From owner-freebsd-hackers Mon Apr 22 17:40:22 2002
Date: Mon, 22 Apr 2002 17:39:26 -0700 (PDT)
From: Jordan Hubbard
Message-Id: <200204230039.g3N0dQ8i011313@winston.freebsd.org>
To: hackers@freebsd.org
Subject: ssh + compiled-in SKEY support considered harmful?
Sender: owner-freebsd-hackers@FreeBSD.ORG

We at Apple are noticing a strange problem with newer versions of ssh (which has been upgraded to OpenSSH_3.1p1) and FreeBSD 4.5-STABLE's sshd. This problem did not occur with our older ssh, but it also does not occur with the newer version and *any* other OS other than FreeBSD, e.g. if you ssh to a Linux or Solaris or Mac OS X box, for that matter, you will not see this behavior.

What behavior am I talking about? This:

    jhubbard@wafer-> ssh jkh@winston.freebsd.org
    otp-md5 114 wi7854 ext
    S/Key Password:
    otp-md5 117 wi5044 ext
    S/Key Password:
    otp-md5 397 wi0652 ext
    S/Key Password:
    jkh@winston.freebsd.org's password:

The machine "wafer" is a Mac OS X box running 10.1.3 and winston.freebsd.org is running FreeBSD 4.5-STABLE. The authentication method which tries this S/Key stuff is "keyboard-interactive" and this is tried, for some reason, before the "password" auth method.
If you compile sshd on the FreeBSD side without SKEY support built-in, the problem also goes away.

My question: Who's "wrong" here, FreeBSD or Mac OS X? If the latter, why doesn't Linux or anything else produce this problem? I ask now because I know that the usage of Mac OS X is growing and there are going to be a lot of annoyed users (like me!) who very quickly get tired of having to wind through all the bogus S/Key password prompts before they can actually type in their real password (and no, skey is not enabled on winston and I have never done a keyinit operation, so I couldn't S/Key authenticate to it if I wanted to).

- Jordan