[nycbug-talk] ssh password auth note

Charles Sprickman spork at bway.net
Fri Apr 7 20:01:05 EDT 2006

Hi all,

Just thought I'd share something that I just discovered...

I've made it standard practice when I bring up a unix host that has ssh 
open to the world to edit sshd_config and set it to only accept protocol 2 
and to not allow passwords.

Today I was working on a FreeBSD jail (4.11) and I had not yet done this, 
nor had I transferred my keys over.  I made the config changes and ssh'd 
to the box, and was let in with my password.  After double-checking 
everything and restarting sshd, I got the same result.

This auth.log message stuck out:

Apr  7 19:36:27 devel4 sshd[53082]: Accepted keyboard-interactive/pam for 
spork from port 52130 ssh2

PAM.  Hmmm.  So it appears that the option to disallow passwords is 
basically circumvented by PAM.

To stop that, this line must also be set to "no":

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

Like I said, maybe I'm the only one that didn't know this...
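
Added example (not part of the original post, and not OpenSSH's own code): a small check that reads sshd_config text and reports which login methods can still take a typed password, covering the keyboard-interactive/PAM path described above. The function names, the sample config and the assumed defaults are illustrative; treating KbdInteractiveAuthentication as an alias reflects newer OpenSSH releases, not the FreeBSD 4.11 host in the post.

```python
import re

# Assumed defaults when a keyword is absent (upstream OpenSSH documents both
# as "yes"; a vendor build may differ, so confirm against the local man page).
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes"}
# Newer OpenSSH spells the same setting KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def effective(config_text):
    """Return global sshd_config settings; as in sshd, the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. a commented-out default
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":  # conditional blocks are out of scope here
            break
        key = ALIASES.get(key, key)
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """List the auth methods that can still accept a typed password."""
    cfg = effective(config_text)
    paths = []
    if cfg["passwordauthentication"] != "no":
        paths.append("password")
    if cfg["challengeresponseauthentication"] != "no":
        paths.append("keyboard-interactive")  # PAM prompts for the password
    return paths


# Constructed sample: the state described in the post (passwords "off",
# challenge-response line still commented out, so the default applies).
BEFORE = """Protocol 2
PasswordAuthentication no
#ChallengeResponseAuthentication yes
"""
AFTER = BEFORE + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    print("before:", password_paths(BEFORE))
    print("after: ", password_paths(AFTER))
```

An empty list means neither method is left enabled in the global section; Match blocks are not evaluated.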

