Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 12 Feb 2007 15:44:42 +0100
From:      Olaf Greve <o.greve@axis.nl>
To:        freebsd-questions@freebsd.org
Subject:   Help please: how to enable SSH password authentication under FreeBSD 6.2?
Message-ID:  <45D07D5A.2040307@axis.nl>

next in thread | raw e-mail | index | archive | help
Hi guys,

(Firstly: I posted this message well over an hour ago, and it does not 
seem to have come through, in case you recieve this twice, then I'm 
sorry for that :P )

Sorry to ask such a trivial question, and I'm positive it must have been
treated here before, but I just can't remember how to do it exactly, and
perhaps someone can give me a quick answer and spare me hours of further
RTFM-ing. :P

The issue:
I'm (re-) installing my fall-back server, and selected FreeBSD 6.2 i386
release (generic kernel, for now) for that. Now, I want to be able to
access it using SSH (PuTTY, most often) from anywhere in the world, and
hence would like to enable password authentication in SSH again.
Therefore, I used the same /etc/ssh/sshd_config (as listed down below,
with dummy names abc, def, and ghi in the AllowUsers line) as on my live
server, where this works fine. However, when I try accessing it using
PuTTY, PuTTY keeps failing mentioning something like 'host key check
failed'. In the debug.log file on the fallback machine, I learnt that
PuTTY only tries the SSH2 protocol, and doesn't fall back to SSH1 when
it notices that that fails. On the live server (FreeBSD 5.4-release
AMD64, custom kernel), this works a charm, and on that machine the
debug.log file does mention PuTTY (yes, the very same as used for trying
to connect to the fallback machine) that PuTTY falls back to SSH1 and
uses PAM for authentication...

The question:
I recall having had this issue before, and I *think* the resolution was
to enable PAM authentication or so outside of /etc/ssh/sshd_config. I
thought to recall that I either did this in rc.conf (or the defaults for
that), or in the custom kernel configuration. However, I couldn't find
any hints to that anymore on the live box...:(
Does anyone know how to get this going properly, and what it is that I'm
overlooking?

Tnx in advance and cheers!
Olafo

PS: the used /etc/ssh/sshd_config file's contents follows here:



#       $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
#       $FreeBSD: src/crypto/openssh/sshd_config,v 1.40 2004/04/20
09:37:29 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20040419

#Port 22
#Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG
PrintLastLog no

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
AllowUsers abc def ghi

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication (via challenge-response)
# and session processing.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45D07D5A.2040307>