I'm still seeing problems with both SSH clients I am using. On one, I get a repeated login attempt. With SecureCRT on Windows I get an "Unknown Authentication Method" unless I check the box that says "keyboard interactive" only??? I am not sure what is going on here?
Scott Ullrich <[EMAIL PROTECTED]>, 10/24/2005 03:49 PM:
This was touched upon a few days back, please refer to the list
archives. With that said, even with the changes previously made by
FreeBSD to openssh, I have no issues logging in. Make sure you're
logging in as root.
Scott
On 10/24/05, Ryan Neily <[EMAIL PROTECTED]> wrote:
>
> I just upgraded to 0.89.2 and it seems that PasswordAuthentication doesn't
> appear in /etc/ssh/sshd_config any longer. I'll have to try adding it and
> restarting and see if this helps.
>
> If this could be a permanent change that would be great, or at least an
> option so that it can be changed easily. Neither the SSH client nor Windows
> SecureCRT allow SSH connectivity (without making changes to the client) to
> pfSense.
>
> Scott Ullrich wrote:
>
> >Password authentication is the default.
> >
>
> actually PasswordAuthentication is disabled by default.
> keyboard-interactive is what you're thinking, which is diff. this is a
> change in recent OpenSSH versions. Not sure when the change occurred,
> but my FreeBSD 4.x boxes all have it set to yes by default, and my 5.4
> and 6.0 boxes set it to no by default. This isn't FreeBSD-specific,
> Googling brings up the same exact things from Linux and other OS's. I'm
> sure some Linux distros change the default sshd_config, but any OS that
> uses the defaults has had this disabled. Hence why it's disabled in
> pfsense.
>
> FreeBSD 4.11:
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
>
> FreeBSD 5.4 and 6.0:
> # Change to yes to enable built-in password authentication.
> #PasswordAuthentication no
> #PermitEmptyPasswords no
>
>
> I knew it was disabled, and there was some diff between
> PasswordAuthentication and keyboard-interactive, but not a clue what. a
> bunch of Googling later, I don't really have a complete answer, but I
> know this much. Basically keyboard-interactive is the new password
> authentication mechanism that allows more than a simple username and
> password. Think more advanced authentication schemes (two factor, or
> anything that the server could prompt back and ask for).
>
> The question becomes why did they disable PasswordAuthentication? They
> say "to disable tunneled clear text passwords"...but I haven't been able
> to find a single good explanation of just what that means.
> this thread has some info, but nobody ever answers why it was disabled.
> http://groups.google.com/group/comp.security.ssh/browse_thread/thread/b37e7ac9a2f381b0/3cc7d92d6ca5335d?lnk=st&q=difference+between+passwordauthentication+and+keyboard-interactive&rnum=1&hl=en#3cc7d92d6ca5335d
> The best thing I've found is "some brute forcing apps don't work with
> keyboard-interactive". whoopie
>
> I really don't think it would be a big deal to enable it, or make it a
> configuration option. Some clients don't support keyboard-interactive,
> though they're mostly older ones.
>
> To the original poster, if you want to enable it, change
> PasswordAuthentication to yes in /etc/ssh/sshd_config and run
> `/etc/rc.d/sshd reload`. I don't think that'll get overwritten at any
> point but I could be wrong.
>
> if anybody knows anything more on PasswordAuthentication vs.
> keyboard-interactive, I'd be very interested to hear more.
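
An added example, not part of the thread or of pfSense: a way to check which `PasswordAuthentication` value sshd will actually use after editing `/etc/ssh/sshd_config` as suggested above. sshd uses the first value it obtains for a keyword, and a commented `#Keyword value` line only documents the shipped default. The helper names `sshd_effective` and `make_samples` are hypothetical, and the sample files are constructed from the excerpts quoted in the thread.

```shell
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.

# Usage: sshd_effective KEYWORD FILE  ->  prints "<value> <set|default>" or "- unknown"
#   set     = taken from the first uncommented directive (the one sshd honours)
#   default = taken from a commented "#Keyword value" line documenting the default
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/[ \t]*=[ \t]*/, " ") }              # accept "Keyword=value" too
        tolower($1) == "match" { exit }            # later lines are Match-scoped
        tolower($1) == want && !val { val = tolower($2) }
        tolower($1) == ("#" want) && !hint { hint = tolower($2) }
        END {
            if (val)       print val, "set"
            else if (hint) print hint, "default"
            else           print "- unknown"
        }' "$2"
}

# Constructed samples: the two stock excerpts quoted in the thread, plus a file
# edited as suggested (with a stray later duplicate to show first-value-wins).
make_samples() {
    printf '%s\n' '# To disable tunneled clear text passwords, change to no here!' \
        '#PasswordAuthentication yes' > "$1/freebsd-4.11"
    printf '%s\n' '# Change to yes to enable built-in password authentication.' \
        '#PasswordAuthentication no' '#PermitEmptyPasswords no' > "$1/freebsd-5.4"
    printf '%s\n' '#PasswordAuthentication no' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' > "$1/edited"
}

dir=$(mktemp -d) && make_samples "$dir"
for f in freebsd-4.11 freebsd-5.4 edited; do
    printf '%-14s %s\n' "$f" "$(sshd_effective PasswordAuthentication "$dir/$f")"
done
rm -rf "$dir"
```

Against a live system, point it at the real file: `sshd_effective PasswordAuthentication /etc/ssh/sshd_config`.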
