sshd, how is this possible, security bug?
Jonathan T. Sage
sagejona at theatre.msu.edu
Wed Jan 14 17:43:44 PST 2004
Didier Wiroth wrote:
> Hi,
>
> using freebsd 5.2 release.
>
> Below you can see what is not commented out in my sshd_config file, which is almost the default:
> #$FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $
> #VersionAddendum FreeBSD-20030924
> Protocol 2
> ListenAddress x.y.z.x
> LoginGraceTime 60
> PubkeyAuthentication yes
> PasswordAuthentication no
> PermitEmptyPasswords no
> PrintMotd yes
> PrintLastLog yes
> AllowGroups ssh
> Banner /usr/local/etc/ssh/banner
> Subsystem sftp /usr/libexec/sftp-server
>
> I'm using ssh windows client version 3.2.9 from:
> http://www.ssh.com
> I get a passphrase prompt, I enter xyz, press enter, then I'm prompted to enter my "password", I enter the password and I have my prompt:
> me at mypc:
>
> Is this a security bug, a misconfiguration or what?
>
> I thought I had disabled password authentication with: PasswordAuthentication no
>
> thx a lot
>
You did, from ssh's point of view. However, PAM is enabled, and it
allows password authentication. To do what you're asking, edit
sshd_config again and toggle this line:
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
This is my fix; it allows only pubkey logins. I'm sure this is also
possible with PAM, and actually would love to know how that works too :)
Hope this helps ~j
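The point of the reply above is that "PasswordAuthentication no" only closes one of two password-style paths: with ChallengeResponseAuthentication left at its default of "yes" and PAM in use, sshd still offers keyboard-interactive authentication, which PAM answers with the system password. The following shell check is an added example, not code from the thread or from the OpenSSH or FreeBSD projects. It reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive) and reports which password path is still open. The defaults it assumes when a keyword is absent (ChallengeResponseAuthentication yes, UsePAM yes as in the FreeBSD-shipped config) and the sample config it writes are constructed for the example.

```shell
# Added example: report which password-style login path an sshd_config
# still leaves open. Not part of the original thread.

# sshd_value FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD in FILE. Commented lines never
# match because their first field starts with '#'. The first uncommented
# occurrence wins, mirroring how sshd applies duplicate keywords.
# DEFAULT is printed when the keyword is absent.
sshd_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$default"
    fi
}

# password_path FILE
# Prints one of:
#   password              - PasswordAuthentication is effectively yes
#   keyboard-interactive  - password auth is off, but challenge/response
#                           plus PAM still accepts the system password
#   none                  - neither password path is available
# Assumed defaults for absent keywords (constructed, matching the FreeBSD
# shipped config): ChallengeResponseAuthentication yes, UsePAM yes.
password_path() {
    file=$1
    pw=$(sshd_value "$file" PasswordAuthentication yes)
    cr=$(sshd_value "$file" ChallengeResponseAuthentication yes)
    pam=$(sshd_value "$file" UsePAM yes)
    if [ "$pw" = yes ]; then
        echo password
    elif [ "$cr" = yes ] && [ "$pam" = yes ]; then
        echo keyboard-interactive
    else
        echo none
    fi
}

# make_sample_config FILE
# Write a constructed config resembling the one quoted in the question:
# password auth disabled, ChallengeResponseAuthentication not set.
make_sample_config() {
    cat > "$1" <<'EOF'
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups ssh
EOF
}

# Stand-alone demonstration: the quoted config still allows a password
# login through keyboard-interactive; adding the reply's fix closes it.
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
echo "as quoted:   $(password_path "$demo_cfg")"
echo "ChallengeResponseAuthentication no" >> "$demo_cfg"
echo "with fix:    $(password_path "$demo_cfg")"
rm -f "$demo_cfg"
```

Run it against a real file with `password_path /etc/ssh/sshd_config` after sourcing the script; "keyboard-interactive" is the state the original poster was in. Note that the check reads only the main file, so a directive pulled in by an Include on newer OpenSSH releases, or a Match block that overrides a keyword for some users, is not reflected.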