
Thread: SSHD Password authentication still working

  1. #1
    Join Date
    Dec 2012
    Location
    SLC
    Posts
    12

    Default SSHD Password authentication still working

    I am trying to set up sshd, so that I can connect from the WAN side when I am at school. I am able to connect from the LAN side no problem, but I am trying to disable password access and move to an RSA key access so that I can forward to the server. The problem is, when I disable pw authentication in sshd config, it still asks me for a password. I have no keys stored on the server that I am aware of. I am simply trying to make sure that the password access is disabled at this point, but no matter what I put for the value in the config file I still end up being able to login. I'm so confused.


    Code:
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    openSUSE 12.2
    OpenSSH 6.0

  2. #2
    Join Date
    Dec 2012
    Location
    SLC
    Posts
    12

    Default Re: SSHD Password authentication still working

    Follow up, I forgot to add this is coming from a Windows machine using PuTTY to the openSUSE server.

  3. #3
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    24,645
    Blog Entries
    15

    Default Re: SSHD Password authentication still working

    On Sun 11 Aug 2013 04:56:03 PM CDT, StrangeBrew79 wrote:


    Follow up, I forgot to add this is coming from a Windows machine using
    PuTTY to the openSUSE server.


    Hi
    You need to generate the ssh key on the windows box, then copy into
    your ~/.ssh/authorized_keys file on the target system.

    --
    Cheers Malcolm °¿° (Linux Counter #276890)
    openSUSE 12.3 (x86_64) Kernel 3.7.10-1.16-desktop
    up 3:09, 3 users, load average: 1.25, 1.31, 1.00
    CPU AMD E2-1800@1.70GHz | GPU Radeon HD 7340


  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,524
    Blog Entries
    3

    Default Re: SSHD Password authentication still working

    Quote Originally Posted by StrangeBrew79 View Post
    The problem is, when I disable pw authentication in sshd config, it still asks me for a password.
    I'm pretty sure that's standard sshd behavior. If you are not allowing password auth, and if your public_key auth is not working, then it will prompt for a password and login will fail, no matter what password is entered. I think this is intended to make it harder for attackers to know how sshd is configured.

    Putty is working fine for me, from a Vista box. I do have pageant (the putty ssh-agent) running, and I have given it my key. With that in place, putty connects without any password prompt.
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  5. #5
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,524
    Blog Entries
    3

    Default Re: SSHD Password authentication still working

    Quote Originally Posted by malcolmlewis View Post
    You need to generate the ssh key on the windows box, then copy into
    your ~/.ssh/authorized_keys file on the target system.
    It is several years ago. But I'm pretty sure that I just took my key generated under linux (with openssh), and put that on the Windows box. I then opened that key with puttygen, and puttygen converted it to a putty format key.
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  6. #6
    Join Date
    Dec 2012
    Location
    SLC
    Posts
    12

    Default Re: SSHD Password authentication still working

    I was wondering if it defaulted to something like that. But I am able to login using the server side account even with pw access disabled. Unless I have changed the wrong area of the config text, but I don't think I have. What I'm getting at is that I don't have any keys on either side set up yet, I'm purely trying to disable password login access before I move to that step, just to make sure. Yet, I am still able to login using password auth only, even with that value set to no. What am I missing? I would think with that value set to no, and no keys stored on the server that I would not be able to remotely login at all. Let me paste the entire config file, maybe I am missing something else.



    Code:
    #       $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options override the
    # default value.
    
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # The default requires explicit activation of protocol 1
    #Protocol 2
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile      .ssh/authorized_keys
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
    # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
    # in this release. The use of 'gssapi' is deprecated due to the presence of
    # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
    #GSSAPIEnableMITMAttack no
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none
    
    # no default banner path
    #Banner none
    
    # override default of no subsystems
    Subsystem       sftp    /usr/lib/ssh/sftp-server
    
    # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #       X11Forwarding no
    #       AllowTcpForwarding no
    #       ForceCommand cvs server

    Looking in the /etc/ssh directory I have several public keys in there, is that what is enabling me to logon? Have I already generated keys unaware of what I was doing? However I do not see any keys listed in the home directory of the user on the server ~/.ssh.

  7. #7
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,524
    Blog Entries
    3

    Default Re: SSHD Password authentication still working

    Quote Originally Posted by StrangeBrew79 View Post
    Unless I have changed the wrong area of the config text, but I don't think I have. What I'm getting at is that I don't have any keys on either side set up yet, I'm purely trying to disable password login access before I move to that step, just to make sure.
    I'm not completely sure what you are doing. So I will describe what I am doing.

    Here are my changes (in the form of "diff -u") to sshd_config:
    Code:
    --- sshd_config 2013/02/10 02:58:50     1.1
    +++ sshd_config 2013/02/28 23:41:02
    @@ -37,7 +37,7 @@
     # Authentication:
     
     #LoginGraceTime 2m
    -#PermitRootLogin yes
    +PermitRootLogin without-password
     #StrictModes yes
     #MaxAuthTries 6
     #MaxSessions 10
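    Review bot: on the `PermitRootLogin without-password` line, the restriction only holds while PAM challenge-response is also off; the comment above `UsePAM` in the stock sshd_config says PAM authentication via ChallengeResponseAuthentication may bypass "PermitRootLogin without-password". Keep this change together with `ChallengeResponseAuthentication no` from the next hunk, and use `PermitRootLogin no` instead if root never needs to log in over SSH.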
    @@ -66,7 +66,7 @@
     #PermitEmptyPasswords no
     
     # Change to no to disable s/key passwords
    -#ChallengeResponseAuthentication yes
    +ChallengeResponseAuthentication no
     
     # Kerberos options
     #KerberosAuthentication no
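    Review bot: `ChallengeResponseAuthentication no` closes only the keyboard-interactive path; the `PasswordAuthentication` line sits just above this hunk's first context line and is not touched by the patch, so it stays at whatever the distributed file sets. For key-only logins on every account, set `PasswordAuthentication no` in the same change and note both settings in its description.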
    So, basically, two changes from the distributed config. The first applies to root only, and denies password authentication to root. The second applies to everyone, and disables ChallengeResponseAuthentication (which can look much like password authentication).

    For my user accounts, I have a file "$HOME/.ssh/authorized_keys" with the public keys that are allowed to authenticate. I run "ssh-agent", which is started automatically when I login to KDE. And I add a key with "ssh-add". Thereafter, logins work fine without prompting for a password.
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  8. #8
    Join Date
    Dec 2012
    Location
    SLC
    Posts
    12

    Default Re: SSHD Password authentication still working

    Thank you sir, challenge response is exactly what I still had open. I'm trying to lock myself out before I move on to adding the RSA keys. I am now unable to login after changing that value to no. (Which as odd as it sounds is exactly what I wanted)
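
The resolution reached in this thread, as an added example that is not part of any post: a small checker that reads sshd_config text and reports which login paths can still accept a typed password. The function names and sample strings are assumptions made for this example; it ignores `Match` blocks and `keyword=value` syntax, and treats challenge-response as a password path only when `UsePAM yes` is set.

```python
# Added example: which password-style login paths does an sshd_config leave open?
# Defaults follow the commented-out values in the config posted in this thread.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",  # upstream OpenSSH default; the posted config sets it to yes
}

def effective_settings(config_text):
    """Global settings: first occurrence wins, keywords are case-insensitive."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines leave the built-in default in force
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # simplification: conditional Match blocks are not evaluated
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}

def password_paths(config_text):
    """List the SSH auth methods that can still accept a typed password."""
    s = effective_settings(config_text)
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # With PAM enabled, challenge-response prompts for the account password.
    if s["challengeresponseauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive (PAM)")
    return paths

# Constructed samples: the relevant lines of the config from post #6,
# before and after the change that resolved the thread.
BEFORE = """\
PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
"""
AFTER = BEFORE.replace("#ChallengeResponseAuthentication yes",
                       "ChallengeResponseAuthentication no")

if __name__ == "__main__":
    print("before:", password_paths(BEFORE))
    print("after: ", password_paths(AFTER))
```

On a live server, `sshd -T` prints the effective configuration, which is the authoritative way to confirm the same two settings.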
