HELP!! sshd permitting password free logins

Ean Kingston ean at hedron.org
Sun Feb 13 21:39:34 GMT 2005


On February 13, 2005 04:10 pm, Gene wrote:
> I'm running version 5.3 of freebsd.
> I'm not sure what I did - I was experimenting in sshd_config. sshd began
> to permit logins without benefit of password.
>
> When logging in (I'm using putty from a local windows machine) I enter
> the user name. I'm presented with the challenge and the password prompt.
> If I hit enter I get the second password prompt with echo on. If I enter
> anything else to the first password prompt, or anything (or just the
> enter key) to the second prompt, I find myself logged on.

I'm not sure what you mean by a second password prompt. I've never seen SSH 
provide 2 password prompts.

> The allow groups directive in the config file works, only members of
> grp1 get logged on, but without passwords. This was working correctly
> before I started fooling around -
>
> any ideas?

Check to make sure the user you are logging in as has a password.

Also, check to make sure your ssh client is not sending an RSA key for 
authentication. I think that one is enabled by default. If you want to force 
passwords, make sure you aren't using RSA keys.

>
> Config file follows:
> ------------------------
> #    $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
> #    $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
>
> # Note that some of FreeBSD's defaults differ from OpenBSD's, and
> # FreeBSD has a few additional options.
>
> #VersionAddendum FreeBSD-20030924
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 120
> PermitRootLogin no
> #StrictModes yes
>
> #RSAAuthentication yes
> PubkeyAuthentication no
> AuthorizedKeysFile    .ssh/authorized_keys
>
> AllowGroups grp1
>
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> PermitEmptyPasswords no
>
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> #AFSTokenPassing no
>
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
>
> #X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
>
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
>
> # override default of no subsystems
> Subsystem    sftp    /usr/libexec/sftp-server
>

-- 
Ean Kingston

E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
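The thread turns on which authentication methods the posted sshd_config actually leaves enabled. The script below is an added example (not from the list posting or from OpenSSH) that reads a config with the sshd_config(5) rules, comments, case-insensitive keywords and first value wins, and reports the four auth settings discussed; the sample config it audits is constructed from the uncommented lines of Gene's file plus one duplicate line to show the first-match rule.

```shell
#!/bin/sh
# Added example: report the effective authentication settings of an sshd_config.
# sshd_config(5) rules used here: '#' starts a comment, keywords are
# case-insensitive, and for each keyword the FIRST value found wins.

# sshd_option CONFIG KEYWORD DEFAULT -> prints the effective value of KEYWORD.
sshd_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == kw { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print def }                # unset -> compiled-in default
    ' "$1"
}

# Summarise the four settings from the thread; the defaults passed in are the
# OpenSSH ones (yes, yes, yes, no) for when a keyword is absent or commented out.
audit_auth() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    cr=$(sshd_option "$1" ChallengeResponseAuthentication yes)
    pk=$(sshd_option "$1" PubkeyAuthentication yes)
    ep=$(sshd_option "$1" PermitEmptyPasswords no)
    printf 'PasswordAuthentication=%s ChallengeResponseAuthentication=%s ' "$pw" "$cr"
    printf 'PubkeyAuthentication=%s PermitEmptyPasswords=%s\n' "$pk" "$ep"
    if [ "$pw" = no ] && [ "$cr" = yes ]; then
        echo "NOTE: keyboard-interactive (PAM) is still enabled, so clients still get"
        echo "password-style prompts; the PAM stack, not PasswordAuthentication, decides them."
    fi
}

# Constructed sample: the uncommented lines from the posted config, plus a later
# duplicate PasswordAuthentication line that sshd ignores because the first wins.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
LoginGraceTime 120
PermitRootLogin no
  # indented comment line
PubkeyAuthentication no
AuthorizedKeysFile    .ssh/authorized_keys
AllowGroups grp1
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
Subsystem    sftp    /usr/libexec/sftp-server
EOF
audit_auth "$SAMPLE_CONFIG"
```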

