Re: PHK's MD5 might not be slow enough anymore



Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx> writes:
> "Dag-Erling Smørgrav" <des@xxxxxx> writes:
> > Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx> writes:
> > > Just run sshd and put this in your sshd_config:
> > >
> > > # To disable tunneled clear text passwords, change to no here!
> > > PasswordAuthentication no
> > This does not do what you think it does. RTFM.
> It looks like the defaults in FreeBSD are different, so shoot me.

Nope.

> Ah, I see, YOU were the one who changed the FreeBSD defaults to be
> less secure.

Nope.

"PasswordAuthentication no" *is* the default.

It does not disable password authentication. It disables the SSH
"password" authentication method. Password authentication is still
possible via PAM.

> Now I understand.

No, you don't, you're just making it up as you go along.

> So, FreeBSD users, it looks like you have to play Russian roulette
> with your sshd_config options if you want the directives to actually
> work.

No Russian roulette, no sshd_config tweaking. All you need is a
one-line change to /etc/pam.d/sshd. See pam.conf(5) and pam_unix(8) for
further details.

> But hey, I'm sure DES will be happy to flip you off instead of telling
> you which options will work with FreeBSD.

I don't flip off users with valid concerns. You don't fall into that
category.

> So I guess I'll have to instead.

I'm sure users will be eternally grateful to you for giving them
incorrect information which weakens the security of their systems.

> If you don't need PAM's extra features for your sshd access (which is
> most people)

Wrong; most people *do* need PAM.

> then turn PAM off in your sshd_config to work around the base code
> change that DES made.

UsePAM is on by default in OpenSSH-portable.

Yes, I wrote the original PAM support code for OpenSSH; so shoot me. It
was necessary.

> Then the other options will work as
> intended. And, just to be safe, also turn off the challenge-response
> option.
>
> UsePAM no
> ChallengeResponseAuthentication no
> PasswordAuthentication no
>
> There, all better.

Yeah, now you turned off *all* authentication methods except keys, and
by turning off PAM, you also turned off session management, accounting,
utmpx logging, lockout of expired accounts, etc.

If you're serious about strong authentication, use time-synchronized OTP
tokens. Oh wait, you can't, because you need PAM and ChallengeResponse
to mediate between the user and the backend, which usually acts like a
Radius server. Too bad.

DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
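The point of the exchange above is that "PasswordAuthentication no" only removes the SSH "password" method, while PAM (through ChallengeResponseAuthentication, i.e. keyboard-interactive) can still accept the same reusable password. The script below is an added example, not code from the thread or from FreeBSD or OpenSSH: it audits an sshd_config together with a pam.d/sshd file and reports every path through which a reusable password still logs in. It assumes the defaults the message states (UsePAM yes, ChallengeResponseAuthentication yes, PasswordAuthentication no), ignores Match blocks and PAM "include" lines, treats pam_unix.so as the reusable-password module (pam_opie is one-time), and reads DES's "one-line change" as commenting out the pam_unix auth line, which is my interpretation. All sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a reusable password can
# still log in through sshd, given an sshd_config and a /etc/pam.d/sshd.
# Assumed defaults (as stated in the thread, OpenSSH-portable on FreeBSD):
# UsePAM yes, ChallengeResponseAuthentication yes, PasswordAuthentication no.
# Match blocks and PAM "include" lines are not modelled.

# sshd_opt FILE KEYWORD DEFAULT: effective value of KEYWORD in FILE.
# sshd_config(5) uses the first value found; DEFAULT applies if none is.
sshd_opt() {
    _v=$(awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# pam_checks_password PAMFILE: succeed if the auth stack still loads a
# module that verifies a reusable password (pam_unix; pam_opie is OTP).
pam_checks_password() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "auth" && $3 ~ /pam_unix\.so/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# password_login_paths SSHD_CONFIG PAMFILE: print the ways a reusable
# password can still authenticate, or "none".
#   password             the SSH "password" method (with UsePAM yes it is
#                        answered by the PAM auth stack, not by getpwnam)
#   keyboard-interactive PAM driven by ChallengeResponseAuthentication
password_login_paths() {
    _cfg=$1; _pam=$2; _paths=""
    _usepam=$(sshd_opt "$_cfg" UsePAM yes)
    _pwd=$(sshd_opt "$_cfg" PasswordAuthentication no)
    _cr=$(sshd_opt "$_cfg" ChallengeResponseAuthentication yes)
    if [ "$_pwd" = yes ]; then
        if [ "$_usepam" = no ] || pam_checks_password "$_pam"; then
            _paths="password"
        fi
    fi
    if [ "$_usepam" = yes ] && [ "$_cr" = yes ] && pam_checks_password "$_pam"; then
        _paths="${_paths:+$_paths }keyboard-interactive"
    fi
    printf '%s\n' "${_paths:-none}"
}

# ---- constructed sample inputs (modelled on the thread, not real files) ----
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Dillon's first suggestion: only the "password" method is switched off.
printf 'PasswordAuthentication no\n' >"$tmp/sshd.dillon1"
# Dillon's second suggestion: PAM off entirely (no session management either).
printf 'UsePAM no\nChallengeResponseAuthentication no\nPasswordAuthentication no\n' >"$tmp/sshd.dillon2"
# An empty file: every keyword at its assumed FreeBSD default.
: >"$tmp/sshd.default"

# A pam.d/sshd auth stack in the style of FreeBSD's stock file (constructed).
cat >"$tmp/pam.stock" <<'EOF'
# auth
auth    sufficient  pam_opie.so        no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so  no_warn allow_local
auth    required    pam_unix.so        no_warn try_first_pass
EOF
# DES's route as read here: comment out the pam_unix auth line, keep UsePAM.
sed 's/^auth[[:space:]]*required[[:space:]]*pam_unix\.so/#&/' "$tmp/pam.stock" >"$tmp/pam.fixed"

for pair in "dillon1 stock" "dillon2 stock" "default fixed"; do
    set -- $pair
    printf '%-8s + pam.%-6s -> %s\n' "$1" "$2" \
        "$(password_login_paths "$tmp/sshd.$1" "$tmp/pam.$2")"
done
```

Run as-is to see the three cases: Dillon's one-line sshd_config still answers "keyboard-interactive", his three-line version answers "none" but only because PAM is gone, and the untouched sshd_config with the pam_unix line commented out answers "none" while UsePAM stays on.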


