From: "Jonathan T. Sage"
Organization: MSU Dept of Theatre
Date: Wed, 14 Jan 2004 20:43:26 -0500
To: Didier Wiroth, questions@freebsd.org
Message-ID: <4005F03E.3010808@theatre.msu.edu>
In-Reply-To: <130d319f1f.19f1f130d3@etat.lu>
Subject: Re: sshd, how is this possible, security bug?

Didier Wiroth wrote:
> Hi,
>
> using freebsd 5.2 release.
>
> Below you can see what is not commented out in my sshd_config file, which is almost the default:
> #$FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $
> #VersionAddendum FreeBSD-20030924
> Protocol 2
> ListenAddress x.y.z.x
> LoginGraceTime 60
> PubkeyAuthentication yes
> PasswordAuthentication no
> PermitEmptyPasswords no
> PrintMotd yes
> PrintLastLog yes
> AllowGroups ssh
> Banner /usr/local/etc/ssh/banner
> Subsystem sftp /usr/libexec/sftp-server
>
> I'm using ssh windows client version 3.2.9 from:
> http://www.ssh.com
> I get a passphrase prompt, I enter xyz, press enter, then I'm prompted to enter my "password", I enter the password and I have my prompt:
> me@mypc:
>
> Is this a security bug, a misconfiguration or what?
>
> I thought I had disabled password authentication with: PasswordAuthentication no
>
> thx a lot
>

you did. from ssh's point of view. however, pam is enabled, and it allows password authentication. to do what you're asking, edit sshd_config again, and toggle this line

    # Change to no to disable PAM authentication
    ChallengeResponseAuthentication no

this is my fix, it allows only pubkey logins.
i'm sure this is also possible with PAM, and actually, would love to know how that works too :)

hope this helps

~j
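
Added example, not part of the original message: a small /bin/sh check for the situation in this thread, where PasswordAuthentication is "no" but challenge-response (PAM) still accepts a password. The function names are hypothetical; it assumes sshd uses the first occurrence of a keyword, matches keywords case-insensitively, and treats both keywords as "yes" when unset.

```shell
#!/bin/sh
# Added example (not from the original message or the FreeBSD project).
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and an unset keyword defaults to "yes".
# Match blocks and Keyword=value syntax are not handled.

# sshd_effective FILE KEYWORD
# Prints the first uncommented value of KEYWORD, or "yes" if it is unset.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "yes" }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == key { val = $2; exit }   # exit still runs END
        END { print val }
    ' "$1"
}

# audit_sshd_password_paths FILE
# Returns 0 only when neither setting can lead to a password prompt.
audit_sshd_password_paths() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
    if [ "$pw" = "no" ] && [ "$cr" = "no" ]; then
        echo "OK: password and challenge-response logins are both disabled"
        return 0
    fi
    [ "$pw" != "no" ] && echo "WARN: PasswordAuthentication=$pw"
    [ "$cr" != "no" ] && echo "WARN: ChallengeResponseAuthentication=$cr (PAM can still ask for a password)"
    return 1
}

# Demo on a constructed config modelled on the one quoted in the thread.
tmp=$(mktemp)
printf '%s\n' 'Protocol 2' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' '#ChallengeResponseAuthentication yes' > "$tmp"
audit_sshd_password_paths "$tmp" || true   # warns: challenge-response is still on
echo 'ChallengeResponseAuthentication no' >> "$tmp"
audit_sshd_password_paths "$tmp" || true   # passes once the line from the reply is set
rm -f "$tmp"
```

Run it against a copy of the live sshd_config after every edit; a non-zero return means a password prompt is still reachable even though PasswordAuthentication is off.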