SSHD password authentication issue in 4.9-RELEASE and 5.1-RELEASE

unix_list unix_list at post.cz
Thu Nov 13 01:42:44 PST 2003


Hello,

try disabling PAM auth.

ChallengeResponseAuthentication no


-=Snoopy=-



On Thu, 13 Nov 2003 10:34:31 +0100
"Nils von Greyerz" <nisse at imtech.se> wrote:

> Wonder if you guys could help me out... have a security problem with sshd
> which enables a user to do a password login though the sshd_config states
> PasswordAuthentication no
> My config works fine in both Gentoo and OpenBSD 3.3 but users are able to
> login with tunneled clear text passwords in both 4.9 and 5.1
> I'm lost. Tried everything I can think of.
> Here is the config:
> 
> -------------------------------------------------------------------
> #       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
> #       $FreeBSD: src/crypto/openssh/sshd_config,v 1.32 2003/04/23 17:10:53 des Exp $
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
> # Note that some of FreeBSD's defaults differ from OpenBSD's, and
> # FreeBSD has a few additional options.
> 
> #VersionAddendum FreeBSD-20030423
> 
> Port 22
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> 
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_dsa_key
> 
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
> 
> # Logging
> #obsoletes QuietMode and FascistLogging
> SyslogFacility AUTH
> LogLevel INFO
> 
> # Authentication:
> 
> #LoginGraceTime 120
> PermitRootLogin no
> StrictModes yes
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile      .ssh/authorized_keys
> 
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> PermitEmptyPasswords no
> 
> # Change to no to disable PAM authentication
> #ChallengeResponseAuthentication yes
> 
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> 
> #AFSTokenPassing no
> 
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
> 
> #X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #KeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> 
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
> 
> # override default of no subsystems
> Subsystem       sftp    /usr/libexec/sftp-server
> -------------------------------------------------------------------
> 
> Everything else is default. I'm not starting SSHD with any additional
> parameters than the defaults in /etc/defaults/rc.conf and just added
> sshd_enable="YES" in /etc/rc.conf
> I have of course restarted sshd after changes in the config.
> Nothing is patched or updated in any way, it's from the stock install from
> the ISOs.
> Any ideas?
> Regards /Nils
> 
> Nils von Greyerz
> Senior Network Consultant,
> Juniper Certified Internet Associate: JNCIA-M #0090
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> 
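The check behind Snoopy's suggestion, turned into a small audit script (an added example, not code from either poster): it reads the effective values of PasswordAuthentication and ChallengeResponseAuthentication from an sshd_config using sshd's first-match and default-yes rules, and warns when the PAM keyboard-interactive path is still open even though PasswordAuthentication is "no". The sample config is constructed to mirror the relevant lines of Nils's file, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread). Audits an sshd_config for the gap
# Nils hit: PasswordAuthentication is "no", but ChallengeResponseAuthentication
# is commented out and so keeps its default of "yes", which on a PAM-enabled
# sshd still lets keyboard-interactive auth prompt for and accept a password.
# Caveat: Match blocks and included files are not handled.

# effective_value FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD (sshd uses the first match,
# keyword compared case-insensitively), or DEFAULT when it is never set.
effective_value() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_password_paths FILE
# Returns 0 when no password-based method remains, 1 otherwise; prints a verdict.
audit_password_paths() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    if [ "$pw" = no ] && [ "$cr" = no ]; then
        echo "OK: PasswordAuthentication=no ChallengeResponseAuthentication=no"
        return 0
    fi
    echo "WARN: PasswordAuthentication=$pw ChallengeResponseAuthentication=$cr:" \
         "PAM keyboard-interactive can still accept passwords"
    return 1
}

# Constructed sample mirroring the relevant lines of the posted config.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Protocol 2
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
EOF
audit_password_paths "$cfg" || :      # WARN: the commented line leaves the default
printf 'ChallengeResponseAuthentication no\n' >> "$cfg"   # Snoopy's fix
audit_password_paths "$cfg"           # OK
rm -f "$cfg"
```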


