From: Koji Hino
Organization: C&C Research Laboratories (CCRL), NEC USA, Inc.
To: green@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: Re: 4.5-RC1: Why sshd require opie for SSH version 2?
Date: Thu, 17 Jan 2002 14:29:26 -0800 (PST)
Message-Id: <20020117.142926.45265184.hino@ccrl.sj.nec.com>
In-Reply-To: <20020116.173525.68550113.hino@ccrl.sj.nec.com>
References: <20020116.110509.05717273.hino@ccrl.sj.nec.com> <20020116155436.A28166@zipperup.org> <20020116180508.A11693@hardy.mskcc.org> <20020116181943.B30361@zipperup.org> <3C4614CE.8050001@bogen.org> <20020116.173525.68550113.hino@ccrl.sj.nec.com>

I am sending this message to green@freebsd.org because Brian committed the skeychallenge() -> opiechallenge() stuff... Brian, could you check this?

I changed crypto/openssh/auth-chall.c as follows and tested it.

--- auth-chall.c.dist Thu Sep 27 18:33:33 2001
+++ auth-chall.c Thu Jan 17 13:28:07 2002
@@ -77,7 +77,7 @@
 {
 	static char challenge[1024];
 	struct opie opie;
-	if (opiechallenge(&opie, authctxt->user, challenge) == -1)
+	if (opiechallenge(&opie, authctxt->user, challenge))
 		return NULL;
 	strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
 	return challenge;

It works as expected, i.e.:

* The FreeBSD 4.5-RC1 box is in the default config.
* The client is OpenSSH_3.0.1p1, in the default config.

(1) If /etc/opiekeys on the FreeBSD box has size 0, opiechallenge returns 1, and sshd falls back to plain password. OK.
(2) If /etc/opiekeys on the FreeBSD box does not list the requested user, same as (1). OK.
(3) If there is no /etc/opiekeys on the FreeBSD box, /etc/opiekeys is created automatically, and it behaves as in (1). OK.
(4) If the requested user is listed in /etc/opiekeys on the FreeBSD box, sshd requests the OPIE password and is happy with the correct pass phrase. OK.

Koji
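Review bot: the replaced `== -1` test is the whole bug, so the hunk would benefit from a one-line comment above the new `if` stating that opiechallenge() returns 0 on success, 1 when the user has no OPIE entry and -1 on error (as the earlier analysis in this thread describes); without it a future reader comparing against the skeychallenge() version may "tidy" the condition back to `== -1` and reintroduce the prompt-on-missing-user behaviour. A minor style point in the same hunk: the prompt appended by strlcat still reads "S/Key Password: " although the challenge is now produced by OPIE, so consider updating the string while touching this function.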
From: Koji Hino
Subject: Re: 4.5-RC1: Why sshd require opie for SSH version 2?
Date: Wed, 16 Jan 2002 17:35:25 -0800 (PST)
ID: <20020116.173525.68550113.hino@ccrl.sj.nec.com>

:> Thanks to everyone who answered my question.
:>
:> OK, there are some workarounds to overcome this problem. Then, how
:> should 4.5-R be? Disable opie in the default sshd configuration?
:>
:> Or....
:>
:> I looked into the source (not deeply), and found:
:> * opiechallenge() [/usr/src/contrib/opie/libopie/challenge.c] returns
:>   the values 0, -1, 1. If there is no related user, it seems (I haven't
:>   checked with a debugger; only my understanding..) to return 1.
:> * The old version, skeychallenge(), only returned 0 (OK) or -1 (BAD).
:> * get_challenge() [/usr/src/crypto/openssh/auth-chall.c] only checks
:>   the return value of opiechallenge() for -1.
:>
:> So, I think get_challenge() should handle the '1' case.
:>
:> Best regards,
:>
:> ====================================================================
:> Koji HINO (HINO is my family name)
:> C&C Research Laboratories, NEC USA, Inc.
:> E-mail: hino@ccrl.sj.nec.com
:> ----------
:> DISCLAIMER: this message is the author's personal opinion and does not
:> constitute the support, opinion, or policy of NEC USA, Inc.
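The following is an added example, not code from this thread or from OpenSSH/OPIE: it models the three opiechallenge() results described in the quoted analysis (0 = user enrolled, 1 = no entry, -1 = error) with a constructed stand-in, and places the pre-patch get_challenge() test beside the patched one so the difference is visible. The user names and the mock's behaviour are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Added example. Models the three results the thread attributes to
 * opiechallenge(): 0 = entry found and challenge written, 1 = no OPIE
 * entry for the user, -1 = error. Not the real OPIE or OpenSSH code. */
struct opie { int seq; };
struct authctxt { const char *user; };
/* Constructed stand-in for opiechallenge(): "alice" is enrolled,
 * "carol" simulates an error, anyone else has no entry. On 1 and -1
 * the challenge buffer is left untouched, as a caller must assume. */
static int mock_opiechallenge(struct opie *op, const char *user,
                              char *challenge, size_t len)
{
    if (strcmp(user, "alice") == 0) {
        op->seq = 499;
        snprintf(challenge, len, "otp-md5 499 ke1234 ext");
        return 0;
    }
    if (strcmp(user, "carol") == 0)
        return -1;
    return 1;
}
/* Pre-patch logic: only -1 counts as failure, so a return of 1 falls
 * through and a prompt is built on an empty challenge. The buffer is
 * cleared here so the demo is deterministic; the original does not. */
const char *get_challenge_old(struct authctxt *a)
{
    static char challenge[1024];
    struct opie opie;
    challenge[0] = '\0';
    if (mock_opiechallenge(&opie, a->user, challenge, sizeof challenge) == -1)
        return NULL;
    strncat(challenge, "\nS/Key Password: ",
            sizeof challenge - strlen(challenge) - 1);
    return challenge;
}
/* Patched logic: any non-zero result means "no OPIE challenge", so
 * sshd can fall back to the next authentication method. */
const char *get_challenge_new(struct authctxt *a)
{
    static char challenge[1024];
    struct opie opie;
    challenge[0] = '\0';
    if (mock_opiechallenge(&opie, a->user, challenge, sizeof challenge))
        return NULL;
    strncat(challenge, "\nS/Key Password: ",
            sizeof challenge - strlen(challenge) - 1);
    return challenge;
}
```

With the old check, a user who has no entry in /etc/opiekeys is shown a bare "S/Key Password:" prompt; with the patched check the function returns NULL and authentication can fall back, matching cases (1) and (2) in the test report above.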