* Dave (dave@alfar.co.uk) [020625 22:22]: :: ::I have the same problem, namely md5 passwords on SuSE 7.3 and can no longer ::get keyboard authentication to work, after disabling compression and ::privilege seperation. :: ::I sympathise with the pressure the team is under day to day, but can we have ::a bit more testing next time, please guys? At least make the 2.9.9p2-98 ::patch available until there is an updated version that authenticates ::properly (I believe the OpenSSH team is moving for a security fix version by ::Monday, rather than one which merely coincidentally closes the hole?) :: ::I'm surprised at the haste with which this update was released - especially ::considering the vague nature of security concerns raised. Well, I would suggest going to have a look at the OpenBSD or OpenSSH sites. There were several discussions on the net over the last few days in which they (not SuSE) stated that the md5 and PAM support was still a bit 1/2 baked with 3.3p1. As for a vague nature..blame Theo and the OpenBSD team for this. They didn't give any more information then "If you don't use privsep and 3.3p1 there is a "remote root exploit". *shrug* I would blame SuSE..how can one test what one doesn't have knowledge of. They could only comply with what the OpenBSD/SSH team said publicly. It's a quickfix for a problem that was thought to be a serious one. Sometimes I think this is why SuSE did a damn fine job putting together a fix that works for most people. When the bug and true fix are released by the OpenBSD/SSH team I am sure SuSE will jump on it quickly. If you want to go back to 3.2.3 and not run privsep..you are free to do so..no one's twisting your arm ..accept maybe a script kiddie who gets into your system because you didn't use the best fix that could be provided at the time. ;) -=Ben --=====-----=====-- mailto:ben@whack.org --=====-- Tell me what you believe..I tell you what you should see. -DP --=====-----=====--