HELP!! sshd permitting password free logins

Gene listmail at Bomgardner.net
Mon Feb 14 05:54:28 GMT 2005


Ean Kingston wrote:

>On February 13, 2005 04:10 pm, Gene wrote:
>
>>I'm running version 5.3 of freebsd.
>>I'm not sure what I did - I was experimenting in sshd_config. sshd began
>>to permit logins without benefit of password.
>>
>>When logging in (I'm using putty from a local windows machine) I enter
>>the user name. I'm presented with the challenge and the password prompt.
>>If I hit enter I get the second password prompt with echo on. If I enter
>>anything else to the first password prompt, or anything (or just the
>>enter key) to the second prompt, I find myself logged on.
>>
>
>I'm not sure what you mean by a second password prompt. I've never seen SSH 
>provide 2 password prompts.
>
Login accounts use opie. Once the user name is entered, a challenge is 
displayed followed by a password prompt. Entered passwords at this 
prompt do not echo. Normally, if you enter just a return, another prompt 
appears with the notation "[echo on]" and the entered password is echoed 
as it is entered.

>>The allow groups directive in the config file works, only members of
>>grp1 get logged on, but without passwords. This was working correctly
>>before I started fooling around -
>>
>>any ideas?
>
>Check to make sure the user you are logging in as has a password.
>
>Also, check to make sure your ssh client is not sending an RSA key for 
>authentication. I think that one is enabled by default. If you want to force 
>passwords, make sure you aren't using RSA keys.
>
I disabled RSA keys in the config file, but the problem persists.

>>Config file follows:
>>------------------------
>>#    $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
>>#    $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $
>>
>># This is the sshd server system-wide configuration file.  See
>># sshd_config(5) for more information.
>>
>># This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>>
>># The strategy used for options in the default sshd_config shipped with
>># OpenSSH is to specify options with their default value where
>># possible, but leave them commented.  Uncommented options change a
>># default value.
>>
>># Note that some of FreeBSD's defaults differ from OpenBSD's, and
>># FreeBSD has a few additional options.
>>
>>#VersionAddendum FreeBSD-20030924
>>
>>#Port 22
>>#Protocol 2,1
>>#ListenAddress 0.0.0.0
>>#ListenAddress ::
>>
>># HostKey for protocol version 1
>>#HostKey /etc/ssh/ssh_host_key
>># HostKeys for protocol version 2
>>#HostKey /etc/ssh/ssh_host_dsa_key
>>
>># Lifetime and size of ephemeral version 1 server key
>>#KeyRegenerationInterval 3600
>>#ServerKeyBits 768
>>
>># Logging
>>#obsoletes QuietMode and FascistLogging
>>#SyslogFacility AUTH
>>#LogLevel INFO
>>
>># Authentication:
>>
>>LoginGraceTime 120
>>PermitRootLogin no
>>#StrictModes yes
>>
>>RSAAuthentication no
>>PubkeyAuthentication no
>>AuthorizedKeysFile    .ssh/authorized_keys
>>
>>AllowGroups grp1
>>
>># rhosts authentication should not be used
>>#RhostsAuthentication no
>># Don't read the user's ~/.rhosts and ~/.shosts files
>>#IgnoreRhosts yes
>># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>>#RhostsRSAAuthentication no
>># similar for protocol version 2
>>#HostbasedAuthentication no
>># Change to yes if you don't trust ~/.ssh/known_hosts for
>># RhostsRSAAuthentication and HostbasedAuthentication
>>#IgnoreUserKnownHosts no
>>
>># To disable tunneled clear text passwords, change to no here!
>>PasswordAuthentication no
>>PermitEmptyPasswords no
>>
>># Change to no to disable PAM authentication
>>ChallengeResponseAuthentication yes
>>
>># Kerberos options
>>#KerberosAuthentication no
>>#KerberosOrLocalPasswd yes
>>#KerberosTicketCleanup yes
>>
>>#AFSTokenPassing no
>>
>># Kerberos TGT Passing only works with the AFS kaserver
>>#KerberosTgtPassing no
>>
>>#X11Forwarding yes
>>#X11DisplayOffset 10
>>#X11UseLocalhost yes
>>#PrintMotd yes
>>#PrintLastLog yes
>>KeepAlive yes
>>#UseLogin no
>>#UsePrivilegeSeparation yes
>>#PermitUserEnvironment no
>>#Compression yes
>>
>>#MaxStartups 10
>># no default banner path
>>#Banner /some/path
>>#VerifyReverseMapping no
>>
>># override default of no subsystems
>>Subsystem    sftp    /usr/libexec/sftp-server
>>
>
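
Added example, not part of the original message or of FreeBSD/OpenSSH: a small sh/awk check that lists the `*Authentication` directives a config sets explicitly and which of them remain enabled, run on a constructed excerpt of the file posted above. The function names and the excerpt are assumptions; the check relies on sshd keeping the first value it reads for a keyword.

```shell
#!/bin/sh
# Added example: which authentication methods does an sshd_config leave on?

# Constructed excerpt: the authentication directives from the file posted
# above, with two of its commented-out lines kept to exercise comment handling.
sample_config() {
cat <<'EOF'
# rhosts authentication should not be used
#RhostsRSAAuthentication no
#HostbasedAuthentication no
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
AllowGroups grp1
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
EOF
}

# Print "Keyword value" for every *Authentication keyword set explicitly.
# Keywords are case-insensitive and sshd keeps the first value it reads.
auth_settings() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        { sub(/=/, " ") }                   # accept the "Keyword=value" form
        {
            key = tolower($1)
            if (key !~ /authentication$/ || (key in seen)) next
            seen[key] = 1
            print $1, tolower($2)
        }
    ' "$1"
}

# Print only the methods whose explicit value is "yes".
enabled_auth() {
    auth_settings "$1" | awk '$2 == "yes" { print $1 }'
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "Explicit settings:"; auth_settings "$cfg"
echo "Still enabled:";     enabled_auth "$cfg"
rm -f "$cfg"
```

On the posted settings the only method left enabled is ChallengeResponseAuthentication, which the file's own comment ties to PAM authentication, so the PAM configuration used by sshd is the next place to review.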
