
Re: ssh allowing password logins even though its disabled



From: "Jeremy T. Bouse" <jbouse@debian.org>
>	Have you verified that keyboard-interaction is not enabled as
>well? As I quote from the man page for sshd... 
>
>     PAMAuthenticationViaKbdInt
>             Specifies whether PAM challenge response authentication is
>             allowed. This allows the use of most PAM challenge response
>             authentication modules, but it will allow password authentication
>             regardless of whether PasswordAuthentication is disabled. The
>             default is ``no''.

Right on the money.  I had followed the instructions that were given
with bug 109846 and added this line to /etc/pam.d/ssh after the line
mentioning "pam_env.so":

   auth       required     pam_deny.so

This left me with a "password" prompt, but no matter which password I
typed in, it didn't let me in.  Secure, but ugly.  Commenting out this
line from pam.d/ssh and changing the line in /etc/ssh/sshd_config to

   PAMAuthenticationViaKbdInt no

makes it omit the "password" prompt instead of putting up a prompt
which rejects all passwords.

I should have read around all mentions of "password" in the sshd man
page when changing the config files.  Thanks for the pointer.

cc'd this to 109846@bugs.debian.org.

-- 
Tim Freeman       
tim@fungible.com
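
The check discussed in this message, written out as an added example (not part of the original post or of OpenSSH): a small auditor that reads sshd_config text and reports every setting that still lets a password be typed even when PasswordAuthentication is off. It goes beyond the message by also recognising ChallengeResponseAuthentication and KbdInteractiveAuthentication, the names later OpenSSH releases use together with UsePAM. The function names and sample configs are constructed for illustration, and Match blocks are not evaluated.

```python
import re

# Keyboard-interactive switches that let PAM ask for a password.
# The first is the option quoted above; the other two are the names used by
# later OpenSSH releases and only matter with UsePAM yes (not from the page).
LEGACY = "pamauthenticationviakbdint"
LATER = ("challengeresponseauthentication", "kbdinteractiveauthentication")


def parse_global(text):
    """Map lower-cased keyword -> first value in the global section.

    sshd uses the first value it sees for a keyword, and a Match line
    ends the global section.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and parts[1]:
            seen.setdefault(key, parts[1].split()[0].strip('"').lower())
    return seen


def password_paths(text):
    """Return the settings that still allow a password to be typed."""
    cfg = parse_global(text)
    hits = []
    if cfg.get("passwordauthentication", "yes") != "no":
        hits.append("passwordauthentication")
    if cfg.get(LEGACY) == "yes":
        hits.append(LEGACY)
    if cfg.get("usepam") == "yes":
        hits += [k for k in LATER if cfg.get(k) == "yes"]
    return hits


# Constructed samples modelled on the state before and after the fix above.
BEFORE = "PasswordAuthentication no\nPAMAuthenticationViaKbdInt yes\n"
AFTER = "PasswordAuthentication no\nPAMAuthenticationViaKbdInt no\n"

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, password_paths(sample) or "no password path found")
```

An empty result means no global setting in the file leaves a password prompt reachable; anything listed should be set to no or justified.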

