Re: 4.5-RC1: Why sshd require opie for SSH version 2?

2002-01-17 Thread Bruce A. Mah

If memory serves me right, Josh Tiefenbach wrote:
  After doing some tests, I found that connecting to this 4.5-RC1 box
  from other machine by OpenSSH (without RSA/DSA key, nor rhost*auth,
  assuming to use plain password to login), requires opie to login,
  though /etc/opiekeys, and /etc/skeykeys are both size 0. If I start
  openssh with flag '-1', which means to use OpenSSH version 1 protocol,
  it works fine: require plain password. I checked 4.4-RELEASE machine,
  and found that it works fine without '-1' flag, and even with '-2', it
  works.

[snip]

 Perhaps it's an OpenSSH v3 thing? If I have some time tonite, I'll go compile
 up v3 someplace and check it out.

Did you get a chance to do this?

I'm unable to reproduce this problem between two RELENG_4 machines
running the base system OpenSSH (both machines built within the last
three days).  Usually I use a DSA keypair to authenticate, but I
temporarily blew away ~/.ssh/authorized_keys2 on the server side and
~/.ssh/id_dsa on the client side.

Bruce.



To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-stable in the body of the message



Re: 4.5-RC1: Why sshd require opie for SSH version 2?

2002-01-17 Thread Koji Hino

I send this message to [EMAIL PROTECTED], because Brian committed
skeychallenge() -> opiechallenge() stuff...

Brian, could you check this?

I changed crypto/openssh/auth-chall.c as follows, and tested it.
--- auth-chall.c.dist   Thu Sep 27 18:33:33 2001
+++ auth-chall.cThu Jan 17 13:28:07 2002
@@ -77,7 +77,7 @@
 {
static char challenge[1024];
struct opie opie;
-   if (opiechallenge(opie, authctxt-user, challenge) == -1)
+   if (opiechallenge(opie, authctxt-user, challenge))
return NULL;
strlcat(challenge, \nS/Key Password: , sizeof challenge);
return challenge;
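
Review bot: The changed test on the opiechallenge() call relies on implicit truthiness, so nothing at the call site records that a positive return is now handled the same way as -1. Suggest writing it as an explicit `!= 0` comparison with a comment that 1 means the requested user has no OPIE entry (as reported in this thread), since the old skeychallenge() contract was only 0 or -1. Because the error case and the no-entry case now both take the `return NULL;` path, consider logging the -1 case separately so a real OPIE failure is not mistaken for a user without a key.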

It works as expected, i.e.:
 * FreeBSD 4.5-RC1 box is in default config.
 * Client is OpenSSH_3.0.1p1, in default config.
 (1) If /etc/opiekeys @ FreeBSD box is size=0, opiechallenge returns 1,
 and sshd falls back to plain password. OK.
 (2) If /etc/opiekeys @ FreeBSD box lists no requested user, same as
 (1). OK.
 (3) If there is no /etc/opiekeys @ FreeBSD box, /etc/opiekeys is
 created automatically, and it behaves as (1). OK.
 (4) If requested user is listed in /etc/opiekeys @ FreeBSD box, sshd
 requests opie password, and is happy with correct pass phrase. OK.

Koji

From: Koji Hino [EMAIL PROTECTED]
 Subject: Re: 4.5-RC1: Why sshd require opie for SSH version 2?
 Date: Wed, 16 Jan 2002 17:35:25 -0800 (PST)
 ID: [EMAIL PROTECTED]

: Thanks to everyone who answered to my question.
: 
: OK, there are some workarounds to overcome this problem. Then, how
: should 4.5-R be? Disable opie as default sshd configuration?
: 
: Or
: 
: I looked into source (not deeply), and found:
: * opiechallenge() [/usr/src/contrib/opie/libopie/challenge.c] returns
:   value: 0, -1, 1. If there is no related user, it seems (I have not
:   checked with a debugger. only my understanding..) to return 1.
: * old version, skeychallenge(), only returns 0 (OK), or -1 (BAD).
: * get_challenge() [/usr/src/crypto/openssh/auth-chall.c] only checks
:   return value of opiechallenge() if it is -1.
: 
: So, I think get_challenge() should handle '1' case.
: 
: Best regards,
: 
: 
: Koji HINO(HINO is my family name)
: CC Research Laboratories, NEC USA, Inc.
: E-mail: [EMAIL PROTECTED]
: --
: DISCLAIMER: this message is the author's personal opinion and does not
: constitute the support, opinion, or policy of NEC USA, Inc.
