From owner-freebsd-doc Mon Oct 7 11:10:26 2002
Message-Id: <200210071750.g97HoqeD056831@arch20m.dellroad.org>
Date: Mon, 7 Oct 2002 10:50:52 -0700 (PDT)
From: Archie Cobbs
Reply-To: Archie Cobbs
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: docs/43776: /etc/sshd_config settings overridden by PAM but not documented
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 43776
>Category: docs
>Synopsis: /etc/sshd_config settings overridden by PAM but not documented
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 07 11:10:11 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Archie Cobbs
>Release: FreeBSD 4.7-PRERELEASE i386
>Organization: Packet Design
>Environment:
System: FreeBSD arch20m.dellroad.org 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #0: Sun Sep 15 19:59:17 PDT 2002 root@arch20m.dellroad.org:/usr/obj/usr/src/sys/THINKPAD i386
>Description:
The basic problem is that FreeBSD now ships with PAM enabled for sshd, yet the man pages for sshd do not accurately reflect this. So it's possible for an admin to think they are configuring sshd one way but unknowingly opening a security hole.

Not only possible but it happened on a machine that I administer. Fortunately I found out when I accidentally ssh'd into the machine without having done 'ssh-add' for the RSA key, and it asked me for a password, and I entered it and it let me in! This happened even though I had these settings in sshd_config:

    PasswordAuthentication no
    PermitRootLogin without-password

This is an accident waiting to happen.
>How-To-Repeat:
Take stock 4.7-RC system, and change sshd_config to have this:

    PasswordAuthentication no
    PermitRootLogin without-password

These settings have NO EFFECT, because PAM overrides them. Although the man page says that "PAMAuthenticationViaKbdInt" enables PAM, actually it appears that "ChallengeResponseAuthentication" enables PAM. Or something like that.
>Fix:
See email exchange below.
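As an added example (not part of the PR, of OpenSSH or of FreeBSD), a POSIX sh audit that reads an sshd_config the way sshd does (first value of a keyword wins, keywords case-insensitive, unset keywords take their default) and flags the combination the report describes: PasswordAuthentication set to no while ChallengeResponseAuthentication, the knob the report identifies as enabling the PAM password prompt, is still at its default of yes. The two sample configs are constructed; the function names are my own.

```shell
#!/bin/sh
# Audit an sshd_config for the trap in PR docs/43776: "PasswordAuthentication no"
# alone does not stop password logins while PAM keyboard-interactive is still on.

# Effective value of an sshd_config keyword, as sshd resolves it: comments and
# blank lines skipped, first match wins, keyword compared case-insensitively.
# Usage: sshd_effective FILE KEYWORD DEFAULT   (prints the value, lowercased)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Returns 0 when both password paths are really closed, 1 when PAM can still
# prompt for (and accept) a password through keyboard-interactive.
audit_password_paths() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)   # sshd default: yes
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)  # default: yes
    if [ "$pw" = no ] && [ "$cr" = no ]; then
        echo "$1: OK (PasswordAuthentication and ChallengeResponseAuthentication both no)"
        return 0
    fi
    echo "$1: WARNING password prompt still reachable via PAM" \
         "(PasswordAuthentication=$pw ChallengeResponseAuthentication=$cr)"
    return 1
}

# Constructed sample configs (not the reporter's actual files).
TMP=${TMPDIR:-/tmp}/sshd_audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak" <<'EOF'
# looks locked down, but ChallengeResponseAuthentication is left at its default
PasswordAuthentication no
PermitRootLogin without-password
EOF
cat > "$TMP/fixed" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF

audit_password_paths "$TMP/weak"    # WARNING: PAM can still take a password
audit_password_paths "$TMP/fixed"   # OK
```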