[Bug 3658] New: Wrong comment in /etc/ssh/sshd_config

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jan 23 09:26:19 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3658

            Bug ID: 3658
           Summary: Wrong comment in /etc/ssh/sshd_config
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: Other
                OS: Illumos
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: marcel at telka.sk

[This is copied from downstream bug report at
https://www.illumos.org/issues/10168]

The following code fragment in sshd_config is misleading:

    # To disable tunneled clear text passwords, change
    PasswordAuthentication to no.
    PasswordAuthentication yes

Indeed, setting PasswordAuthentication to "no" will NOT disable
clear-text passwords if ChallengeResponseAuthentication keeps its
default value "yes".
One also needs to set ChallengeResponseAuthentication to "no".

For details see, e.g., https://access.redhat.com/solutions/336773 or
https://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html

The above code fragment should be replaced by

    # To disable tunneled clear text passwords, change
    PasswordAuthentication and ChallengeResponseAuthentication to no.
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
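The point of the report, that an sshd_config only disables clear-text password
logins when both directives are "no", can be checked mechanically. The script
below is an added example written for this page; it is not part of the bug
report, of illumos, or of OpenSSH. It assumes the sshd_config(5) defaults
("yes" for both PasswordAuthentication and ChallengeResponseAuthentication),
treats KbdInteractiveAuthentication as the current spelling of
ChallengeResponseAuthentication, applies sshd's first-occurrence rule for
repeated directives, and evaluates only the global section (everything before
the first Match block). The sample configs inside it are constructed.

```python
import re

# Defaults per sshd_config(5): both directives default to "yes".
# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication
# in current OpenSSH; both spellings are folded into one setting here (assumption
# stated in the lead-in).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(config_text):
    """Return {directive: value} for the global section of an sshd_config.

    Stops at the first Match block (per-user/host overrides are out of scope).
    Keeps the first occurrence of each directive, as sshd does.
    """
    result = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                      # keyword without a value; ignore
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                         # Match blocks are not evaluated
        key = ALIASES.get(key, key)
        result.setdefault(key, value)     # first occurrence wins
    return result


def effective_settings(config_text):
    """Merge parsed directives over the documented defaults."""
    settings = dict(DEFAULTS)
    for key, value in parse_global(config_text).items():
        if key in settings:
            settings[key] = value
    return settings


def cleartext_password_disabled(config_text):
    """True only when BOTH directives are "no", which is the report's point."""
    s = effective_settings(config_text)
    return (s["passwordauthentication"] == "no"
            and s["kbdinteractiveauthentication"] == "no")


def explain(config_text):
    """Human-readable verdict for an admin reviewing a config."""
    s = effective_settings(config_text)
    if cleartext_password_disabled(config_text):
        return "clear-text password logins disabled (global section)"
    return ("clear-text password logins still possible: "
            f"PasswordAuthentication={s['passwordauthentication']}, "
            f"KbdInteractive/ChallengeResponseAuthentication="
            f"{s['kbdinteractiveauthentication']}")


# Constructed sample configs (not taken from any real host).
CONFIG_AS_IN_REPORT = """\
# Admin followed the misleading comment and changed only one directive
PasswordAuthentication no
UsePAM yes
"""

CONFIG_BOTH_OFF = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

CONFIG_NEW_SPELLING = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("as in report", CONFIG_AS_IN_REPORT),
                      ("both off", CONFIG_BOTH_OFF),
                      ("new spelling", CONFIG_NEW_SPELLING)]:
        print(f"{name}: {explain(cfg)}")
```

On a live host the authoritative answer is `sshd -T`, which prints the
effective value of every directive after parsing; the script above is for
reviewing config files offline and deliberately ignores Match blocks, so a
"disabled" verdict for CONFIG_NEW_SPELLING says nothing about the `backup`
user that the Match block re-enables.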
