tech-security: Re: OpenSSH Priv Sep and Remote Exploit?

Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 06/26/2002 14:14:14

In lists.netbsd.tech-security you write:

>On Wed, Jun 26, 2002 at 02:11:15PM -0400, Steven M. Bellovin wrote:

> > I'm confused again.  sshd_config in 1.6beta3 has this:
> > 
> > # Change to no to disable s/key passwords
> > #ChallengeResponseAuthentication yes
> > 
> > which implies that they're the same option.  Or is it different on 
> > other versions?  I checked 3.1 and 3.3.1.

>Hm, they used to be different, I thought.  I could be mistaken.

AFAIK {TIS,SKey,ChallengeResponse}Authentication are all the same thing
they just keep re-naming it - and of course sshd vomits until you
guess the right one.  `strings sshd | grep authentication` is more
accurate than man sshd :-)

--sjg