Bug 204475

Summary: security/openssh-portable: documentation: fully disabling password authentication
Product: Ports & Packages
Reporter: Mark.Martinec
Component: Individual Port(s)
Assignee: Bryan Drewery <bdrewery>
Status: Closed FIXED
Severity: Affects Some People
Flags: bugzilla: maintainer-feedback? (bdrewery)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Mark.Martinec 2015-11-11 18:01:16 UTC
When installing the openssh-portable (7.1.p1_2,1) the following
advice is displayed:

  [...]
  Users are encouraged to create single-purpose users with ssh keys, disable
  Password auth with 'PasswordAuthentication no' and define very narrow sudo
  privileges instead of using root for automated tasks.

which is half-true / misleading.

Actually it is necessary to also set:

  ChallengeResponseAuthentication no

otherwise the PAM mechanism will still allow authentication
through a password if authentication with a key fails,
leaving a host open to password-guessing attacks.
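The point of the report is that `PasswordAuthentication no` alone is not enough: with PAM in play, `ChallengeResponseAuthentication` must also be `no`, or sshd will still take a password through keyboard-interactive auth. The following shell snippet is an added example, not part of the bug report or of the port; it audits an sshd_config text for both keywords using the same first-match-wins rule sshd applies, and falls back to the upstream defaults (both `yes`) when a keyword is absent. The two embedded configs are constructed samples, one reflecting the original pkg-message advice and one reflecting the corrected advice; no sshd installation is needed to run it.

```shell
# Added example (not from the bug report or the openssh-portable port):
# check whether an sshd_config fragment fully disables password-based login.
# Only the plain "Keyword value" form is handled, and Match blocks are
# ignored, which is enough for a top-level audit of these two settings.

# sshd_opt CONFIG_TEXT KEYWORD
# Prints the lower-cased value of the first non-comment occurrence of
# KEYWORD (keyword match is case-insensitive, as in sshd); prints nothing
# if the keyword is not set.
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# password_auth_state CONFIG_TEXT
# Prints one of:
#   disabled   - both PasswordAuthentication and ChallengeResponseAuthentication are "no"
#   still-open-via-challenge-response - only PasswordAuthentication is "no"
#                (the misleading state the bug report describes)
#   enabled    - PasswordAuthentication is not "no"
password_auth_state() {
    pw=$(sshd_opt "$1" PasswordAuthentication)
    cr=$(sshd_opt "$1" ChallengeResponseAuthentication)
    # Upstream defaults when a keyword is absent: both are "yes".
    pw=${pw:-yes}
    cr=${cr:-yes}
    if [ "$pw" = no ] && [ "$cr" = no ]; then
        echo disabled
    elif [ "$pw" = no ]; then
        echo still-open-via-challenge-response
    else
        echo enabled
    fi
}

# Constructed sample: what the original pkg-message advice leads to.
HALF_FIXED='
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
'

# Constructed sample: the corrected advice from the bug report.
FULLY_FIXED='
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
'

# Stand-alone usage: report the state of each sample.
printf 'half-fixed config:  %s\n' "$(password_auth_state "$HALF_FIXED")"
printf 'fully-fixed config: %s\n' "$(password_auth_state "$FULLY_FIXED")"
```

To audit a live host the same function can be fed the output of `cat /etc/ssh/sshd_config`; the keyword lookup deliberately mirrors sshd's "first occurrence wins" behaviour so that a stray earlier `PasswordAuthentication yes` is reported rather than masked by a later `no`.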
Comment 1 Bryan Drewery freebsd_committer freebsd_triage 2015-11-11 18:05:00 UTC
Good catch. I had that in my local setup as well. I've updated the message.
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-11-11 18:05:42 UTC
A commit references this bug:

Author: bdrewery
Date: Wed Nov 11 18:04:41 UTC 2015
New revision: 401289
URL: https://svnweb.freebsd.org/changeset/ports/401289

Log:
  Update advice to disable ChallengeResponseAuthentication for key usage.

  PR:		204475
  Reported by:	Mark.Martinec@ijs.si

Changes:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/pkg-message