Nils von Greyerz
2003-Nov-13 01:35 UTC
SSHD password authentication issue in 4.9-RELEASE and 5.1-RELEASE
Wonder if you guys could help me out... I have a security problem with sshd which enables a user to do a password login though the sshd_config states PasswordAuthentication no.
My config works fine in both gentoo and openbsd 3.3, but users are able to login with tunneled clear text passwords in both 4.9 and 5.1.
I'm lost. Tried everything I can think of.
Here is the config:

-------------------------------------------------------------------
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.32 2003/04/23 17:10:53 des Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20030423

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
-------------------------------------------------------------------

Everything else is default. I'm not starting SSHD with any additional parameters than the defaults in /etc/defaults/rc.conf and just added sshd_enable="YES" in /etc/rc.conf.
I have of course restarted sshd after changes in the config.
Nothing is patched or updated in any way, it's from the stock install from the ISOs.
Any ideas?

Regards /Nils

Nils von Greyerz
Senior Network Consultant,
Juniper Certified Internet Associate: JNCIA-M #0090
unix_list
2003-Nov-13 01:43 UTC
SSHD password authentication issue in 4.9-RELEASE and 5.1-RELEASE
Hello,

try disabling PAM auth.

ChallengeResponseAuthentication no

-=Snoopy=-

On Thu, 13 Nov 2003 10:34:31 +0100 "Nils von Greyerz" <nisse@imtech.se> wrote:
> Wonder if you guys could help me out... I have a security problem with sshd
> which enables a user to do a password login though the sshd_config states
> PasswordAuthentication no.
> My config works fine in both gentoo and openbsd 3.3, but users are able to
> login with tunneled clear text passwords in both 4.9 and 5.1.
> I'm lost. Tried everything I can think of.
> Here is the config:
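Snoopy's one-line fix points at the general pitfall in the posted config: `PasswordAuthentication no` only switches off the "password" method, while the PAM challenge-response (keyboard-interactive) path stays reachable as long as `ChallengeResponseAuthentication` is left commented out and therefore at its default of yes. The shell script below is an added example, not part of the thread, that audits an sshd_config for exactly that combination; the function names are mine and the two sample config fragments are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# pitfall discussed above. "PasswordAuthentication no" only disables the
# "password" method; the keyboard-interactive path through PAM is governed
# by ChallengeResponseAuthentication, which defaults to yes when left
# commented out (as in the posted config), so it must be set to no too.

# sshd_effective KEYWORD FILE
# Prints the effective value of KEYWORD. sshd_config(5) takes the first
# uncommented occurrence and matches keywords case-insensitively; prints
# nothing when the keyword is absent so the caller can apply the default.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# password_logins_open FILE
# Returns 0 (true) when a password-based method is still reachable and
# 1 when both are explicitly off; prints the reasons on stdout.
password_logins_open() {
    pw=$(sshd_effective PasswordAuthentication "$1")
    cr=$(sshd_effective ChallengeResponseAuthentication "$1")
    : "${pw:=yes}"   # compiled-in default when the keyword is missing
    : "${cr:=yes}"
    open=1
    if [ "$pw" = yes ]; then
        echo "PasswordAuthentication is effectively yes"
        open=0
    fi
    if [ "$cr" = yes ]; then
        echo "ChallengeResponseAuthentication is effectively yes (PAM keyboard-interactive)"
        open=0
    fi
    [ "$open" -eq 0 ] || echo "no password-based methods enabled"
    return "$open"
}

# Demo on two constructed fragments: the relevant lines of the posted
# config (keyword commented out, so the default applies) and the fix.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'PasswordAuthentication no' '#ChallengeResponseAuthentication yes' > "$tmp/posted"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' > "$tmp/fixed"
password_logins_open "$tmp/posted" && echo "=> posted config still accepts passwords"
password_logins_open "$tmp/fixed" || echo "=> fixed config refuses them"
```

Run it as `sh audit.sh` after pointing the two `printf` lines at a real `/etc/ssh/sshd_config`, or call `password_logins_open /etc/ssh/sshd_config` directly once the functions are sourced.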