Hi Guys! :)
I encountered something that kind of scared me a week or so ago. When I
would try to log in to my server with priv/pubkey authentication and
mistyped the passphrase for my private key, it prompted for a password.
IIRC, I was able to log in with my password from that prompt, even with
'PasswordAuthentication no' in sshd_config! After a little bit of reading
it looked like PAM was overriding the sshd_config settings, so I put
'UsePAM no', but couldn't even log in with my priv/pubkey setup. So what
I've done is set 'ChallengeResponseAuthentication no' and 'UsePAM yes'.
This has resolved the prompting for a password after incorrectly entering
passphrases 3 times, but is this the correct solution? Is there a security
risk in doing it this way?
--
gentoo-security@gentoo.org mailing list
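
Added example, not part of the original post: a small audit of sshd_config text that reports which settings still let a typed password authenticate, covering the 'PasswordAuthentication', 'ChallengeResponseAuthentication' and 'UsePAM' combination described above. It assumes upstream OpenSSH defaults for absent keywords and a Linux build where keyboard-interactive is backed only by PAM; the function names and the two sample configurations are constructed for illustration.

```python
# Added example: audit sshd_config text for password-equivalent logins.
# Assumption: upstream OpenSSH defaults apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the global values sshd would use (first occurrence wins)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        if key == "match":  # simplification: Match blocks are not evaluated
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """List the ways a typed password can still authenticate a user."""
    s = effective_settings(config_text)
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # With PAM enabled, keyboard-interactive relays PAM's password prompt.
    if s["kbdinteractiveauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive via PAM")
    return paths


# Constructed samples mirroring the two configurations in the post.
BEFORE = "PasswordAuthentication no\nUsePAM yes\n"
AFTER = "PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n"

if __name__ == "__main__":
    print("before:", password_paths(BEFORE))
    print("after: ", password_paths(AFTER))
```

On a live host, `sshd -T` prints the effective configuration, including Match handling that this sketch skips.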