January 9, 2008, 4:05 pm
never by password. I built a new version of ssh to do this as the
version on sles 9 is too old. The server sees and recognises the
match (see partial logs below), but does allow password login even
though the match correctly says passwordauthentication no. This is on
a sles9 server with openssh 4.7p1.
Can anyone spot an issue?
Server 4.7 : Local version string SSH-2.0-OpenSSH_4.7
on sles 9 system
running on port 77 sshd -ddd -p 77 I get verbose output
When I use in sshd_config
Match User xxxx or match user xxx I get on the ssh server upon login
debug3: checking match for 'user leonardz' user leonardz host cn-r1-4
debug1: user leonardz matched 'User leonardz' at line 124
debug3: match found
debug3: reprocess config:125 setting RSAAuthentication yes
debug3: reprocess config:126 setting passwordauthentication no
after being prompted for a password at the client end I see:
debug1: do_pam_account: called
debug3: mm_request_send entering: type 47
Accepted keyboard-interactive/pam for leonardz from 192.168.1.4 port
debug1: monitor_child_preauth: leonardz has been authenticated by
debug3: mm_get_keystate: Waiting for new keys
and I am logged in by password.
Re: Match user not working
No, you're logged in by keyboard-interactive (via PAM).
Depending on what PAM is configured to do, keyboard-interactive may
or may not be a password (eg it could be a challenge/response token)
but sshd has no way to tell. There's a warning to this effect in the
sshd_config(5) man page:
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
either PasswordAuthentication or ChallengeResponseAuthentication.
Unfortunately (for reasons of backward compatibility) you can't
set ChallengeResponseAuthentication in a Match block but you can set
KbdInteractiveAuthentication, which is the Protocol 2 method. To prevent
your user from using Protocol 1 challenge-response, what you want to
Match user whatever
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
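A small audit script, added here as an example and not code from the thread or from OpenSSH, that checks for the exact configuration the reply describes: a Match block that turns PasswordAuthentication off but leaves keyboard-interactive (PAM) reachable, and a cross-check of sshd "Accepted ..." log lines against those blocks. The config fragment, the log lines and the "all three keywords default to yes" assumption are constructed for the example; only a single "User" Match criterion is understood, and ChallengeResponseAuthentication is read from the global scope only, since the reply notes it cannot be set inside Match.

```python
# Added example (not from the original thread or OpenSSH): audit an
# sshd_config for Match blocks that disable PasswordAuthentication but
# leave keyboard-interactive (PAM) enabled, and flag "Accepted" log lines
# for users those blocks were meant to restrict.
import re

# Assumed defaults (sshd_config(5), OpenSSH 4.x): all three are "yes".
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# Constructed sshd_config fragment modelled on the thread's description.
SAMPLE_CONFIG = """
PasswordAuthentication yes
UsePAM yes

Match User leonardz
    RSAAuthentication yes
    PasswordAuthentication no

Match User backup
    PasswordAuthentication no
    KbdInteractiveAuthentication no
"""

# Constructed log lines in the shape sshd prints when a login is accepted.
SAMPLE_LOG = [
    "Accepted keyboard-interactive/pam for leonardz from 192.168.1.4 port 51234 ssh2",
    "Accepted publickey for backup from 192.168.1.9 port 40022 ssh2",
    "Accepted password for alice from 192.168.1.20 port 40100 ssh2",
]


def parse_sshd_config(text):
    """Split sshd_config into global settings plus an ordered list of
    (match_criteria, settings). Keywords are lowercased; every line after a
    Match line belongs to that block until the next Match line."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            current[key] = value
    return global_opts, blocks


def match_users(criteria):
    """Users named by a 'User a,b' Match criterion (other criteria ignored)."""
    m = re.match(r"user\s+(\S+)", criteria, re.IGNORECASE)
    return set(m.group(1).split(",")) if m else set()


def effective(key, block, global_opts):
    """Value in force inside a Match block: block, then global, then default."""
    return block.get(key, global_opts.get(key, DEFAULTS[key])).lower()


def audit_config(text):
    """Criteria of each Match block where password logins are 'off' but
    keyboard-interactive can still carry a PAM password prompt."""
    global_opts, blocks = parse_sshd_config(text)
    crs_key = "challengeresponseauthentication"
    crs = global_opts.get(crs_key, DEFAULTS[crs_key]).lower()  # global only
    findings = []
    for criteria, block in blocks:
        pw = effective("passwordauthentication", block, global_opts)
        kbd = effective("kbdinteractiveauthentication", block, global_opts)
        if pw == "no" and kbd == "yes" and crs == "yes":
            findings.append(criteria)
    return findings


ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")


def check_log(config_text, log_lines):
    """(user, method) pairs where a user covered by a 'PasswordAuthentication
    no' Match block still got in via password or keyboard-interactive."""
    _, blocks = parse_sshd_config(config_text)
    restricted = set()
    for criteria, block in blocks:
        if block.get("passwordauthentication", "").lower() == "no":
            restricted |= match_users(criteria)
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        method, user = m.group(1), m.group(2)
        if user in restricted and (
            method == "password" or method.startswith("keyboard-interactive")
        ):
            hits.append((user, method))
    return hits


if __name__ == "__main__":
    print("Match blocks still reachable via PAM:", audit_config(SAMPLE_CONFIG))
    print("Suspicious accepted logins:", check_log(SAMPLE_CONFIG, SAMPLE_LOG))
```

Against the sample config the audit reports the "User leonardz" block (password off, keyboard-interactive still on) and not the "User backup" block, which also sets KbdInteractiveAuthentication no; the log check then flags the keyboard-interactive/pam login for leonardz, which is the situation in the original post's sshd -ddd output.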