Scott Ullrich wrote:

Password authentication is the default.

Actually, PasswordAuthentication is disabled by default. keyboard-interactive is what you're thinking of, which is different. This is a change in recent OpenSSH versions. Not sure when the change occurred, but my FreeBSD 4.x boxes all have it set to yes by default, and my 5.4 and 6.0 boxes set it to no by default. This isn't FreeBSD-specific; Googling brings up the same exact things from Linux and other OSes. I'm sure some Linux distros change the default sshd_config, but any OS that uses the defaults has had this disabled. Hence why it's disabled in pfSense.

FreeBSD 4.11:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes

FreeBSD 5.4 and 6.0:
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no


I knew it was disabled, and that there was some difference between PasswordAuthentication and keyboard-interactive, but not a clue what. A bunch of Googling later, I don't really have a complete answer, but I know this much. Basically, keyboard-interactive is the new password authentication mechanism that allows more than a simple username and password. Think more advanced authentication schemes (two-factor, or anything that the server could prompt back and ask for). The question becomes: why did they disable PasswordAuthentication? They say "to disable tunneled clear text passwords"... but I haven't been able to find a single good explanation of just what that means. This thread has some info, but nobody ever answers why it was disabled: http://groups.google.com/group/comp.security.ssh/browse_thread/thread/b37e7ac9a2f381b0/3cc7d92d6ca5335d?lnk=st&q=difference+between+passwordauthentication+and+keyboard-interactive&rnum=1&hl=en#3cc7d92d6ca5335d The best thing I've found is "some brute forcing apps don't work with keyboard-interactive". Whoopie.

I really don't think it would be a big deal to enable it, or make it a configuration option. Some clients don't support keyboard-interactive, though they're mostly older ones. To the original poster: if you want to enable it, change PasswordAuthentication to yes in /etc/ssh/sshd_config and run `/etc/rc.d/sshd reload`. I don't think that'll get overwritten at any point, but I could be wrong. If anybody knows anything more on PasswordAuthentication vs. keyboard-interactive, I'd be very interested to hear more.
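
Added example, not part of the original message or of pfSense: a small audit helper that reads an sshd_config and reports, separately, the two login paths discussed above. The function names and the sample file are constructed here; it assumes keyboard-interactive is governed by ChallengeResponseAuthentication (or its newer alias KbdInteractiveAuthentication), and it reports "unset" rather than guessing a build's compiled-in default.

```shell
#!/bin/sh
# Print the first uncommented global value for keyword(s) $2 in file $1.
# $2 may list aliases separated by "|". sshd uses the first value it reads
# for a keyword and matches keywords case-insensitively. Parsing stops at
# the first Match block, so only the global section is reported.
sshd_setting() {
    awk -v want="$2" '
        BEGIN { want = "^(" tolower(want) ")$"; val = "unset" }
        { sub(/^[ \t]+/, "") }        # strip leading whitespace
        /^#/ || /^$/ { next }         # "#Keyword value" lines only document a default
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }  # split on whitespace or "="
        key == "match" { exit }
        key ~ want { val = f[2]; exit }
        END { print val }
    ' "$1"
}

# Summarise both mechanisms from the thread on one line.
password_paths() {
    pw=$(sshd_setting "$1" "PasswordAuthentication")
    kbd=$(sshd_setting "$1" "KbdInteractiveAuthentication|ChallengeResponseAuthentication")
    echo "password=$pw keyboard-interactive=$kbd"
}

# Constructed sample: the FreeBSD 5.4/6.0 excerpt quoted above, followed by
# made-up lines that exercise first-value-wins and Match scoping.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    ChallengeResponseAuthentication no
EOF

password_paths "$SAMPLE"
```

On a live host, `sshd -T` prints the effective values, including compiled-in defaults that a file parse like this cannot see.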