3.6.1p2 - UsePAM & challenge response

[Mike Bethune]

this is simple, here's a step-by-step:
1) get a version of openssh past 3.6.1p2 that has the UsePAM option (latest snapshot even)
2) sshd_config: default is probably fine, but specifically:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
3) get a windows ssh client like putty (which will try to connect with v1 by default)
4) try to connect to your server with it: it doesn't work.
5) configure putty to use v2: it works.

as mentioned below, the response from the server when using v1 is:
Password:
Response:

which is different from they way it responds when connecting with v2:
Password:

this may be why it doesn't work.


> Please tell us how the clients are broken. You didn't even get the
> version number right. 3.6.1p2 doesn't have UsePAM, that 
> feature is only
> in the CVS snapshots.
> 
> > it doesn't break ssh1, it breaks these windows clients 
> trying to auth w/v1
> > for how please read past the first line in my email...
> > 
> > > hi, i don't understand how 3.6.1p2 breaks ssh1....
> > > 
> > > 
> > > On Fri, Sep 12, 2003 at 10:27:15AM -0700, Mike Bethune wrote:
> > > > Hello,
> > > > the new way this works breaks windows ssh clients using v1 
> > > (I know, who cares :)
> > > > since when these options are enabled and you connect w/v1, 
> > > the server asks:
> > > > Password:
> > > > Response: 
> > > > and I guess these clients (tested putty, pscp, vandyke) 
> > > expect just "Password:"
> > > > 
> > > > v2 is fine though.  But it's still a pain because I have 
> > > customers who need v1 or are too dumb to select v2 in their 
> > > client.  Also, pscp only uses v1 as far as I can see :(
> > > > 
> > > > (Sorry if there's already discussion on this, I didn't find 
> > > any but the issue is probably known since even I noticed it 
> > > back in June.)
> > > > 
> > > > Thanks,
> > > > Mike
> > > 
> 
>