Date: Wed, 24 Apr 2002 21:50:46 -0400 (EDT)
From: Robert Watson
To: Jordan Hubbard
Cc: hackers@freebsd.org
Subject: Re: Erm, since everyone managed to HIJACK my sshd thread! ;)
In-Reply-To: <200204231839.g3NId1UR013639@winston.freebsd.org>

Sigh. I responded privately, but I see a plethora of mis-informed
responses also. Please commit the fix to the S/Key code, rather than
disabling challenge response protocol behavior. There's nothing wrong
with supporting the challenge/response parts of the protocol, and it's
even desirable from a PAM perspective. Go fix it properly.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 23 Apr 2002, Jordan Hubbard wrote:

> I'm going to commit the following in 48 hours unless someone can
> convince me that it's a good idea for FreeBSD to be the odd-OS out
> with respect to this behavior:
>
> Index: sshd_config > =================================================================== > RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v > retrieving revision 1.4.2.6 > diff -u -r1.4.2.6 sshd_config > --- sshd_config 28 Sep 2001 01:33:35 -0000 1.4.2.6 > +++ sshd_config 23 Apr 2002 18:38:01 -0000 
> @@ -48,8 +48,8 @@ > PasswordAuthentication yes > PermitEmptyPasswords no > > -# Uncomment to disable s/key passwords > -#ChallengeResponseAuthentication no > +# Comment out to enable s/key passwords > +ChallengeResponseAuthentication no > > # To change Kerberos options > #KerberosAuthentication no
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
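
Review bot: The replacement comment in this hunk, "Comment out to enable s/key passwords", describes only S/Key, but the directive it now sets, "ChallengeResponseAuthentication no", turns off challenge-response authentication as a whole, which the reply above calls desirable from a PAM perspective. Suggest wording the comment around the directive's full effect, for example "Set to yes to allow challenge-response authentication (S/Key, PAM)", so an administrator who depends on PAM prompts can see that this default affects them. "Comment out to enable" also relies on the reader knowing that the built-in default is enabled when the line is absent; naming the value to set is clearer.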