On Mon, 22 Apr 2002, Jordan Hubbard wrote:
> That would be my question as well, especially since "everyone else"
> seems to use that default. Thanks to all who responded, and so quickly
> at that - this at least clarified the situation (and gave me a way

This was discussed fairly extensively regarding -current: basically, s/key
is "greedy" and attempts to fake s/key responses even for users who don't
have s/key enabled. Nothing is wrong with challenge response -- arguably,
that's a cleaner way to handle things as a default in the client, since it
means if you connect to a server that does want to use challenge response,
it DTRT. The fix in -CURRENT, I believe, was to make s/key "faking" for
non-enabled users be an option, and to turn the option off by default.
That fix relies on the extensive PAM updates in -CURRENT however; in
-STABLE it can probably be similarly replicated via appropriate tweaking
of sshd (?).
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
firstname.lastname@example.org NAI Labs, Safeport Network Services