Date: Tue, 13 Jan 2004 13:30:15 -0800
From: Rishi Chopra <rchopra@cal.berkeley.edu>
To: Ruben de Groot <mail25@bzerk.org>
Cc: Matthew Seaman <matthew@cryptosphere.com>
Subject: Re: FreeBSD, SSH and "Enter Authentication Response"
Message-ID: <40046367.3050305@cal.berkeley.edu>
In-Reply-To: <20040113122853.GD57681@ei.bzerk.org>
References: <4003126E.5030107@cal.berkeley.edu> <20040113115550.GB23956@happy-idiot-talk.infracaninophile.co.uk> <20040113122853.GD57681@ei.bzerk.org>

I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh -
I'm running a default minimal installation of FreeBSD 5.2:

etc/ssh/ssh_config:

# $FreeBSD: src/crypto/openssh/ssh_config,v 1.21 2003/04/23 17:10:53 des Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP no
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# VersionAddendum FreeBSD-20030423

/etc/pam.d/ssh

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

Any ideas what I should change?

-Rishi

Ruben de Groot wrote:

>On Tue, Jan 13, 2004 at 11:55:50AM +0000, Matthew Seaman typed:
>
>>On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
>>
>>>I have a nitpicky question about logging into a FreeBSD machine and
>>>SSH. I'm using a minimal FreeBSD install and SSH Secure Shell client
>>>v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
>>>
>>Which FreeBSD version? And are you running the OpenSSH server
>>supplied with the system or one from ports?
>>
>
>Judging by name and version number, I think he's not running OpenSSH
>at all, but the other ssh implementation from ssh.org
>
>>>When I login to my machine, I'm prompted to enter an "authentication
>>>response". A window is displayed with "Enter Authentication Response"
>>>in the title bar, and two buttons at the bottom ('OK' and 'Cancel') -
>>>the text says:
>>>
>>>    Enter your authentication response.
>>>    Password:
>>>
>>Sounds like you've got the PAM based challenge-response authentication
>>enabled in your /etc/ssh/sshd_config (which is the default), but
>>your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
>>modified configuration.
>>
>>Here are a couple of things to try --
>>
>>Turn off Challenge-response authentication in /etc/ssh/sshd_config
>>
>>Change:
>>
>>    #ChallengeResponseAuthentication yes
>>
>>to
>>
>>    ChallengeResponseAuthentication no
>>
>>and then:
>>
>>    # kill -HUP `cat /var/run/sshd.pid`
>>
>>to get it to reread the config.
>>
>>    -- or --
>>
>>Double check the PAM settings: they should look like this in /etc/pam.conf
>>
>>    # OpenSSH with PAM support requires similar modules. The session one is
>>    # a bit strange, though...
>>    sshd auth sufficient pam_skey.so
>>    sshd auth sufficient pam_opie.so no_fake_prompts
>>    #sshd auth requisite pam_opieaccess.so
>>    #sshd auth sufficient pam_kerberosIV.so try_first_pass
>>    #sshd auth sufficient pam_krb5.so try_first_pass
>>    sshd auth required pam_unix.so try_first_pass
>>    sshd account required pam_unix.so
>>    sshd password required pam_permit.so
>>    sshd session required pam_permit.so
>>
>>The /etc/pam.d case is similar, except you should have a file called
>>'sshd' in that directory, whose contents are similar, but without the
>>'sshd' entries in the first column.
>>
>>    Cheers,
>>
>>    Matthew
>>
>>--
>>Dr Matthew J Seaman MA, D.Phil.                 26 The Paddocks
>>                                                Savill Way
>>PGP: http://www.infracaninophile.co.uk/pgpkey   Marlow
>>Tel: +44 1628 476614                            Bucks., SL7 1TH UK
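
The two checks suggested in the quoted reply, as an added example that is not part of the original message: the script reads the effective ChallengeResponseAuthentication value from an sshd_config and lists the active auth entries of a pam.d service file. The function names and the sshd_config fragments are constructed for illustration; the fallback of "yes" is the default the reply states, and the PAM lines are the auth section quoted in the message.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.
# Print the effective ChallengeResponseAuthentication value of an sshd_config.
# Commented lines set nothing and the first uncommented occurrence is used.
# With no occurrence, fall back to "yes", the default the reply describes.
effective_cra() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }            # strip indentation, re-split fields
        /^#/ || /^$/ { next }             # comments and blank lines
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# List the active "auth" entries of a pam.d service file as "control module".
pam_auth_stack() {
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed sshd_config fragment: the default line is still commented out.
cat > "$tmp/sshd_config.default" <<'EOF'
#ChallengeResponseAuthentication yes
EOF

# Constructed fragment after the change suggested in the reply.
cat > "$tmp/sshd_config.changed" <<'EOF'
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF

# The auth section of the pam.d file quoted in the message.
cat > "$tmp/pam_sshd" <<'EOF'
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
EOF

for f in "$tmp/sshd_config.default" "$tmp/sshd_config.changed"; do
    echo "${f##*/}: ChallengeResponseAuthentication $(effective_cra "$f")"
done
echo "active PAM auth stack:"
pam_auth_stack "$tmp/pam_sshd"
```

Point effective_cra at the server's /etc/ssh/sshd_config, the file the reply names; ssh_config is the client's system-wide file and does not control what the server prompts for.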