Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication.
Damien Miller
djm at mindrot.org
Sun Mar 4 00:22:10 EST 2001
On Fri, 2 Mar 2001, William Hahn wrote:
> I compiled 2.5.1p1 on solaris and linux with PAM support and
> produced the same problem.
>
> If I set sshd_config to not allow password authentication(
> PasswordAuthentication no ) and restart sshd.
This is a documentation problem.
Using ChallengeResponseAuthentication with PAM bypasses OpenSSH's
password code - the "Password:" prompts that you are seeing are
coming directly from PAM and the replies are going straight back to
it.
I have disabled ChallengeResponseAuthentication by default in
sshd_config (it doesn't do much unless you are building against s/key
and/or PAM) and have documented that it bypasses the password checking
in the manpage.
You can control whether password authentication is allowed using the
/etc/pam.d/sshd file.
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
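The check a practitioner would want after reading the reply above, added here as an example that is not from the thread and not OpenSSH's own code: a small POSIX shell audit that reads an sshd_config the way sshd does (the first value given for a keyword wins, comments are ignored, only the global section before any Match block is read) and flags the combination Damien describes, "PasswordAuthentication no" with challenge-response still enabled on a PAM build. The two sample configs are constructed for the demonstration. The UsePAM keyword and the KbdInteractiveAuthentication alias belong to later OpenSSH releases than the 2.5.1p1 build discussed, and treating a missing UsePAM as "yes" stands in for a build compiled with PAM support; both are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the openssh-unix-dev thread or from OpenSSH.
# Audits an sshd_config for the case Damien Miller describes: password
# authentication switched off while challenge-response (PAM keyboard-
# interactive) is still on, so PAM keeps prompting for and checking passwords.
#
# Assumptions (not in the original message): sshd's "first value for a
# keyword wins" rule, keyword and value matched case-insensitively, only the
# global section before any Match block is read, the later keyword names
# UsePAM and KbdInteractiveAuthentication are honoured, and a missing UsePAM
# counts as "yes" to model a build compiled with PAM support.

# sshd_setting FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD, or DEFAULT if it is not set.
sshd_setting() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    val=$(awk -v key="$key" '
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # stop at the first Match block
        tolower($1) == key     { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# check_sshd_config FILE
# Returns 0 when password logins are really off, 1 when they are still
# reachable, either directly or through PAM's keyboard-interactive prompts.
check_sshd_config() {
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication yes)
    # KbdInteractiveAuthentication is the newer name for the same switch;
    # fall back to the ChallengeResponseAuthentication value when it is unset.
    kbd=$(sshd_setting "$1" KbdInteractiveAuthentication "$cr")
    pam=$(sshd_setting "$1" UsePAM yes)

    if [ "$pw" != no ]; then
        echo "$1: PasswordAuthentication is '$pw', password logins allowed"
        return 1
    fi
    if [ "$pam" = yes ] && [ "$kbd" = yes ]; then
        echo "$1: PasswordAuthentication no, but challenge-response with PAM still accepts passwords"
        return 1
    fi
    echo "$1: password logins disabled"
    return 0
}

# Constructed sample configs for the demonstration.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# The setting from the report: passwords "off", challenge-response left on.
cat > "$tmpdir/sshd_config.weak" <<'EOF'
# constructed sshd_config
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF

# The fix: challenge-response off as well, so PAM is never asked for a password.
cat > "$tmpdir/sshd_config.fixed" <<'EOF'
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

for f in "$tmpdir/sshd_config.weak" "$tmpdir/sshd_config.fixed"; do
    check_sshd_config "$f" || :
done
```

The script only covers the sshd side. The control Damien points to is the PAM side: if /etc/pam.d/sshd contains a password-checking module in its auth stack, sshd's keyboard-interactive path will hand that module whatever the client types, regardless of PasswordAuthentication, so the two settings have to be reviewed together.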