From owner-freebsd-current  Tue Jul  9  6:59: 9 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4969337B400
	for <current@freebsd.org>; Tue,  9 Jul 2002 06:59:07 -0700 (PDT)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C853A43E3B
	for <current@freebsd.org>; Tue,  9 Jul 2002 06:59:06 -0700 (PDT)
	(envelope-from des@ofug.org)
Received: by flood.ping.uio.no (Postfix, from userid 2602)
	id 40601534A; Tue,  9 Jul 2002 15:59:05 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: current@freebsd.org
Subject: Re: PasswordAuthentication not works in sshd
References: <20020702114530.GB837@nagual.pp.ru>
	<xzpn0tacp9c.fsf@flood.ping.uio.no>
	<20020709124943.GA15259@nagual.pp.ru>
	<xzphej9jb3i.fsf@flood.ping.uio.no>
	<20020709133611.GA17322@nagual.pp.ru>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 09 Jul 2002 15:59:04 +0200
In-Reply-To: <20020709133611.GA17322@nagual.pp.ru>
Message-ID: <xzpd6txj93r.fsf@flood.ping.uio.no>
Lines: 14
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> Normally OPIE not accepts plain Unix password remotely, and it is right,
> because of cleartext. But it is wrong for sshd, because no cleartext
> sended for PasswordAuth. It seems that opieaccess in pam.d/sshd should not
> fails by default or maybe even not present there.

What if the client is untrusted?  Do you find it reasonable to allow
users to type their password on an untrusted client?  Many of our
users use OPIE for precisely this scenario - reading their mail on an
untrusted machine in the USENIX terminal room.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message