From owner-freebsd-questions@FreeBSD.ORG Sat Apr 19 10:37:47 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C02737B401 for ; Sat, 19 Apr 2003 10:37:47 -0700 (PDT)
Received: from sage.thought.org (dsl231-043-140.sea1.dsl.speakeasy.net [216.231.43.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6A3B43FBD for ; Sat, 19 Apr 2003 10:37:45 -0700 (PDT) (envelope-from kline@thought.org)
Received: from thought.org (root@tao [10.0.0.247]) by sage.thought.org (8.12.9/8.11.4) with ESMTP id h3JHbCkh073331; Sat, 19 Apr 2003 10:37:14 -0700 (PDT) (envelope-from kline@thought.org)
Received: (from kline@localhost) by thought.org (8.12.6/8.11.3) id h3JHbVYR093112; Sat, 19 Apr 2003 10:37:31 -0700 (PDT) (envelope-from kline)
Date: Sat, 19 Apr 2003 10:37:30 -0700
From: Gary D Kline
To: Olivier Dony
Message-ID: <20030419173730.GA77154@tao.thought.org>
References: <3E9F2F25.1050103@relia.net> <200304181502.23207.will@unfoldings.net> <20030419104149.GA16454@naboo.blacktrap.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030419104149.GA16454@naboo.blacktrap.net>
X-Organization: Thought Unlimited. Public service Unix since 1986.
X-Of_Interest: Observing 16 years of service to the Unix community
User-Agent: Mutt/1.5.3i
cc: Willie Viljoen
cc: questions@freebsd.org
cc: Joe Lewis
Subject: Re: Why does SSH prompt for 2 passwords?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 19 Apr 2003 17:37:47 -0000

On Sat, Apr 19, 2003 at 12:41:51PM +0200, Olivier Dony wrote:
> On Fri, Apr 18, 2003 at 03:02:23PM +0200, Willie Viljoen wrote:
> > On Friday 18 April 2003 0:48, someone, possibly Joe Lewis, typed:
> >
> > > Password:
> > > Response:
> > > joe@192.168.1.1's password:
> >
> > The first prompt is PAM challenge response authentication. This uses the PAM
> > system instead of just a flat read of /etc/master.passwd to authenticate,
> > and is also more secure than standard plaintext authentication.
> >
> > Unless your sshd is misconfigured, or your configuration files and binaries are
> > out of sync (this happens when a system is upgraded without doing
> > mergemaster), this should not be happening, and you should be able to log
> > in at the first prompt. It might also be that the ssh client you are using
> > does not handle challenge response authentication properly.
>
> Indeed, and one thing you should check is whether you are not using SSH v1 by
> mistake. This might happen if you are using it with arg -1, e.g.:
>
> $ ssh -1 somehost.domain.tld
> Password:
> Response:
> $ ssh -2 somehost.domain.tld
> Password:
>
> or if your ssh client is set up to try SSH v1 first, e.g. if using FreeBSD's
> one as it seems, that would be:
>
> Protocol 1,2

You're absolutely right. My config file was looking at v1 first. --Probably on at least one other server too, come to think of it...

> in the relevant part of your /etc/ssh/ssh_config, see ssh_config(5) for more
> details.
>
> > If you are happy with standard plaintext configuration, you may edit
> > /etc/ssh/sshd_config and change the setting to this:
> >
> > # Change to no to disable PAM authentication
> > ChallengeResponseAuthentication no
>
> This will do if you control the ssh server you are connecting to, but that
> will only be a workaround and you probably want to fix the client problem,
> as the same could happen on other hosts.
>
> > I'd recommend you rather get PAM fixed though, or use public key
> > authentication instead; that's much more secure than any form of password
> > authentication.
>
> I'd second using public key authentication, as this will make remote
> logins even faster, and more secure, provided that your private key is
> properly secured. The ssh(1) man page explains it somewhat in the SSH protocol
> version 2 section.
>

Right; there is more in ssh-keygen. I've used ssh for a few years and have my keys in .identity and identity.pub. If the newer authentication algorithms are lots better I'll switch. What's the general consensus on this?

Thanks much for your help; it did.. !

gary

--
Gary Kline kline@thought.org www.thought.org Public service Unix
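A check for the client-side cause Olivier points at, written here as an added example (it is not code from anyone in the thread): it reads an ssh_config-style file and reports whether Protocol lists 1 first, still allows 1 as a fallback, or is 2 only. The sample config files are constructed, and the script assumes the first uncommented Protocol line is the effective one.

```shell
#!/bin/sh
# Added example, not from anyone in the thread. It inspects an ssh_config-style
# file for the "Protocol 1,2" ordering that makes the client try SSH v1 first,
# which is what produced the extra "Password:/Response:" prompt above.
# Assumptions: the first uncommented Protocol line is the effective one (Host
# blocks are not resolved against a target), and the client is an OpenSSH of
# that era; OpenSSH 7.6 and later removed protocol 1 and ignore this keyword.

# Print the value of the first uncommented Protocol line, or "unset".
# Keyword matching is case-insensitive and "Protocol=2" is accepted, as in
# ssh_config(5).
ssh_protocol_value() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "protocol" && NF >= 2 { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Classify a Protocol value. "v1-first" reproduces the double prompt,
# "v1-allowed" still permits fallback to the obsolete protocol, "v2-only"
# is the fix the thread recommends, "unset" leaves the compiled-in default.
ssh_protocol_verdict() {
    case "$1" in
        1|1,*)      echo v1-first ;;
        *,1|*,1,*)  echo v1-allowed ;;
        2)          echo v2-only ;;
        unset)      echo unset ;;
        *)          echo unknown ;;
    esac
}

# Constructed sample configs (not real files from the poster's system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/v1_first" <<'EOF'
Host *
    # Protocol 2      <- commented out, so the next line wins
    Protocol 1,2
    ForwardX11 no
EOF
cat > "$SAMPLES/v2_only" <<'EOF'
Host *
    Protocol=2
EOF
printf 'Protocol 2,1\n' > "$SAMPLES/fallback"

for f in v1_first v2_only fallback; do
    echo "$f: $(ssh_protocol_verdict "$(ssh_protocol_value "$SAMPLES/$f")")"
done
```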