Re: ssh authentication configuration?

To: debian-security@lists.debian.org
Subject: Re: ssh authentication configuration?
From: Will Aoki <waoki@umnh.utah.edu>
Date: Wed, 29 May 2002 20:04:11 -0600
Message-id: <[🔎] 20020529200411.E23231@umnh.utah.edu>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 1022633464.317.21.camel@monkeypaw>; from steve@webninja.com on Tue, May 28, 2002 at 05:51:02PM -0700
References: <[🔎] 1022633464.317.21.camel@monkeypaw>

On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, i'm confused on a couple variables in the sshd_config file, i
> have a client that's using that 'other os' and has an ssh client that he
> likes. however, he wanted me to secure the server as much as possible,
> i've always disabled clear text passwords(PasswordAuthentication no),
> and turn on pam auth (PAMAuthenticationViaKbdInt yes).  That's always
> worked fine for me as i'm using debian linux, and i don't actually know
> why i do it other than in the conf file debian adds a comment above
> telling me to do so, so i do.  Well, my clients ssh client app doesn't
> seem to be able to handle pam auth, so when i disable clear text passes

Both PasswordAuthentication and PAMAuthenticationViaKbdInt go through
PAM [0]. The difference is that PasswordAuthentication obtains a
password and hands that to the auth modules, whereas
PAMAuthenticationViaKbdInt allows modules to interact with the user so
that they can display their own prompts and collect responses.

Note that both send passwords (or other data) as *tunneled* cleartext -
in other words, the string itself is sent, but it's sent over the
encrypted channel.

> it won't let him in, even though i can get in with his account from my
> ssh client.  i guess what i'm asking is, "How much of a security risk is
> using regular auth versus Pam?". 

Unless you've modified your PAM configuration to use some
challenge-response authentication mechanism, and barring any relevant
undiscovered bugs in OpenSSH or PAM, there's no difference in the risks
posed by using SSH password-authentication and SSH keyboard-interactive
authentication, nor reason to turn off PasswordAuthentication but leave
PAMAuthenticationViaKbdInt on.

[0] in the Debian configuration - if configured at build time without
    PAM, PasswordAuthentication will use another mechanism to check
    passwords.

-- 
William Aoki     waoki@umnh.utah.edu       /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change    \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734   prev. expired    X
                                           / \

-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- ssh authentication configuration?
  - From: Stephen Johnson <steve@webninja.com>

Prev by Date: RE: Configuration problems with pam_smb, mod_auth_pam
Next by Date: RE: Configuration problems with pam_smb, mod_auth_pam
Previous by thread: Re: ssh authentication configuration?
Next by thread: ipchains rules for dmz??
Index(es):
- Date
- Thread