Subject: A couple of security-related issues.
To: None <firstname.lastname@example.org>
From: Richard Rauch <email@example.com>
Date: 12/23/2000 18:09:12
(Please CC: replies to me; I read the lists via the web-page, which often
While upgrading from 1.5_ALPHA from August to 1.5 (proper), I noticed some
bumps and changes w.r.t. security. Explanations, or pointers to same,
would be appreciated.
* With 1.5 and OpenSSH, I get nagged about ``otp'' (One-Time
Password, maybe?) when logging into some systems. I never got
pestered by this with the standard ssh from pkgsrc. After 3
trials (and failures, since I have no idea what to enter), I
get a standard password challenge.
I seem to remember reading about One Time Passwords as a feature
of kerberos. I decided that it sounded a bit over the top to
remember a new, arbitrary password for every login, so I never
went there. Can I get OpenSSH to stop this behavior, or is there
a reason that I should want OpenSSH to do this? (Or am I missing
the point of one-time passwords?)
(OpenSSH only does this with some hosts. My other computer is still
on 1.5_ALPHA with ssh[d], and doesn't do the ``otp'' stuff to me.)
I couldn't see any options in ssh's man-page that seemed to govern
* Old /etc/security.conf had check_rhosts=NO, with a comment of
``Don't turn this on; malicious users can take advantage''. Now,
it is check_rhosts=YES, with no comment. I assume that whoever
made the change knew what they were doing; still, can someone
(briefly) explain why it wasn't okay before, but is okay now?
* I figured that audit-packages would be in /etc/security by now.
Did it come too late, or was it just an oversight? (I run it
in my /etc/security, though I must admit that I don't check the
results as often as I could. Maybe I should have security's
output go to my main account instead of to root?)
"I probably don't know what I'm talking about." --firstname.lastname@example.org