[Bug 423] Workaround for pw change in privsep mode (3.5.p1)

Frank Cusack fcusack at fcusack.com
Mon Nov 11 10:51:46 EST 2002

On Sun, Nov 10, 2002 at 03:13:53PM +0100, Michael Steffens wrote:
> Frank Cusack wrote:
> > Not so fast there. :-)  Look in the bugs db for a TISviaPAM patch.  This
> > uses the ssh1 TIS auth method to do the same thing that kbdint does.
> Here I'm confused. Assuming that you mean
>   http://bugzilla.mindrot.org/show_bug.cgi?id=118

That is what I meant.

> and that it does challenge/response authentication, can it
> replace the password authentication part?

No.  Sorry to have indicated that.

On further review, that patch isn't quite an "ssh1 kbdint equivalent", and
wouldn't be safe to modify into a password authentication mechanism.  I can
go into length on the details if desired.  The only thing that patch is
useful for is challenge/response type auths, eg S/Key.  This is a limitation
of protocol 1.

There's no reason a new auth type couldn't be added to protocol 1, however.
It wouldn't be portable though.  I think it's unlikely that any new ssh1
auth would be picked up by any implementation, even openssh.


More information about the openssh-unix-dev mailing list