Date: Wed, 19 Jan 2022 18:07:47 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 261342] security/openssh-portable: deceiving false security Message-ID: <bug-261342-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D261342 Bug ID: 261342 Summary: security/openssh-portable: deceiving false security Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: bdrewery@FreeBSD.org Reporter: pmc@citylink.dinoex.sub.org Assignee: bdrewery@FreeBSD.org Flags: maintainer-feedback?(bdrewery@FreeBSD.org) Short version:=20 change 5ef0f821ecc6c892cb7a8ca232a24b7c0e3e5aab forgot to actually uncomme= nt their setting, so it is without effect and only deceiving the operator (and seriousely so). Long version: Installing beforementioned port produces a default sshd server configuratio= n in /usr/local/etc/ssh/sshd_config that contains this stance: # To enable tunneled clear text passwords, change to yes here! #PasswordAuthentication no #PermitEmptyPasswords no This *SHOULD* mean that PasswordAuthentication is *OFF by default*, and need only be uncommented if desired to be otherwise. Just the same as with our s= shd from base, where it works correctly. Here it doesn't, as you can see when trying to connect with option -v: debug1: Authentications that can continue: publickey,password,keyboard-interactive Only after *actually uncomment* the setting: # To enable tunneled clear text passwords, change to yes here! PasswordAuthentication no #PermitEmptyPasswords no now we get the desired behavious: debug1: Authentications that can continue: publickey,keyboard-interactive And yes, this is 15 years old. I don't believe it. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-261342-7788>