From owner-freebsd-hackers Tue Apr 23 9: 7:14 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id CFF3A37B404; Tue, 23 Apr 2002 09:07:09 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.6) with SMTP id g3NG6xw87250; Tue, 23 Apr 2002 12:06:59 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 23 Apr 2002 12:06:58 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "Greg 'groggy' Lehey" Cc: Jordan Hubbard , Oscar Bonilla , Anthony Schneider , Mike Meyer , hackers@FreeBSD.org Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?) In-Reply-To: <20020423131646.I6425@wantadilla.lemis.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, 23 Apr 2002, Greg 'groggy' Lehey wrote: > On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote: > >> That fix relies on the extensive PAM updates in -CURRENT however; in > >> -STABLE it can probably be similarly replicated via appropriate tweaking > >> of sshd (?). > > > > Why not fix it in stable by the very simple tweaking of the > > ChallengeResponseAuthentication to no in the sshd config file we ship > > Trust me, this question is going to come up a _lot_ for us otherwise. :( > > I've been noticing a continuing trend for more and more "safe" > configurations the default. I spent half a day recently trying to find > why I could no longer open windows on my X display, only to discover > that somebody had turned off tcp connections by default. BTW, I think this is somewhat of a red herring, and isn't really related to this discussion at all. The issue with S/Key is something that we've already built concensus on: it's a bug for most users, and should be fixed (or at least made optional), which as I indicated, is *already* the strategy taken in -CURRENT. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message