[Bug 423] Workaround for pw change in privsep mode (3.5.p1)

Michael Steffens michael_steffens at hp.com
Mon Nov 11 20:22:36 EST 2002

Frank Cusack wrote:
>>and that it does challenge/response authentication, can it
>>replace the password authentication part?
> No.  Sorry to have indicated that.
> On further review, that patch isn't quite an "ssh1 kbdint equivalent", and
> wouldn't be safe to modify into a password authentication mechanism.  I can
> go into length on the details if desired.

Yes, I would like to know the details! :)

> The only thing that patch is
> useful for is challenge/response type auths, eg S/Key.  This is a limitation
> of protocol 1.
> There's no reason a new auth type couldn't be added to protocol 1, however.
> It wouldn't be portable though.  I think it's unlikely that any new ssh1
> auth would be picked up by any implementation, even openssh.

Unlikely. But if the bottom line is that with protocol 1 PAM authentication
dialogs can only be handled when demanding exectly one password, while
protocol 2 can handle arbitrary ones via keyboard interactive, that's quite
fair IMO.

More information about the openssh-unix-dev mailing list