This was touched apon a few days back, please refer to the list archives. With that said even with the cahnges previously made by FreeBSD to openssh, I have no issues logging in. Make sure your logging in as root.
Scott On 10/24/05, Ryan Neily <[EMAIL PROTECTED]> wrote: > > I just upgraded to 0.89.2 and it seems that PasswordAuthentication doesnt > appear in /etc/ssh/sshd_config any longer. I'll have to try adding it and > restarting and see if this helps. > > If this could be a permanent change that would be great, or at least an > option so that it can be changed easily. Neither the SSH client nor Windows > SecureCRT allot SSH connectivty (without making changes to the client) to > PfSense. > > > > > > > Scott Ullrich wrote: > > >Password authentication is the default. > > > > actually PasswordAuthentication is disabled by default. > keyboard-interactive is what you're thinking, which is diff. this is a > change in recent OpenSSH versions. Not sure when the change occurred, > but my FreeBSD 4.x boxes all have it set to yes by default, and my 5.4 > and 6.0 boxes set it to no by default. This isn't FreeBSD-specific, > Googling brings up the same exact things from Linux and other OS's. I'm > sure some Linux distros change the default sshd_config, but any OS that > uses the defaults has had this disabled. Hence why it's disabled in > pfsense. > > FreeBSD 4.11: > # To disable tunneled clear text passwords, change to no here! > #PasswordAuthentication yes > > FreeBSD 5.4 and 6.0: > # Change to yes to enable built-in password authentication. > #PasswordAuthentication no > #PermitEmptyPasswords no > > > I knew it was disabled, and there was some diff between > PasswordAuthentication and keyboard-interactive, but not a clue what. a > bunch of Googling later, I don't really have a complete answer, but I > know this much. Basically keyboard-interactive is the new password > authentication mechanism that allows more than a simple username and > password. Think more advanced authentication schemes (two factor, or > anything that the server could prompt back and ask for). > > The question becomes why did they disable PasswordAuthentication? They > say "to disable tunneled clear text passwords"...but I haven't been able > to find a single good explanation of just what that means. > this thread has some info, but nobody ever answers why it was disabled. > http://groups.google.com/group/comp.security.ssh/browse_thread/thread/b37e7ac9a2f381b0/3cc7d92d6ca5335d?lnk=st&q=difference+between+passwordauthentication+and+keyboard-interactive&rnum=1&hl=en#3cc7d92d6ca5335d > The best thing I've found is "some brute forcing apps don't work with > keyboard-interactive". whoopie > > I really don't think it would be a big deal to enable it, or make it a > configuration option. Some clients don't support keyboard-interactive, > though they're mostly older ones. > > To the original poster, if you want to enable it, change > PasswordAuthentication to yes in /etc/ssh/sshd_config and run > `/etc/rc.d/sshd reload`. I don't think that'll get overwritten at any > point but I could be wrong. > > if anybody knows anything more on PasswordAuthentication vs. > keyboard-interactive, I'd be very interested to hear more. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
