From owner-freebsd-qa  Fri Jan 18  7:49:49 2002
Delivered-To: freebsd-qa@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id C773237B400; Fri, 18 Jan 2002 07:49:45 -0800 (PST)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.6/8.11.5) with SMTP id g0IFneD23627;
	Fri, 18 Jan 2002 10:49:40 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Fri, 18 Jan 2002 10:49:39 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: green@FreeBSD.org
Cc: qa@FreeBSD.org
Subject: Re: s/key! (fwd)
Message-ID: <Pine.NEB.3.96L.1020118104855.23003J-101000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: MULTIPART/SIGNED; BOUNDARY="0-1606206787-1011368979=:23003"
Content-ID: <Pine.NEB.3.96L.1020118104855.23003K@fledge.watson.org>
Sender: owner-freebsd-qa@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-qa.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-qa>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-qa>
X-Loop: FreeBSD.ORG

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--0-1606206787-1011368979=:23003
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID: <Pine.NEB.3.96L.1020118104855.23003L@fledge.watson.org>


Would it make sense to modify the default here so as to avoid violating
POLA?  If S/Key is not configured, it seems like there really shouldn't be
S/Key challenges.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

---------- Forwarded message ----------
Date: Thu, 17 Jan 2002 14:58:18 +0100
From: Stijn Hoop <stijn@win.tue.nl>
To: Randy Bush <randy@psg.com>
Cc: freebsd-security@freebsd.org
Subject: Re: s/key!

On Thu, Jan 17, 2002 at 05:50:54AM -0800, Randy Bush wrote:
> i have never done anything wish s/key on either host.  why am i getting
> this?  (both quite recent -stable)
> 
> ns0.psg.com:/usr/local/src/distfiles# rsy randy@rip.psg.com:bind-9.2.0.tar.gz .
> otp-md5 3 ri5788 ext
> S/Key Password: 

This has bitten me before as well. Recent -STABLE turns S/Key on by
default in /etc/ssh/sshd_config. Uncomment the line:

# ChallengeResponseAuthentication no

to disable S/Key again.

HTH,

--Stijn

-- 
"I'm not under the alkafluence of inkahol that some thinkle peep I am.  It's
just the drunker I sit here the longer I get."

--0-1606206787-1011368979=:23003
Content-Type: APPLICATION/PGP-SIGNATURE
Content-ID: <Pine.NEB.3.96L.1020118104855.23003M@fledge.watson.org>
Content-Description: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Rth6Y3r/tLQmfWcRAm0qAJ0ftUGO/0NvEbX0gm6gBeoetLRHuwCfYMuG
ZhmgGlxuZtJ9fr4jCe3LSFk=
=/rj7
-----END PGP SIGNATURE-----

--0-1606206787-1011368979=:23003--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-qa" in the body of the message