From owner-freebsd-questions@FreeBSD.ORG Wed Sep 26 13:52:40 2007
From: Pollywog
To: freebsd-questions@freebsd.org
Date: Wed, 26 Sep 2007 13:52:26 +0000
Subject: Re: Confusion on SSH and PAM
References: <20070925150058.J79029@dogmatix.home.rakhesh.com> <46F910EE.6070005@cyberleo.net> <20070926145429.B65660@dogmatix.home.rakhesh.com>
In-Reply-To: <20070926145429.B65660@dogmatix.home.rakhesh.com>
Message-Id: <200709261352.26495.lists-fbsd@shadypond.com>

On Wednesday 26 September 2007 11:02:26 Rakhesh Sasidharan wrote:
> CyberLeo Kitsana wrote:
> > Rakhesh Sasidharan wrote:
> >> Any ideas or nudges in the right direction as to why this is happening?
> >> Looks like I've understood the interaction between SSH and PAM wrong
> >> here, so would appreciate some enlightenment.
> >
> > According to my understanding of the SSH protocol, you're continually
> > asked because an authentication failure is not a fatal error.
> >
> > When authenticating an SSH session, a list of mutually supported methods
> > is compiled (public-key, challenge-response, S/Key, keyboard-interactive,
> > plaintext) and the client cycles through the list based on what it thinks
> > is most likely to work.
> >
> > It's perfectly acceptable for a client to attempt password authentication
> > before public-key, or even interleave them. All the server can do is say
> > yay or nay to an attempt with a restricted method, because it cannot know
> > if the next attempt may utilize an allowed method.
> >
> > After the requisite three or five failed attempts (depending on the
> > server config), it may send a general failure code (too many failed
> > attempts) and disconnect the client at its discretion.
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding is
> the SSHD will permit root logins if a command to be executed is given. But
> that doesn't seem to be the case in practice! I have keys set up for root
> to log in, but instead of letting me in with those keys, SSHD ignores them,
> passes me to PAM for password prompting (three times) and then denies me
> out! Very strange.
>
> I even set up a "Match User" clause for root and specified a command to
> run. Still, SSHD refuses to let me in with/without key and for a specific
> command.

PermitRootLogin without-password won't allow what you want to do? To use it, you have to set up a passphrase (public key).
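Added example, not from this thread or from the OpenSSH project: with `PermitRootLogin forced-commands-only`, sshd_config(5) documents that root may log in only with a public key whose authorized_keys line carries a `command="..."` option, and all other methods are disabled for root; the check below flags key lines in such a file that lack that option and would therefore never let root in. The key lines and paths are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of /root/.ssh/authorized_keys (key material is a placeholder).
SAMPLE_KEYS='command="/usr/local/bin/backup-pull",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER1 backup@host
ssh-rsa AAAAB3PLACEHOLDER2 admin@laptop
# comment line
from="192.0.2.10",command="/bin/date" ssh-ed25519 AAAAC3PLACEHOLDER3 monitor@host'

# Print "<line-no>: <line>" for every key line that has no command="..." option.
# Options precede the key type, so a command= found after the key type (for
# example inside the trailing comment) does not count.
keys_without_command() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blanks
        {
            c = index($0, "command=\"")
            k = match($0, /(^|[[:space:]])(ssh-|ecdsa-|sk-)/)
            if (c > 0 && (k == 0 || c < RSTART)) next  # forced command present
            print NR ": " $0
        }'
}

# Succeeds (exit 0) only when every key line carries a forced command, i.e.
# when the file is usable under PermitRootLogin forced-commands-only.
audit_forced_commands_only() {
    n=$(keys_without_command "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Typical use on a real host: audit_forced_commands_only "$(cat /root/.ssh/authorized_keys)"
keys_without_command "$SAMPLE_KEYS"
```

Running it against the sample reports line 2 (`admin@laptop`), the key that would be silently ignored for root under forced-commands-only.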