Date: Sat, 6 Jul 2002 02:47:06 -0700 (PDT) From: Christian Laursen <xi@borderworlds.dk> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/40261: sshd allows PasswordAuthentication even though it is turned off if ChallengeResponseAuthentication is enabled Message-ID: <200207060947.g669l6Aw007525@www.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 40261
>Category: bin
>Synopsis: sshd allows PasswordAuthentication even though it is turned off if ChallengeResponseAuthentication is enabled
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 06 02:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Christian Laursen
>Release: FreeBSD 4.6-STABLE
>Organization:
The Border Worlds
>Environment:
FreeBSD ferengi.borderworlds.dk 4.6-STABLE FreeBSD 4.6-STABLE #17: Fri Jul 5 10:42:51 CEST 2002 root@ferengi.borderworlds.dk:/usr/obj/usr/src/sys/FERENGI i386
>Description:
After upgrading yesterday and now running OpenSSH 3.4p1 I discovered by
accident, that I could log into my machine using PasswordAuthentication
even though I had disabled that in sshd_config.
After I tried disabling ChallengeResponseAuthentication too, it was
no longer possible to log in using passwords.
This is the OpenSSH included in the base system.
>How-To-Repeat:
This is my sshd_config, that produces the surprising behaviour:
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.4.2.9 2002/07/03 22:11:44 des Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20020629
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207060947.g669l6Aw007525>