Re: PHK's MD5 might not be slow enough anymore

Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx> writes:
"Dag-Erling Smørgrav" <des@xxxxxx> writes:
Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx> writes:
Just run sshd and put this in your sshd_config:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
This does not do what you think it does. RTFM.
It looks like the defaults in FreeBSD are different, so shoot me.


Ah, I see, YOU were the one who changed the FreeBSD defaults to be
less secure.


"PasswordAuthentication no" *is* the default.

It does not disable password authentication. It disables the SSH
"password" authentication method. Password authentication is still
possible via PAM.

Now I understand.

No, you don't, you're just making it up as you go along.

So, FreeBSD users, it looks like you have to play Russian roulette
with your sshd_config options if you want the directives to actually

No Russian roulette, no sshd_config tweaking. All you need is a
one-line change to /etc/pam.d/sshd. See pam.conf(5) and pam_unix(8) for
further details.

But hey, I'm sure DES will be happy to flip you off instead of tell
you which options will work with FreeBSD.

I don't flip off users with valid concerns. You don't fall into that

So I guess I'll have to instead.

I'm sure users will be eternally grateful to you for giving them
incorrect information which weakens the security of their systems.

If you don't need PAM's extra features for your sshd access (which is
most people)

Wrong; most people *do* need PAM.

then turn PAM off in your sshd_config to work around the base code
change that DES made.

UsePAM is on by default in OpenSSH-portable.

Yes, I wrote the original PAM support code for OpenSSH; so shoot me. It
was necessary.

Then the other options will work as
intended. And, just to be safe, also turn off the challenge-response

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no

There, all better.

Yeah, now you turned off *all* authentication methods except keys, and
by turning off PAM, you also turned off session management, accounting,
utmpx logging, lockout of expired accounts, etc.

If you're serious about strong authentication, use time-synchronized OTP
tokens. Oh wait, you can't, because you need PAM and ChallengeResponse
to mediate between the user and the backend, which usually acts like a
Radius server. Too bad.

Dag-Erling Smørgrav - des@xxxxxx
freebsd-security@xxxxxxxxxxx mailing list
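As an added illustration that is not part of the thread, the sshd_config/PAM interplay described above as a small audit script: it checks whether password logins remain reachable through PAM keyboard-interactive when only "PasswordAuthentication no" is set, and whether the three-line "fix" has also switched off PAM session management. It assumes (my assumption, not stated by DES) that the "one-line change" in /etc/pam.d/sshd is the auth entry that loads pam_unix, and takes defaults for absent keywords from the values the thread gives.

```python
"""Audit an sshd_config / pam.d/sshd pair for the pitfalls discussed above.
Assumed (not stated in the thread): the 'one-line change' is the 'auth' line
that loads pam_unix; defaults for absent keywords are the ones the thread gives."""
import re

DEFAULTS = {"passwordauthentication": "no",             # FreeBSD default, per DES
            "usepam": "yes",                            # on by default in OpenSSH-portable
            "challengeresponseauthentication": "yes"}   # upstream OpenSSH default

def parse_sshd_config(text):
    """Keyword -> lowercased value, keeping the FIRST occurrence as sshd does."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **opts}

def pam_auth_uses_unix(pam_text):
    """True if an active 'auth' entry in the service file loads pam_unix."""
    for line in pam_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "auth" and "pam_unix" in f[2]:
            return True                  # a commented line starts with '#', so f[0] != 'auth'
    return False

def audit(sshd_config, pam_sshd):
    """List of findings; empty means keys-only login with PAM sessions intact."""
    o = parse_sshd_config(sshd_config)
    findings = []
    if o["passwordauthentication"] == "yes":
        findings.append("sshd 'password' method enabled")
    if (o["usepam"] == "yes" and o["challengeresponseauthentication"] == "yes"
            and pam_auth_uses_unix(pam_sshd)):
        findings.append("password login still possible via PAM keyboard-interactive")
    if o["usepam"] == "no":
        findings.append("UsePAM no: PAM session/account management disabled")
    return findings

# Constructed sample inputs (not real system files).
SSHD_FREEBSD_LIKE = "PasswordAuthentication no\n"   # UsePAM/ChallengeResponse at defaults
SSHD_KEYS_ONLY_NO_PAM = "UsePAM no\nChallengeResponseAuthentication no\nPasswordAuthentication no\n"
PAM_UNIX_ON = "auth\trequired\tpam_unix.so\tno_warn try_first_pass\nsession\trequired\tpam_permit.so\n"
PAM_UNIX_OFF = "#auth\trequired\tpam_unix.so\tno_warn try_first_pass\nsession\trequired\tpam_permit.so\n"
```

Run `audit()` on the real files to see which of the two situations in the thread a host is in; an empty result means password logins are off while PAM sessions, accounting and account lockout still run.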