Security Problem with OPENSSH 3.7.1

Darren Tucker dtucker at zip.com.au
Sun Sep 21 23:19:40 EST 2003


Thomas Boernert wrote:
> we've a big problem with the new version.
> we're using key authentication and in the
> sshd_config on the server is "PasswordAuthentication no".
> in this case password authentication should be rejected.
> But in the new release it doesn't work !!!
> 
> i do
> # ssh server
> Enter passphrase for key '/home/tboernert/.ssh/id_rsa': [Now i press
> only Enter]
> -> normally now should come ->
> Permission denied (publickey,keyboard-interactive).
> -> but it comes ->
> Password: :-( !!! and i can log in !!!!

It looks like you compiled with PAM and you're authenticating via
keyboard-interactive.  You probably need to set
ChallengeResponseAuthentication to "no", or turn off PAM ("UsePam no").

> The next strange problem, i've tried to log in as root, but root login
> is disabled and normally now should come ->
> Permission denied (publickey,keyboard-interactive).
> -> but it comes ->
> Password: :-( !!! i can't login, but it can be a feature that the
> root login is globally disabled in /etc/securetty !!! )

Set "PermitRootLogin no" if you want to disable root.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
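
Added example (not part of the original message and not OpenSSH code): a small Python check over sshd_config text that reports when "PasswordAuthentication no" still leaves a password prompt reachable through PAM keyboard-interactive, and when root login is not disabled. The DEFAULTS table, the function names and both sample configurations are assumptions made for this example; defaults differ between OpenSSH versions and builds.

```python
# Added example: audit sshd_config text for the situation in this thread.
# Assumed defaults for absent keywords; they differ between versions and builds.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "yes",
}

def parse_global(text):
    """Effective global settings: keywords are case-insensitive, first value wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # lines after a Match are conditional, not global
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].strip('"').lower())
    return {**DEFAULTS, **seen}

def audit(text):
    """Return findings for password prompts and root login left reachable."""
    cfg = parse_global(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is enabled")
    elif cfg["usepam"] == "yes" and cfg["challengeresponseauthentication"] == "yes":
        findings.append("keyboard-interactive via PAM can still ask for a password")
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is '%s', root login is not disabled"
                        % cfg["permitrootlogin"])
    return findings

# Constructed sample inputs (not taken from the poster's server).
REPORTED = "PasswordAuthentication no\nUsePAM yes\n"
FIXED = REPORTED + "ChallengeResponseAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, audit(conf) or "no findings")
```

On a live host, the effective values are better taken from the running sshd build than from assumed defaults.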




More information about the openssh-unix-dev mailing list