From: Ean Kingston
To: freebsd-questions@freebsd.org
Cc: Gene
Date: Sun, 13 Feb 2005 16:39:49 -0500
Subject: Re: HELP!! sshd permitting password free logins

On February 13, 2005 04:10 pm, Gene wrote:
> I'm running version 5.3 of freebsd.
> I'm not sure what I did - I was experimenting in sshd_config. sshd began
> to permit logins without benefit of password.
>
> When logging in (I'm using putty from a local windows machine) I enter
> the user name. I'm presented with the challenge and the password prompt.
> If I hit enter I get the second password prompt with echo on. If I enter
> anything else to the first password prompt, or anything (or just the
> enter key) to the second prompt, I find myself logged on.

I'm not sure what you mean by a second password prompt.
I've never seen SSH provide 2 password prompts.

> The allow groups directive in the config file works, only members of
> grp1 get logged on, but without passwords. This was working correctly
> before I started fooling around -
>
> any ideas?

Check to make sure the user you are logging in as has a password. Also, check
to make sure your ssh client is not sending an RSA key for authentication. I
think that one is enabled by default. If you want to force passwords, make
sure you aren't using RSA keys.

>
> Config file follows:
> ------------------------
> # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
> # $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23
> des Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> # Note that some of FreeBSD's defaults differ from OpenBSD's, and
> # FreeBSD has a few additional options.
>
> #VersionAddendum FreeBSD-20030924
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 120
> PermitRootLogin no
> #StrictModes yes
>
> #RSAAuthentication yes
> PubkeyAuthentication no
> AuthorizedKeysFile .ssh/authorized_keys
>
> AllowGroups grp1
>
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> PermitEmptyPasswords no
>
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> #AFSTokenPassing no
>
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
>
> #X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
>
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
>
> # override default of no subsystems
> Subsystem sftp /usr/libexec/sftp-server

-- 
Ean Kingston
E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
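
An added example, not part of the original message and not OpenSSH code: a Python check that reads an sshd_config the way the quoted file describes itself (commented `#Keyword value` lines are shipped defaults, uncommented lines override them) and lists which authentication methods remain enabled. The sample input is constructed from lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: authentication-related lines copied from the sshd_config
# quoted in the message above (commented lines show the shipped defaults).
SAMPLE = """\
#RSAAuthentication yes
PubkeyAuthentication no
#RhostsRSAAuthentication no
#HostbasedAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes
#KerberosAuthentication no
"""

# "#Keyword value" (no space after '#') is a commented default; "# text" is prose.
LINE = re.compile(r"^(#?)([A-Za-z]+)\s+(\S+)")

def effective_auth(text):
    """Map each *Authentication keyword (lowercased) to (value, 'set'|'default')."""
    explicit, defaults = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(2).lower().endswith("authentication"):
            continue
        target = defaults if m.group(1) else explicit
        # sshd uses the first value it obtains for a keyword; later ones are ignored.
        target.setdefault(m.group(2).lower(), m.group(3).lower())
    merged = {k: (v, "default") for k, v in defaults.items()}
    merged.update({k: (v, "set") for k, v in explicit.items()})
    return merged

def enabled_methods(text):
    """Keywords whose effective value is 'yes', i.e. ways a login can still succeed."""
    return sorted(k for k, (v, _) in effective_auth(text).items() if v == "yes")

def findings(text):
    """Flag the combination where password prompts are served by PAM instead of sshd."""
    auth = effective_auth(text)
    notes = []
    if (auth.get("passwordauthentication", ("",))[0] == "no"
            and auth.get("challengeresponseauthentication", ("",))[0] == "yes"):
        notes.append("PasswordAuthentication is off but ChallengeResponseAuthentication "
                     "is on: prompts come from PAM, so review the sshd PAM policy")
    return notes

if __name__ == "__main__":
    print(enabled_methods(SAMPLE))
    for note in findings(SAMPLE):
        print("NOTE:", note)
```

Run against the full file on the server, the list shows every method still answering logins, which narrows where to look when `PasswordAuthentication no` appears to have no effect.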