Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication.

Damien Miller djm at mindrot.org
Sun Mar 4 00:22:10 EST 2001


On Fri, 2 Mar 2001, William Hahn wrote:

> I compiled 2.5.1p1 on solaris and linux with PAM support and
> produced the same problem.
>
> If I set sshd_config to not allow password authentication
> (PasswordAuthentication no) and restart sshd.

This is a documentation problem.

Using ChallengeResponseAuthentication with PAM bypasses OpenSSH's
password code - the "Password:" prompts that you are seeing are
coming directly from PAM and the replies are going straight back to
it.

I have disabled ChallengeResponseAuthentication by default in
sshd_config (it doesn't do much unless you are building against s/key
and/or PAM) and have documented that it bypasses the password checking
in the manpage.

You can control whether password authentication is allowed using the
/etc/pam.d/sshd file.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
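Added example, not part of the thread or of OpenSSH itself: a small POSIX
shell audit for the configuration gap Damien describes, where an sshd of the
2.5.1p1 era built with PAM still shows a PAM "Password:" prompt because
ChallengeResponseAuthentication is left at its old default of yes even though
PasswordAuthentication is no. The two sample sshd_config files, the temp
directory and the function names (sshd_opt, password_really_disabled, report)
are constructed for the example. The script only inspects sshd_config; the
PAM side of the decision (/etc/pam.d/sshd) is the other knob and is not
parsed here.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the PAM
# challenge-response gap discussed above. Assumes an sshd of the 2.5.1p1 era
# built with PAM, where ChallengeResponseAuthentication hands the prompt to
# PAM and bypasses OpenSSH's own PasswordAuthentication check.
# sshd takes the FIRST value given for a keyword; keywords are case-insensitive.
# This parser assumes "Keyword value" lines (not the "Keyword=value" form).

# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
sshd_opt() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Exit 0 when password logins are really off for a PAM build, 1 when PAM
# challenge-response can still show a "Password:" prompt.
# ChallengeResponseAuthentication defaulted to yes before Damien's change,
# so "yes" is the assumed default when the keyword is absent.
password_really_disabled() {
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = no ] && [ "$cra" = no ]
}

# Constructed sample configs (hypothetical; not the reporter's real files).
TMPD=$(mktemp -d)
WEAK_CFG=$TMPD/sshd_config.weak
FIXED_CFG=$TMPD/sshd_config.fixed
cat >"$WEAK_CFG" <<'EOF'
# PasswordAuthentication no is set, but ChallengeResponseAuthentication is
# left at the old default (yes): PAM will still prompt for a password.
PasswordAuthentication no
EOF
cat >"$FIXED_CFG" <<'EOF'
passwordauthentication no
ChallengeResponseAuthentication no
# A later value is ignored by sshd: the first one wins.
ChallengeResponseAuthentication yes
EOF

report() {
    if password_really_disabled "$1"; then
        echo "$1: password logins disabled"
    else
        echo "$1: WARNING: PAM challenge-response can still ask for a password"
    fi
}
report "$WEAK_CFG"
report "$FIXED_CFG"
```

Run it as-is to see the two verdicts; point report at a real /etc/ssh/sshd_config
to check a host. The check is deliberately conservative: with a PAM build, the
only way to be sure the "Password:" prompt is gone from sshd_config alone is to
have both keywords set to no.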
