From a post on the freebsd security mailing list
http://lists.freebsd.org/pipermail/f...ry/005546.html
Code:
:Matthew Dillon <dillon@apollo.backplane.com> writes:
:> Just give up and turn off tunneled plaintext passwords over the
:> network. No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
:> Just run sshd and put this in your sshd_config:
:>
:> # To disable tunneled clear text passwords, change to no here!
:> PasswordAuthentication no
:
:This does not do what you think it does. RTFM.
:
:DES
:--
:Dag-Erling Smørgrav - des@des.no
Here's a thought, DES. Try acting like the professional you
profess to be instead of the 5-year-old you clearly are.
It looks like the defaults in FreeBSD are different, so shoot me.
Ah, I see, YOU were the one who changed the FreeBSD defaults to be
less secure. Now I understand. The OpenSSH folks give you a nice
default-secure setting and an easy way to change it in sshd_config
and your answer is to actually modify the base code in the contrib
instead and turn things all around? Shame on you.
So, FreeBSD users, it looks like you have to play russian roulette
with your sshd_config options if you want the directives to actually
work. But hey, I'm sure DES will be happy to flip you off instead
of tell you which options will work with FreeBSD. So I guess I'll have
to instead.
If you don't need PAM's extra features for your sshd access (which is
most people) then turn PAM off in your sshd_config to work around the
base code change that DES made. Then the other options will work as
intended. And, just to be safe, also turn off the challenge-response
option.
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
There, all better. PAM has its advantages, but only for a very small
percentage of users. Its disadvantage is in its complexity and the
ease of which a mis-configuration can result in a security hole. If
there is no need for ssh to use it in your configuration then it
should be turned off.
-Matt
Matthew Dillon