[Bug 261342] security/openssh-portable: deceiving false security
Date: Wed, 19 Jan 2022 18:07:47 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261342

    Bug ID:    261342
    Summary:   security/openssh-portable: deceiving false security
    Product:   Ports & Packages
    Version:   Latest
    Hardware:  Any
    OS:        Any
    Status:    New
    Severity:  Affects Some People
    Priority:  ---
    Component: Individual Port(s)
    Assignee:  bdrewery@FreeBSD.org
    Reporter:  pmc@citylink.dinoex.sub.org
    Flags:     maintainer-feedback?(bdrewery@FreeBSD.org)

Short version: change 5ef0f821ecc6c892cb7a8ca232a24b7c0e3e5aab forgot to actually uncomment their setting, so it is without effect and only deceiving the operator (and seriously so).

Long version: Installing beforementioned port produces a default sshd server configuration in /usr/local/etc/ssh/sshd_config that contains this stance:

    # To enable tunneled clear text passwords, change to yes here!
    #PasswordAuthentication no
    #PermitEmptyPasswords no

This *SHOULD* mean that PasswordAuthentication is *OFF by default*, and need only be uncommented if desired to be otherwise. Just the same as with our sshd from base, where it works correctly.

Here it doesn't, as you can see when trying to connect with option -v:

    debug1: Authentications that can continue: publickey,password,keyboard-interactive

Only after *actually uncommenting* the setting:

    # To enable tunneled clear text passwords, change to yes here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

now we get the desired behaviour:

    debug1: Authentications that can continue: publickey,keyboard-interactive

And yes, this is 15 years old. I don't believe it.
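Added example, not part of the original report or of the port: a check that compares the commented-out sample settings in an sshd_config with the values the daemon actually runs with, as printed by `sshd -T`. The function names and both sample inputs are constructed for illustration; the `yes` in the dump is an assumption consistent with the `password` method seen in the report's `-v` output.

```python
import re

# "#Keyword value" with no space after '#' is a commented-out sample setting.
# Explanatory comments ("# To enable ...") start with "# " and match neither pattern.
SAMPLE = re.compile(r"^#([A-Za-z]\w*)[ \t=]+(\S.*?)\s*$")
ACTIVE = re.compile(r"^\s*([A-Za-z]\w*)[ \t=]+(\S.*?)\s*$")

# Constructed input: the stanza quoted in the report, as shipped by the port.
SHIPPED = (
    "# To enable tunneled clear text passwords, change to yes here!\n"
    "#PasswordAuthentication no\n"
    "#PermitEmptyPasswords no\n"
)
# Constructed `sshd -T` style dump (lowercase keyword, then value).
EFFECTIVE = "passwordauthentication yes\npermitemptypasswords no\n"

def parse_effective(dump):
    """Parse `sshd -T` style output into {keyword: value}."""
    effective = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def misleading_samples(config_text, effective_dump):
    """Return {keyword: (sample_value, effective_value)} for keywords that appear
    only as commented samples while sshd runs with a different value."""
    effective = parse_effective(effective_dump)
    active, samples = set(), {}
    for line in config_text.splitlines():
        hit = ACTIVE.match(line)
        if hit:
            if hit.group(1).lower() == "match":
                break  # Match blocks are conditional; check the global section only
            active.add(hit.group(1).lower())
            continue
        hit = SAMPLE.match(line)
        if hit:
            samples.setdefault(hit.group(1), hit.group(2))
    return {
        key: (value, effective[key.lower()])
        for key, value in samples.items()
        if key.lower() not in active
        and effective.get(key.lower(), value).lower() != value.lower()
    }
```

On a live host the second argument would be the output of `sshd -T` run as root against the same configuration file; multi-valued keywords such as HostKey keep only their first value here.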