FreeBSD, SSH and "Enter Authentication Response"

Ruben de Groot mail25 at bzerk.org
Tue Jan 13 13:55:20 PST 2004 

On Tue, Jan 13, 2004 at 01:30:15PM -0800, Rishi Chopra typed:
> I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh - 
> I'm running a default minimal installation of FreeBSD 5.2:
> 
> etc/ssh/ssh_config:
> 
> # Host *
> #   ForwardAgent no
> #   ForwardX11 no
> #   RhostsAuthentication no
> #   RhostsRSAAuthentication no
> #   RSAAuthentication yes
> #   PasswordAuthentication yes
> #   HostbasedAuthentication no

As Matthew suggested, you can put the line

ChallengeResponseAuthentication no

in here. Then restart sshd

good luck,
Ruben

> #   BatchMode no
> #   CheckHostIP no
> #   StrictHostKeyChecking ask
> #   IdentityFile ~/.ssh/identity
> #   IdentityFile ~/.ssh/id_rsa
> #   IdentityFile ~/.ssh/id_dsa
> #   Port 22
> #   Protocol 2,1
> #   Cipher 3des
> #   Ciphers 
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> #   EscapeChar ~
> #   VersionAddendum FreeBSD-20030423
> 
> 
> /etc/pam.d/ssh
> 
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
> 
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_opie.so             no_warn 
> no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn 
> try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn 
> try_first_pass
> auth            required        pam_unix.so             no_warn 
> try_first_pass
> 
> # account
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
> 
> # session
> #session        optional        pam_ssh.so
> session         required        pam_permit.so
> 
> # password
> #password       sufficient      pam_krb5.so             no_warn 
> try_first_pass
> password        required        pam_unix.so             no_warn 
> try_first_pass
> 
> 
> Any ideas what I should change?
> 
> -Rishi
> 
> Ruben de Groot wrote:
> 
> >On Tue, Jan 13, 2004 at 11:55:50AM +0000, Matthew Seaman typed:
> > 
> >
> >>On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
> >>   
> >>
> >>>I have a nitpicky question about logging into a FreeBSD machine and 
> >>>SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client 
> >>>v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
> >>>     
> >>>
> >>Which FreeBSD version?  And are you running the OpenSSH server
> >>supplied with the system or one from ports?
> >>   
> >>
> >
> >Judging by name and version number, I think he's not running OpenSSH
> >at all, but the other ssh implementation from ssh.org
> >
> > 
> >
> >>>When I login to my machine, I'm prompted to enter an "authentication 
> >>>response".  A window is displayed with "Enter Authentication Response" 
> >>>in the title bar, and two buttons at the bottom ('OK' and 'Cancel') - 
> >>>the text says:
> >>>
> >>> Enter your authentication response.
> >>> Password:
> >>>     
> >>>
> >>Sounds like you've got the PAM based challenge-response authentication
> >>enabled in your /etc/ssh/sshd_config (which is the default), but
> >>your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
> >>modified configuration.
> >>
> >>Here are a couple of things to try --
> >>
> >>Turn off Challenge-response authentication in /etc/ssh/sshd_config 
> >>
> >>Change:
> >>
> >>   #ChallengeResponseAuthentication yes
> >>
> >>to
> >>
> >>   ChallengeResponseAuthentication no
> >>
> >>and then:
> >>
> >>   # kill -HUP `cat /var/run/sshd.pid`
> >>
> >>to get it to reread the config.
> >>
> >>-- or --
> >>
> >>Double check the PAM settings: they should look like this in /etc/pam.conf
> >>
> >>   # OpenSSH with PAM support requires similar modules.  The session one 
> >>   is
> >>   # a bit strange, though...
> >>   sshd    auth    sufficient      pam_skey.so
> >>   sshd    auth    sufficient      pam_opie.so                     
> >>   no_fake_prompts
> >>   #sshd   auth    requisite       pam_opieaccess.so
> >>   #sshd   auth    sufficient      pam_kerberosIV.so               
> >>   try_first_pass
> >>   #sshd   auth    sufficient      pam_krb5.so                     
> >>   try_first_pass
> >>   sshd    auth    required        pam_unix.so                     
> >>   try_first_pass
> >>   sshd    account required        pam_unix.so
> >>   sshd    password required       pam_permit.so
> >>   sshd    session required        pam_permit.so
> >>
> >>The /etc/pam.d case is similar, except you should have a file called
> >>'sshd' in that directory, whose contents are similar, but without the
> >>'sshd' entries in the first column.
> >>
> >>	Cheers,
> >>
> >>	Matthew
> >>
> >>
> >>-- 
> >>Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
> >>                                                     Savill Way
> >>PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> >>Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
> >>   
> >>
> >
> >
> >
> > 
> >
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list