Call for testing: OpenSSH-6.3

Damien Miller djm at mindrot.org
Fri Jul 26 11:22:14 EST 2013


On Thu, 25 Jul 2013, Andy Tsouladze wrote:

> openssh-SNAP-20130726.tar.gz compiles and passes all tests on
> slackware64-14.0.

Thanks for testing.

> I found it strange that configure script does not try to determine
> whether md5 passwords are supported by the system, and it defaults to
> no support. It only checks if --with-md5-passwords was supplied. Is
> this intended? What are the consequences of running sshd with no md5
> password support on a system that does support them? Is there a way to
> programmatically determine this? Or maybe default should be to support
> md5 passwords?

These days, libc's crypt(3) is expected to handle any style of password
hashing in use on the system. Looking at the crypt manpage on the Ubuntu
box I have at hand, it currently supports olde DES, md5crypt and their
own SHA-256 and SHA-512 styles.

OpenSSH's --with-md5-passwords dates from a time before wide libc support
for anything but DES crypt and where authenticating applications were
expected to either supply their own crypt-variants or delegate it to a
PAM module that did. OpenSSH could be compiled without PAM support, but
still needed to be able to authenticate users, so we needed to supply
our own.

If you are unable to authenticate without --with-md5-passwords with your
usual system passwords, then I'd argue that your system is broken: your
password database should be intelligible to your libc's crypt(3) on its
own.

-d
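
An added example, not part of the original message and not OpenSSH code: one way to check programmatically which of the hashing styles named above the local crypt(3) accepts, by calling it through ctypes and confirming that the setting prefix is echoed back. The salts, the probe password and all function names are constructed for illustration.

```python
import ctypes
import ctypes.util

# Scheme -> setting string (crypt(3)'s second argument); salts are constructed.
SETTINGS = {
    "DES": "ab",
    "md5crypt": "$1$saltsalt$",
    "SHA-256": "$5$saltsalt$",
    "SHA-512": "$6$saltsalt$",
}

def load_crypt():
    """Return the system crypt(3) as a callable on bytes, or None."""
    for lib in ("crypt", "c"):
        name = ctypes.util.find_library(lib)
        if name is None:
            continue
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p
        return fn
    return None

def supported(crypt_fn, setting):
    """True if crypt_fn produced a hash in the scheme named by setting."""
    want = setting.encode()
    out = crypt_fn(b"probe", want)
    # Failure is reported as NULL or as a token starting with '*'.
    if out is None or out.startswith(b"*"):
        return False
    if setting.startswith("$"):
        # A DES-only crypt may read "$1" as a two-character DES salt, so
        # require the whole "$id$salt$" prefix to be echoed back.
        return out.startswith(want)
    return len(out) == 13 and out.startswith(want[:2])

def probe(crypt_fn):
    return {name: supported(crypt_fn, s) for name, s in SETTINGS.items()}

if __name__ == "__main__":
    fn = load_crypt()
    if fn is None:
        print("crypt(3) not found")
    else:
        for name, ok in probe(fn).items():
            print(f"{name:9} {'supported' if ok else 'not supported'}")
```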

