On Tuesday, October 13, 2015, Alex Wilson <[email protected]> wrote:

> On 10/13/15 11:33 AM, Eric wrote:
> >
> > So I installed the openssh-6.6.1nb3 package, disabled ssh, enabled
> > openssh; and it properly uses /opt/local/etc/ssh/sshd_config. I had to
> > first comment out the HostKeys, RSAAuthentication, PubkeyAuthentication,
> > and PasswordAuthentication for it to work properly
> >
>
> Ok, let's clear up some confusion here:
>
> The pkgsrc OpenSSH ("openssh" in svcs) will use
> /opt/local/etc/ssh/sshd_config always.
>
> The system SSH daemon ("ssh" in svcs) will use /etc/ssh/sshd_config always.
>
> There is no one config file to edit that will have an effect on both of
> them.
>
> Now, as to your password problem: if you read the manpages carefully,
> you will learn that PasswordAuthentication refers specifically to the
> "password" authentication mechanism, which is separate and distinct to
> "keyboard-interactive", which can be disabled using
> KbdInteractiveAuthentication or ChallengeResponseAuthentication.
>
> If you use "ssh -v" you can see the actual mechanisms being tried. For
> example, with the default config you will see:
>
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> ...
> Password:
>
> If you add "PasswordAuthentication no" to your config, this changes to:
>
> debug1: Authentications that can continue: publickey,keyboard-interactive
> ...
> Password:
>
> As you can see, "keyboard-interactive" is still available, and in the
> SSH client in this case, this mechanism looks the same as "password". It
> actually isn't the same under the hood, but they both do allow users to
> log in using a typed password.
>
> If you then add "ChallengeResponseAuthentication no" or
> "KbdInteractiveAuthentication no" to your sshd_config:
>
> ...
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/id_rsa
> debug1: No more authentication methods to try.
> Permission denied (publickey).
> $
>
> Which I imagine was your intended result.
>
> The reason why pkgsrc OpenSSH's behaviour appears to differ here is that
> it does not default to having PAM enabled, so keyboard-interactive auth
> actually fails with it automatically. If you changed "UsePAM" to yes,
> you should observe the same behaviour as the system sshd with your
> sshd_config. The system SSH daemon has UsePAM hard-coded to "yes", as it
> is really the only sensible way to use sshd on Illumos.
>
> Hope that helps.
>

That helps a lot! Thanks
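
The "ssh -v" check described in the quoted reply can be scripted to confirm that no typed-password mechanism is still offered after editing sshd_config. This is an added example, not part of the original thread; the function name, the exit-status convention and the sample lines (constructed from the three outputs quoted above) are assumptions, as is the placeholder host in the usage comment.

```shell
#!/bin/sh
# Added example: read `ssh -v` client debug output on stdin and print the
# server-advertised authentication methods that accept a typed password.
# Exit status: 0 = none offered, 1 = at least one offered, 2 = no list seen.
#
# Typical use (placeholder host; debug output goes to stderr):
#   ssh -v -o BatchMode=yes user@host.example 2>&1 | typed_password_methods
typed_password_methods() {
    # The first advertisement is the server's full list of methods.
    methods=$(tr -d '\r' |
        sed -n 's/^debug1: Authentications that can continue: *//p' |
        head -n 1)
    [ -n "$methods" ] || return 2

    found=""
    old_ifs=$IFS
    IFS=,
    for m in $methods; do
        case $m in
            # Both mechanisms let a user log in by typing a password.
            password|keyboard-interactive) found="${found:+$found,}$m" ;;
        esac
    done
    IFS=$old_ifs

    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed samples mirroring the three cases quoted in the thread.
SAMPLE_DEFAULT='debug1: Authentications that can continue: publickey,password,keyboard-interactive'
SAMPLE_NO_PASSWORD='debug1: Authentications that can continue: publickey,keyboard-interactive'
SAMPLE_KEY_ONLY='debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_NO_PASSWORD" "$SAMPLE_KEY_ONLY"; do
    r=$(printf '%s\n' "$s" | typed_password_methods) && r="none"
    echo "typed-password methods offered: $r"
done
```

A non-zero exit from the function makes it usable as a post-change gate: status 1 means "PasswordAuthentication no" alone was not enough and keyboard-interactive (or password) is still advertised.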


