Re: ssh allowing password logins even though its disabled
From: "Jeremy T. Bouse" <jbouse@debian.org>
> Have you verified that keyboard-interaction is not enabled as
> well? As I quote from the man page for sshd...
>
> PAMAuthenticationViaKbdInt
> Specifies whether PAM challenge response authentication is
> allowed. This allows the use of most PAM challenge response
> authentication modules, but it will allow password authentication
> regardless of whether PasswordAuthentication is disabled. The
> default is ``no''.

Right on the money. I had followed the instructions that were given
with bug 109846 and added this line to /etc/pam.d/ssh after the line
mentioning "pam_env.so":

    auth required pam_deny.so

This left me with a "password" prompt, but no matter which password I
typed in, it didn't let me in. Secure, but ugly. Commenting out this
line from pam.d/ssh and changing the line in /etc/ssh/sshd_config to

    PAMAuthenticationViaKbdInt no

makes it omit the "password" prompt instead of putting up a prompt
which rejects all passwords.

I should have read around all mentions of "password" in the sshd man
page when changing the config files. Thanks for the pointer.

cc'd this to 109846@bugs.debian.org.

--
Tim Freeman
tim@fungible.com
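
Added example, not part of the original message or of OpenSSH: a small check for the combination this thread describes, where PasswordAuthentication is "no" but PAMAuthenticationViaKbdInt is "yes". The function names and sample configs are constructed, and the defaults and the first-occurrence-wins parsing rule are assumptions noted in the comments.

```python
# Added example: audit sshd_config text for the mismatch discussed in this thread.
# Assumed defaults: PAMAuthenticationViaKbdInt "no" (per the man page text quoted
# above) and PasswordAuthentication "yes".
DEFAULTS = {"passwordauthentication": "yes", "pamauthenticationviakbdint": "no"}


def effective_options(config_text):
    """Return the effective value of the two tracked keywords.

    Keywords are matched case-insensitively and the first occurrence of a
    keyword wins (assumed to match how sshd reads its configuration file).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in DEFAULTS and key not in seen:
            seen[key] = value
    return {**DEFAULTS, **seen}


def password_still_reachable(config_text):
    """True when password logins are 'disabled' yet PAM keyboard-interactive
    authentication is on, which still lets a password through."""
    opts = effective_options(config_text)
    return (opts["passwordauthentication"] == "no"
            and opts["pamauthenticationviakbdint"] == "yes")


# Constructed sample configs, not taken from any real host.
WEAK = """\
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
"""
FIXED = """\
PasswordAuthentication no
PAMAuthenticationViaKbdInt no
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, "password still reachable:", password_still_reachable(text))
```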