"David O'Brien" <[EMAIL PROTECTED]> writes: > so getting an OPIE formatted challenge on RELENG_4 immediately lets > someone know it is fake and bogus.
I know. I told you it is a bug in the server. > > the client attempts challenge-response authentication, which is what > > is used for PAM. > I do not follow what you are saying. FreeBSD's OpenSSH 3.1 server now uses PAM for authentication, using SSH's challenge-response authentication protocol, which is used for S/Key or OPIE in older versions. > I thought 3.1 was imported due to a security problem with 3.0. No, the security problem was already fixed in our version of OpenSSH. 3.1 was imported to solve other problems, reduce the amount of local patches and allow us to use PAM on the server side. > > > Considering I DO want SKeyAuthentication (USENIX is comming up); what is > > > the real fix? > > Enable it only for servers that need it. > I just said "I need it". The user from "ssh user@server" does have a > properly setup S/Key entry in /etc/skeykeys The *client* should add "SKeyAuthentication yes" to his ~/.ssh/config only for those hosts that need it. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
