NetBSD Problem Report #32313

From cjs@tabemo.com  Fri Dec 16 04:52:59 2005
Return-Path: <cjs@tabemo.com>
Received: from cjs.tabemo.com (host-222-228-110-2.b-base.svips.gol.ne.jp [222.228.110.2])
	by narn.netbsd.org (Postfix) with ESMTP id AE55D63B88D
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 16 Dec 2005 04:52:58 +0000 (UTC)
Message-Id: <20051216045242.D398A3F47B@cjs.tabemo.com>
Date: Fri, 16 Dec 2005 13:52:42 +0900 (JST)
From: cjs@tabemo.com
Reply-To: cjs@tabemo.com
To: gnats-bugs@netbsd.org
Subject: sshd 'PasswordAuthentication no' silently fails
X-Send-Pr-Version: 3.95

>Number:         32313
>Category:       bin
>Synopsis:       sshd 'PasswordAuthentication no' silently fails
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    jnemeth
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Dec 16 04:55:00 +0000 2005
>Closed-Date:    Tue May 03 13:06:27 +0000 2011
>Last-Modified:  Tue May 03 13:20:02 +0000 2011
>Originator:     Curt Sampson
>Release:        NetBSD 3.0_RC6
>Organization:
>Environment:
System: NetBSD cjs.tabemo.com 3.0_RC6 NetBSD 3.0_RC6 ($Id$) #0: Thu Dec 15 17:42:35 JST 2005 cjs@cjs.tabemo.com:/u/netbsd/src-3/sys/arch/i386/compile/TABEMO-3.WORKSTATION i386
Architecture: i386
Machine: i386
>Description:

    On a NetBSD-3.0 system, unlike NetBSD-2, by default, setting
    'PasswordAuthentication no' in the /etc/ssh/sshd_config file
    silently allows password authentication anyway.

>How-To-Repeat:

    Install NetBSD-3.0. Set 'PasswordAuthentication no' in the
    /etc/ssh/sshd_config. Try to log in using a password, and note that
    you can do so.

>Fix:

    Two possible fixes. I don't really have a preference, but 2) and 3)
    are much more work, so if we want to go that way, and can't implement
    it immediately, we should at least do 1) in the meantime. (That
    gives PAM users a fairly obvious failure rather than non-PAM users a
    subtle failure.)

    1) Change the default /etc/ssh/sshd_config to have 'UsePAM no'
    instead of 'UsePAM yes'.

    2) Change sshd not to start, but instead warn the user if
    incompatible options are set.

    3) Change PAM to use the /etc/ssh/sshd_config file, in addition to
    any of its own config files.

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/32313: sshd 'PasswordAuthentication no' silently fails
Date: Fri, 16 Dec 2005 10:11:38 +0100

 Side note: UsePAM seems to be undocumented. Its default seems to be "no".

 Martin


From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/32313
Date: Fri, 24 Apr 2009 12:16:33 -0400

 This appears to also happen on netbsd-5 (5.0rc4).
 I haven't looked into the sshd code yet to see why, however.
 -- 
 Matt

From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/32313: sshd 'PasswordAuthentication no' silently fails
Date: Fri, 24 Apr 2009 14:16:34 -0400

 I could put in a few minutes testing if

 UsePAM no
 PasswordAuthentication no

 works and can confirm it does on netbsd-5.  Although this does not seem
 like a proper fix, it might be good to at least document this in a
 comment in /etc/ssh/sshd_config and/or in sshd_config(5)...

 As it is, this could be considered to affect security, as an unknowing
 admin might simply disable password authentication as usual to only
 allow public key authentication, and think it works out-of-the-box,
 without performing a test.
 -- 
 Matt
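To audit a configuration for the combination Matt describes above, here is an added example in POSIX shell (not NetBSD's or OpenSSH's code). It assumes sshd's first-occurrence semantics for repeated keywords and the upstream defaults PasswordAuthentication yes and UsePAM no; the sample config at the end is constructed for the example.

```shell
#!/bin/sh
# Added example, not NetBSD's or OpenSSH's code: a config audit that flags the
# combination this PR describes, "PasswordAuthentication no" next to
# "UsePAM yes", which still lets sshd accept passwords through PAM.

# sshd_option FILE KEYWORD DEFAULT
# Print the first uncommented value of KEYWORD in FILE (sshd honours the first
# occurrence of a keyword), or DEFAULT when it is absent. "Keyword=value" is
# accepted, matching is case-insensitive, and scanning stops at the first
# "Match" block, whose settings are conditional rather than global.
sshd_option() {
    awk -v k="$2" -v d="$3" '
        { gsub(/=/, " "); $0 = $0 }   # treat "Keyword=value" like "Keyword value"
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# check_password_auth FILE
# Exit status 0: password logins are off; 1: the PR's silent failure (PAM still
# accepts passwords); 2: password authentication is plainly enabled.
check_password_auth() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)  # upstream default: yes
    pam=$(sshd_option "$1" UsePAM no)                  # upstream default: no (NetBSD sample: yes)
    if [ "$pw" = yes ]; then
        echo "$1: password authentication enabled"
        return 2
    fi
    if [ "$pam" = yes ]; then
        echo "$1: PasswordAuthentication no but UsePAM yes; passwords still accepted via PAM"
        return 1
    fi
    echo "$1: password authentication disabled"
    return 0
}

# Constructed sample resembling the NetBSD 3.0 default described in the PR.
sample=$(mktemp) && printf '%s\n' \
    '# sample sshd_config (constructed for this example)' \
    'PasswordAuthentication no' \
    'UsePAM yes' > "$sample"
check_password_auth "$sample" || true   # prints the warning, exit status 1
rm -f "$sample"
```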

Responsible-Changed-From-To: bin-bug-people->jnemeth
Responsible-Changed-By: jnemeth@NetBSD.org
Responsible-Changed-When: Thu, 30 Jul 2009 19:40:48 +0000
Responsible-Changed-Why:
take


State-Changed-From-To: open->closed
State-Changed-By: jruoho@NetBSD.org
State-Changed-When: Tue, 03 May 2011 13:06:27 +0000
State-Changed-Why:

I fixed this within the sample 'sshd_config', as suggested by
Matthew Mondor. If you are still planning a better fix, please reopen.



From: "Jukka Ruohonen" <jruoho@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/32313 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Tue, 3 May 2011 13:04:00 +0000

 Module Name:	src
 Committed By:	jruoho
 Date:		Tue May  3 13:04:00 UTC 2011

 Modified Files:
 	src/crypto/external/bsd/openssh/dist: sshd_config

 Log Message:
 Clarify the comment on how to disable password authentication (i.e. the
 combination of PasswordAuthentication=no and UsePam=yes still allows password
 authentication). Fixes PR bin/32313 from Curt Sampson.


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssh/dist/sshd_config

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
