On Mon, Jun 18, 2007 at 04:39:22PM -0700, Ryan Murray wrote:
> ssh 4.6p1 defaults to having challenge_response_authentication and
> kbd_interaction_authentication to off.

Assuming you mean the defaults in the code, where do you see that?
servconf.c:fill_default_server_options() says:

        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;

... and parse_server_config applies an additional fixup:

        /* challenge-response is implemented via keyboard interactive */
        if (options->challenge_response_authentication == 1)
                options->kbd_interactive_authentication = 1;

It is true that the configuration file shipped with new installations
turns off ChallengeResponseAuthentication.

> The shipped config file does not set either option by default. This
> means that PAM is disabled by default. A KbdInteractiveAuthentication
> yes or ChallengeResponseAuthentication yes is needed to enable PAM
> based authentication.

Certainly it seems that some of those suffering from this bug have
ChallengeResponseAuthentication explicitly disabled, but not all; see
for example the configuration file in #428968, noting my comments above
about the defaults.

I haven't yet found any evidence of an intentional change of behaviour
in this area in 4.6p1, and until I do I still consider this a bug. (If
it was an intentional change, I'll add a NEWS item once I figure out
what's going on.)

-- 
Colin Watson [EMAIL PROTECTED]