Date:      Mon, 22 Apr 2002 22:41:02 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Jordan Hubbard <jkh@winston.freebsd.org>
Cc:        Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.ORG
Subject:   Re: ssh + compiled-in SKEY support considered harmful? 
Message-ID:  <Pine.NEB.3.96L.1020422223923.64976i-100000@fledge.watson.org>
In-Reply-To: <11531.1019527281@winston.freebsd.org>


On Mon, 22 Apr 2002, Jordan Hubbard wrote:

> That would be my question as well, especially since "everyone else" 
> seems to use that default.  Thanks to all who responded, and so quickly
> at that - this at least clarified the situation (and gave me a way
> out!). 

This was discussed fairly extensively regarding -current: basically, s/key
is "greedy" and attempts to fake s/key responses even for users who don't
have s/key enabled.  Nothing is wrong with challenge response -- arguably,
that's a cleaner way to handle things as a default in the client, since it
means if you connect to a server that does want to use challenge response,
it DTRT.  The fix in -CURRENT, I believe, was to make s/key "faking" for
non-enabled users be an option, and to turn the option off by default.
That fix relies on the extensive PAM updates in -CURRENT however; in
-STABLE it can probably be similarly replicated via appropriate tweaking
of sshd (?).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
