From owner-freebsd-hackers  Wed Apr 24 20:22:25 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 648E937B405
	for ; Wed, 24 Apr 2002 20:22:06 -0700 (PDT)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.6/8.11.6) with SMTP id g3P20Fw44288;
	Wed, 24 Apr 2002 22:00:15 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Wed, 24 Apr 2002 22:00:15 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Jordan Hubbard
Cc: hackers@FreeBSD.ORG
Subject: Re: Erm, since everyone managed to HIJACK my sshd thread! ;)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

BTW, what I'm suggesting here is the equivalent of the "no_fake_prompts"
setting in pam_opie.so found in -CURRENT.  Basically, if the flag is set,
then OPIE doesn't generate fake prompts for users that don't have OPIE
enabled.  If the flag is disabled, OPIE will generate prompts for the users
to hide the fact that OPIE isn't present.  Some people like the fake
prompts, but I think disabling them in the OPIE code is the right choice
for a default, and is what we're doing in -CURRENT.

Your fix doesn't address the case where some users have SKEY/OPIE enabled,
and others don't.  It also makes it a lot harder to enable OPIE if you want
to.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Wed, 24 Apr 2002, Robert Watson wrote:

> Sigh.  I responded privately, but I see a plethora of misinformed
> responses also.  Please commit the fix to the S/Key code, rather than
> disabling challenge response protocol behavior.  There's nothing wrong
> with supporting the challenge/response parts of the protocol, and it's
> even desirable from a PAM perspective.  Go fix it properly.
> 
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services
> 
> On Tue, 23 Apr 2002, Jordan Hubbard wrote:
> 
> > I'm going to commit the following in 48 hours unless someone can
> > convince me that it's a good idea for FreeBSD to be the odd-OS out
> > with respect to this behavior:
> > 
> > Index: sshd_config
> > ===================================================================
> > RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v
> > retrieving revision 1.4.2.6
> > diff -u -r1.4.2.6 sshd_config
> > --- sshd_config	28 Sep 2001 01:33:35 -0000	1.4.2.6
> > +++ sshd_config	23 Apr 2002 18:38:01 -0000
> > @@ -48,8 +48,8 @@
> >  PasswordAuthentication yes
> >  PermitEmptyPasswords no
> > 
> > -# Uncomment to disable s/key passwords
> > -#ChallengeResponseAuthentication no
> > +# Comment out to enable s/key passwords
> > +ChallengeResponseAuthentication no
> > 
> >  # To change Kerberos options
> >  #KerberosAuthentication no
> > 
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
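Review bot: the hunk cures a prompting annoyance by switching a protocol feature off for every user: shipping `ChallengeResponseAuthentication no` as the default means accounts that do have S/Key or OPIE keys lose that login method, and any PAM module that works through challenge/response is shut out with it, when the complaint was only about users who have no key being prompted. As the reply above says, the narrower fix is in the S/Key code (stop issuing prompts for users without a key) and leaves this keyword alone. Separately, the replacement comment `# Comment out to enable s/key passwords` describes the enable path only by appeal to the unstated compiled-in default; if the change goes in anyway, a comment that names the value to set (`ChallengeResponseAuthentication yes`) is clearer for whoever edits the file later.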
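The script below is an added example, not code from this thread or from FreeBSD. It tells apart, on constructed sample files, the two routes discussed above: the quoted diff (sshd_config with `ChallengeResponseAuthentication no`, which turns challenge/response off for every user) and the pam_opie `no_fake_prompts` option Robert describes (challenge/response left on, only users with an OPIE key prompted). It assumes the `auth <control> pam_opie.so [options]` line layout of /etc/pam.d/sshd and takes both file paths as arguments; the `no_warn` and `try_first_pass` words in the samples are just sample options. It also demonstrates the sshd_config first-match rule, since a later `ChallengeResponseAuthentication` line never overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a host handles S/Key (OPIE)
# prompts over ssh.  Verdicts:
#   global-disable  - sshd_config says ChallengeResponseAuthentication no,
#                     so challenge/response is off for ALL users (quoted diff)
#   no-fake-prompts - challenge/response on, pam_opie.so has no_fake_prompts,
#                     so only users with an OPIE key are prompted
#   fake-prompts    - challenge/response on, pam_opie.so prompts every user
#   no-opie         - challenge/response on, no pam_opie.so auth line at all
# Assumptions (not from the mail): PAM lines look like
# "auth <control> pam_opie.so [options]"; both paths are passed as arguments.

# Effective value of one sshd_config keyword, lower-cased.  Per sshd_config(5)
# keywords are case-insensitive, '#' starts a comment, and the FIRST
# occurrence wins, so a later duplicate never overrides an earlier line.
sshd_effective() {
    # $1 = sshd_config path, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Succeeds if the PAM file has an "auth" line that loads pam_opie.so.
has_pam_opie() {
    awk '$1 == "auth" && $3 ~ /pam_opie\.so/ { found = 1 } END { exit !found }' "$1"
}

# Options of the first "auth ... pam_opie.so" line, each followed by a space,
# so callers can match on " word ".
pam_opie_options() {
    awk '$1 == "auth" && $3 ~ /pam_opie\.so/ {
            for (i = 4; i <= NF; i++) printf "%s ", $i
            print ""; exit
         }' "$1"
}

classify_policy() {
    # $1 = sshd_config path, $2 = PAM service file path
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication)
    if [ -z "$cra" ]; then
        cra=yes    # OpenSSH's compiled-in default when the keyword is absent
    fi
    if [ "$cra" = no ]; then
        echo global-disable
        return 0
    fi
    if ! has_pam_opie "$2"; then
        echo no-opie
        return 0
    fi
    case " $(pam_opie_options "$2")" in
        *" no_fake_prompts "*) echo no-fake-prompts ;;
        *)                     echo fake-prompts ;;
    esac
}

# Constructed sample files (no real host) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config.stock" <<'EOF'
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
EOF
cat > "$SAMPLE_DIR/sshd_config.patched" <<'EOF'
PasswordAuthentication yes
PermitEmptyPasswords no

# Comment out to enable s/key passwords
ChallengeResponseAuthentication no
EOF
# First-match rule: the second line here is dead configuration.
cat > "$SAMPLE_DIR/sshd_config.dup" <<'EOF'
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF
cat > "$SAMPLE_DIR/pam_sshd.fake" <<'EOF'
auth    sufficient  pam_opie.so   no_warn
auth    required    pam_unix.so   no_warn try_first_pass
EOF
cat > "$SAMPLE_DIR/pam_sshd.nofake" <<'EOF'
auth    sufficient  pam_opie.so   no_warn no_fake_prompts
auth    required    pam_unix.so   no_warn try_first_pass
EOF
cat > "$SAMPLE_DIR/pam_sshd.noopie" <<'EOF'
auth    required    pam_unix.so   no_warn try_first_pass
EOF

for pair in sshd_config.stock:pam_sshd.fake sshd_config.stock:pam_sshd.nofake \
            sshd_config.patched:pam_sshd.nofake sshd_config.dup:pam_sshd.nofake \
            sshd_config.stock:pam_sshd.noopie; do
    printf '%-22s %-18s -> %s\n' "${pair%%:*}" "${pair#*:}" \
        "$(classify_policy "$SAMPLE_DIR/${pair%%:*}" "$SAMPLE_DIR/${pair#*:}")"
done
```

Run as-is it prints one verdict per sample pair; to audit a real host, call `classify_policy /etc/ssh/sshd_config /etc/pam.d/sshd` instead of the loop. A `global-disable` verdict is the state the quoted diff would ship by default; `no-fake-prompts` is the state the reply argues for.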