From owner-freebsd-questions@FreeBSD.ORG Sun Feb 13 21:10:41 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B826416A4CE for ; Sun, 13 Feb 2005 21:10:41 +0000 (GMT) Received: from brightstar.bomgardner.net (brightstar.bomgardner.net [209.240.79.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5AE7B43D2F for ; Sun, 13 Feb 2005 21:10:41 +0000 (GMT) (envelope-from listmail@Bomgardner.net) Received: from [192.168.0.2] (morningstar [192.168.0.2]) by brightstar.bomgardner.net (Postfix) with ESMTP id 9D15B21D865 for ; Sun, 13 Feb 2005 15:10:40 -0600 (CST) Message-ID: <420FC246.10200@Bomgardner.net> Date: Sun, 13 Feb 2005 15:10:30 -0600 From: Gene User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "freebsd-questions@FreeBSD. ORG" Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: HELP!! sshd permitting password free logins X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Feb 2005 21:10:41 -0000 I'm running version 5.3 of freebsd. I'm not sure what I did - I was experimenting in sshd_config. sshd began to permit logins without benefit of password. When logging in (I'm using putty from a local windows machine) I enter the user name. I'm presented with the challenge and the password prompt. If hit enter I get the second password prompt with echo on. If I enter anything else to the first password prompt, or anything (or just the enter key) to the second prompt, I find myself logged on. The allow groups directive in the config file works, only members of grp1 get logged on, but without passwords. This was working correctly before I started fooling around - any ideas? Cinfig file follows: ------------------------ # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ # $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. #VersionAddendum FreeBSD-20030924 #Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no #StrictModes yes #RSAAuthentication yes PubkeyAuthentication no AuthorizedKeysFile .ssh/authorized_keys AllowGroups grp1 # rhosts authentication should not be used #RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no # Change to no to disable PAM authentication ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server