Re: sshd: cannot disable password authentication, users can always login with password.

From: Zhang Weiwu (zhangweiwu_at_realss.com)
Date: 04/19/04

  • Next message: Toomas Aas: "Sendmail aliases mystery"

    Date: Mon, 19 Apr 2004 14:55:00 +0800
    To: freebsd-questions@freebsd.org

    Okay, I figured out the problem myself. I should set

    ChallengeResponseAuthentication no

    to disable password authentication.

    Zhang Weiwu wrote:

    > Hello. I'm today following the FreeBSD security how-to
    > <http://www.it.daemonnews.org/200108/security-howto.html> to secure my
    > FreeBSD server. I configured DSA ssh access, and now I can use my own
    > computer to log in to the server with ssh using DSA with no problem; no
    > password authentication is necessary. Following the guide I edited
    > /etc/ssh/sshd_config and made sure
    >
    > PasswordAuthentication no
    >
    > But I tried restarting sshd and even rebooting the server, and I can always
    > log in with a password from any other computer.
    >
    > Please drop me a hint.
    >
    > Here is my server's configuration:
    >
    > > uname -a
    > FreeBSD dino.realss 5.2-RELEASE FreeBSD 5.2-RELEASE #0: Sun Feb 29
    > 04:29:22 CST 2004
    > zhangweiwu@dino.realss:/usr/src/sys/i386/compile/DINO i386
    > > cat /etc/ssh/sshd_config
    > # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
    > # $FreeBSD: src/crypto/openssh/sshd_config,v 1.33 2003/09/24
    > 19:20:23 des Exp $
    >
    > # This is the sshd server system-wide configuration file. See
    > # sshd_config(5) for more information.
    >
    > # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    >
    > # The strategy used for options in the default sshd_config shipped with
    > # OpenSSH is to specify options with their default value where
    > # possible, but leave them commented. Uncommented options change a
    > # default value.
    >
    > # Note that some of FreeBSD's defaults differ from OpenBSD's, and
    > # FreeBSD has a few additional options.
    >
    > #VersionAddendum FreeBSD-20030924
    >
    > Port 22
    > Protocol 2
    > #ListenAddress 0.0.0.0
    > #ListenAddress ::
    >
    > # HostKey for protocol version 1
    > #HostKey /etc/ssh/ssh_host_key
    > # HostKeys for protocol version 2
    > #HostKey /etc/ssh/ssh_host_dsa_key
    >
    > # Lifetime and size of ephemeral version 1 server key
    > #KeyRegenerationInterval 3600
    > #ServerKeyBits 768
    >
    > # Logging
    > #obsoletes QuietMode and FascistLogging
    > #SyslogFacility AUTH
    > #LogLevel INFO
    >
    > # Authentication:
    >
    > #LoginGraceTime 120
    > PermitRootLogin no
    > StrictModes yes
    >
    > RSAAuthentication no
    > PubkeyAuthentication yes
    > #AuthorizedKeysFile .ssh/authorized_keys
    >
    > # rhosts authentication should not be used
    > RhostsAuthentication no
    > # Don't read the user's ~/.rhosts and ~/.shosts files
    > #IgnoreRhosts yes
    > # For this to work you will also need host keys in
    > /etc/ssh/ssh_known_hosts
    > #RhostsRSAAuthentication no
    > # similar for protocol version 2
    > #HostbasedAuthentication no
    > # Change to yes if you don't trust ~/.ssh/known_hosts for
    > # RhostsRSAAuthentication and HostbasedAuthentication
    > #IgnoreUserKnownHosts no
    >
    > # To disable tunneled clear text passwords, change to no here!
    > PasswordAuthentication no
    > PermitEmptyPasswords no
    >
    > # Change to no to disable PAM authentication
    > #ChallengeResponseAuthentication yes
    >
    > # Kerberos options
    > KerberosAuthentication no
    > KerberosOrLocalPasswd no
    > #KerberosTicketCleanup yes
    >
    > #AFSTokenPassing no
    >
    > # Kerberos TGT Passing only works with the AFS kaserver
    > #KerberosTgtPassing no
    >
    > X11Forwarding yes
    > #X11DisplayOffset 10
    > #X11UseLocalhost yes
    > #PrintMotd yes
    > #PrintLastLog yes
    > #KeepAlive yes
    > #UseLogin no
    > #UsePrivilegeSeparation yes
    > #PermitUserEnvironment no
    > #Compression yes
    >
    > #MaxStartups 10
    > # no default banner path
    > #Banner /some/path
    > #VerifyReverseMapping no
    >
    > # override default of no subsystems
    > Subsystem sftp /usr/libexec/sftp-server
    > >
    >
    >
    > _______________________________________________
    > freebsd-questions@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > To unsubscribe, send any mail to
    > "freebsd-questions-unsubscribe@freebsd.org"
    >
    >

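
The fix in the follow-up is the right one. On a PAM-enabled sshd, PasswordAuthentication no closes only the plain "password" method; the "keyboard-interactive" method, enabled by ChallengeResponseAuthentication (default yes), hands the prompt to PAM, which still asks for the Unix password. The posted config left that directive as a commented-out default, so the PAM path stayed open. The following is an added example, not code from the thread: a small linter that reads an sshd_config, reports which password paths remain open in the global section, and is run against a constructed excerpt of the posted config and the corrected one. The directive names and defaults are those of OpenSSH; the sample configs are constructed for the demo.

```python
"""Lint sshd_config for the trap in the thread above: PasswordAuthentication
is off, but the PAM-backed keyboard-interactive path still accepts passwords.

Added example, not code from the original message. Models only the global
section of sshd_config (up to the first Match block) and the two directives
that decide whether a password can be typed at login. Sample configs below
are constructed for the demo.
"""
from __future__ import annotations

# Built-in sshd defaults when a directive is absent or commented out.
# Keyboard-interactive (via PAM) prompts for the Unix password, so it counts
# as a password path. ChallengeResponseAuthentication is the old spelling;
# OpenSSH 8.7 and later treat it as an alias of KbdInteractiveAuthentication.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global_section(text: str) -> dict[str, str]:
    """Map lower-cased keyword -> value for the global section.

    Blank and '#' lines are skipped, keywords are case-insensitive, both
    'Key value' and 'Key=value' forms are accepted, and as in sshd the FIRST
    occurrence of a keyword wins. Parsing stops at the first Match block,
    whose settings apply only conditionally.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def password_login_paths(text: str) -> list[str]:
    """Return the directives that still let a password be typed at login.

    An empty list means both password paths are closed in the global section.
    """
    cfg = parse_global_section(text)
    open_paths = []
    for key, default in DEFAULTS.items():
        value = cfg.get(key, default)
        if value != "no":
            origin = f"set to {value}" if key in cfg else "absent, default yes"
            open_paths.append(f"{key} ({origin})")
    return open_paths


# Constructed excerpt mirroring the posted config: PasswordAuthentication is
# off, but ChallengeResponseAuthentication is only a commented-out default.
WEAK = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
"""

# Same excerpt with the fix from the follow-up applied.
FIXED = WEAK + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        paths = password_login_paths(cfg)
        status = "key-only" if not paths else "password login via " + ", ".join(paths)
        print(f"{name}: {status}")
```

On a live host, `sshd -T` prints the effective value of every directive, which is the quickest way to see what the running daemon will actually do; a client-side check is `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive user@host`, which must end in "Permission denied" once both paths are closed. On current OpenSSH the directive is spelled KbdInteractiveAuthentication no, and AuthenticationMethods publickey can be added to pin the policy explicitly.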