Subject: A couple of security-related issues.
To: None <>
From: Richard Rauch <>
List: tech-security
Date: 12/23/2000 18:09:12
(Please CC: replies to me; I read the lists via the web-page, which often

While upgrading from 1.5_ALPHA from August to 1.5 (proper), I noticed some
bumps and changes w.r.t. security.  Explanations, or pointers to same,
would be appreciated.

 * With 1.5 and OpenSSH, I get nagged about ``otp'' (One-Time
   Password, maybe?) when logging into some systems.  I never got
   pestered by this with the standard ssh from pkgsrc.  After 3
   trials (and failures, since I have no idea what to enter), I
   get a standard password challenge.

   I seem to remember reading about One Time Passwords as a feature
   of kerberos.  I decided that it sounded a bit over the top to
   remember a new, arbitrary password for every login, so I never
   went there.  Can I get OpenSSH to stop this behavior, or is there
   a reason that I should want OpenSSH to do this?  (Or am I missing
   the point of one-time passwords?)

   (OpenSSH only does this with some hosts.  My other computer is still
   on 1.5_ALPHA with ssh[d], and doesn't do the ``otp'' stuff to me.)

   I couldn't see any options in ssh's man-page that seemed to govern

 * Old /etc/security.conf had check_rhosts=NO, with a comment of
   ``Don't turn this on; malicious users can take advantage''.  Now,
   it is check_rhosts=YES, with no comment.  I assume that whoever
   made the change knew what they were doing; still, can someone
   (briefly) explain why it wasn't okay before, but is okay now?

 * I figured that audit-packages would be in /etc/security by now.
   Did it come too late, or was it just an oversight?  (I run it
   in my /etc/security, though I must admit that I don't check the
   results as often as I could.  Maybe I should have security's
   output go to my main account instead of to root?)

  "I probably don't know what I'm talking about."