Bug 34378 - "PasswordAuthentication no" in sshd_config doesn't work as expected with ssh2
"PasswordAuthentication no" in sshd_config doesn't work as expected with ssh2
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: Security
Depends On:
  Show dependency treegraph
Reported: 2001-04-02 16:49 EDT by Jay Berkenbilt
Modified: 2008-05-01 11:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-02 20:17:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jay Berkenbilt 2001-04-02 16:49:09 EDT
This is with openssh-2.5.1p1-7.  I haven't tested with 2.5.2p2, but it
looks from the source code that the problem will still be there.

Changing PasswordAuthentication to no in /etc/ssh/sshd_config does not
preclude logging in using an encrypted clear-text password as it should
when ssh protocol version 2 is used because ssh falls back to an
authentication method called "keyboard-interactive" which also allows
plain-text passwords to be used.

Turning off KbdInteractiveAuthentication doesn't work either because
openssh turns it back on if challenge-response authentication is enabled.

This is easy to reproduce.  Install openssh-* on a server and use the
default /etc/ssh/sshd_config.  As a user with no .ssh directory, ssh to
that server with

ssh -2 -v server

In my case, my login is ejb and my server is gwendolyn.ql.org.

The last few lines preceding the password prompt are as follows:

debug: authentications that can continue:
debug: next auth method to try is publickey
debug: key does not exist: /home/ejb/.ssh/id_dsa
debug: next auth method to try is password
ejb@gwendolyn.ql.org's password: 

Notice that publickey, password, and keyboard-interactive are all listed as
valid authentications.  Now, if you change /etc/ssh/sshd_config to say 

PasswordAuthentication no
KbdInteractiveAuthentication no

and restart sshd (with /etc/rc.d/init.d/sshd restart) you get this:

debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is publickey
debug: key does not exist: /home/ejb/.ssh/id_dsa
debug: next auth method to try is keyboard-interactive

Note that password is gone as a valid method, but keyboard-interactive is
still there.  At this point, typing ejb@gwendolyn.ql.org's password works.

A quick read of the source shows that the problem is that
keyboard-interactive authentication is always forcibly enabled, overriding
whatever is in the configuration file, if challenge-response authentication
is enabled.  It is therefore necessary to also turn set

ChallengeResponseAuthentication no

in order to disable use of ordinary passwords.  Turning all three of these
off does in fact do the trick.

Being able to disable password authentication on the server is very
important.  Without this, someone who knows another user's password can ssh
in as that user.  With this, you can require that the user knows the
password on the private key and has a copy of said key -- much tighter
especially when firewalls are concerned.  I am fully aware that no password
is ever sent in the clear across the network, but I still think this is an
important security issue.

The documentation gives no clue as to the fact that keyboard-interactive
authentication could be used for anything other than s/keys.  It also
appears, though I have not tested or attempted to verify this, that it
would currently be impossible to allow s/key authentication but not plain
text password authentication.  Take that with a grain of salt though -- I
haven't studied the code carefully enough to be sure.

Note that this is a little harder than usual to find in the code because
the variable that controls challenge-response authentication is called 


In fact, this typo (reponse vs. response) is quite prevalent in the openssh
code.  One has to assume the use of emacs dynamic abbreviations -- one of
the most powerful typographical error propagation features there is. :-)

Seriously, if the ssh bug is too subtle to fix right, at the very least,
the comments in RedHat's sshd_config could mention that to fully disable
tunneled clear-text passwords, it is necessary to turn off
PasswordAuthentication, KbdInteractiveAuthentication, and
Comment 1 Nalin Dahyabhai 2001-04-02 21:37:46 EDT
Current 2.5.2p2 packages explicitly disable ChallengeResponseAuthentication. I'm
sending a patch for the man pages upstream for inclusion in a future release of
OpenSSH.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.