Re: FreeBSD, SSH and "Enter Authentication Response"

[Rishi Chopra]

I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh - 
I'm running a default minimal installation of FreeBSD 5.2:

etc/ssh/ssh_config:

#       $FreeBSD: src/crypto/openssh/ssh_config,v 1.21 2003/04/23 
17:10:53 des Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP no
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   VersionAddendum FreeBSD-20030423

/etc/pam.d/ssh

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn 
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn 
try_first_pass
#auth           sufficient      pam_ssh.so              no_warn 
try_first_pass
auth            required        pam_unix.so             no_warn 
try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
# session
#session        optional        pam_ssh.so
session         required        pam_permit.so
# password
#password       sufficient      pam_krb5.so             no_warn 
try_first_pass
password        required        pam_unix.so             no_warn 
try_first_pass

Any ideas what I should change?

-Rishi

Ruben de Groot wrote:

On Tue, Jan 13, 2004 at 11:55:50AM +0000, Matthew Seaman typed:
 

On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
   

I have a nitpicky question about logging into a FreeBSD machine and 
SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client 
v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
     

Which FreeBSD version?  And are you running the OpenSSH server
supplied with the system or one from ports?
   

Judging by name and version number, I think he's not running OpenSSH
at all, but the other ssh implementation from ssh.org
 

When I login to my machine, I'm prompted to enter an "authentication 
response".  A window is displayed with "Enter Authentication Response" 
in the title bar, and two buttons at the bottom ('OK' and 'Cancel') - 
the text says:

 Enter your authentication response.
 Password:
     

Sounds like you've got the PAM based challenge-response authentication
enabled in your /etc/ssh/sshd_config (which is the default), but
your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
modified configuration.
Here are a couple of things to try --

Turn off Challenge-response authentication in /etc/ssh/sshd_config 

Change:

   #ChallengeResponseAuthentication yes

to

   ChallengeResponseAuthentication no

and then:

   # kill -HUP `cat /var/run/sshd.pid`

to get it to reread the config.

-- or --

Double check the PAM settings: they should look like this in /etc/pam.conf

   # OpenSSH with PAM support requires similar modules.  The session one is
   # a bit strange, though...
   sshd    auth    sufficient      pam_skey.so
   sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
   #sshd   auth    requisite       pam_opieaccess.so
   #sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
   #sshd   auth    sufficient      pam_krb5.so                     try_first_pass
   sshd    auth    required        pam_unix.so                     try_first_pass
   sshd    account required        pam_unix.so
   sshd    password required       pam_permit.so
   sshd    session required        pam_permit.so
The /etc/pam.d case is similar, except you should have a file called
'sshd' in that directory, whose contents are similar, but without the
'sshd' entries in the first column.
	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                     Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
   



 

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"