Re: FreeBSD, SSH and "Enter Authentication Response"

2004-03-11 Thread J. Fowler
Hi,

I saw your post regarding the "nitpicking" with the "Enter 
Authentication Response" while authing with an SSH client. We have a 
very similar setup to yours and I am seeing the same thing. I was 
wondering if you found a solution and if you would be willing to share.

Sincerely,

Jay

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: FreeBSD, SSH and "Enter Authentication Response"

2004-03-10 Thread Rishi Chopra
To quote Ringo Starr ala The Simpsons, "Please forgive the lateness of 
my reply".

Matthew: Your suggestion worked beautifully.  Changing 
/etc/ssh/sshd_config solved my "confirmation login" problem quite 
nicely.  Just to confirm, I am running the version of SSH that comes 
standard with FreeBSD 5.1-RELEASE.

--
Rishi Chopra
http://www.ocf.berkeley.edu/~rchopra

Matthew Seaman wrote:
> On Tue, Jan 13, 2004 at 01:30:15PM -0800, Rishi Chopra wrote:
>
>> I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh -
>> I'm running a default minimal installation of FreeBSD 5.2:
>>
>> etc/ssh/ssh_config:
>
> Um... /etc/ssh/sshd_config is more to the point -- ssh_config is for
> the client side, ssh*d*_config is for the server side.
>
> However if you've just installed the system then chances are the
> sshd_config is unmodified from the default settings.
>
> Try turning off the challenge-response stuff as I suggested in my
> earlier e-mail. ie. make it so that sshd_config contains:
>
> ChallengeResponseAuthentication no
>
>> /etc/pam.d/ssh
>
> That looks fine.
>
> Hmmm... This does look like a peculiar interaction of your particular
> SSH client software and the OpenSSH server code on FreeBSD.
>
> Normally I'd suggest running the client side connection with debugging
> turned up high, eg:
>
> % ssh -v -v -v host.example.com
>
> but I don't know what the equivalent of that is for the client
> software you're using.
>
> A very good diagnostic test though is to run the server side with the
> debugging turned up.  A good trick is to run it on an alternative port
> so you can run it in parallel with your regular sshd. eg:
>
> # sshd -d -d -d -p 24
>
> You can then connect to the alternate port by:
>
> % ssh -p 24 host.example.com
>
> This will produce quite a lot of output, and exit after the ssh
> session.  By comparing this output to the equivalent output from a
> machine where you don't have the problem you should be able to tell
> what the FreeBSD box is doing differently, and maybe work out how to
> fix it.  Be aware that the full debug output from sshd should not be
> published as it can contain privileged information.
>
> Cheers,
>
> Matthew



Re: FreeBSD, SSH and "Enter Authentication Response"

2004-01-13 Thread Matthew Seaman
On Tue, Jan 13, 2004 at 01:30:15PM -0800, Rishi Chopra wrote:
> I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh - 
> I'm running a default minimal installation of FreeBSD 5.2:
 
> etc/ssh/ssh_config:

Um... /etc/ssh/sshd_config is more to the point -- ssh_config is for
the client side, ssh*d*_config is for the server side.

However if you've just installed the system then chances are the
sshd_config is unmodified from the default settings.

Try turning off the challenge-response stuff as I suggested in my
earlier e-mail. ie. make it so that sshd_config contains:

ChallengeResponseAuthentication no

> /etc/pam.d/ssh

That looks fine.

Hmmm... This does look like a peculiar interaction of your particular
SSH client software and the OpenSSH server code on FreeBSD.

Normally I'd suggest running the client side connection with debugging
turned up high, eg:

% ssh -v -v -v host.example.com

but I don't know what the equivalent of that is for the client
software you're using.

A very good diagnostic test though is to run the server side with the
debugging turned up.  A good trick is to run it on an alternative port
so you can run it in parallel with your regular sshd. eg:

# sshd -d -d -d -p 24

You can then connect to the alternate port by:

% ssh -p 24 host.example.com

This will produce quite a lot of output, and exit after the ssh
session.  By comparing this output to the equivalent output from a
machine where you don't have the problem you should be able to tell
what the FreeBSD box is doing differently, and maybe work out how to
fix it.  Be aware that the full debug output from sshd should not be
published as it can contain privileged information.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
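
Added example, not part of Matthew's message or of OpenSSH: a shell helper for the comparison step described above, applied to the client side. It assumes the client is OpenSSH's ssh with its -v output saved to a file; the function names and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reduces a saved OpenSSH client debug log
# (stderr of `ssh -v -v -v`) to its authentication steps, so logs taken against
# two servers can be compared without circulating the full debug output.

# $1 = saved client debug log
auth_trace() {
    sed -n \
        -e 's/^debug1: Authentications that can continue: \(.*\)$/offered: \1/p' \
        -e 's/^debug1: Next authentication method: \(.*\)$/try: \1/p' \
        -e 's/^debug2: input_userauth_info_req: num_prompts \([0-9]*\)$/info-request prompts: \1/p' \
        -e 's/^debug1: Authentication succeeded (\(.*\))\.$/succeeded: \1/p' \
        "$1"
}

# $1, $2 = client logs for the two servers; prints the differences and
# returns 0 when the authentication steps are identical, 1 otherwise.
compare_auth() {
    a=$(mktemp) b=$(mktemp) rc=0
    auth_trace "$1" > "$a"
    auth_trace "$2" > "$b"
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample logs (not captured from any real host).
sample_kbdint_log() {
    cat <<'EOF'
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
debug2: input_userauth_info_req: num_prompts 0
debug1: Authentication succeeded (keyboard-interactive).
EOF
}
sample_password_log() {
    cat <<'EOF'
debug1: Authentications that can continue: password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}

# Usage: sh auth-trace.sh freebsd-client.log other-client.log
if [ "$#" -eq 2 ]; then compare_auth "$1" "$2"; fi
```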




Re: FreeBSD, SSH and "Enter Authentication Response"

2004-01-13 Thread Ruben de Groot
On Tue, Jan 13, 2004 at 01:30:15PM -0800, Rishi Chopra typed:
> I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh - 
> I'm running a default minimal installation of FreeBSD 5.2:
> 
> etc/ssh/ssh_config:
> 
> # Host *
> #   ForwardAgent no
> #   ForwardX11 no
> #   RhostsAuthentication no
> #   RhostsRSAAuthentication no
> #   RSAAuthentication yes
> #   PasswordAuthentication yes
> #   HostbasedAuthentication no

As Matthew suggested, you can put the line

ChallengeResponseAuthentication no

in here. Then restart sshd

good luck,
Ruben

> #   BatchMode no
> #   CheckHostIP no
> #   StrictHostKeyChecking ask
> #   IdentityFile ~/.ssh/identity
> #   IdentityFile ~/.ssh/id_rsa
> #   IdentityFile ~/.ssh/id_dsa
> #   Port 22
> #   Protocol 2,1
> #   Cipher 3des
> #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> #   EscapeChar ~
> #   VersionAddendum FreeBSD-20030423
> 
> 
> /etc/pam.d/ssh
> 
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
> 
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_unix.so             no_warn try_first_pass
> 
> # account
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
> 
> # session
> #session        optional        pam_ssh.so
> session         required        pam_permit.so
> 
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_unix.so             no_warn try_first_pass
> 
> 
> Any ideas what I should change?
> 
> -Rishi
> 
> Ruben de Groot wrote:
> 
> >On Tue, Jan 13, 2004 at 11:55:50AM +, Matthew Seaman typed:
> > 
> >
> >>On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
> >>   
> >>
> >>>I have a nitpicky question about logging into a FreeBSD machine and 
> >>>SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client 
> >>>v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
> >>> 
> >>>
> >>Which FreeBSD version?  And are you running the OpenSSH server
> >>supplied with the system or one from ports?
> >>   
> >>
> >
> >Judging by name and version number, I think he's not running OpenSSH
> >at all, but the other ssh implementation from ssh.org
> >
> > 
> >
> >>>When I login to my machine, I'm prompted to enter an "authentication 
> >>>response".  A window is displayed with "Enter Authentication Response" 
> >>>in the title bar, and two buttons at the bottom ('OK' and 'Cancel') - 
> >>>the text says:
> >>>
> >>> Enter your authentication response.
> >>> Password:
> >>> 
> >>>
> >>Sounds like you've got the PAM based challenge-response authentication
> >>enabled in your /etc/ssh/sshd_config (which is the default), but
> >>your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
> >>modified configuration.
> >>
> >>Here are a couple of things to try --
> >>
> >>Turn off Challenge-response authentication in /etc/ssh/sshd_config 
> >>
> >>Change:
> >>
> >>   #ChallengeResponseAuthentication yes
> >>
> >>to
> >>
> >>   ChallengeResponseAuthentication no
> >>
> >>and then:
> >>
> >>   # kill -HUP `cat /var/run/sshd.pid`
> >>
> >>to get it to reread the config.
> >>
> >>-- or --
> >>
> >>Double check the PAM settings: they should look like this in /etc/pam.conf
> >>
> >>   # OpenSSH with PAM support requires similar modules.  The session one is
> >>   # a bit strange, though...
> >>   sshd    auth     sufficient  pam_skey.so
> >>   sshd    auth     sufficient  pam_opie.so         no_fake_prompts
> >>   #sshd   auth     requisite   pam_opieaccess.so
> >>   #sshd   auth     sufficient  pam_kerberosIV.so   try_first_pass
> >>   #sshd   auth     sufficient  pam_krb5.so         try_first_pass
> >>   sshd    auth     required    pam_unix.so         try_first_pass
> >>   sshd    account  required    pam_unix.so
> >>   sshd    password required    pam_permit.so
> >>   sshd    session  required    pam_permit.so
> >>
> >>The /etc/pam.d case is similar, except you should have a file called
> >>'sshd' in that directory, whose contents are similar, but without the
> >>'sshd' entries in the first column.
> >>
> >>Cheers,
> >>
> >>Matthew
> >>
> >>
> >>-- 
> >>Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
> >> Savill Way
> >>PGP: http:

Re: FreeBSD, SSH and "Enter Authentication Response"

2004-01-13 Thread Rishi Chopra
I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh - 
I'm running a default minimal installation of FreeBSD 5.2:

etc/ssh/ssh_config:

#   $FreeBSD: src/crypto/openssh/ssh_config,v 1.21 2003/04/23 17:10:53 des Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP no
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   VersionAddendum FreeBSD-20030423

/etc/pam.d/ssh

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

Any ideas what I should change?

-Rishi

Ruben de Groot wrote:

> On Tue, Jan 13, 2004 at 11:55:50AM +, Matthew Seaman typed:
>
>> On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
>>
>>> I have a nitpicky question about logging into a FreeBSD machine and
>>> SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client
>>> v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
>>
>> Which FreeBSD version?  And are you running the OpenSSH server
>> supplied with the system or one from ports?
>
> Judging by name and version number, I think he's not running OpenSSH
> at all, but the other ssh implementation from ssh.org
>
>>> When I login to my machine, I'm prompted to enter an "authentication
>>> response".  A window is displayed with "Enter Authentication Response"
>>> in the title bar, and two buttons at the bottom ('OK' and 'Cancel') -
>>> the text says:
>>>
>>>  Enter your authentication response.
>>>  Password:
>>
>> Sounds like you've got the PAM based challenge-response authentication
>> enabled in your /etc/ssh/sshd_config (which is the default), but
>> your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
>> modified configuration.
>>
>> Here are a couple of things to try --
>>
>> Turn off Challenge-response authentication in /etc/ssh/sshd_config
>>
>> Change:
>>
>>    #ChallengeResponseAuthentication yes
>>
>> to
>>
>>    ChallengeResponseAuthentication no
>>
>> and then:
>>
>>    # kill -HUP `cat /var/run/sshd.pid`
>>
>> to get it to reread the config.
>>
>> -- or --
>>
>> Double check the PAM settings: they should look like this in /etc/pam.conf
>>
>>    # OpenSSH with PAM support requires similar modules.  The session one is
>>    # a bit strange, though...
>>    sshd    auth     sufficient  pam_skey.so
>>    sshd    auth     sufficient  pam_opie.so         no_fake_prompts
>>    #sshd   auth     requisite   pam_opieaccess.so
>>    #sshd   auth     sufficient  pam_kerberosIV.so   try_first_pass
>>    #sshd   auth     sufficient  pam_krb5.so         try_first_pass
>>    sshd    auth     required    pam_unix.so         try_first_pass
>>    sshd    account  required    pam_unix.so
>>    sshd    password required    pam_permit.so
>>    sshd    session  required    pam_permit.so
>>
>> The /etc/pam.d case is similar, except you should have a file called
>> 'sshd' in that directory, whose contents are similar, but without the
>> 'sshd' entries in the first column.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
>>  Savill Way
>> PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
>> Tel: +44

Re: FreeBSD, SSH and "Enter Authentication Response"

2004-01-13 Thread Ruben de Groot
On Tue, Jan 13, 2004 at 11:55:50AM +, Matthew Seaman typed:
> On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
> > I have a nitpicky question about logging into a FreeBSD machine and 
> > SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client 
> > v3.2.0 - the crux of the problem is I am unable to "smoothly" login.
> 
> Which FreeBSD version?  And are you running the OpenSSH server
> supplied with the system or one from ports?

Judging by name and version number, I think he's not running OpenSSH
at all, but the other ssh implementation from ssh.org

> > When I login to my machine, I'm prompted to enter an "authentication 
> > response".  A window is displayed with "Enter Authentication Response" 
> > in the title bar, and two buttons at the bottom ('OK' and 'Cancel') - 
> > the text says:
> > 
> >   Enter your authentication response.
> >   Password:
> 
> Sounds like you've got the PAM based challenge-response authentication
> enabled in your /etc/ssh/sshd_config (which is the default), but
> your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
> modified configuration.
> 
> Here are a couple of things to try --
> 
> Turn off Challenge-response authentication in /etc/ssh/sshd_config 
> 
> Change:
> 
> #ChallengeResponseAuthentication yes
> 
> to
> 
> ChallengeResponseAuthentication no
> 
> and then:
> 
> # kill -HUP `cat /var/run/sshd.pid`
> 
> to get it to reread the config.
> 
>  -- or --
> 
> Double check the PAM settings: they should look like this in /etc/pam.conf
> 
> # OpenSSH with PAM support requires similar modules.  The session one is
> # a bit strange, though...
> sshd    auth     sufficient  pam_skey.so
> sshd    auth     sufficient  pam_opie.so         no_fake_prompts
> #sshd   auth     requisite   pam_opieaccess.so
> #sshd   auth     sufficient  pam_kerberosIV.so   try_first_pass
> #sshd   auth     sufficient  pam_krb5.so         try_first_pass
> sshd    auth     required    pam_unix.so         try_first_pass
> sshd    account  required    pam_unix.so
> sshd    password required    pam_permit.so
> sshd    session  required    pam_permit.so
> 
> The /etc/pam.d case is similar, except you should have a file called
> 'sshd' in that directory, whose contents are similar, but without the
> 'sshd' entries in the first column.
> 
>   Cheers,
> 
>   Matthew
> 
> 
> -- 
> Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
>   Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
> Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: FreeBSD, SSH and "Enter Authentication Response"

2004-01-13 Thread Matthew Seaman
On Mon, Jan 12, 2004 at 01:32:30PM -0800, Rishi Chopra wrote:
> I have a nitpicky question about logging into a FreeBSD machine and 
> SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client 
> v3.2.0 - the crux of the problem is I am unable to "smoothly" login.

Which FreeBSD version?  And are you running the OpenSSH server
supplied with the system or one from ports?

> When I login to my machine, I'm prompted to enter an "authentication 
> response".  A window is displayed with "Enter Authentication Response" 
> in the title bar, and two buttons at the bottom ('OK' and 'Cancel') - 
> the text says:
> 
>   Enter your authentication response.
>   Password:

Sounds like you've got the PAM based challenge-response authentication
enabled in your /etc/ssh/sshd_config (which is the default), but
your /etc/pam.conf (FreeBSD 4.x) or /etc/pam.d (FreeBSD 5.x) has a
modified configuration.

Here are a couple of things to try --

Turn off Challenge-response authentication in /etc/ssh/sshd_config 

Change:

#ChallengeResponseAuthentication yes

to

ChallengeResponseAuthentication no

and then:

# kill -HUP `cat /var/run/sshd.pid`

to get it to reread the config.

 -- or --

Double check the PAM settings: they should look like this in /etc/pam.conf

# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth     sufficient  pam_skey.so
sshd    auth     sufficient  pam_opie.so         no_fake_prompts
#sshd   auth     requisite   pam_opieaccess.so
#sshd   auth     sufficient  pam_kerberosIV.so   try_first_pass
#sshd   auth     sufficient  pam_krb5.so         try_first_pass
sshd    auth     required    pam_unix.so         try_first_pass
sshd    account  required    pam_unix.so
sshd    password required    pam_permit.so
sshd    session  required    pam_permit.so

The /etc/pam.d case is similar, except you should have a file called
'sshd' in that directory, whose contents are similar, but without the
'sshd' entries in the first column.

Cheers,

Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
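
Added example, not part of Matthew's message: a shell check for the two things the message says to look at, the effective ChallengeResponseAuthentication value in sshd_config and the active auth lines of a pam.d-style sshd file. The function names are made up here, the default of "yes" is taken from the message, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread; function names are made up here.

# Print the value sshd would use for keyword $2 in config file $1, or the
# default $3 if it is never set. Rules applied: comment and blank lines are
# skipped, keywords are case-insensitive, "keyword value" or "keyword=value",
# and the first occurrence wins. Only global options (before any Match) count.
effective_sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            if (k == "match") exit
            if (k == key) { val = v; found = 1; exit }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# Active (uncommented) auth lines of a pam.d-style file $1, in order,
# printed as "control module".
pam_auth_stack() {
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

# $1 = sshd_config, $2 = pam.d sshd file
sshd_auth_report() {
    cra=$(effective_sshd_option "$1" ChallengeResponseAuthentication yes)
    echo "ChallengeResponseAuthentication=$cra"
    if [ "$cra" != "no" ]; then
        pam_auth_stack "$2" | sed 's/^/pam-auth: /'
    fi
}

# Constructed sample inputs, modelled on the lines quoted in the thread.
sample_sshd_config() { printf '%s\n' '#ChallengeResponseAuthentication yes' 'Port 22'; }
sample_pam_sshd() {
    printf '%s\n' \
        'auth  required    pam_nologin.so  no_warn' \
        'auth  sufficient  pam_opie.so     no_warn no_fake_prompts' \
        '#auth sufficient  pam_krb5.so     no_warn try_first_pass' \
        'auth  required    pam_unix.so     no_warn try_first_pass'
}

# Usage: sh sshd-auth-report.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then sshd_auth_report "$1" "$2"; fi
```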




FreeBSD, SSH and "Enter Authentication Response"

2004-01-12 Thread Rishi Chopra
I have a nitpicky question about logging into a FreeBSD machine and 
SSH.  I'm using a minimal FreeBSD install and SSH Secure Shell client 
v3.2.0 - the crux of the problem is I am unable to "smoothly" login.

When I login to my machine, I'm prompted to enter an "authentication 
response".  A window is displayed with "Enter Authentication Response" 
in the title bar, and two buttons at the bottom ('OK' and 'Cancel') - 
the text says:

  Enter your authentication response.
  Password:

If I enter my password, I'm prompted with another window that has the 
same title in the title bar, but says the following only:

  Enter your authentication response.

I can then either select the 'OK' button or the 'Cancel' button.

If I choose cancel for the first dialogue box, I'm prompted with a 
window that says "Enter Password" in the title bar and the text reading:

  Password:

This is the window I normally see when I login to other *nix servers 
(mainly servers on the UC Berkeley campus, mostly SunOS 5.8 boxes).  Is 
the FreeBSD box doing something during the SSH authentication process 
that causes the client not to display the enter password dialogue as 
soon as I connect to the server?  How can I get my server to simply 
prompt for my password the first time (e.g. can I make a change such 
that I don't have to press 'OK' on a second dialogue after entering my 
password, or so that I don't have to press 'Cancel' first and then enter 
my password?)

Thanks,
Rishi