Re: 3.1p2 allows Password Auth

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 11/17/03

  • Next message: Patel, Dipak R: "OpenSSH for Windows"
    Date: Mon, 17 Nov 2003 17:26:11 +1100
    To: Asif Iqbal <iqbala@qwestip.net>
    
    

    Asif Iqbal wrote:
    > I am using openssh 3.7.1p2 with Darren Tucker's password expiration patch.
    > I noticed in my config file if I have the following two entries
    >
    > PasswordAuthentication yes
    > UsePAM yes
    >
    > you can bypass the PAM authentication (via challenge-response) by hitting enter
    > couple times at the login prompt and then it switches to password authentication.
    > Then you can login with your local password
    >
    > I am using pam_radius_auth
    >
    > Is it normal ? Am I doing something wrong ? OR is it a question for the
    > pam_radius_auth's author ?

    That's normal for the configuration you've currently got. If you're using
    PAM (which now uses keyboard-interactive) you don't want to allow password
    authentication you should disable it.

    It's mentioned in the sshd_config man page:

    UsePAM Enables PAM authentication (via challenge-response) and
      session set up. If you enable this, you should probably disable
      PasswordAuthentication. If you enable then you will not be able
      to run sshd as a non-root user. The default is ``no''.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
        Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
    

  • Next message: Patel, Dipak R: "OpenSSH for Windows"