Date: Mon, 7 Oct 2002 10:50:52 -0700 (PDT) From: Archie Cobbs <archie@dellroad.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: docs/43776: /etc/sshd_config settings overridden by PAM but not documented Message-ID: <200210071750.g97HoqeD056831@arch20m.dellroad.org>
>Number:         43776
>Category:       docs
>Synopsis:       /etc/sshd_config settings overridden by PAM but not documented
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 07 11:10:11 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Archie Cobbs
>Release:        FreeBSD 4.7-PRERELEASE i386
>Organization:
Packet Design
>Environment:
System: FreeBSD arch20m.dellroad.org 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #0: Sun Sep 15 19:59:17 PDT 2002 root@arch20m.dellroad.org:/usr/obj/usr/src/sys/THINKPAD i386
>Description:

The basic problem is that FreeBSD now ships with PAM enabled for sshd,
yet the man pages for sshd do not accurately reflect this. So it's
possible for an admin to think they are configuring sshd one way but
unknowingly opening a security hole.

Not only possible but it happened on a machine that I administer.
Fortunately I found out when I accidentally ssh'd into the machine
without having done 'ssh-add' for the RSA key, and it asked me for a
password, and I entered it and it let me in!

This happened even though I had these settings in sshd_config:

    PasswordAuthentication no
    PermitRootLogin without-password

This is an accident waiting to happen.

>How-To-Repeat:

Take stock 4.7-RC system, and change sshd_config to have this:

    PasswordAuthentication no
    PermitRootLogin without-password

These settings have NO EFFECT, because PAM overrides them.

Although the man page says that "PAMAuthenticationViaKbdInt" enables PAM,
actually it appears that "ChallengeResponseAuthentication" enables PAM.
Or something like that.

>Fix:

See email exchange below.
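The trap the report describes, turned into a check an admin can run against a config file before trusting it. This is an added example, not code from the PR or from FreeBSD/OpenSSH. It assumes, as the submitter observed, that the password prompt arrives through the challenge-response (keyboard-interactive/PAM) path, so the directive to look at is ChallengeResponseAuthentication, and that its default when absent is "yes"; the directive names and that default are assumptions about the OpenSSH of that era, not something the report itself documents. The two sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not part of the PR). Audit an sshd_config for the case the
# report describes: PasswordAuthentication is "no", but the challenge-response
# path that PAM hooks into is still enabled (default "yes" when the directive
# is absent; that default is an assumption, see the lead-in), so a password
# prompt still gets through.

# Print the effective value of a directive as sshd would read it:
# first occurrence wins, names are case-insensitive, comments and blank
# lines are ignored.  Prints $3 (the assumed default) if the directive
# never appears.
sshd_opt() {
    # $1 = config file, $2 = directive name, $3 = default when absent
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Return 0 when password-style logins are really closed off, 1 when the
# file only looks closed: PasswordAuthentication no, but
# ChallengeResponseAuthentication left at "yes" (or absent, which is the
# same thing under the assumed default).
audit_sshd_config() {
    f="$1"
    pw=$(sshd_opt "$f" PasswordAuthentication yes)
    cr=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
    if [ "$pw" = "no" ] && [ "$cr" != "no" ]; then
        echo "WARN: $f: PasswordAuthentication no, but" \
             "ChallengeResponseAuthentication is '$cr';" \
             "PAM can still prompt for a password" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs, not the submitter's actual file.
TMP=$(mktemp -d)

# What the report shows: looks locked down, is not.
cat > "$TMP/trap.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin without-password
EOF

# Same file with the challenge-response path closed as well.
cat > "$TMP/fixed.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin without-password
ChallengeResponseAuthentication no
EOF

audit_sshd_config "$TMP/trap.conf"  || echo "trap.conf flagged (expected)"
audit_sshd_config "$TMP/fixed.conf" && echo "fixed.conf passes"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` (or wherever the file lives on the host). The audit is a static heuristic only; the report's real point is that the effective behaviour came from PAM, not the file, so the check that actually matters is the one the submitter stumbled into by accident: connect with no key loaded (for example `ssh -o PubkeyAuthentication=no host`) and see whether a password gets you in.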
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210071750.g97HoqeD056831>