On 10/13/15 11:33 AM, Eric wrote:
>
> So I installed the openssh-6.6.1nb3 package, disabled ssh, enabled
> openssh; and it properly uses /opt/local/etc/ssh/sshd_config. I had to
> first comment out the HostKeys, RSAAuthentication, PubkeyAuthentication,
> and PasswordAuthentication for it to work properly
>

Ok, let's clear up some confusion here:
The pkgsrc OpenSSH ("openssh" in svcs) will use
/opt/local/etc/ssh/sshd_config always.
The system SSH daemon ("ssh" in svcs) will use /etc/ssh/sshd_config always.
There is no one config file to edit that will have an effect on both of
them.
Now, as to your password problem: if you read the manpages carefully,
you will learn that PasswordAuthentication refers specifically to the
"password" authentication mechanism, which is separate and distinct from
"keyboard-interactive", which can be disabled using
KbdInteractiveAuthentication or ChallengeResponseAuthentication.
If you use "ssh -v" you can see the actual mechanisms being tried. For
example, with the default config you will see:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
...
Password:
If you add "PasswordAuthentication no" to your config, this changes to:
debug1: Authentications that can continue: publickey,keyboard-interactive
...
Password:
As you can see, "keyboard-interactive" is still available, and in the
SSH client in this case, this mechanism looks the same as "password". It
actually isn't the same under the hood, but they both do allow users to
log in using a typed password.
If you then add "ChallengeResponseAuthentication no" or
"KbdInteractiveAuthentication no" to your sshd_config:
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: No more authentication methods to try.
Permission denied (publickey).
$
Which I imagine was your intended result.
The reason why pkgsrc OpenSSH's behaviour appears to differ here is that
it does not default to having PAM enabled, so keyboard-interactive auth
actually fails with it automatically. If you changed "UsePAM" to yes,
you should observe the same behaviour as the system sshd with your
sshd_config. The system SSH daemon has UsePAM hard-coded to "yes", as it
is really the only sensible way to use sshd on Illumos.
Hope that helps.
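
Added example, not part of the original message: a small Python check that reads sshd_config text and reports which mechanisms would still accept a typed password, following the behaviour described in the message above. The function names, the use_pam parameter and the sample configs are constructed for illustration, and "ssh -v" against the running daemon remains the authoritative check.

```python
def global_options(config_text):
    """First value seen for each keyword before any Match block."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # conditional blocks are not modelled
            break
        if len(parts) > 1:
            seen.setdefault(keyword, parts[1].lower())  # first value wins
    return seen


def typed_password_paths(config_text, use_pam=None):
    """Mechanisms that still let a user log in with a typed password.

    use_pam=None reads UsePAM from the config (off when absent, as the
    message describes for pkgsrc OpenSSH); use_pam=True models a daemon
    with PAM always on, as the message describes for the system sshd.
    """
    opts = global_options(config_text)

    def on(key, default=True):
        return opts.get(key, "yes" if default else "no") != "no"

    paths = []
    if on("passwordauthentication"):
        paths.append("password")
    # Per the message, either keyword set to "no" removes keyboard-interactive.
    kbd = on("kbdinteractiveauthentication") and on("challengeresponseauthentication")
    pam = on("usepam", default=False) if use_pam is None else use_pam
    if kbd and pam:                         # typed passwords here go through PAM
        paths.append("keyboard-interactive")
    return paths


if __name__ == "__main__":
    # Constructed sample configs mirroring the three stages in the message.
    stages = ["", "PasswordAuthentication no\n",
              "PasswordAuthentication no\nChallengeResponseAuthentication no\n"]
    for cfg in stages:
        print(typed_password_paths(cfg, use_pam=True) or "publickey only")
```

An empty result means neither typed-password mechanism remains, which matches the final "Permission denied (publickey)" stage shown above.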
