PHK's MD5 might not be slow enough anymore

Matthew Dillon dillon at
Mon Feb 1 18:25:01 UTC 2010

:Matthew Dillon <dillon at> writes:
:>     Just give up and turn off tunneled plaintext passwords over the
:>     network.  No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
:>     Just run sshd and put this in your sshd_config:
:> 	# To disable tunneled clear text passwords, change to no here!
:> 	PasswordAuthentication no
:This does not do what you think it does.  RTFM.
:Dag-Erling Smørgrav - des at

    Here's a thought, DES.  Try acting like the professional you
    profess to be instead of the 5-year-old you clearly are.

    It looks like the defaults in FreeBSD are different, so shoot me.
    Ah, I see, YOU were the one who changed the FreeBSD defaults to be
    less secure.  Now I understand.  The OpenSSH folks give you a nice
    default-secure setting and an easy way to change it in sshd_config
    and your answer is to actually modify the base code in the contrib
    instead and turn things all around?  Shame on you.

    So, FreeBSD users, it looks like you have to play Russian roulette
    with your sshd_config options if you want the directives to actually
    work.  But hey, I'm sure DES will be happy to flip you off instead
    of telling you which options will work with FreeBSD.  So I guess I'll
    have to instead.

    If you don't need PAM's extra features for your sshd access (which is
    most people) then turn PAM off in your sshd_config to work around the
    base code change that DES made.  Then the other options will work as
    intended.  And, just to be safe, also turn off the challenge-response

	UsePAM no
	ChallengeResponseAuthentication no
	PasswordAuthentication no

    There, all better.  PAM has its advantages, but only for a very small
    percentage of users.  Its disadvantage is in its complexity and the
    ease with which a misconfiguration can result in a security hole.  If
    there is no need for ssh to use it in your configuration then it
    should be turned off.

				    Matthew Dillon 
				    <dillon at>

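Added example, not part of the original message: a Python check that reads sshd_config text and reports whether the three directives listed in the message are each explicitly set to "no". The sample config and the function names are constructed for illustration; an unset directive is reported rather than guessed, since the message notes that defaults differ between builds.

```python
# Added example: audit sshd_config text for the three directives in the message.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real host.
REQUIRED = ("usepam", "challengeresponseauthentication", "passwordauthentication")

SAMPLE_CONFIG = """\
# constructed sample
Port 22
PasswordAuthentication no
#UsePAM no
ChallengeResponseAuthentication no
# a later duplicate is ignored: sshd uses the first value it obtains
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global_settings, match_overrides) for the REQUIRED keywords."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            match = " ".join(args)                # the rest of the file is conditional
        elif key in REQUIRED and args:
            if match is None:
                settings.setdefault(key, args[0])  # first occurrence wins
            else:
                overrides.append((match, key, args[0]))
    return settings, overrides

def audit(text):
    """List findings; an empty list means all three are explicitly 'no'."""
    settings, overrides = parse(text)
    findings = []
    for key in REQUIRED:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, build default applies")
        elif value != "no":
            findings.append(f"{key}: set to {value}")
    findings += [f"{k}: '{v}' inside Match {m}" for m, k, v in overrides if v != "no"]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Where sshd is installed, the effective values it will actually use can be compared against this with `sshd -T`.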