Bug 43776

Summary: /etc/sshd_config settings overridden by PAM but not documented
Product: Documentation
Reporter: Archie Cobbs <archie>
Component: Books & Articles
Assignee: freebsd-doc (Nobody) <doc>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Archie Cobbs 2002-10-07 19:10:11 UTC
	The basic problem is that FreeBSD now ships with PAM enabled
	for sshd, yet the man pages for sshd do not accurately reflect
	this.

	So it's possible for an admin to think they are configuring sshd
	one way but unknowingly opening a security hole.

	Not only possible but it happened on a machine that I
	administer. Fortunately I found out when I accidentally
	ssh'd into the machine without having done 'ssh-add' for the
	RSA key, and it asked me for a password, and I entered it
	and it let me in!

	This happened even though I had these settings in sshd_config:

		PasswordAuthentication no
		PermitRootLogin without-password

	This is an accident waiting to happen.

Fix: 

See email exchange below.

From cjohnson@palomine.net Fri Sep 27 14:55:01 2002
Return-path: <cjohnson@palomine.net>
Mail-Followup-To: freebsd-stable@freebsd.org,
  archie@dellroad.org
Date: Fri, 27 Sep 2002 17:54:34 -0400
From: Chris Johnson <dcj-dated-1033163462.npbbkdfc@palomine.net>
To: Archie Cobbs <archie@dellroad.org>
cc: freebsd-stable@freebsd.org
Message-ID: <20020927215434.GA94394@palomine.net>
References: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>
In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote:
> Yow! I was surprised to notice that setting these parameters:

How-To-Repeat:
	Take stock 4.7-RC system, and change sshd_config to have this:

		PasswordAuthentication no
		PermitRootLogin without-password

	These settings have NO EFFECT, because PAM overrides them.

	Although the man page says that "PAMAuthenticationViaKbdInt" enables
	PAM, actually it appears that "ChallengeResponseAuthentication"
	enables PAM. Or something like that.
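
Added example (not part of the original report, and not FreeBSD or OpenSSH code): an offline check for the condition described above, where the two password-restricting settings are present but ChallengeResponseAuthentication is not explicitly disabled. The function names, the sample configs and the assumed default of "yes" for an absent ChallengeResponseAuthentication keyword are assumptions of this example.

```python
import re

# Assumption (not stated on the page): an absent ChallengeResponseAuthentication
# keyword means "yes". Adjust to the defaults of the sshd build being audited.
ASSUMED_DEFAULTS = {"challengeresponseauthentication": "yes"}


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    Keywords are case-insensitive and sshd keeps the first value it reads.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """List settings the report says have no effect while challenge-response
    authentication (the PAM path) stays enabled."""
    cfg = {**ASSUMED_DEFAULTS, **parse_sshd_config(text)}
    if cfg["challengeresponseauthentication"] == "no":
        return []
    findings = []
    if cfg.get("passwordauthentication") == "no":
        findings.append("PasswordAuthentication no")
    if cfg.get("permitrootlogin") == "without-password":
        findings.append("PermitRootLogin without-password")
    return findings


# Constructed sample: the two lines from the report, nothing else set.
REPORTED = "PasswordAuthentication no\nPermitRootLogin without-password\n"
# Constructed sample: same, with challenge-response explicitly disabled.
HARDENED = REPORTED + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, sample in (("reported", REPORTED), ("hardened", HARDENED)):
        print(name, audit(sample) or "no conflict found")
```

A static check like this only reads the file; confirming the result with a login attempt that has no key loaded, as the reporter did by accident, shows what the running daemon actually accepts.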

Comment 1 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2003-06-06 07:36:59 UTC
State Changed
From-To: open->closed

Fixed.