Nils von Greyerz
2003-Nov-13 01:35 UTC
SSHD password authentication issue in 4.9-RELEASE and 5.1-RELEASE
Wonder if you guys could help me out...have a security problem with sshd wich enables a user to do a password login tough the sshd_config states PasswordAuthentication no My config works fine in both gentoo and openbsd 3.3 but users are able to login with tunneled clear text passwords in both 4.9 and 5.1 Im lost.tried everything I can think of. Here is the config: ------------------------------------------------------------------- # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ # $FreeBSD: src/crypto/openssh/sshd_config,v 1.32 2003/04/23 17:10:53 des Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. #VersionAddendum FreeBSD-20030423 Port 22 Protocol 2 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel INFO # Authentication: #LoginGraceTime 120 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used #RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server ------------------------------------------------------------------- Everything else is default.I'm not starting SSHD with any additional parameters than the defaults in /etc/defaults/rc.conf and just added sshd_enable="YES" in /etc/rc.conf I have of course restarted sshd after changes in the config. Nothing is patched or updated in any ways, its from the stock install from the ISOs. Any ideas? Regards /Nils Nils von Greyerz Senior Network Consultant, Juniper Certified Internet Associate: JNCIA-M #0090
unix_list
2003-Nov-13 01:43 UTC
SSHD password authentication issue in 4.9-RELEASE and 5.1-RELEASE
Hello, try disable PAM auth. ChallengeResponseAuthentication no -=Snoopy=- On Thu, 13 Nov 2003 10:34:31 +0100 "Nils von Greyerz" <nisse@imtech.se> wrote:> Wonder if you guys could help me out...have a security problem with sshd > wich enables a user to do a password login tough the sshd_config states > PasswordAuthentication no > My config works fine in both gentoo and openbsd 3.3 but users are able to > login with tunneled clear text passwords in both 4.9 and 5.1 > Im lost.tried everything I can think of. > Here is the config: > > ------------------------------------------------------------------- > # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ > # $FreeBSD: src/crypto/openssh/sshd_config,v 1.32 2003/04/23 17:10:53 > des > Exp $ > # This is the sshd server system-wide configuration file. See > # sshd_config(5) for more information. > # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin > # The strategy used for options in the default sshd_config shipped with > # OpenSSH is to specify options with their default value where > # possible, but leave them commented. Uncommented options change a > # default value. > # Note that some of FreeBSD's defaults differ from OpenBSD's, and > # FreeBSD has a few additional options. > > #VersionAddendum FreeBSD-20030423 > > Port 22 > Protocol 2 > #ListenAddress 0.0.0.0 > #ListenAddress :: > > # HostKey for protocol version 1 > #HostKey /etc/ssh/ssh_host_key > # HostKeys for protocol version 2 > #HostKey /etc/ssh/ssh_host_dsa_key > > # Lifetime and size of ephemeral version 1 server key > #KeyRegenerationInterval 3600 > #ServerKeyBits 768 > > # Logging > #obsoletes QuietMode and FascistLogging > SyslogFacility AUTH > LogLevel INFO > > # Authentication: > > #LoginGraceTime 120 > PermitRootLogin no > StrictModes yes > > RSAAuthentication yes > PubkeyAuthentication yes > AuthorizedKeysFile .ssh/authorized_keys > > # rhosts authentication should not be used > #RhostsAuthentication no > # Don't read the user's ~/.rhosts and ~/.shosts files > IgnoreRhosts yes > # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts > #RhostsRSAAuthentication no > # similar for protocol version 2 > #HostbasedAuthentication no > # Change to yes if you don't trust ~/.ssh/known_hosts for > # RhostsRSAAuthentication and HostbasedAuthentication > #IgnoreUserKnownHosts no > > # To disable tunneled clear text passwords, change to no here! > PasswordAuthentication no > PermitEmptyPasswords no > > # Change to no to disable PAM authentication > #ChallengeResponseAuthentication yes > > # Kerberos options > #KerberosAuthentication no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > > #AFSTokenPassing no > > # Kerberos TGT Passing only works with the AFS kaserver > #KerberosTgtPassing no > > #X11Forwarding yes > #X11DisplayOffset 10 > #X11UseLocalhost yes > #PrintMotd yes > #PrintLastLog yes > #KeepAlive yes > #UseLogin no > #UsePrivilegeSeparation yes > #PermitUserEnvironment no > #Compression yes > > #MaxStartups 10 > # no default banner path > #Banner /some/path > #VerifyReverseMapping no > > # override default of no subsystems > Subsystem sftp /usr/libexec/sftp-server > ------------------------------------------------------------------- > > Everything else is default.I'm not starting SSHD with any additional > parameters than the defaults in /etc/defaults/rc.conf and just added > sshd_enable="YES" in /etc/rc.conf > I have of course restarted sshd after changes in the config. > Nothing is patched or updated in any ways, its from the stock install from > the ISOs. > Any ideas? > Regards /Nils > > Nils von Greyerz > Senior Network Consultant, > Juniper Certified Internet Associate: JNCIA-M #0090 > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
Seemingly Similar Threads
- OpenSSH_3.5p1 server, PC clients cannot connect
- [Bug 289] New: mmap error when trying to use 3.3p1 with privsep
- AFS/Kerberos authentication problems on IRIX 6.5.15
- Non-root hostname auth problem
- [Bug 2618] New: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon