Date: Wed, 26 Sep 2007 13:52:26 +0000
From: Pollywog <lists-fbsd@shadypond.com>
To: freebsd-questions@freebsd.org
Subject: Re: Confusion on SSH and PAM
Message-ID: <200709261352.26495.lists-fbsd@shadypond.com>
In-Reply-To: <20070926145429.B65660@dogmatix.home.rakhesh.com>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com> <46F910EE.6070005@cyberleo.net> <20070926145429.B65660@dogmatix.home.rakhesh.com>

On Wednesday 26 September 2007 11:02:26 Rakhesh Sasidharan wrote:
> CyberLeo Kitsana wrote:
> > Rakhesh Sasidharan wrote:
> >> Any ideas or nudges in the right direction as to why this is happening?
> >> Looks like I've understood the interaction between SSH and PAM wrong
> >> here, so would appreciate some enlightenment.
> >
> > According to my understanding of the SSH protocol, you're continually
> > asked because an authentication failure is not a fatal error.
> >
> > When authenticating an SSH session, a list of mutually supported methods
> > is compiled (public-key, challenge-response, S/Key,
> > keyboard-interactive, plaintext) and the client cycles through the list
> > based on what it thinks is most likely to work.
> >
> > It's perfectly acceptable for a client to attempt password
> > authentication before public-key, or even interleave them. All the
> > server can do is say yay or nay to an attempt with a restricted method,
> > because it cannot know if the next attempt may utilize an allowed method.
> >
> > After the requisite three or five failed attempts (depending on the
> > server config), it may send a general failure code (too many failed
> > attempts) and disconnect the client at its discretion.
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding is
> the SSHD will permit root logins if a command to be executed is given. But
> that doesn't seem to be the case in practice! I have keys set up for root
> to login, but instead of letting me in with those keys, SSHD ignores them,
> passes me to PAM for password prompting (three times) and then denies me
> out! Very strange.
>
> I even set up a "Match User" clause for root and specified a command to
> run. Still, SSHD refuses to let me in with/without key and for a specific
> command.

PermitRootLogin without-password won't allow what you want to do? To use it, you have to set up a passphrase (public key).
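An added example, not part of the thread: with "PermitRootLogin forced-commands-only", sshd accepts a root public key only when the matching authorized_keys line itself carries a command="..." option (the command the client asks for is replaced by that forced command and exposed to it as SSH_ORIGINAL_COMMAND). The shell function below audits a key file for lines that would be rejected under that setting; the file path and the sample key lines in the usage are constructed for illustration.

```shell
#!/bin/sh
# Audit an authorized_keys file intended for a root account that is
# protected by "PermitRootLogin forced-commands-only": every key line must
# carry a command="..." option or sshd will not accept it for root.
# Prints each offending line (with its line number) and returns 1 if any
# is found, 0 if all keys are restricted to a forced command.
audit_forced_keys() {
    file="$1"
    awk '
        function bad() {
            printf "line %d: no command= option: %s\n", NR, $0
            n++
        }
        /^[[:space:]]*$/ { next }                 # blank line
        /^[[:space:]]*#/ { next }                 # comment line
        # a line that starts with the key type carries no options at all
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { bad(); next }
        # options precede the key type; require command= among them
        # (heuristic: "command=" at the start or right after a comma)
        !($0 ~ /^command="/ || $0 ~ /,command="/) { bad(); next }
        END { exit n ? 1 : 0 }
    ' "$file"
}

# Usage with a constructed sample file (hypothetical path):
#   audit_forced_keys /root/.ssh/authorized_keys
```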