Problem with restrictive login
From: Steven Lake (steven.lake_at_corecomm.com)
Date: 02/13/04
- Previous message: Aditya, ALD [Aditya Lalit Deshmukh]: "RE: windows to linux via the internet"
- Next in thread: Steven Lake: "Re: Problem with restrictive login"
- Reply: Steven Lake: "Re: Problem with restrictive login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 13 Feb 2004 14:53:59 -0500
To: secureshell@securityfocus.com

Hello. I'm new to the list and need a bit of help. This issue
just popped up today on my home mail server (FreeBSD 4.8), which has SSH
available to the Internet so I can get into the box from work if need
be. That is the only port open, as it's a fetching mail server, so port 25
isn't available to the rest of the world. Nor is 110. What I just
discovered today is that my sshd is allowing auth by public key OR
password. I don't want it to auth by password. JUST public key. So in
other words, if you don't already have the public key file, well, it sucks
being you because you won't get connected.

I've tried setting "PasswordAuthentication no" and restarting ssh,
but it still lets me in via password regardless, and if I ssh between
machines inside of my network, if I'm connected via the same username as my
mail server uses, then it won't even ask me for public key. It just logs
me straight on. No password, no public key, nothing. What in heaven's name
am I doing wrong? Here's my config file if anyone wants to look at it and
see what's wrong.

# This is ssh server systemwide configuration file. See sshd(8)
# for more information
Port 22
Protocol 2
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
# After 3 unauthenticated connections, refuse 50% of the new ones, and
# refuse any more than 10 total.
MaxStartups 3:50:10
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
ChallengeResponseAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
CheckMail yes
#UseLogin no
Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/libexec/sftp-server
AllowUsers mailuser
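
An added example, not part of the original post: a small Python check that reads sshd_config text and lists which authentication methods it leaves enabled, applying sshd's rule that the first value given for a keyword is the one used. The DEFAULTS table is an assumption taken from OpenSSH's sshd_config(5) and may differ by version; the sample text reuses a few lines of the posted config, and the second sample adds one constructed line.

```python
# Added example: report which sshd authentication methods a config leaves enabled.
# DEFAULTS is an assumption (OpenSSH sshd_config(5)); adjust it for your version.
# RSAAuthentication (protocol 1 only) and later "Match" blocks are not handled.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "hostbasedauthentication": "no",
    "permitemptypasswords": "no",
}

def effective_settings(config_text):
    """Parse sshd_config text; keywords are case-insensitive, first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        seen.setdefault(key, value)  # later duplicates are ignored, as sshd does
    return seen

def enabled_auth_methods(config_text):
    """Return the tracked keywords whose effective value is 'yes'."""
    settings = dict(DEFAULTS)
    settings.update(effective_settings(config_text))
    return sorted(k for k in DEFAULTS if settings[k] == "yes")

# Constructed samples: lines from the posted config, then the same lines
# preceded by a constructed earlier "yes" that shadows the later "no".
POSTED = """\
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
HostbasedAuthentication no
"""
SHADOWED = "PasswordAuthentication yes\n" + POSTED

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("shadowed", SHADOWED)):
        print(name, enabled_auth_methods(text))
```

Run it against the file the running sshd actually loads (the path given with -f, if one is used), since editing a different copy changes nothing.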