi.com (obrien@localhost [127.0.0.1]) by dragon.nuxi.com (8.12.2/8.12.2) with ESMTP id g3200JYm038298; Mon, 1 Apr 2002 16:00:19 -0800 (PST) (envelope-from obrien@dragon.nuxi.com) Received: (from obrien@localhost) by dragon.nuxi.com (8.12.2/8.12.2/Submit) id g31Nx4XV038245; Mon, 1 Apr 2002 15:59:04 -0800 (PST) Date: Mon, 1 Apr 2002 15:59:04 -0800 From: "David O'Brien" To: Dag-Erling Smorgrav Cc: current@freebsd.org, Thomas Quinot Subject: Re: Problem with ssh Message-ID: <20020401155904.B37730@dragon.nuxi.com> Reply-To: obrien@freebsd.org References: <20020328183736.85E9588@nebula.anchoragerescue.org> <20020328192816.GA217@mich.itxmarket.com> <20020328194005.573B688@nebula.anchoragerescue.org> <20020328120317.C92633@dragon.nuxi.com> <20020329030505.GF22998@squall.waterspout.com> <20020329110125.A61943@melusine.cuivre.fr.eu.org> <20020329203139.C74181@dragon.nuxi.com> <20020401142524.C23489@dragon.nuxi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from des@ofug.org on Tue, Apr 02, 2002 at 01:48:56AM +0200 X-Operating-System: FreeBSD 5.0-CURRENT Organization: The NUXI BSD group X-Pgp-Rsa-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A X-Pgp-Rsa-Keyid: 1024/34F9F9D5 Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, Apr 02, 2002 at 01:48:56AM +0200, Dag-Erling Smorgrav wrote: > "David O'Brien" writes: > > On Sat, Mar 30, 2002 at 01:14:07PM +0100, Dag-Erling Smorgrav wrote: > > > "David O'Brien" writes: > > > > Uh, why does my sequence keep changing when I just hit ??? > > > Because it's generating fake S/Key challenges, and badly. > > Especially since RELENG_4 does NOT use OPIE. > > Who this "fake S/Key challenge" that and turned it on? > > OpenSSH in RELENG_4 does use S/Key, and generates fake challenges when Yes. But it is obvious it is fake: This is an S/Key challenge: s/key 90 re95460 this is an OPIE challenge: otp-md5 315 re7955 ext so getting an OPIE formatted challenge on RELENG_4 immediately lets someone know it is fake and bogus. > the client attempts challenge-response authentication, which is what > is used for PAM. I do not follow what you are saying. > > > No, I haven't seen it, but I've had similar reports. It's actually a > > > bug on the server side, in older OpenSSH servers, that is exposed by > > > newer OpenSSH clients. > > Will OpenSSH 3.1 be MFC'ed soon? > > Not likely. There are a number of problems that still need fixing. I thought 3.1 was imported due to a security problem with 3.0. > > Considering I DO want SKeyAuthentication (USENIX is comming up); what is > > the real fix? > > Enable it only for servers that need it. I just said "I need it". The user from "ssh user@server" does have a properly setup S/Key entry in /etc/skeykeys > It used to be disabled by default in the client, so this shouldn't make > much of a difference. I admit to having problems getting this working in the past. -- -- David (obrien@FreeBSD.org) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message