[Bug 423] Workaround for pw change in privsep mode (3.5.p1)
Michael Steffens
michael_steffens at hp.com
Mon Nov 11 20:22:36 EST 2002
Frank Cusack wrote:
>>and that it does challenge/response authentication, can it
>>replace the password authentication part?
>
>
> No. Sorry to have indicated that.
>
> On further review, that patch isn't quite an "ssh1 kbdint equivalent", and
> wouldn't be safe to modify into a password authentication mechanism. I can
> go into length on the details if desired.
Yes, I would like to know the details! :)
> The only thing that patch is
> useful for is challenge/response type auths, eg S/Key. This is a limitation
> of protocol 1.
>
> There's no reason a new auth type couldn't be added to protocol 1, however.
> It wouldn't be portable though. I think it's unlikely that any new ssh1
> auth would be picked up by any implementation, even openssh.
Unlikely. But if the bottom line is that with protocol 1 PAM authentication
dialogs can only be handled when demanding exactly one password, while
protocol 2 can handle arbitrary ones via keyboard interactive, that's quite
fair IMO.