Re: security bug with /etc/login.access

From: Dag-Erling Smørgrav (des_at_des.no)
Date: 02/19/04

    To: freebsd-security@freebsd.org
    Date: Thu, 19 Feb 2004 16:44:26 +0100
    
    

    Sven Pfeifer <sven@yagonna.de> writes:
    > this looks like, you have configured
    >
    > PasswordAuthentication yes
    > and
    > Protocol 2,1
    >
    > in your server's /etc/ssh/sshd_config. So your client is trying to
    > authenticate to the _local_ id-File. If this is failing (3 times) then
    > it tries the PasswordAuthentication at the _remote_ machine.

    Uh, no. There is never any attempt by the client to authenticate the
    user against the client machine's password database. All four prompts
    are issued by the remote machine. The first three are from PAM, the
    fourth is OpenSSH's built-in password authentication which apparently
    does not respect login.access. The solution is to disable password
    authentication in /etc/ssh/sshd_config; this should be the default now
    that PAM works.

    DES

    -- 
    Dag-Erling Smørgrav - des@des.no
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
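
Added example, not part of the original message and not FreeBSD or OpenSSH code: a Python check that reports whether built-in password authentication, the setting the reply recommends disabling, is effectively on in an sshd_config. The function names and sample configuration are constructed, and the default used when the keyword is absent is supplied by the caller as an assumption, since it depends on the sshd build.

```python
import re

# Constructed sample (not from the thread): the later "no" does NOT take effect,
# because sshd uses the first value it obtains for each keyword.
SAMPLE_CONFIG = """\
Protocol 2,1
passwordauthentication yes
UsePAM yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_settings, match_settings) from sshd_config text."""
    global_settings, match_settings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after this is conditional
        elif in_match:
            match_settings.append((key, value))
        else:
            global_settings.setdefault(key, value)   # first value wins
    return global_settings, match_settings

def password_auth_findings(text, default_when_absent):
    """List the places where built-in password authentication is enabled."""
    global_settings, match_settings = parse_sshd_config(text)
    findings = []
    value = global_settings.get("passwordauthentication", default_when_absent)
    if value.lower() == "yes":
        findings.append("global: PasswordAuthentication is effectively yes")
    for key, val in match_settings:
        if key == "passwordauthentication" and val.lower() == "yes":
            findings.append("Match block: PasswordAuthentication yes")
    return findings

if __name__ == "__main__":
    for finding in password_auth_findings(SAMPLE_CONFIG, default_when_absent="yes"):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a file offline.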
    
