bugzilla-daemon at mindrot.org
2024-Jan-22 22:26 UTC
[Bug 3658] New: Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658

            Bug ID: 3658
           Summary: Wrong comment in /etc/ssh/sshd_config
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: Other
                OS: Illumos
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: marcel at telka.sk

[This is copied from downstream bug report at
https://www.illumos.org/issues/10168]

The following code fragment in sshd_config is misleading:

<pre>
# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes
</pre>

Indeed, setting PasswordAuthentication to "no" will NOT disable clear-text
passwords if ChallengeResponseAuthentication keeps its default value "yes".
One also needs to set ChallengeResponseAuthentication to "no".

See for details, e.g.
https://access.redhat.com/solutions/336773
or
https://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html

The above code fragment should be replaced by

<pre>
# To disable tunneled clear text passwords, change PasswordAuthentication and ChallengeResponseAuthentication to no.
PasswordAuthentication yes
ChallengeResponseAuthentication yes
</pre>

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
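The following check is an added example, not part of the original bug report or of OpenSSH: it reads sshd_config text and lists which of the two settings named in the report still leave password-style login enabled. It assumes only the global section matters (parsing stops at the first Match block), does not expand Include files, and uses the "yes" defaults stated in the report; the function names and sample configs are constructed for illustration.

```python
# Added example: audit sshd_config text for the gap described in the report.
# Assumptions: global section only, no Include expansion, both keywords
# default to "yes" as the report states.

DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication is a deprecated alias for
# KbdInteractiveAuthentication in current OpenSSH releases.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the effective global value of each password-related keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        keyword = ALIASES.get(keyword, keyword)
        # sshd uses the first value it obtains for a keyword.
        if keyword in DEFAULTS and keyword not in seen and len(parts) > 1:
            seen[keyword] = parts[1].strip('"').lower()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def open_password_paths(config_text):
    """List the keywords that still allow password-style authentication."""
    settings = effective_settings(config_text)
    return sorted(k for k, v in settings.items() if v != "no")


# Constructed sample: follows the existing comment and changes one keyword.
ONLY_PASSWORD_OFF = "PasswordAuthentication no\n"
# Constructed sample: follows the comment proposed in the report.
BOTH_OFF = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("only one off", ONLY_PASSWORD_OFF), ("both off", BOTH_OFF)):
        print(name, "->", open_password_paths(text) or "no password paths open")
```

On a live host, the output of `sshd -T` gives the fully resolved values and is the better input when Include files or Match blocks are in use.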