Date: Mon, 22 Apr 2002 22:41:02 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.ORG> To: Jordan Hubbard <jkh@winston.freebsd.org> Cc: Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.ORG Subject: Re: ssh + compiled-in SKEY support considered harmful? Message-ID: <Pine.NEB.3.96L.1020422223923.64976i-100000@fledge.watson.org> In-Reply-To: <11531.1019527281@winston.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 22 Apr 2002, Jordan Hubbard wrote: > That would be my question as well, especially since "everyone else" > seems to use that default. Thanks to all who responded, and so quickly > at that - this at least clarified the situation (and gave me a way > out!). This was discussed fairly extensively regarding -current: basically, s/key is "greedy" and attempts to fake s/key responses even for users who don't have s/key enabled. Nothing is wrong with challenge response -- arguably, that's a cleaner way to handle things as a default in the client, since it means if you connect to a server that does want to use challenge response, it DTRT. The fix in -CURRENT, I believe, was to make s/key "faking" for non-enabled users be an option, and to turn the option off by default. That fix relies on the extensive PAM updates in -CURRENT however; in -STABLE it can probably be similarly replicated via appropriate tweaking of sshd (?). Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020422223923.64976i-100000>