Date: Wed, 24 Apr 2002 22:00:15 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.ORG> To: Jordan Hubbard <jkh@winston.freebsd.org> Cc: hackers@FreeBSD.ORG Subject: Re: Erm, since everyone managed to HIJACK my sshd thread! ;) Message-ID: <Pine.NEB.3.96L.1020424215852.55944O-100000@fledge.watson.org> In-Reply-To: <Pine.NEB.3.96L.1020424214955.55944N-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
BTW, what I'm suggesting here is the equivilent of the "no_fake_prompts" setting in pam_opie.so found in -CURRENT. Basically, if the flag is set, then OPIE doesn't generate fake prompts for users that don't have OPIE enabled. If the flag is disabled, OPIE will generate prompts for the users to hide the fact that OPIE isn't present. Some people like the fake prompts, but I think disabling them in the OPIE code is the right choice for a default, and is what we're doing in -CURRENT. Your fix doesn't address the case where some users have SKEY/OPIE enabled, and others don't. It also makes it a lot harder to enable OPIE if you want to. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services On Wed, 24 Apr 2002, Robert Watson wrote: > Sigh. I responded privately, but I see a plethora of mis-informed response > also. Please commit the fix to the S/Key code, rather than disabling > challenge response protocol behavior. There's nothing wrong with > supporting the challenge/response parts of the protocol, and it's even > desirable from a PAM perspective. Go fix it properly. > > Robert N M Watson FreeBSD Core Team, TrustedBSD Project > robert@fledge.watson.org NAI Labs, Safeport Network Services > > On Tue, 23 Apr 2002, Jordan Hubbard wrote: > > > I'm going to commit the following in 48 hours unless someone can > > convince me that it's a good idea for FreeBSD to be the odd-OS out > > with respect to this behavior: > > > > Index: sshd_config > > =================================================================== > > RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v > > retrieving revision 1.4.2.6 > > diff -u -r1.4.2.6 sshd_config > > --- sshd_config 28 Sep 2001 01:33:35 -0000 1.4.2.6 > > +++ sshd_config 23 Apr 2002 18:38:01 -0000 > > @@ -48,8 +48,8 @@ > > PasswordAuthentication yes > > PermitEmptyPasswords no > > > > -# Uncomment to disable s/key passwords > > -#ChallengeResponseAuthentication no > > +# Comment out to enable s/key passwords > > +ChallengeResponseAuthentication no > > > > # To change Kerberos options > > #KerberosAuthentication no > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-hackers" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-hackers" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020424215852.55944O-100000>