bugzilla-daemon at mindrot.org
2024-Jan-22  22:26 UTC
[Bug 3658] New: Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658
            Bug ID: 3658
           Summary: Wrong comment in /etc/ssh/sshd_config
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: Other
                OS: Illumos
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: marcel at telka.sk
[This is copied from downstream bug report at
https://www.illumos.org/issues/10168]
The following code fragment in sshd_config is misleading:
    # To disable tunneled clear text passwords, change PasswordAuthentication to no.
    PasswordAuthentication yes
Indeed, setting PasswordAuthentication to "no" will NOT disable
clear-text passwords if ChallengeResponseAuthentication keeps its
default value "yes".
One also needs to set ChallengeResponseAuthentication to "no".
See, e.g., https://access.redhat.com/solutions/336773 or
https://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html
for details.
The above code fragment should be replaced by
    # To disable tunneled clear text passwords, change PasswordAuthentication and ChallengeResponseAuthentication to no.
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-03  12:41 UTC
[Bug 3658] Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
It's not that simple.  From a protocol standpoint,
PasswordAuthentication is definitely "clear-text passwords".
> Indeed, Setting PasswordAuthentication to "no" will NOT disable
> clear-text passwords if ChallengeResponseAuthentication keeps its default value
> "yes" .
What ChallengeResponseAuthentication (or rather,
KbdInteractiveAuthentication, for which the former is a deprecated
synonym) does depends on the compile options, and in the common case,
what the host's PAM stack is configured to do.  This might involve
passwords, or one-time tokens, something else, or a combination of all
of these things.  From a protocol perspective, sshd doesn't know.
I'll see if we can update the comment on KbdInteractiveAuthentication
to be a bit more informative.
bugzilla-daemon at mindrot.org
2024-Dec-03  12:42 UTC
[Bug 3658] Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3740
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3740
[Bug 3740] Tracking bug for OpenSSH 10.0
bugzilla-daemon at mindrot.org
2024-Dec-03  14:14 UTC
[Bug 3658] Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
I've changed it to read:
# Change to "no" to disable keyboard-interactive authentication.  Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
#KbdInteractiveAuthentication yes
which will hopefully give enough context to cover your case, without
being misleading or incorrect in other cases.
bugzilla-daemon at mindrot.org
2024-Dec-03  14:34 UTC
[Bug 3658] Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658
--- Comment #3 from Marcel Telka <marcel at telka.sk> ---
I think the change makes sense. Thank you!
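Added example (not code from the bug report, from illumos or from OpenSSH): a small Python checker that applies the sshd_config rules at issue in this thread to a config file and reports which password-style methods sshd would still offer. It models what sshd_config(5) documents: both PasswordAuthentication and KbdInteractiveAuthentication default to "yes", ChallengeResponseAuthentication is a deprecated spelling of the same KbdInteractiveAuthentication keyword (Comment #1), the first obtained value of a keyword wins, and keywords after a Match line are conditional. The three sample configs are constructed for the example: one that follows the old comment literally, one that applies the reporter's fix, and one showing first-value-wins and a Match block.

```python
import re

# ChallengeResponseAuthentication is a deprecated synonym for
# KbdInteractiveAuthentication; sshd treats both spellings as one keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Both keywords default to "yes" in sshd_config(5), so an absent keyword
# means the method is still offered.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}


def parse_sshd_config(text):
    """Return (effective, conditional) for the two tracked keywords.

    Modelled sshd_config semantics: keywords are case-insensitive, keyword and
    value are separated by whitespace or '=', '#' starts a comment, and for
    each keyword the FIRST value obtained wins (later duplicates are ignored).
    Keywords after a 'Match' line only apply when its criteria match, so they
    are collected separately rather than treated as global settings.
    """
    effective = {}
    conditional = []          # (match criteria, keyword, value)
    current_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(\S.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current_match = value
            continue
        key = ALIASES.get(key, key)
        if key not in DEFAULTS:
            continue
        if current_match is not None:
            conditional.append((current_match, key, value))
        elif key not in effective:          # first obtained value wins
            effective[key] = value
    for key, default in DEFAULTS.items():
        effective.setdefault(key, default)
    return effective, conditional


def password_style_methods(text):
    """Keywords whose effective global value is 'yes', i.e. the password-style
    methods sshd would still offer at the protocol level.  Whether a
    keyboard-interactive prompt really asks for a password is decided by PAM
    and build options, which a config parser cannot see."""
    effective, _ = parse_sshd_config(text)
    return {k for k, v in effective.items() if v.lower() == "yes"}


# Constructed sample: follows the old comment literally and stops at
# PasswordAuthentication, leaving the keyboard-interactive default in place.
MISLED_CONFIG = """\
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: the reporter's fix, written with the deprecated
# ChallengeResponseAuthentication spelling that older files still carry.
HARDENED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no   # same keyword as KbdInteractiveAuthentication
PubkeyAuthentication yes
"""

# Constructed sample: the first value wins, so the later 'no' is silently
# ignored, and the Match block does not change the global setting.
FIRST_WINS_CONFIG = """\
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""


def report(name, text):
    """Human-readable summary for one config; returns the lines it prints."""
    enabled = password_style_methods(text)
    _, conditional = parse_sshd_config(text)
    lines = ["%s: password-style methods still offered: %s"
             % (name, sorted(enabled) or "none")]
    for criteria, key, value in conditional:
        lines.append("  (Match %s sets %s %s)" % (criteria, key, value))
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report("misled", MISLED_CONFIG)
    report("hardened", HARDENED_CONFIG)
    report("first-wins", FIRST_WINS_CONFIG)
```

The checker only reads the file; the authoritative view of what a running sshd will do is `sshd -T` (with `-C user=...,addr=...` to evaluate Match blocks), and, as Comment #1 says, what a keyboard-interactive prompt actually asks for is decided by the PAM stack and compile options, not by sshd_config.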