Date: Tue, 9 Jul 2002 20:30:51 +0400 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Dag-Erling Smorgrav <des@ofug.org> Cc: current@freebsd.org Subject: Re: PasswordAuthentication not works in sshd Message-ID: <20020709163050.GA18792@nagual.pp.ru> In-Reply-To: <xzpd6txj93r.fsf@flood.ping.uio.no> References: <20020702114530.GB837@nagual.pp.ru> <xzpn0tacp9c.fsf@flood.ping.uio.no> <20020709124943.GA15259@nagual.pp.ru> <xzphej9jb3i.fsf@flood.ping.uio.no> <20020709133611.GA17322@nagual.pp.ru> <xzpd6txj93r.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jul 09, 2002 at 15:59:04 +0200, Dag-Erling Smorgrav wrote: > What if the client is untrusted? Do you find it reasonable to allow > users to type their password on an untrusted client? Many of our > users use OPIE for precisely this scenario - reading their mail on an > untrusted machine in the USENIX terminal room. I understand that. What I say - it must be not in default setup because break normal password auth for ssh. I.e. I not set any special option in sshd_config to enable OPIE or SKEY, why it is in the way? From sshd configuring point of view OPIE auth must be directly enabled and not turned on indirectly. Admins who already sets up OPIE for other programs will be very confused finding (especially when not finding) that now OPIE is turned on indirectly in ssh without even any config options. To resolve this confusion - could you restore old OPIE/SKEY sshd_config option and load pam_opie* modules only when it is enabled? It seems it can be done via new /etc/pam.d/sshd_opie file unless you know more smarter way. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020709163050.GA18792>
