Date:      Thu, 17 Jan 2002 14:29:26 -0800 (PST)
From:      Koji Hino <hino@ccrl.sj.nec.com>
To:        green@FreeBSD.ORG, stable@FreeBSD.ORG
Subject:   Re: 4.5-RC1: Why sshd require opie for SSH version 2?
Message-ID:  <20020117.142926.45265184.hino@ccrl.sj.nec.com>
In-Reply-To: <20020116.173525.68550113.hino@ccrl.sj.nec.com>
References:  <20020116.110509.05717273.hino@ccrl.sj.nec.com> <20020116155436.A28166@zipperup.org> <20020116180508.A11693@hardy.mskcc.org> <20020116181943.B30361@zipperup.org> <3C4614CE.8050001@bogen.org> <20020116.173525.68550113.hino@ccrl.sj.nec.com>

I am sending this message to green@freebsd.org, because Brian committed
the skeychallenge() -> opiechallenge() stuff...

Brian, could you check this?

I changed crypto/openssh/auth-chall.c as follows, and tested it.
--- auth-chall.c.dist	Thu Sep 27 18:33:33 2001
+++ auth-chall.c	Thu Jan 17 13:28:07 2002
@@ -77,7 +77,7 @@
 {
 	static char challenge[1024];
 	struct opie opie;
-	if (opiechallenge(&opie, authctxt->user, challenge) == -1)
+	if (opiechallenge(&opie, authctxt->user, challenge))
 		return NULL;
 	strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
 	return challenge;
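
Review bot: on the changed `if`, the bare truthiness test hides that opiechallenge() has three outcomes; the message reports 0, -1 and 1, where skeychallenge() had only 0 and -1. Suggest writing it as `if (opiechallenge(&opie, authctxt->user, challenge) != 0)` with a one-line comment that 1 means no OPIE entry for the user, so a later reader does not narrow it back to `== -1`. Also worth confirming that returning NULL is the intended result for both the 1 and the -1 case, since the caller can no longer tell them apart.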

It works as expected, i.e.:
 * The FreeBSD 4.5-RC1 box is in its default config.
 * The client is OpenSSH_3.0.1p1, in its default config.
 (1) If /etc/opiekeys on the FreeBSD box has size=0, opiechallenge returns 1,
     and sshd falls back to plain password. OK.
 (2) If /etc/opiekeys on the FreeBSD box does not list the requested user, same as
     (1). OK.
 (3) If there is no /etc/opiekeys on the FreeBSD box, /etc/opiekeys is
     created automatically, and it behaves as (1). OK.
 (4) If the requested user is listed in /etc/opiekeys on the FreeBSD box, sshd
     requests the opie password, and is happy with the correct pass phrase. OK.

Koji

From: Koji Hino <hino@ccrl.sj.nec.com>
 Subject: Re: 4.5-RC1: Why sshd require opie for SSH version 2?
 Date: Wed, 16 Jan 2002 17:35:25 -0800 (PST)
 ID: <20020116.173525.68550113.hino@ccrl.sj.nec.com>

:> Thanks to everyone who answered my question.
:> 
:> OK, there are some workarounds to overcome this problem. Then, how
:> should 4.5-R be? Disable opie in the default sshd configuration?
:> 
:> Or....
:> 
:> I looked into the source (not deeply), and found:
:> * opiechallenge() [/usr/src/contrib/opie/libopie/challenge.c] returns
:>   a value: 0, -1, 1. If there is no related user, it seems (I have not
:>   checked with a debugger; this is only my understanding..) to return 1.
:> * the old version, skeychallenge(), only returns 0 (OK), or -1 (BAD).
:> * get_challenge() [/usr/src/crypto/openssh/auth-chall.c] only checks
:>   whether the return value of opiechallenge() is -1.
:> 
:> So, I think get_challenge() should handle the '1' case.
:> 
:> Best regards,
:> 
:> ====================================================================
:> Koji HINO(HINO is my family name)
:> C&C Research Laboratories, NEC USA, Inc.
:> E-mail: hino@ccrl.sj.nec.com
:> ----------
:> DISCLAIMER: this message is the author's personal opinion and does not
:> constitute the support, opinion, or policy of NEC USA, Inc.
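
The return-value mismatch described in the quoted message, as an added example that is not part of the original post and is not OpenSSH or libopie code. `stub_opiechallenge()`, the user names and the challenge string are hypothetical; the stub assumes the 0 / 1 / -1 contract the message describes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for opiechallenge(); not libopie code.
 * Contract as described in the message: 0 = user has an entry,
 * 1 = no entry for this user, -1 = error. */
static int stub_opiechallenge(const char *user, char *buf, size_t len)
{
	if (user == NULL)
		return -1;                      /* constructed error case */
	if (strcmp(user, "alice") == 0) {   /* constructed: the only enrolled user */
		snprintf(buf, len, "otp-md5 498 te0001 ext"); /* constructed sample */
		return 0;
	}
	buf[0] = '\0';  /* assumption: nothing usable is produced for unknown users */
	return 1;
}

static void add_prompt(char *buf, size_t len)
{
	strncat(buf, "\nS/Key Password: ", len - strlen(buf) - 1);
}

/* Check as it stood before the patch: only -1 counts as failure. */
static const char *get_challenge_before(const char *user)
{
	static char challenge[1024];
	if (stub_opiechallenge(user, challenge, sizeof challenge) == -1)
		return NULL;
	add_prompt(challenge, sizeof challenge);
	return challenge;
}

/* Check as patched: any nonzero return means "no OPIE challenge". */
static const char *get_challenge_after(const char *user)
{
	static char challenge[1024];
	if (stub_opiechallenge(user, challenge, sizeof challenge))
		return NULL;
	add_prompt(challenge, sizeof challenge);
	return challenge;
}

int main(void)
{
	printf("bob before: %s\n", get_challenge_before("bob") ? "OPIE prompt" : "NULL");
	printf("bob after:  %s\n", get_challenge_after("bob") ? "OPIE prompt" : "NULL");
	return 0;
}
```

With the old check, a user without an OPIE entry still gets a one-time-password prompt; with the patched check the function returns NULL for that user.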
