From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 07:44:34 2004
Delivered-To: freebsd-security@freebsd.org
To: freebsd-security@freebsd.org
References: <20040219120450.1854b521@piglet.goo> <20040219123349.GB23725@yagonna.de>
From: des@des.no (Dag-Erling Smørgrav)
Date: Thu, 19 Feb 2004 16:44:26 +0100
In-Reply-To: <20040219123349.GB23725@yagonna.de> (Sven Pfeifer's message of "Thu, 19 Feb 2004 13:33:49 +0100")
User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix)
Subject: Re: secuirty bug with /etc/login.access
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 19 Feb 2004 15:44:34 -0000

Sven Pfeifer writes:
> This looks like you have configured
>
> PasswordAuthentication yes
> and
> Protocol 2,1
>
> in your server's /etc/ssh/sshd_config. So your client is trying to
> authenticate to the _local_ id-File. If this is failing (3 times) then
> it tries the PasswordAuthentication at the _remote_ machine.

Uh, no. There is never any attempt by the client to authenticate the
user against the client machine's password database. All four prompts
are issued by the remote machine. The first three are from PAM, the
fourth is OpenSSH's built-in password authentication which apparently
does not respect login.access.

The solution is to disable password authentication in
/etc/ssh/sshd_config; this should be the default now that PAM works.

DES
-- 
Dag-Erling Smørgrav - des@des.no
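A way to check a server's sshd_config for the two settings this thread turns on, as an added example that is not code from the list post or from OpenSSH. It models the parsing rules documented in sshd_config(5): keywords are case-insensitive, a keyword and its value are separated by whitespace or a single `=`, and for each keyword the first value read wins, so a "fix" appended at the bottom of the file changes nothing. The sample configs, the assumed default of `PasswordAuthentication yes`, and the hardened layout (`PasswordAuthentication no` with `UsePAM yes` and `ChallengeResponseAuthentication yes` so that PAM still runs) are constructed assumptions, not taken from the thread.

```python
"""Audit the global section of an sshd_config for the settings discussed
in the thread.

Constructed example, not code from the mailing list or from OpenSSH.
Parsing rules modelled (per sshd_config(5)): keywords are case-insensitive,
a line whose first non-blank character is '#' is a comment, keyword and
value are separated by whitespace or by a single '=', and for each keyword
the FIRST value read wins (later duplicates are ignored). Lines after a
'Match' directive apply only to matching connections, so the global scan
stops there; auditing Match blocks is out of scope here.
"""
import re

# Compiled-in default assumed for a key that is absent from the file
# (PasswordAuthentication defaults to yes, which is what bit the poster).
DEFAULTS = {"passwordauthentication": "yes"}

_OPTION_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*)$")


def parse_global_options(text):
    """Return {keyword_lowercase: first_value} for the global section."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTION_RE.match(line)
        if not m:
            continue                    # not a keyword/value line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                       # everything below is conditional
        options.setdefault(key, value)  # first obtained value wins
    return options


def audit(text):
    """Return a list of (keyword, effective_value, finding) tuples."""
    opts = parse_global_options(text)
    findings = []

    pw = opts.get("passwordauthentication",
                  DEFAULTS["passwordauthentication"]).lower()
    if pw == "yes":
        findings.append(("PasswordAuthentication", pw,
                         "sshd's built-in password auth is on; per the thread "
                         "it does not consult login.access, so use PAM instead"))

    proto = opts.get("protocol")
    if proto is not None:
        versions = [v.strip() for v in proto.split(",")]
        if "1" in versions:
            findings.append(("Protocol", proto,
                             "SSH protocol 1 is still offered"))
    return findings


# Constructed sample configs (assumptions, not the poster's real file).
WEAK_CONFIG = """\
# resembles the server described in the thread
Port 22
Protocol 2,1
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
# built-in password auth off; PAM still runs via keyboard-interactive
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

APPENDED_FIX_CONFIG = """\
# an admin appended 'PasswordAuthentication no' at the bottom, but sshd
# keeps the first value it reads, so the earlier 'yes' still wins
Protocol 2
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("appended-fix", APPENDED_FIX_CONFIG)]:
        print(name, audit(cfg) or "no findings")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the "appended-fix" sample is the case to remember, since the file looks fixed to a human reading top to bottom but sshd still has password authentication on.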