security bug with /etc/login.access
Tig
tigger at onemoremonkey.com
Thu Feb 19 14:40:27 PST 2004
On Thu, 19 Feb 2004 16:44:26 +0100
des at des.no (Dag-Erling Smørgrav) wrote:
> Sven Pfeifer <sven at yagonna.de> writes:
> > this looks like, you have configured
> >
> > PasswordAuthentication yes
> > and
> > Protocol 2,1
> >
> > in your server's /etc/ssh/sshd_config. So your client is trying to
> > authenticate to the _local_ id-File. If this is failing (3 times)
> > then it tries the PasswordAuthentication at the _remote_ machine.
>
> Uh, no. There is never any attempt by the client to authenticate the
> user against the client machine's password database. All four prompts
> are issued by the remote machine. The first three are from PAM, the
> fourth is OpenSSH's built-in password authentication which apparently
> does not respect login.access. The solution is to disable password
> authentication in /etc/ssh/sshd_config; this should be the default now
> that PAM works.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
OK, thanks, but do you mean:
'this should be the default now that PAM works, because I have just
updated the CVS repository'
or..
'this should be the default now that PAM works, but it's not at the
moment. Someone will (hopefully) fix it soon'
-Tig
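
An added example, not part of the original thread: one way to check an sshd_config for the condition DES describes, where OpenSSH's built-in password authentication is still enabled. The function names and the sample configuration are constructed for illustration; the `default` parameter assumes upstream OpenSSH behaviour (unset means "yes") and should be set to whatever your build actually defaults to.

```python
import re

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE = """\
# constructed sample sshd_config
Protocol 2,1
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication = yes
"""

# "Keyword value" or "Keyword=value"
LINE = re.compile(r'^(\S+?)(?:\s*=\s*|\s+)(.*)$')

def effective(text, keyword):
    """Return (global_value, [(match_criteria, value), ...]) for keyword.

    Keywords are case-insensitive, the first global value obtained is
    the one sshd uses, and lines after a Match line apply only to it.
    """
    keyword = keyword.lower()
    global_val, in_match, overrides = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if line.startswith("#") or not m:
            continue
        key = m.group(1).lower()
        val = m.group(2).strip().strip('"')
        if key == "match":
            in_match = val
        elif key == keyword:
            if in_match is not None:
                overrides.append((in_match, val.lower()))
            elif global_val is None:      # later duplicates are ignored
                global_val = val.lower()
    return global_val, overrides

def audit(text, default="yes"):
    """List every scope where built-in password auth ends up enabled."""
    val, overrides = effective(text, "PasswordAuthentication")
    findings = []
    if (val or default) == "yes":
        state = "yes" if val else "unset, default assumed " + default
        findings.append("global: PasswordAuthentication " + state)
    findings += ["Match %s: PasswordAuthentication yes" % c
                 for c, v in overrides if v == "yes"]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "built-in password auth disabled")
```

In the sample, the second `PasswordAuthentication no` does not take effect because the earlier lowercase line is read first, and the Match block re-enables it for one user even if the global setting is fixed.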