From: Dag-Erling Smorgrav
Date: 02 Apr 2002 10:39:44 +0200
To: obrien@freebsd.org
Cc: current@freebsd.org, Thomas Quinot
Subject: Re: Problem with ssh

"David O'Brien" writes:
> so getting an OPIE formatted challenge on RELENG_4 immediately lets
> someone know it is fake and bogus.

I know. I told you it is a bug in the server.

> > the client attempts challenge-response authentication, which is what
> > is used for PAM.
> I do not follow what you are saying.

FreeBSD's OpenSSH 3.1 server now uses PAM for authentication, using
SSH's challenge-response authentication protocol, which is used for
S/Key or OPIE in older versions.

> I thought 3.1 was imported due to a security problem with 3.0.

No, the security problem was already fixed in our version of OpenSSH.
3.1 was imported to solve other problems, reduce the amount of local
patches and allow us to use PAM on the server side.

> > > Considering I DO want SKeyAuthentication (USENIX is coming up); what is
> > > the real fix?
> > Enable it only for servers that need it.
> I just said "I need it". The user from "ssh user@server" does have a
> properly setup S/Key entry in /etc/skeykeys

The *client* should add "SKeyAuthentication yes" to his ~/.ssh/config
only for those hosts that need it.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
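
A per-host client configuration of the kind the reply describes, as an added example that is not part of the original message. The host name is a constructed placeholder, and the explicit "no" under "Host *" is an assumption about the desired default, not something the message states.

```sshconfig
# ~/.ssh/config (added example; host name is a constructed placeholder)
#
# ssh uses the first value it obtains for each option, so the
# host-specific block must come before the catch-all "Host *" block.

# The one server where the account has an S/Key entry set up.
Host skey-server.example.org
    SKeyAuthentication yes

# Every other host: do not offer S/Key challenge-response
# (assumed default for this example).
Host *
    SKeyAuthentication no
```

If the "Host *" block were placed first, its "no" would win for every host and the per-host "yes" would never take effect.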