Date: Mon, 1 Apr 2002 15:59:04 -0800 From: "David O'Brien" <obrien@freebsd.org> To: Dag-Erling Smorgrav <des@ofug.org> Cc: current@freebsd.org, Thomas Quinot <thomas@cuivre.fr.eu.org> Subject: Re: Problem with ssh Message-ID: <20020401155904.B37730@dragon.nuxi.com> In-Reply-To: <xzp3cyfm13r.fsf@flood.ping.uio.no>; from des@ofug.org on Tue, Apr 02, 2002 at 01:48:56AM %2B0200 References: <20020328183736.85E9588@nebula.anchoragerescue.org> <20020328192816.GA217@mich.itxmarket.com> <20020328194005.573B688@nebula.anchoragerescue.org> <20020328120317.C92633@dragon.nuxi.com> <20020329030505.GF22998@squall.waterspout.com> <20020329110125.A61943@melusine.cuivre.fr.eu.org> <20020329203139.C74181@dragon.nuxi.com> <xzpk7rutfqo.fsf@flood.ping.uio.no> <20020401142524.C23489@dragon.nuxi.com> <xzp3cyfm13r.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Apr 02, 2002 at 01:48:56AM +0200, Dag-Erling Smorgrav wrote:
> "David O'Brien" <obrien@freebsd.org> writes:
> > On Sat, Mar 30, 2002 at 01:14:07PM +0100, Dag-Erling Smorgrav wrote:
> > > "David O'Brien" <obrien@freebsd.org> writes:
> > > > Uh, why does my sequence keep changing when I just hit <return>???
> > > Because it's generating fake S/Key challenges, and badly.
> > Especially since RELENG_4 does NOT use OPIE.
> > Who this "fake S/Key challenge" that and turned it on?
>
> OpenSSH in RELENG_4 does use S/Key, and generates fake challenges when
Yes. But it is obvious it is fake:
This is an S/Key challenge:
s/key 90 re95460
this is an OPIE challenge:
otp-md5 315 re7955 ext
so getting an OPIE formatted challenge on RELENG_4 immediately lets
someone know it is fake and bogus.
> the client attempts challenge-response authentication, which is what
> is used for PAM.
I do not follow what you are saying.
> > > No, I haven't seen it, but I've had similar reports. It's actually a
> > > bug on the server side, in older OpenSSH servers, that is exposed by
> > > newer OpenSSH clients.
> > Will OpenSSH 3.1 be MFC'ed soon?
>
> Not likely. There are a number of problems that still need fixing.
I thought 3.1 was imported due to a security problem with 3.0.
> > Considering I DO want SKeyAuthentication (USENIX is comming up); what is
> > the real fix?
>
> Enable it only for servers that need it.
I just said "I need it". The user from "ssh user@server" does have a
properly setup S/Key entry in /etc/skeykeys
> It used to be disabled by default in the client, so this shouldn't make
> much of a difference.
I admit to having problems getting this working in the past.
--
-- David (obrien@FreeBSD.org)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020401155904.B37730>