Security Problem with OPENSSH 3.7.1
Darren Tucker
dtucker at zip.com.au
Sun Sep 21 23:19:40 EST 2003
Thomas Boernert wrote:
> we've a big problem with the new version.
> we're using key authentication and in the
> sshd_config on the server is "PasswordAuthentication no".
> in this case password authentication should be rejected.
> But in the new release it doesn't work !!!
>
> i do
> # ssh server
> Enter passphrase for key '/home/tboernert/.ssh/id_rsa': [Now i press
> only Enter]
> -> normally now should come ->
> Permission denied (publickey,keyboard-interactive).
> -> but it comes ->
> Password: :-( !!! and i can log in !!!!
It looks like you compiled with PAM and you're authenticating via
keyboard-interactive. You probably need to set
ChallengeResponseAuthentication to "no", or turn off PAM ("UsePam no").
> The next strange problem, I've tried to log in as root, but root login
> is disabled and normally now should come ->
> Permission denied (publickey,keyboard-interactive).
> -> but it comes ->
> Password: :-( !!! I can't log in, but it can be a feature that the
> root login is globally disabled in /etc/securetty !!! )
Set "PermitRootLogin no" if you want to disable root.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
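
A configuration check for the situation discussed in this thread, as an added example that is not part of the original messages or of OpenSSH: it reads sshd_config text and reports which password-style prompts remain reachable. The function names, the sample configurations and the values in `ASSUMED_DEFAULTS` are assumptions; confirm the defaults against sshd_config(5) for the build in use.

```python
# Added example. Defaults are assumptions, not taken from the thread:
# check sshd_config(5) for the sshd version you actually run.
ASSUMED_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "permitrootlogin": "yes",
}

def effective_settings(config_text, defaults=ASSUMED_DEFAULTS):
    """Global settings: keywords are case-insensitive, first occurrence wins."""
    settings, seen = dict(defaults), set()
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip('"').lower()
        if key == "match":          # conditional blocks are not global settings
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def password_prompt_paths(config_text):
    """Return findings for login paths that still accept a typed password."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password: PasswordAuthentication is not 'no'")
    # The case from the thread: keyboard-interactive backed by PAM still
    # shows "Password:" even though PasswordAuthentication is off.
    if s["challengeresponseauthentication"] != "no" and s["usepam"] != "no":
        findings.append("keyboard-interactive: set "
                        "ChallengeResponseAuthentication no or UsePAM no")
    if s["permitrootlogin"] != "no":
        findings.append("root-login: PermitRootLogin is not 'no'")
    return findings

# Constructed sample inputs.
REPORTED = "Protocol 2\nPasswordAuthentication no\n"
HARDENED = ("PasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n"
            "PermitRootLogin no\n")

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("hardened", HARDENED)):
        print(name, password_prompt_paths(text) or "no password prompts")
```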