From owner-freebsd-questions@FreeBSD.ORG  Tue Jan 13 03:56:21 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B623616A4CE
	for <questions@freebsd.org>; Tue, 13 Jan 2004 03:56:21 -0800 (PST)
Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk
	[81.2.69.218])	by mx1.FreeBSD.org (Postfix) with ESMTP id BBB5D43D67
	for <questions@freebsd.org>; Tue, 13 Jan 2004 03:56:00 -0800 (PST)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1])
	i0DBtpfn034620
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 13 Jan 2004 11:55:51 GMT
	(envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost)id i0DBtolB034619;
	Tue, 13 Jan 2004 11:55:50 GMT	(envelope-from matthew)
Date: Tue, 13 Jan 2004 11:55:50 +0000
From: Matthew Seaman <matthew@cryptosphere.com>
To: Rishi Chopra <rchopra@cal.berkeley.edu>
Message-ID: <20040113115550.GB23956@happy-idiot-talk.infracaninophile.co.uk>
Mail-Followup-To: Matthew Seaman <matthew@cryptosphere.com>,
	Rishi Chopra <rchopra@cal.berkeley.edu>, questions@freebsd.org
References: <4003126E.5030107@cal.berkeley.edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="ZfOjI3PrQbgiZnxM"
Content-Disposition: inline
In-Reply-To: <4003126E.5030107@cal.berkeley.edu>
User-Agent: Mutt/1.5.5.1i
X-Spam-Status: No, hits=-4.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham 
	version=2.61
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on 
	happy-idiot-talk.infracaninophile.co.uk
cc: questions@freebsd.org
Subject: Re: FreeBSD, SSH and "Enter Authentication Response"
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2004 11:56:21 -0000


--ZfOjI3PrQbgiZnxM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
> I have a nitpicky question about logging into a FreeBSD machine and=20
> SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client=20
> v3.2.0 - the crux of the problem is I am unable to "smoothly" login.

Which FreeBSD version?  And are you running the OpenSSH server
supplied with the system or one from ports?

> When I login to my machine, I'm prompted to enter an "authentication=20
> response".  A window is displayed with "Enter Authentication Response"=20
> in the title bar, and two buttons at the bottom ('OK' and 'Cancel') -=20
> the text says:
>=20
>   Enter your authentication response.
>   Password:

Sounds like you've got the PAM based challenge-response authentication
enabled in your /etc/ssh/sshd_config (which is the default), but
your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
modified configuration.

Here are a couple of things to try --

Turn off Challenge-response authentication in /etc/ssh/sshd_config=20

Change:

    #ChallengeResponseAuthentication yes

to

    ChallengeResponseAuthentication no

and then:

    # kill -HUP `cat /var/run/sshd.pid`

to get it to reread the config.

 -- or --

Double check the PAM settings: they should look like this in /etc/pam.conf

    # OpenSSH with PAM support requires similar modules.  The session one is
    # a bit strange, though...
    sshd    auth    sufficient      pam_skey.so
    sshd    auth    sufficient      pam_opie.so                     no_fake=
_prompts
    #sshd   auth    requisite       pam_opieaccess.so
    #sshd   auth    sufficient      pam_kerberosIV.so               try_fir=
st_pass
    #sshd   auth    sufficient      pam_krb5.so                     try_fir=
st_pass
    sshd    auth    required        pam_unix.so                     try_fir=
st_pass
    sshd    account required        pam_unix.so
    sshd    password required       pam_permit.so
    sshd    session required        pam_permit.so

The /etc/pam.d case is similar, except you should have a file called
'sshd' in that directory, whose contents are similar, but without the
'sshd' entries in the first column.

	Cheers,

	Matthew


--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--ZfOjI3PrQbgiZnxM
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAA9zGdtESqEQa7a0RAo/gAJ4ym4hYGJY0JvzxbBbiEjbFYt1mkQCfY/TC
AE2cAnC54HtgoButEg+flx4=
=dvcn
-----END PGP SIGNATURE-----

--ZfOjI3PrQbgiZnxM--