Date:      Wed, 24 Apr 2002 22:00:15 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Jordan Hubbard <jkh@winston.freebsd.org>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: Erm, since everyone managed to HIJACK my sshd thread! ;)
Message-ID:  <Pine.NEB.3.96L.1020424215852.55944O-100000@fledge.watson.org>
In-Reply-To: <Pine.NEB.3.96L.1020424214955.55944N-100000@fledge.watson.org>

BTW, what I'm suggesting here is the equivalent of the "no_fake_prompts"
setting in pam_opie.so found in -CURRENT.  Basically, if the flag is set,
then OPIE doesn't generate fake prompts for users that don't have OPIE
enabled.  If the flag is disabled, OPIE will generate prompts for the
users to hide the fact that OPIE isn't present.  Some people like the fake
prompts, but I think disabling them in the OPIE code is the right choice
for a default, and is what we're doing in -CURRENT.  Your fix doesn't
address the case where some users have SKEY/OPIE enabled, and others
don't.  It also makes it a lot harder to enable OPIE if you want to.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Wed, 24 Apr 2002, Robert Watson wrote:

> Sigh. I responded privately, but I see a plethora of mis-informed responses
> also.  Please commit the fix to the S/Key code, rather than disabling
> challenge response protocol behavior.  There's nothing wrong with
> supporting the challenge/response parts of the protocol, and it's even
> desirable from a PAM perspective.  Go fix it properly.
> 
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services
> 
> On Tue, 23 Apr 2002, Jordan Hubbard wrote:
> 
> > I'm going to commit the following in 48 hours unless someone can
> > convince me that it's a good idea for FreeBSD to be the odd-OS out
> > with respect to this behavior:
> > 
> > Index: sshd_config
> > ===================================================================
> > RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v
> > retrieving revision 1.4.2.6
> > diff -u -r1.4.2.6 sshd_config
> > --- sshd_config	28 Sep 2001 01:33:35 -0000	1.4.2.6
> > +++ sshd_config	23 Apr 2002 18:38:01 -0000
> > @@ -48,8 +48,8 @@
> >  PasswordAuthentication yes
> >  PermitEmptyPasswords no
> >  
> > -# Uncomment to disable s/key passwords 
> > -#ChallengeResponseAuthentication no
> > +# Comment out to enable s/key passwords 
> > +ChallengeResponseAuthentication no
> >  
> >  # To change Kerberos options
> >  #KerberosAuthentication no
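
Review bot: the new comment on the `+# Comment out to enable s/key passwords` line presents this as an s/key-only switch, but `ChallengeResponseAuthentication no` turns off challenge-response authentication as a whole. That also removes it for accounts that do have S/Key or OPIE set up, which is the mixed-user case raised in the replies above. If the default is flipped anyway, the comment should say what is actually being disabled and that re-enabling it means commenting the line out or setting it to `yes`, so an admin who wants OPIE is not left guessing. The added comment line also carries over the trailing space from the line it replaces.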
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-hackers" in the body of the message
> > 
> 
> 

