3.7.1p1 and PAM

Tom Schaefer schaefert at tomcat.umsl.edu
Thu Sep 25 00:17:11 EST 2003


I've spent a lot of time digging the last couple days and seen some talk about how now with 3.7.1p1 the PAM challenge response requiring keyboard interactive on the client is "right" and no longer a kludge.  I understand that.

Unfortunately I've got a bunch of users who's client (www.ssh.com's client version 3.2.3)  doesn't function without a kludged server.

The package from www.ssh.com come's with a Windows GUI based client and a "DOS" command line only client.The GUI client does suport keyboard interactive and thus does work ok with PAM and 3.7.1p1 server but the "DOS" command line only client (ssh2.exe) does NOT.

This stinks for me since its the command line version I've got them all using in a DOS batch file.  All it does is connect to the server and forward local port 139 in order to encrypt samba.  Authentication is done with pam_smb PAM module.

Anyhow, I realize its a client side problem but I'm writing to suggest an option be put into the next version of openssh to revert to the old "kludged" method of challenge response giving administrators the ability to maintain compabitability with broken and handicapped clients if they wish to do so.

As it stands I've been forced to revert to an older version of sshd and am going to have to get some firewall rules in place real soon now.

Tom Schaefer
UNIX Administrator
University of Missouri Saint Louis 

I put openssh 3.7.1p1 on a server and 

More information about the openssh-unix-dev mailing list