From owner-freebsd-hackers  Tue Apr 23  9: 7:14 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id CFF3A37B404; Tue, 23 Apr 2002 09:07:09 -0700 (PDT)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.6/8.11.6) with SMTP id g3NG6xw87250;
	Tue, 23 Apr 2002 12:06:59 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Tue, 23 Apr 2002 12:06:58 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: "Greg 'groggy' Lehey" <grog@FreeBSD.org>
Cc: Jordan Hubbard <jkh@winston.freebsd.org>,
	Oscar Bonilla <obonilla@galileo.edu>,
	Anthony Schneider <aschneid@mail.slc.edu>,
	Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>,
	hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
In-Reply-To: <20020423131646.I6425@wantadilla.lemis.com>
Message-ID: <Pine.NEB.3.96L.1020423120451.55944E-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG


On Tue, 23 Apr 2002, Greg 'groggy' Lehey wrote:

> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
> >> That fix relies on the extensive PAM updates in -CURRENT however; in
> >> -STABLE it can probably be similarly replicated via appropriate tweaking
> >> of sshd (?).
> >
> > Why not fix it in stable by the very simple tweaking of the
> > ChallengeResponseAuthentication to no in the sshd config file we ship
> > Trust me, this question is going to come up a _lot_ for us otherwise. :(
> 
> I've been noticing a continuing trend for more and more "safe" 
> configurations the default.  I spent half a day recently trying to find
> why I could no longer open windows on my X display, only to discover
> that somebody had turned off tcp connections by default. 

BTW, I think this is somewhat of a red herring, and isn't really related
to this discussion at all.  The issue with S/Key is something that we've
already built concensus on: it's a bug for most users, and should be fixed
(or at least made optional), which as I indicated, is *already* the
strategy taken in -CURRENT. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message