HELP!! sshd permitting password free logins
Ean Kingston
ean at hedron.org
Sun Feb 13 21:39:34 GMT 2005
On February 13, 2005 04:10 pm, Gene wrote:
> I'm running version 5.3 of freebsd.
> I'm not sure what I did - I was experimenting in sshd_config. sshd began
> to permit logins without benefit of password.
>
> When logging in (I'm using putty from a local windows machine) I enter
> the user name. I'm presented with the challenge and the password prompt.
> If I hit enter I get the second password prompt with echo on. If I enter
> anything else to the first password prompt, or anything (or just the
> enter key) to the second prompt, I find myself logged on.
I'm not sure what you mean by a second password prompt. I've never seen SSH
provide 2 password prompts.
> The allow groups directive in the config file works, only members of
> grp1 get logged on, but without passwords. This was working correctly
> before I started fooling around -
>
> any ideas?
Check to make sure the user you are logging in as has a password.
Also, check to make sure your ssh client is not sending an RSA key for
authentication. I think that one is enabled by default. If you want to force
passwords, make sure you aren't using RSA keys.
>
> Config file follows:
> ------------------------
> # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
> # $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> # Note that some of FreeBSD's defaults differ from OpenBSD's, and
> # FreeBSD has a few additional options.
>
> #VersionAddendum FreeBSD-20030924
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 120
> PermitRootLogin no
> #StrictModes yes
>
> #RSAAuthentication yes
> PubkeyAuthentication no
> AuthorizedKeysFile .ssh/authorized_keys
>
> AllowGroups grp1
>
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> PermitEmptyPasswords no
>
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> #AFSTokenPassing no
>
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
>
> #X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
>
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
>
> # override default of no subsystems
> Subsystem sftp /usr/libexec/sftp-server
--
Ean Kingston
E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
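
Added example, not part of the original thread and not FreeBSD or OpenSSH code: a small Python check that reads an sshd_config like the one quoted above and lists which authentication directives are still set to yes. The names `SAMPLE`, `effective` and `enabled_methods` are hypothetical, and reading a `#Keyword value` line as the shipped default is an assumption taken from the file's own header comment, so confirm the defaults against the sshd actually running.

```python
import re

# Constructed sample: authentication-related lines copied from the quoted
# sshd_config above, with the mail quoting removed.
SAMPLE = """\
#Protocol 2,1
#RSAAuthentication yes
PubkeyAuthentication no
#RhostsRSAAuthentication no
#HostbasedAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
#KerberosAuthentication no
"""

# Yes/no directives from the file that each switch one login method on or off.
AUTH_KEYS = ["RSAAuthentication", "PubkeyAuthentication",
             "RhostsRSAAuthentication", "HostbasedAuthentication",
             "PasswordAuthentication", "ChallengeResponseAuthentication",
             "KerberosAuthentication"]

LINE = re.compile(r"^(#?)([A-Za-z][A-Za-z0-9]*)\s+(\S+)")

def effective(text):
    """Map lowercase keyword -> (value, 'explicit' | 'default').
    Uncommented lines win and the first occurrence is kept, as sshd does.
    A '#Keyword value' line (no space after '#') is read as the shipped
    default, following the convention stated in the file's header."""
    explicit, default = {}, {}
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # tolerate mail quoting
        m = LINE.match(line)
        if m:
            target = default if m.group(1) else explicit
            target.setdefault(m.group(2).lower(), m.group(3).lower())
    merged = {k: (v, "default") for k, v in default.items()}
    merged.update({k: (v, "explicit") for k, v in explicit.items()})
    return merged

def enabled_methods(text):
    """List (directive, source) for every auth directive whose value is yes."""
    conf = effective(text)
    return [(k, conf[k.lower()][1]) for k in AUTH_KEYS
            if conf.get(k.lower(), ("", ""))[0] == "yes"]

if __name__ == "__main__":
    for name, source in enabled_methods(SAMPLE):
        print(f"{name} yes ({source})")
```

On the posted settings this reports RSAAuthentication (shipped default) and ChallengeResponseAuthentication (explicit) as the two directives left on, which are the ones to examine when PasswordAuthentication and PubkeyAuthentication are both set to no.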