
Re: ssh allowing password logins even though it's disabled



	Have you verified that keyboard-interaction is not enabled as
well? As I quote from the man page for sshd... 

     PAMAuthenticationViaKbdInt
             Specifies whether PAM challenge response authentication is
             allowed. This allows the use of most PAM challenge response
             authentication modules, but it will allow password authentication
             regardless of whether PasswordAuthentication is disabled. The
             default is ``no''.

	Jeremy

On Wed, Apr 03, 2002 at 09:39:21PM -0700, Tim Freeman wrote:
> I just rediscovered bug 109846 in ssh, 
> 
>    "SSH uses PAM password authentication in SSH2 even if disabled"
> 
> It's filed as a "normal" bug.  Before I discovered the dup, I was
> going to file it as a "grave" bug, since the system involved has weak
> passwords (my kids have to be able to log in, and they can't type too
> well).  If I had not tested that ssh disables passwords when you tell
> it to, it would have allowed fairly easy penetration, so there might
> be lots of vulnerable systems out there.
> 
> Can anyone clue me in on why other people don't think this is grave,
> or lend me encouragement on pushing the priority up?
> 
> -- 
> Tim Freeman       
> tim@fungible.com
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
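
The interaction described in the quoted man page entry can be checked mechanically. The script below is an added example, not part of the original thread or of OpenSSH: it reads an sshd_config and reports whether a password can still get a user in. It assumes an sshd of the vintage quoted above, where only `PasswordAuthentication` and `PAMAuthenticationViaKbdInt` matter; the function names, verdict strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# without regard to case; lines starting with '#' are comments.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)      # split on whitespace or "="
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit FILE: one-word verdict (hypothetical labels) for the config in FILE
audit() {
    # defaults: PasswordAuthentication yes; PAMAuthenticationViaKbdInt no (per the man page)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" PAMAuthenticationViaKbdInt no)
    if [ "$pw" = "yes" ]; then
        echo "PASSWORD-ENABLED"
    elif [ "$kbd" = "yes" ]; then
        # the case from this thread: passwords "off", PAM kbd-int still accepts them
        echo "PASSWORD-VIA-PAM-KBDINT"
    else
        echo "PASSWORD-DISABLED"
    fi
}

# Constructed sample configurations, written to a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/weak" <<'EOF'
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
EOF
cat > "$demo_dir/fixed" <<'EOF'
PasswordAuthentication no
# the later duplicate is ignored because the first value wins
pamauthenticationviakbdint no
PAMAuthenticationViaKbdInt yes
EOF
for f in weak fixed; do
    printf '%s: %s\n' "$f" "$(audit "$demo_dir/$f")"
done
```
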
