Re: 3.1p2 allows Password Auth
From: Darren Tucker (dtucker_at_zip.com.au)
Date: 11/17/03
- Previous message: Asif Iqbal: "3.1p2 allows Password Auth"
- In reply to: Asif Iqbal: "3.1p2 allows Password Auth"
Date: Mon, 17 Nov 2003 17:26:11 +1100
To: Asif Iqbal <iqbala@qwestip.net>
Asif Iqbal wrote:
> I am using openssh 3.7.1p2 with Darren Tucker's password expiration patch.
> I noticed in my config file if I have the following two entries
>
> PasswordAuthentication yes
> UsePAM yes
>
> you can bypass the PAM authentication (via challenge-response) by hitting enter
> couple times at the login prompt and then it switches to password authentication.
> Then you can login with your local password
>
> I am using pam_radius_auth
>
> Is it normal ? Am I doing something wrong ? OR is it a question for the
> pam_radius_auth's author ?
That's normal for the configuration you've currently got. If you're using
PAM (which now uses keyboard-interactive), you don't want to allow password
authentication; you should disable it.
It's mentioned in the sshd_config man page:
     UsePAM  Enables PAM authentication (via challenge-response) and
             session set up. If you enable this, you should probably disable
             PasswordAuthentication. If you enable then you will not be able
             to run sshd as a non-root user. The default is ``no''.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
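
An added example, not part of the original message or of OpenSSH: a small shell check for the combination discussed in this thread, `UsePAM yes` with `PasswordAuthentication` still enabled. The function names, the constructed sample files and the assumed defaults (`PasswordAuthentication yes`; `UsePAM no`, as quoted from the man page above) are this example's own.

```shell
#!/bin/sh
# effective_value KEYWORD FILE DEFAULT
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive. Parsing stops at the first Match block so that only
# global settings are considered. DEFAULT is an assumption passed by the caller.
effective_value() {
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { print val }
    ' "$2"
}

# check_sshd_pam_fallback FILE
# Returns 1 and prints a finding when PAM is enabled but the separate
# password method is still offered; returns 0 otherwise.
check_sshd_pam_fallback() {
    use_pam=$(effective_value UsePAM "$1" no)
    pw_auth=$(effective_value PasswordAuthentication "$1" yes)
    if [ "$use_pam" = yes ] && [ "$pw_auth" != no ]; then
        echo "FINDING: $1: UsePAM yes with PasswordAuthentication $pw_auth"
        return 1
    fi
    echo "OK: $1: UsePAM=$use_pam PasswordAuthentication=$pw_auth"
    return 0
}

# write_samples DIR: two constructed sshd_config fragments for the demo.
write_samples() {
    cat > "$1/weak" <<'EOF'
# constructed sample: the two entries from the thread
PasswordAuthentication yes
UsePAM yes
EOF
    cat > "$1/fixed" <<'EOF'
# constructed sample: password method disabled, PAM via challenge-response
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_sshd_pam_fallback "$demo_dir/weak" || true
check_sshd_pam_fallback "$demo_dir/fixed"
rm -rf "$demo_dir"
```

Point `check_sshd_pam_fallback` at the real `sshd_config` path for your installation; a non-zero exit status means the password method is still offered alongside PAM.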