Short version: change 5ef0f821ecc6c892cb7a8ca232a24b7c0e3e5aab forgot to actually uncomment their setting, so it is without effect and only deceiving the operator (and seriously so).

Long version: Installing beforementioned port produces a default sshd server configuration in /usr/local/etc/ssh/sshd_config that contains this stanza:

    # To enable tunneled clear text passwords, change to yes here!
    #PasswordAuthentication no
    #PermitEmptyPasswords no

This *SHOULD* mean that PasswordAuthentication is *OFF by default*, and need only be uncommented if desired to be otherwise. Just the same as with our sshd from base, where it works correctly.

Here it doesn't, as you can see when trying to connect with option -v:

    debug1: Authentications that can continue: publickey,password,keyboard-interactive

Only after *actually uncommenting* the setting:

    # To enable tunneled clear text passwords, change to yes here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

now we get the desired behaviour:

    debug1: Authentications that can continue: publickey,keyboard-interactive

And yes, this is 15 years old. I don't believe it.
Peter, have you compiled OpenSSH without PAM support (UsePAM=NO)?

The comments in sshd_config are correct IF OpenSSH (with patch-servconf.c) is compiled with PAM support enabled. PAM support is enabled by default in the port. When PAM is enabled, password authentication is controlled by KbdInteractiveAuthentication (ChallengeResponseAuthentication is a deprecated alias).

If it's compiled without PAM support the comment should read:

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes

[1] https://cgit.freebsd.org/ports/tree/security/openssh-portable/files/patch-servconf.c
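The distinction discussed in the report and the reply above, as an added example that is not part of the bug report or the port: a shell function that tells an uncommented directive apart from a commented hint, for which the compiled-in default applies. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies a keyword in the global section of an sshd_config:
#   explicit:<value>   uncommented line, the value sshd actually reads
#   commented:<value>  only a "#Keyword value" hint, the compiled-in default applies
#   absent             not mentioned at all
sshd_directive_state() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" '
        BEGIN { key = tolower(key); state = "absent" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = 0
            if (line ~ /^#/) { commented = 1; sub(/^#[ \t]*/, "", line) }
            # keyword and argument are separated by whitespace or one "="
            n = split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (n < 2) next
            kw = tolower(f[1])
            if (!commented && kw == "match") exit      # leave at first Match block
            if (kw != key) next
            if (!commented) { state = "explicit:" tolower(f[2]); exit }  # first value wins
            if (state == "absent") state = "commented:" tolower(f[2])
        }
        END { print state }
    ' "$1"
}

# Constructed samples: the stanza quoted in the report, before and after uncommenting.
write_samples() {   # $1 = directory to write into
    cat > "$1/port_default" <<'EOF'
# To enable tunneled clear text passwords, change to yes here!
#PasswordAuthentication no
#PermitEmptyPasswords no
EOF
    cat > "$1/uncommented" <<'EOF'
# To enable tunneled clear text passwords, change to yes here!
PasswordAuthentication no
#PermitEmptyPasswords no
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in port_default uncommented; do
    printf '%s: %s\n' "$f" "$(sshd_directive_state "$demo_dir/$f" PasswordAuthentication)"
done
rm -rf "$demo_dir"
```

A `commented:` result means the value in force comes from the build, not from the file; on a running host `sshd -T` prints the effective settings, compiled-in defaults included.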
Yes, exactly. I am using Kerberos only, so I switched off everything else - assuming that what is not compiled cannot have bugs. Apparently I was wrong.
Created attachment 231761
fix docs when built without PAM support

I've attached a patch to fix this.

Subject: [PATCH] security/openssh-portable: fix docs when built without PAM support

The defaults documented in sshd_config and sshd_config.5 are incorrect if OpenSSH was built without PAM support and can be misleading to the user whether or not password authentication is enabled.

- Moved PAM specific changes out of patch-sshd_config and into extra-patch-pam-sshd_config
- sshd_config.5 PasswordAuthentication: added a new line before the note to make it easier to read.
- sshd_config.5 UsePAM: noted the default value depends on whether sshd was built with or without PAM support.

---
 security/openssh-portable/Makefile | 4 ++-
 .../files/extra-patch-pam-sshd_config | 31 ++++++++++++++++++
 .../openssh-portable/files/patch-sshd_config | 32 ++-----------------
 .../files/patch-sshd_config.5 | 26 ++++++++-------
Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=418bb1fbd26b1b66b71096b364b0ee10477541b7

commit 418bb1fbd26b1b66b71096b364b0ee10477541b7
Author: Andrew Fyfe <andrew@neptune-one.net>
AuthorDate: 2022-02-11 17:13:39 +0000
Commit: Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:59:09 +0000

    security/openssh-portable: fix docs when built without PAM support

    The defaults documented in sshd_config and sshd_config.5 are incorrect if OpenSSH was built without PAM support and can be misleading to the user whether or not password authentication is enabled.

    - Moved PAM specific changes out of patch-sshd_config and into extra-patch-pam-sshd_config
    - sshd_config.5 PasswordAuthentication: added a new line before the note to make it easier to read.
    - sshd_config.5 UsePAM: noted the default value depends on whether sshd was built with or without PAM support.

    PR: 261342

 security/openssh-portable/Makefile | 4 ++-
 .../files/extra-patch-pam-sshd_config (new) | 31 +++++++++++++++++++
 security/openssh-portable/files/patch-sshd_config | 35 ++++------------------
 .../openssh-portable/files/patch-sshd_config.5 | 26 +++++++++-------
 4 files changed, 55 insertions(+), 41 deletions(-)