From owner-freebsd-current Sat Mar 30 4:14:16 2002 Delivered-To: freebsd-current@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id DDEDC37B416 for ; Sat, 30 Mar 2002 04:14:10 -0800 (PST) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 8F48E5346; Sat, 30 Mar 2002 13:14:08 +0100 (CET) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: current@freebsd.org Cc: Thomas Quinot Subject: Re: Problem with ssh References: <20020328183736.85E9588@nebula.anchoragerescue.org> <20020328192816.GA217@mich.itxmarket.com> <20020328194005.573B688@nebula.anchoragerescue.org> <20020328120317.C92633@dragon.nuxi.com> <20020329030505.GF22998@squall.waterspout.com> <20020329110125.A61943@melusine.cuivre.fr.eu.org> <20020329203139.C74181@dragon.nuxi.com> From: Dag-Erling Smorgrav Date: 30 Mar 2002 13:14:07 +0100 In-Reply-To: <20020329203139.C74181@dragon.nuxi.com> Message-ID: Lines: 37 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG "David O'Brien" writes: > Something is still very wrong: > > ssh foo@releng4 > otp-md5 350 re9786 ext > S/Key Password: > otp-md5 134 re2584 ext > S/Key Password: > otp-md5 417 re5381 ext > S/Key Password: > otp-md5 198 re2571 ext > S/Key Password: > > Uh, why does my sequence keep changing when I just hit ??? Because it's generating fake S/Key challenges, and badly. > And this will not accept my Unix password until I enter garbage _3_ times, > then I finally get a Unix password prompt. > > Hello, DES? Have you seen this thread? No, I haven't seen it, but I've had similar reports. It's actually a bug on the server side, in older OpenSSH servers, that is exposed by newer OpenSSH clients. I haven't yet determined a correct client-side solution, but a workaround is to disable S/Key authentication for those hosts where you don't actually want to use it, by adding the following to ~/.ssh/config: Host foo bar baz SKeyAuthentication no OpenSSH 3.1 servers on -CURRENT will DTRT since they use PAM. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message