CyberLeo Kitsana wrote:

Rakhesh Sasidharan wrote:
Any ideas or nudges in the right direction as to why this is happening?
Looks like I've understood the interaction between SSH and PAM wrong
here, so would appreciate some enlightenment.

According to my understanding of the SSH protocol, you're continually
asked because an authentication failure is not a fatal error.

When authenticating an SSH session, a list of mutually supported methods
is compiled (public-key, challenge-response, S/Key,
keyboard-interactive, plaintext) and the client cycles through the list
based on what it thinks is most likely to work.

It's perfectly acceptable for a client to attempt password
authentication before public-key, or even interleave them. All the
server can do is say yay or nay to an attempt with a restricted method,
because it cannot know if the next attempt may utilize an allowed method.

After the requisite three or five failed attempts (depending on the
server config), it may send a general failure code (too many failed
attempts) and disconnect the client at its discretion.

Here's another oddity I encountered today.

If "PermitRootLogin" is set to "forced-commands-only", my understanding is the SSHD will permit root logins if a command to be executed is given. But that doesn't seem to be the case in practice! I have keys set up for root to login, but instead of letting me in with those keys, SSHD ignores them, passes me to PAM for password prompting (three times) and then denies me out! Very strange.

I even set up a "Match User" clause for root and specified a command to run. Still, SSHD refuses to let me in with/without key and for a specific command.

Regards,
                                - Rakhesh
                                http://rakhesh.net/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions