Date: Sun, 13 Feb 2005 23:54:15 -0600
From: Gene <listmail@Bomgardner.net>
To: Ean Kingston <ean@hedron.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: HELP!! sshd permitting password free logins
Message-ID: <42103D07.1020505@Bomgardner.net>
In-Reply-To: <200502131639.50072.ean@hedron.org>
References: <420FC246.10200@Bomgardner.net> <200502131639.50072.ean@hedron.org>

Ean Kingston wrote:

>On February 13, 2005 04:10 pm, Gene wrote:
>
>>I'm running version 5.3 of freebsd.
>>I'm not sure what I did - I was experimenting in sshd_config. sshd began
>>to permit logins without benefit of password.
>>
>>When logging in (I'm using putty from a local windows machine) I enter
>>the user name. I'm presented with the challenge and the password prompt.
>>If I hit enter I get the second password prompt with echo on. If I enter
>>anything else to the first password prompt, or anything (or just the
>>enter key) to the second prompt, I find myself logged on.
>>
>
>I'm not sure what you mean by a second password prompt. I've never seen SSH
>provide 2 password prompts.
>

Login accounts use opie. Once the user name is entered, a challenge is
displayed followed by a password prompt. Entered passwords at this prompt
do not echo. Normally, if you enter just a return, another prompt appears
with the notation "[echo on]" and the entered password is echoed as it is
entered.

>>The allow groups directive in the config file works, only members of
>>grp1 get logged on, but without passwords. This was working correctly
>>before I started fooling around -
>>
>>any ideas?
>>
>
>Check to make sure the user you are logging in as has a password.
>
>Also, check to make sure your ssh client is not sending an RSA key for
>authentication. I think that one is enabled by default. If you want to force
>passwords, make sure you aren't using RSA keys.
>

I disabled RSA keys in the config file, but the problem persists.

>>Config file follows:
>>------------------------
>># $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
>># $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23 des Exp $
>>
>># This is the sshd server system-wide configuration file. See
>># sshd_config(5) for more information.
>>
>># This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>>
>># The strategy used for options in the default sshd_config shipped with
>># OpenSSH is to specify options with their default value where
>># possible, but leave them commented. Uncommented options change a
>># default value.
>>
>># Note that some of FreeBSD's defaults differ from OpenBSD's, and
>># FreeBSD has a few additional options.
>>
>>#VersionAddendum FreeBSD-20030924
>>
>>#Port 22
>>#Protocol 2,1
>>#ListenAddress 0.0.0.0
>>#ListenAddress ::
>>
>># HostKey for protocol version 1
>>#HostKey /etc/ssh/ssh_host_key
>># HostKeys for protocol version 2
>>#HostKey /etc/ssh/ssh_host_dsa_key
>>
>># Lifetime and size of ephemeral version 1 server key
>>#KeyRegenerationInterval 3600
>>#ServerKeyBits 768
>>
>># Logging
>>#obsoletes QuietMode and FascistLogging
>>#SyslogFacility AUTH
>>#LogLevel INFO
>>
>># Authentication:
>>
>>LoginGraceTime 120
>>PermitRootLogin no
>>#StrictModes yes
>>
>>RSAAuthentication no
>>PubkeyAuthentication no
>>AuthorizedKeysFile .ssh/authorized_keys
>>
>>AllowGroups grp1
>>
>># rhosts authentication should not be used
>>#RhostsAuthentication no
>># Don't read the user's ~/.rhosts and ~/.shosts files
>>#IgnoreRhosts yes
>># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>>#RhostsRSAAuthentication no
>># similar for protocol version 2
>>#HostbasedAuthentication no
>># Change to yes if you don't trust ~/.ssh/known_hosts for
>># RhostsRSAAuthentication and HostbasedAuthentication
>>#IgnoreUserKnownHosts no
>>
>># To disable tunneled clear text passwords, change to no here!
>>PasswordAuthentication no
>>PermitEmptyPasswords no
>>
>># Change to no to disable PAM authentication
>>ChallengeResponseAuthentication yes
>>
>># Kerberos options
>>#KerberosAuthentication no
>>#KerberosOrLocalPasswd yes
>>#KerberosTicketCleanup yes
>>
>>#AFSTokenPassing no
>>
>># Kerberos TGT Passing only works with the AFS kaserver
>>#KerberosTgtPassing no
>>
>>#X11Forwarding yes
>>#X11DisplayOffset 10
>>#X11UseLocalhost yes
>>#PrintMotd yes
>>#PrintLastLog yes
>>KeepAlive yes
>>#UseLogin no
>>#UsePrivilegeSeparation yes
>>#PermitUserEnvironment no
>>#Compression yes
>>
>>#MaxStartups 10
>># no default banner path
>>#Banner /some/path
>>#VerifyReverseMapping no
>>
>># override default of no subsystems
>>Subsystem sftp /usr/libexec/sftp-server
>>
>>_______________________________________________
>>freebsd-questions@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to
>>"freebsd-questions-unsubscribe@freebsd.org"
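
Added example (not part of the original message, and not OpenSSH's own code): a small Python check that resolves which authentication methods the sshd_config quoted above leaves enabled. It assumes, following the file's own header comment, that commented `#Keyword value` lines show the default; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: authentication-related lines copied from the
# sshd_config quoted in the message above; everything else is trimmed.
POSTED_CONFIG = """\
RSAAuthentication no
PubkeyAuthentication no
# rhosts authentication should not be used
#RhostsAuthentication no
#RhostsRSAAuthentication no
#HostbasedAuthentication no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes
#KerberosAuthentication no
"""

# "#Keyword value" (no space after '#') is a commented-out default;
# "# text" is prose and does not match.
DIRECTIVE = re.compile(r"(#?)([A-Za-z][A-Za-z0-9]*)\s+(\S+)")

def effective_options(text):
    """Map lower-cased keyword -> (value, 'set' | 'default')."""
    explicit, defaults = {}, {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if not m:
            continue
        commented, key, value = m.group(1), m.group(2).lower(), m.group(3)
        # setdefault keeps the first occurrence: sshd uses the first value
        # it reads for a keyword and ignores later ones.
        (defaults if commented else explicit).setdefault(key, value)
    merged = {k: (v, "default") for k, v in defaults.items()}
    merged.update({k: (v, "set") for k, v in explicit.items()})
    return merged

def enabled_auth_methods(text):
    """Sorted *Authentication keywords whose effective value is 'yes'."""
    return sorted(k for k, (v, _) in effective_options(text).items()
                  if k.endswith("authentication") and v.lower() == "yes")

if __name__ == "__main__":
    for key, (value, source) in sorted(effective_options(POSTED_CONFIG).items()):
        print(f"{key:34} {value:4} ({source})")
    print("enabled:", enabled_auth_methods(POSTED_CONFIG))
```

For the posted file the only method left enabled is challenge-response, which the file's own comment ties to PAM authentication, so that is the path every login on this host goes through.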