From: Olaf Greve
Date: Mon, 12 Feb 2007 14:54:26 +0100
To: freebsd-questions@freebsd.org
Subject: Help please: how to enable SSH password authentication under FreeBSD 6.2?
Message-ID: <45D07192.2010701@axis.nl>

Hi guys,

Sorry to ask such a trivial question, and I'm positive it must have been treated here before, but I just can't remember how to do it exactly, and perhaps someone can give me a quick answer and spare me hours of further RTFM-ing. :P

The issue:
I'm (re-) installing my fall-back server, and selected FreeBSD 6.2 i386 release (generic kernel, for now) for that.
Now, I want to be able to access it using SSH (PuTTY, most often) from anywhere in the world, and hence would like to enable password authentication in SSH again. Therefore, I used the same /etc/ssh/sshd_config (as listed down below, with dummy names abc, def, and ghi in the AllowUsers line) as on my live server, where this works fine.

However, when I try accessing it using PuTTY, PuTTY keeps failing mentioning something like 'host key check failed'. In the debug.log file on the fallback machine, I learnt that PuTTY only tries the SSH2 protocol, and doesn't fall back to SSH1 when it notices that that fails.

On the live server (FreeBSD 5.4-release AMD64, custom kernel), this works a charm, and on that machine the debug.log file does mention PuTTY (yes, the very same as used for trying to connect to the fallback machine) that PuTTY falls back to SSH1 and uses PAM for authentication...

The question:
I recall having had this issue before, and I *think* the resolution was to enable PAM authentication or so outside of /etc/ssh/sshd_config. I thought to recall that I either did this in rc.conf (or the defaults for that), or in the custom kernel configuration. However, I couldn't find any hints to that anymore on the live box... :(

Does anyone know how to get this going properly, and what it is that I'm overlooking?

Tnx in advance and cheers!
Olafo

PS: the used /etc/ssh/sshd_config file's contents follows here:

# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.40 2004/04/20 09:37:29 des Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20040419

#Port 22
#Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG
PrintLastLog no

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
AllowUsers abc def ghi

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication (via challenge-response)
# and session processing.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
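
Added example, not part of the original message: a small Python audit that separates the directives actually set in the posted sshd_config from the commented-out defaults, and reports the options the question turns on (Protocol, HostKey, PasswordAuthentication, ChallengeResponseAuthentication, UsePAM). SAMPLE is an excerpt of the posted file; the function names are hypothetical, and only whitespace-separated global directives are handled.

```python
# Added example: separate explicitly set sshd_config directives from
# commented-out defaults. SAMPLE is an excerpt of the file posted above.
SAMPLE = """\
#Protocol 2
#HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_dsa_key
LogLevel DEBUG
AllowUsers abc def ghi
PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Keywords sshd accepts more than once; for all others the first value wins.
MULTI = {"hostkey", "listenaddress", "port", "allowusers", "subsystem"}

# Options the message is about (protocol version, host keys, password/PAM auth).
OF_INTEREST = ["Protocol", "HostKey", "PasswordAuthentication",
               "ChallengeResponseAuthentication", "UsePAM"]


def parse_sshd_config(text):
    """Return {lowercased keyword: [values]} for uncommented directives only."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out default
        parts = line.split(None, 1)
        key = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in active and key not in MULTI:
            continue                      # sshd keeps the first value it reads
        active.setdefault(key, []).append(value)
    return active


def report(text, keywords=OF_INTEREST):
    """Map each keyword to its explicit value(s), or None if left at default."""
    active = parse_sshd_config(text)
    return {k: active.get(k.lower()) for k in keywords}


if __name__ == "__main__":
    for name, values in report(SAMPLE).items():
        print(f"{name:33} {'(default)' if values is None else ', '.join(values)}")
```

Anything reported as (default) is decided by the sshd binary's compiled-in defaults rather than by this file, so two hosts sharing the same file can still behave differently when their sshd builds differ.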