Mailing List Archive

[Bug 3658] New: Wrong comment in /etc/ssh/sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3658

Bug ID: 3658
Summary: Wrong comment in /etc/ssh/sshd_config
Product: Portable OpenSSH
Version: 9.6p1
Hardware: Other
OS: Illumos
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: marcel@telka.sk

[This is copied from the downstream bug report at
https://www.illumos.org/issues/10168]

The following code fragment in sshd_config is misleading:

<pre>
# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes
</pre>

Indeed, setting PasswordAuthentication to "no" will NOT disable
clear-text passwords if ChallengeResponseAuthentication keeps its
default value "yes".
One also needs to set ChallengeResponseAuthentication to "no".

For details, see e.g. https://access.redhat.com/solutions/336773 or
https://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html

The above code fragment should be replaced by

<pre>
# To disable tunneled clear text passwords, change PasswordAuthentication and ChallengeResponseAuthentication to no.
PasswordAuthentication yes
ChallengeResponseAuthentication yes
</pre>

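The gap described in the report can be checked mechanically. The following is an added example, not part of the original bug report and not OpenSSH code: it reads sshd_config text and lists which password-style settings remain enabled. The function names and sample configs are constructed for illustration. It assumes only the global section (before any Match block) matters and that the keyboard-interactive backend prompts for a password, as the report describes.

```python
# Added example (not OpenSSH code): reports which password-style login
# paths a given sshd_config leaves enabled in its global section.

# Values used when a keyword is absent. The report states "yes" for
# ChallengeResponseAuthentication; PasswordAuthentication also defaults to yes.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Current OpenSSH treats the old keyword as a deprecated alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Effective global values; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue                 # blank line or comment
        key = parts[0].lower()       # keywords are case-insensitive
        if key == "match":           # assumption: only the global section is audited
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].strip('"').lower())
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """Keywords that still allow a typed password to be used for login."""
    eff = effective_settings(config_text)
    return sorted(k for k, v in eff.items() if v == "yes")


# Constructed sample configs, modelled on the fragments in the report.
PARTIAL = """\
# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("partial", PARTIAL), ("hardened", HARDENED)):
        print(name, "->", password_paths(text) or "no password paths enabled")
```

On a live host, the values sshd has actually loaded can be compared against this with `sshd -T`, which prints the effective configuration.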