FreeBSD, SSH and "Enter Authentication Response"
Rishi Chopra
rchopra at cal.berkeley.edu
Tue Jan 13 13:31:43 PST 2004
I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh -
I'm running a default minimal installation of FreeBSD 5.2:
/etc/ssh/ssh_config:
# $FreeBSD: src/crypto/openssh/ssh_config,v 1.21 2003/04/23 17:10:53 des Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP no
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# VersionAddendum FreeBSD-20030423
/etc/pam.d/ssh
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Any ideas what I should change?
-Rishi
Ruben de Groot wrote:
>On Tue, Jan 13, 2004 at 11:55:50AM +0000, Matthew Seaman typed:
>
>
>>On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
>>
>>
>>>I have a nitpicky question about logging into a FreeBSD machine and
>>>SSH. I'm using a minimal FreeBSD install and SSH Secure Shell client
>>>v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
>>>
>>>
>>Which FreeBSD version? And are you running the OpenSSH server
>>supplied with the system or one from ports?
>>
>>
>
>Judging by name and version number, I think he's not running OpenSSH
>at all, but the other ssh implementation from ssh.org
>
>
>
>>>When I login to my machine, I'm prompted to enter an "authentication
>>>response". A window is displayed with "Enter Authentication Response"
>>>in the title bar, and two buttons at the bottom ('OK' and 'Cancel') -
>>>the text says:
>>>
>>> Enter your authentication response.
>>> Password:
>>>
>>>
>>Sounds like you've got the PAM based challenge-response authentication
>>enabled in your /etc/ssh/sshd_config (which is the default), but
>>your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
>>modified configuration.
>>
>>Here are a couple of things to try --
>>
>>Turn off Challenge-response authentication in /etc/ssh/sshd_config
>>
>>Change:
>>
>> #ChallengeResponseAuthentication yes
>>
>>to
>>
>> ChallengeResponseAuthentication no
>>
>>and then:
>>
>> # kill -HUP `cat /var/run/sshd.pid`
>>
>>to get it to reread the config.
>>
>> -- or --
>>
>>Double check the PAM settings: they should look like this in /etc/pam.conf
>>
>> # OpenSSH with PAM support requires similar modules. The session one is
>> # a bit strange, though...
>> sshd auth sufficient pam_skey.so
>> sshd auth sufficient pam_opie.so no_fake_prompts
>> #sshd auth requisite pam_opieaccess.so
>> #sshd auth sufficient pam_kerberosIV.so try_first_pass
>> #sshd auth sufficient pam_krb5.so try_first_pass
>> sshd auth required pam_unix.so try_first_pass
>> sshd account required pam_unix.so
>> sshd password required pam_permit.so
>> sshd session required pam_permit.so
>>
>>The /etc/pam.d case is similar, except you should have a file called
>>'sshd' in that directory, whose contents are similar, but without the
>>'sshd' entries in the first column.
>>
>> Cheers,
>>
>> Matthew
>>
>>
>>--
>>Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
>> Savill Way
>>PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
>>Tel: +44 1628 476614 Bucks., SL7 1TH UK
>>
>>
>
>
>
>
>
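
The two checks suggested in the quoted reply (the challenge-response setting in sshd_config and the auth stack in the PAM file for sshd), as an added example that is not part of the original thread. The function names and sample files are constructed for illustration; the parser assumes whitespace-separated "Keyword value" lines and ignores Match blocks.

```sh
#!/bin/sh
# Added example, not code from the thread. Sample files are constructed.
# Assumption: "Keyword value" form only; Match blocks are not handled.

# Effective value of an sshd_config keyword: the first uncommented occurrence
# wins, keywords are case-insensitive, otherwise the caller's default applies.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v kw="$2" -v dflt="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Active auth entries of a pam.d-style file as "control module", in stack order.
pam_auth_stack() {  # usage: pam_auth_stack FILE
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

report() {  # usage: report SSHD_CONFIG PAM_FILE
    # Default "yes" is what the thread states for this option.
    if [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = yes ]; then
        echo "$1: challenge-response on; prompts come from this PAM auth stack:"
        pam_auth_stack "$2" | sed 's/^/  /'
    else
        echo "$1: challenge-response off"
    fi
}

make_samples() {  # usage: make_samples DIR  (constructed sample input)
    printf '%s\n' '#ChallengeResponseAuthentication yes' 'Port 22' \
        > "$1/sshd_default"
    printf '%s\n' 'Port 22' 'challengeresponseauthentication no' \
        'ChallengeResponseAuthentication yes' > "$1/sshd_off"
    printf '%s\n' '# auth' \
        'auth required pam_nologin.so no_warn' \
        'auth sufficient pam_opie.so no_warn no_fake_prompts' \
        '#auth sufficient pam_krb5.so no_warn try_first_pass' \
        'auth required pam_unix.so no_warn try_first_pass' \
        'account required pam_unix.so' > "$1/pam_sshd"
}

d=$(mktemp -d) && make_samples "$d"
report "$d/sshd_default" "$d/pam_sshd"
report "$d/sshd_off" "$d/pam_sshd"
rm -rf "$d"
```

On a real host, point report at /etc/ssh/sshd_config (the server file, not ssh_config) and the sshd PAM file.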