NetBSD Problem Report #32313
From cjs@tabemo.com Fri Dec 16 04:52:59 2005
Return-Path: <cjs@tabemo.com>
Received: from cjs.tabemo.com (host-222-228-110-2.b-base.svips.gol.ne.jp [222.228.110.2])
by narn.netbsd.org (Postfix) with ESMTP id AE55D63B88D
for <gnats-bugs@gnats.NetBSD.org>; Fri, 16 Dec 2005 04:52:58 +0000 (UTC)
Message-Id: <20051216045242.D398A3F47B@cjs.tabemo.com>
Date: Fri, 16 Dec 2005 13:52:42 +0900 (JST)
From: cjs@tabemo.com
Reply-To: cjs@tabemo.com
To: gnats-bugs@netbsd.org
Subject: sshd 'PasswordAuthentication no' silently fails
X-Send-Pr-Version: 3.95
>Number: 32313
>Category: bin
>Synopsis: sshd 'PasswordAuthentication no' silently fails
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: jnemeth
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Dec 16 04:55:00 +0000 2005
>Closed-Date: Tue May 03 13:06:27 +0000 2011
>Last-Modified: Tue May 03 13:20:02 +0000 2011
>Originator: Curt Sampson
>Release: NetBSD 3.0_RC6
>Organization:
>Environment:
System: NetBSD cjs.tabemo.com 3.0_RC6 NetBSD 3.0_RC6 ($Id$) #0: Thu Dec 15 17:42:35 JST 2005 cjs@cjs.tabemo.com:/u/netbsd/src-3/sys/arch/i386/compile/TABEMO-3.WORKSTATION i386
Architecture: i386
Machine: i386
>Description:
On a NetBSD-3.0 system, unlike NetBSD-2, by default, setting
'PasswordAuthentication no' in the /etc/ssh/sshd_config file
silently allows password authentication anyway.
>How-To-Repeat:
Install NetBSD-3.0. Set 'PasswordAuthentication no' in the
/etc/ssh/sshd_config. Try to log in using a password, and note that
you can do so.
>Fix:
Two possible fixes. I don't really have a preference, but 2) and 3)
are much more work, so if we want to go that way, and can't implement
it immediately, we should at least do 1) in the meantime. (That
gives PAM users a fairly obvious failure rather than non-PAM users a
subtle failure.)
1) Change the default /etc/ssh/sshd_config to have 'UsePAM no'
instead of 'UsePAM yes'.
2) Change sshd not to start, but instead warn the user if
incompatible options are set.
3) Change PAM to use the /etc/ssh/sshd_config file, in addition to
any of its own config files.
>Release-Note:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/32313: sshd 'PasswordAuthentication no' silently fails
Date: Fri, 16 Dec 2005 10:11:38 +0100
Side note: UsePAM seems to be undocumented. Its default seems to be "no".
Martin
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/32313
Date: Fri, 24 Apr 2009 12:16:33 -0400
This appears to also happen on netbsd-5 (5.0rc4).
I haven't looked into the sshd code yet to see why, however.
--
Matt
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/32313: sshd 'PasswordAuthentication no' silently fails
Date: Fri, 24 Apr 2009 14:16:34 -0400
I could put in a few minutes testing if
UsePAM no
PasswordAuthentication no
works and can confirm it does on netbsd-5. Although this does not seem
like a proper fix, it might be good to at least document this in a
comment in /etc/ssh/sshd_config and/or in sshd_config(5)...
As it is, this could be considered to affect security, as an unknowing
admin might simply disable password authentication as usual to only
allow public key authentication, and think it works out-of-the-box,
without performing a test.
--
Matt
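A small config audit for the pitfall described in the report and confirmed above, written here as an added example rather than code from the PR or from OpenSSH: it parses an sshd_config the way sshd(8) reads it (case-insensitive keywords, first value wins, '#' comments) and flags 'PasswordAuthentication no' combined with 'UsePAM yes'. The sample config and the `usepam_default` parameter are assumptions for illustration; the thread gives conflicting information on the built-in UsePAM default, so the caller chooses it.

```python
import re
from typing import Dict, List

# Constructed sample resembling the NetBSD 3.0 default sshd_config from the
# report: password authentication switched off, but UsePAM left at 'yes'.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not a real file)
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes
PubkeyAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> effective value as sshd would see it.

    Keywords are case-insensitive, '#' begins a comment, and for each
    keyword the FIRST value obtained is used, so later duplicates are
    ignored.  Match blocks are deliberately not modelled here.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both 'Keyword value' and 'Keyword=value'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit_password_auth(text: str, usepam_default: str = "no") -> List[str]:
    """Flag the combination reported in PR bin/32313.

    usepam_default is an assumption supplied by the caller: the thread
    reports the compiled-in default as 'no' while the shipped sample
    config sets 'yes'.  PasswordAuthentication defaults to 'yes'.
    """
    cfg = parse_sshd_config(text)
    pw = cfg.get("passwordauthentication", "yes").lower()
    pam = cfg.get("usepam", usepam_default).lower()
    findings: List[str] = []
    if pw == "no" and pam == "yes":
        findings.append("PasswordAuthentication=no with UsePAM=yes: password "
                        "logins may still succeed via PAM (PR bin/32313); "
                        "set 'UsePAM no' and verify with a real login test.")
    return findings
```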
Responsible-Changed-From-To: bin-bug-people->jnemeth
Responsible-Changed-By: jnemeth@NetBSD.org
Responsible-Changed-When: Thu, 30 Jul 2009 19:40:48 +0000
Responsible-Changed-Why:
take
State-Changed-From-To: open->closed
State-Changed-By: jruoho@NetBSD.org
State-Changed-When: Tue, 03 May 2011 13:06:27 +0000
State-Changed-Why:
I fixed this within the sample 'sshd_config', as suggested by
Matthew Mondor. If you are still planning a better fix, please reopen.
From: "Jukka Ruohonen" <jruoho@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/32313 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Tue, 3 May 2011 13:04:00 +0000
Module Name: src
Committed By: jruoho
Date: Tue May 3 13:04:00 UTC 2011
Modified Files:
src/crypto/external/bsd/openssh/dist: sshd_config
Log Message:
Clarify the comment on how to disable password authentication (i.e. the
combination of PasswordAuthentication=no and UsePam=yes still allows password
authentication). Fixes PR bin/32313 from Curt Sampson.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssh/dist/sshd_config
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: