Bug 204475 - security/openssh-portable: documentation: fully disabling password authentication
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Bryan Drewery
Depends on:
Reported: 2015-11-11 18:01 UTC by Mark.Martinec
Modified: 2015-11-11 18:05 UTC
bugzilla: maintainer-feedback? (bdrewery)

Description Mark.Martinec 2015-11-11 18:01:16 UTC
When installing the openssh-portable (7.1.p1_2,1) the following
advice is displayed:

  Users are encouraged to create single-purpose users with ssh keys, disable
  Password auth with 'PasswordAuthentication no' and define very narrow sudo
  privileges instead of using root for automated tasks.

which is half-true / misleading.

Actually it is necessary to also set:

  ChallengeResponseAuthentication no

otherwise the PAM mechanism will still allow authentication
through a password if authentication with a key fails,
leaving a host open to password-guessing attacks.
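As an added check that is not part of the bug report or of the openssh-portable port, the shell functions below read an sshd_config file and report whether both directives named above are set to no. They follow sshd's own parsing rules for the global section (case-insensitive keywords, `Keyword value` or `Keyword=value`, first occurrence wins); Match blocks are skipped, since settings there apply only to the matched users and need their own review.

```sh
#!/bin/sh
# Added example (not from the bug report or the openssh-portable port):
# audit an sshd_config for the two directives that must BOTH be "no"
# before password logins are really closed. PasswordAuthentication alone
# leaves the PAM keyboard-interactive path open, as the report describes.
# Parsing mirrors sshd: keywords are case-insensitive, "Keyword value" and
# "Keyword=value" are both accepted, and the FIRST occurrence of a keyword
# in the global section wins. Match blocks are skipped on purpose.

# effective_value FILE KEYWORD -> prints the first global value, lower-cased,
# or "default" when the keyword is absent (both keywords default to yes).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/[ \t]*=[ \t]*/, " ") }          # normalise Keyword=value
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match" { inmatch = 1 } # everything after Match is per-user
        inmatch { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# password_auth_closed FILE -> exit status 0 only when both are explicitly "no"
password_auth_closed() {
    pw=$(effective_value "$1" PasswordAuthentication)
    cr=$(effective_value "$1" ChallengeResponseAuthentication)
    printf 'PasswordAuthentication=%s ChallengeResponseAuthentication=%s\n' "$pw" "$cr"
    [ "$pw" = no ] && [ "$cr" = no ]
}
```

Run it as `password_auth_closed /etc/ssh/sshd_config` (or against the port's config path) and treat any value other than `no` for either keyword as a finding.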
Comment 1 Bryan Drewery freebsd_committer 2015-11-11 18:05:00 UTC
Good catch. I had that in my local setup as well. I've updated the message.
Comment 2 commit-hook freebsd_committer 2015-11-11 18:05:42 UTC
A commit references this bug:

Author: bdrewery
Date: Wed Nov 11 18:04:41 UTC 2015
New revision: 401289
URL: https://svnweb.freebsd.org/changeset/ports/401289

  Update advice to disable ChallengeResponseAuthentication for key usage.

  PR:		204475
  Reported by:	Mark.Martinec@ijs.si