NetBSD-Bugs archive
bin/41812: sshd config enables both password *and* pam (keyboard-interactive)
>Number: 41812
>Category: bin
>Synopsis: as shipped, sshd enables both password and PAM. thus securing requires turning off both.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 04 07:30:00 +0000 2009
>Originator: George Michaelson
>Release: NetBSD 5.0
>Organization:
>Environment:
System: NetBSD sploid 5.0 NetBSD 5.0 (GENERIC) #0: Sun Apr 26 18:50:08 UTC 2009
builds%b6.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-RELEASE/i386/200904260229Z-obj/home/builds/ab/netbsd-5-0-RELEASE/src/sys/arch/i386/compile/GENERIC
i386
Architecture: i386
Machine: i386
>Description:
ok. So, I decided to enable SSH key-only access back to my home host. But, it
turns out that you can't disable password login with one sshd_config change:
you have to BOTH disable PAM and the password entry. Because, one is 'password'
and the other is 'keyboard-interactive' (duh! like, is that not the same thing?)
>How-To-Repeat:
run a 5.0 install, try and disable ssh login access with password
>Fix:
man sshd | grep eyboard-interactive          (no match)
man sshd_config | grep eyboard-interactive   (no match)
man sshd | grep -i pam                       (no match)
man sshd_config | grep -i pam                (no match)
Hmm. so, the default turns ON pam, but, doesn't document the implications?
I'd suggest something like:
By default, sshd is shipped in NetBSD 5.0 with password login accepted
from both PAM and normal login processing. If you want a more secure
sshd, you should probably restrict it to key-based authentication only.
To disable password login, you must define BOTH the
PasswordAuthentication no
and
UsePAM no
settings in /etc/sshd/sshd_config
>Unformatted:
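An added example, not part of this PR or of NetBSD's own tooling: a small sh audit that reads an sshd_config the way sshd does (case-insensitive keywords, '#' comments, first value wins) and reports every password-style path still open. It goes one step beyond the PR's two settings by also checking ChallengeResponseAuthentication, the keyword that controls the keyboard-interactive method PAM rides on; Match blocks are not parsed, and the two config files are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not NetBSD's code): audit an sshd_config for the situation the
# PR describes, i.e. password entry still reachable after only one "no" was set.
# Parsing follows sshd's rules: keywords are case-insensitive, '#' starts a
# comment, and the first value seen for a keyword wins.  Match blocks are ignored.

# sshd_get FILE KEYWORD DEFAULT -> effective value, or DEFAULT when unset.
sshd_get() {
    val=$(sed 's/#.*//' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# sshd_password_open FILE -> prints each still-open password path; exit 0 if none.
sshd_password_open() {
    f=$1 open=0
    [ "$(sshd_get "$f" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication still on ('password' method)"; open=1; }
    # PAM reaches sshd through keyboard-interactive, so both of these matter too.
    [ "$(sshd_get "$f" UsePAM no)" = no ] ||
        { echo "UsePAM still on (the NetBSD 5.0 shipped file sets it to yes)"; open=1; }
    [ "$(sshd_get "$f" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "ChallengeResponseAuthentication still on ('keyboard-interactive' method)"; open=1; }
    return $open
}

# Constructed sample configs (illustration only, not real files from a system).
TMPD=$(mktemp -d) || exit 1
trap 'rm -rf "$TMPD"' EXIT
SHIPPED=$TMPD/shipped; HARDENED=$TMPD/hardened
cat > "$SHIPPED" <<'EOF'
# what the report describes: only one knob turned off
PasswordAuthentication no
UsePAM yes
EOF
cat > "$HARDENED" <<'EOF'
passwordauthentication no   # keyword case does not matter to sshd
UsePAM no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

for f in "$SHIPPED" "$HARDENED"; do
    echo "== $f"; sshd_password_open "$f" && echo "key-only: OK"
done
```

Running it prints two findings for the "shipped" file and "key-only: OK" for the hardened one.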