On Wed, Jun 25, 2014 at 12:08 PM, Joshua Judson Rosen <roz...@geekspace.com> wrote:
> *AHA*--found the answer:
>
> http://article.gmane.org/gmane.network.openssh.general/7446
>
> OpenSSH implements "none" auth by trying to authenticate
> with an empty password. I'm still not sure where in
> the code this is actually happening, but it does seem
> to work: if I just null-out my user's password, and then
> enable PermitEmptyPasswords in sshd_config, then I can
> use "ssh -o PreferredAuthentications=none" and it just works.
>
> Actually, I don't even have to pass "-o PreferredAuthentications=none"--
> it looks like "none" auth is tried automatically, and it really
> all "just works" once I have a `passwordless' login allowed
> (for some somewhat surprising meaning of "just works"...).
>

I've created passwordless SSH keys. That turns it into having a shared secret, which is better than a blank password IMO. I think the keys would work even if the account is locked in /etc/shadow and possibly other auth methods.

> --
> "'tis an ill wind that blows no minds."
>
>
> Joshua Judson Rosen <roz...@geekspace.com> writes:
> >
> > Having sshd manage auth using PKI is not what I'm looking for;
> > supposedly there is a "none" auth-type that SSH can use,
> > which means that SSH is just giving you an encrypted stream
> > and the shell running at the end of the link is responsible
> > for actually prompting for login credentials and authenticating
> > (similarly to using SSL telnet, since telnetd doesn't actually
> > manage logins, it just execs a "login" command and hooks
> > its stdio up to the socket that goes back to the client).
> >
> > Glancing at the code in OpenSSH 6.0 (client and server), it looks like
> > the OpenSSH client can be made to request "none" auth; and there are at
> > least some *vestiges* of support for "none" auth in the server--
> > like all of the code in auth2-none.c, and this comment in auth2.c:
> >
> > /* Allow initial try of "none" auth without failure penalty */
> >
> > (I also see that there's another `hidden auth mode' called "J-PAKE",
> > which looks interesting but is also probably not what I want).
> >
> > From what little documentation I see on sshd's ChallengeResponseAuthentication
> > option, it seems like that might let me do this... but only if I
> > implement the authenticating end as a PAM module rather than something
> > like a "login command"...
> >
> > Help!?
> >
> > Do I `just' need to patch sshd to actually accept "none" auth?
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
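An audit for the combination described in the thread (an account with a nulled-out password plus PermitEmptyPasswords enabled), as an added example that is not part of the original messages or of OpenSSH. The function names are hypothetical and the sample config and shadow text are constructed. It also checks PasswordAuthentication, which the thread does not mention, treats any Match block setting as if it applied, and does not model PAM.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
# sshd uses the first value it sees for each keyword
Port 22
PermitEmptyPasswords yes
PermitEmptyPasswords no
"""
SAMPLE_SHADOW = """\
root:!:16000:0:99999:7:::
kiosk::16000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16000:0:99999:7:::
svc:*:16000:0:99999:7:::
"""

def sshd_options(config_text):
    """Return (global_opts, match_opts); keywords lowercased, first global value wins."""
    global_opts, match_opts, in_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after this line is conditional
        elif in_match:
            match_opts.append((key, value))
        else:
            global_opts.setdefault(key, value)
    return global_opts, match_opts

def enabled(opts, key, default):
    """True if the keyword is 'yes' globally or in any Match block (conservative)."""
    global_opts, match_opts = opts
    return global_opts.get(key, default) == "yes" or (key, "yes") in match_opts

def empty_password_accounts(shadow_text):
    """Account names whose shadow password field (2nd field) is empty."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[0] and f[1] == ""]

def audit(config_text, shadow_text):
    """Accounts that sshd would accept with an empty password, hence via "none" auth."""
    opts = sshd_options(config_text)
    # PermitEmptyPasswords defaults to no, PasswordAuthentication to yes.
    if enabled(opts, "permitemptypasswords", "no") and enabled(opts, "passwordauthentication", "yes"):
        return empty_password_accounts(shadow_text)
    return []
```

On a live host, feed it the contents of sshd_config and /etc/shadow read with root privileges; an empty result means the combination from the thread is not present.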