On Tue, Apr 02, 2002 at 01:48:56AM +0200, Dag-Erling Smorgrav wrote:
> "David O'Brien" <[EMAIL PROTECTED]> writes:
> > On Sat, Mar 30, 2002 at 01:14:07PM +0100, Dag-Erling Smorgrav wrote:
> > > "David O'Brien" <[EMAIL PROTECTED]> writes:
> > > > Uh, why does my sequence keep changing when I just hit <return>???
> > > Because it's generating fake S/Key challenges, and badly.
> > Especially since RELENG_4 does NOT use OPIE.
> > Who this "fake S/Key challenge" that and turned it on?
> OpenSSH in RELENG_4 does use S/Key, and generates fake challenges when

Yes.  But it is obvious it is fake:

This is an S/Key challenge:

    s/key 90 re95460

this is an OPIE challenge:

    otp-md5 315 re7955 ext

so getting an OPIE formatted challenge on RELENG_4 immediately lets
someone know it is fake and bogus.

> the client attempts challenge-response authentication, which is what
> is used for PAM.

I do not follow what you are saying.

> > > No, I haven't seen it, but I've had similar reports.  It's actually a
> > > bug on the server side, in older OpenSSH servers, that is exposed by
> > > newer OpenSSH clients.
> > Will OpenSSH 3.1 be MFC'ed soon?
> Not likely.  There are a number of problems that still need fixing.

I thought 3.1 was imported due to a security problem with 3.0.

> > Considering I DO want SKeyAuthentication (USENIX is comming up); what is
> > the real fix?
> Enable it only for servers that need it.

I just said "I need it".  The user from "ssh user@server" does have a
properly setup S/Key entry in /etc/skeykeys

> It used to be disabled by default in the client, so this shouldn't make
> much of a difference.

I admit to having problems getting this working in the past.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to