[nycbug-talk] ssh password auth note
Charles Sprickman
spork at bway.net
Fri Apr 7 20:01:05 EDT 2006
Hi all,
Just thought I'd share something that I just discovered...
I've made it standard practice when I bring up a unix host that has ssh
open to the world to edit sshd_config and set it to only accept protocol 2
and to not allow passwords.
Today I was working on a FreeBSD jail (4.11) and I had not yet done this,
nor had I transferred my keys over. I made the config changes and ssh'd
to the box, and was let in with my password. After double-checking
everything and restarting sshd, I got the same result.
This auth.log message stuck out:
    Apr 7 19:36:27 devel4 sshd[53082]: Accepted keyboard-interactive/pam for spork from 68.45.2.223 port 52130 ssh2
PAM. Hmmm. So it appears that the option to disallow passwords is
basically circumvented by PAM.
To stop that, this line must also be set to "no":
    # Change to no to disable PAM authentication
    ChallengeResponseAuthentication no
Like I said, maybe I'm the only one that didn't know this...
Charles
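
The check described in the message above, as an added example that is not part of the original post: a small audit that reads sshd_config text and lists every method that can still take a password. The helper name password_paths, the fallback to "yes" for unset options, and the handling of the later KbdInteractiveAuthentication spelling are assumptions, and the sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the original post). password_paths is a
# hypothetical helper name; the sample config below is constructed.

# Read sshd_config text on stdin and print every authentication method
# that can still accept a password. No output means key-only logins.
password_paths() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/=/, " ") }                        # accept "Keyword=value" too
        tolower($1) == "match" { in_match = 1 }  # Match blocks are conditional:
        in_match || NF < 2 { next }              # audit global settings only
        {
            key = tolower($1)                    # keywords are case-insensitive
            # Later OpenSSH releases name this option KbdInteractiveAuthentication.
            if (key == "kbdinteractiveauthentication")
                key = "challengeresponseauthentication"
            if (!(key in seen)) seen[key] = tolower($2)   # first value wins
        }
        END {
            # Assumption: an unset option falls back to "yes", the upstream
            # OpenSSH default; check the man page of the installed version.
            pw = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
            cr = ("challengeresponseauthentication" in seen) ? seen["challengeresponseauthentication"] : "yes"
            if (pw != "no") print "password"
            if (cr != "no") print "keyboard-interactive"
        }
    '
}

# Constructed config matching the state described in the post:
# protocol 2 only, passwords "off", challenge-response left at its default.
printf '%s\n' \
    'Protocol 2' \
    'PasswordAuthentication no' \
    '#ChallengeResponseAuthentication yes' |
    password_paths      # prints: keyboard-interactive
```

To audit a live host, redirect the real file into the function, for example password_paths < /etc/ssh/sshd_config.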