Re: HELP!! sshd permitting password free logins

Sun, 13 Feb 2005 21:55:57 -0800 

Ean Kingston wrote:

On February 13, 2005 04:10 pm, Gene wrote:


I'm running version 5.3 of freebsd.
I'm not sure what I did - I was experimenting in sshd_config. sshd began
to permit logins without benefit of password.

When logging in (I'm using putty from a local windows machine) I enter
the user name. I'm presented with the challenge and the password prompt.
If hit enter I get the second password prompt with echo on. If I enter
anything else to the first password prompt, or anything (or just the
enter key) to the second prompt, I find myself logged on.



I'm not sure what you mean by a second password prompt. I've never seen SSH provide 2 password prompts.



Login accounts use opie. Once the user name is entered, a challenge is displayed followed by a password prompt. Entered passwords at this prompt do not echo. Normally, if you enter just a return, another prompt appears with the notation "[echo on]" and the entered password is echoed as it is entered.

The allow groups directive in the config file works, only members of
grp1 get logged on, but without passwords. This was working correctly
before I started fooling around -

any ideas?



Check to make sure the user you are logging in as has a password.

Also, check to make sure your ssh client is not sending an RSA key for authentication. I think that one is enabled by default. If you want to force passwords, make sure you aren't using RSA keys.



If disable RSA keys in the config file, but the problem persists.

Cinfig file follows:
------------------------
#    $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
#    $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24 19:20:23
des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20030924

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

RSAAuthentication no
PubkeyAuthentication no
AuthorizedKeysFile    .ssh/authorized_keys

AllowGroups grp1

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem    sftp    /usr/libexec/sftp-server

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"






_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to