Date: Sat, 19 Apr 2003 10:34:49 -0600
From: Joe Lewis
To: Olivier Dony
cc: questions@freebsd.org
cc: Willie Viljoen
Subject: Re: Why does SSH prompt for 2 passwords?

I am MOST appreciative of the tutorial on the matter that I have received.
The explanations have been simple, straightforward, and enlightening.
Thank all, for the help and info you have provided.

Joe

Olivier Dony wrote:
> On Fri, Apr 18, 2003 at 03:02:23PM +0200, Willie Viljoen wrote:
>
>>On Friday 18 April 2003 0:48, someone, possibly Joe Lewis, typed:
>>
>>
>>>Password:
>>>Response:
>>>joe@192.168.1.1's password:
>>
>>The first prompt is PAM challenge response authentication. This uses the PAM
>>system instead of just a flat read of /etc/master.passwd to authenticate,
>>and is also more secure than standard plaintext authentication.
>>
>>Unless your sshd is misconfigured, or your configuration files and binaries are
>>out of sync (this happened when a system is upgraded without doing
>>mergemaster), this should not be happening, and you should be able to log
>>in at the first prompt. It might also be that the ssh client you are using
>>does not handle challenge response authentication properly.
>
>
> Indeed and one thing you should check is whether you are not using SSH v1 by
> mistake. This might happen if you are using it with arg -1, e.g.:
>
>     $ ssh -1 somehost.domain.tld
>     Password:
>     Response:
>     $ ssh -2 somehost.domain.tld
>     Password:
>
> or if your ssh client is set up to try SSH v1 first, e.g. if using FreeBSD's
> one as it seems, that would be:
>
>     Protocol 1,2
>
> in the relevant part of your /etc/ssh/ssh_config, see ssh_config(5) for more
> details.
>
>
>>If you are happy with standard plaintext configuration, you may edit
>>/etc/ssh/sshd_config and change the setting to this:
>>
>># Change to no to disable PAM authentication
>>ChallengeResponseAuthentication no
>
>
> This will do if you control the ssh server you are connecting to, but that
> will only be a workaround and you probably want to fix the client problem,
> as the same could happen on other hosts.
>
>
>>I'd recommend you rather get PAM fixed though, or use public key
>>authentication instead, that's much more secure than any form of password
>>authentication.
>
>
> I'd second on using public key authentication, as this will make remote
> logins even faster, and more secure, provided that your private key is
> properly secured. The ssh(1) man page explains it somewhat in the SSH protocol
> version 2 section.
>
> Hope this helps.
>
> Olivier
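
An added example, not part of the thread and not written by any of its posters: a shell function that lists every Protocol directive in an ssh_config-style file and flags the ones that let the client try SSH v1, the client-side cause suggested in the quoted reply. The function name, the output format and the sample hosts are assumptions made for this illustration.

```shell
#!/bin/sh
# audit_ssh_protocol FILE
# Prints one line per Protocol directive:  <line> host="<scope>" protocol=<value> <verdict>
# Returns 1 if any directive allows SSH protocol 1, otherwise 0.
audit_ssh_protocol() {
    awk '
    BEGIN { scope = "(global)"; bad = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # drop leading whitespace
        if (line == "" || line ~ /^#/) next    # skip blank lines and comments
        # keyword and value are separated by whitespace or an optional "="
        if (match(line, /[ \t]*[= \t][ \t]*/) == 0) next
        key = tolower(substr(line, 1, RSTART - 1))   # keywords are case-insensitive
        val = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "host") { scope = val; next }     # remember the enclosing Host block
        if (key != "protocol") next
        gsub(/[ \t]/, "", val)
        split(val, v, ",")                     # versions are listed in order of preference
        if (v[1] == "1")                 verdict = "v1-tried-first"
        else if (("," val ",") ~ /,1,/)  verdict = "v1-fallback"
        else                             verdict = "v2-only"
        if (verdict != "v2-only") bad = 1
        printf "%d host=\"%s\" protocol=%s %s\n", NR, scope, val, verdict
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample input (hypothetical hosts, not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed ssh_config fragment
Host legacy.example.org
    Protocol 1,2
Host *.example.net
    Protocol = 2,1
Host *
    Protocol 2
EOF
audit_ssh_protocol "$sample" || echo "protocol 1 is still allowed by at least one entry"
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config; any line not marked v2-only is a candidate for the behaviour described in the thread.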