Re: [Fwd: Question: sshd_config: combinations of PasswordAuthentication and ChallengeResponseAuthentication]

Dear Robert,

   This explains why the programmer's SSH library did not work correctly:
it cannot understand the tty.  It is likely that it used
something akin to echo $PASSWORD | ssh $HOST "cat /etc/passwd" instead
of expect et al.

Many thanks for the explanation.

Best wishes,
J

Robert Hajime Lanning wrote:
> "PasswordAuthentication" is a built-in method of using a password.
> This is where the client gets the password from somewhere and
> passes it to the server, along with the user name.
>
> "ChallengeResponseAuthentication" is a method to tunnel the
> authentication process.  The client opens the tty and gateways
> it to the server's authentication process/library. This enforces an
> interactive authentication scheme.
>
> Using ChallengeResponseAuthentication is more secure, as it does
> its best to not allow programmatic entering of the password.  You must
> enter the password via a tty device.
>
> With PasswordAuthentication, you can:
> $ echo $PASSWORD | ssh $HOST "cat /etc/passwd"
>
> With ChallengeResponseAuthentication you have to use a chat script
> or expect.
>
> I would suggest forgoing passwords and just using keys, unless your
> requirement is to use both.
>
> On Mon, Feb 15, 2010 at 12:43 AM, J4 <junk4@xxxxxxxxxxxx> wrote:
>   
>> Dear all,
>>
>>    I have searched across Google for a while to try and understand the
>> security impact of certain changes in our sshd_config file, but because
>> I could not find the answer, I decided to post here. I hope that here is
>> the right place.
>>
>> A developer uses SSH to connect to servers in his application, but it
>> cannot connect.  The Dev has shown that it works if I change these settings
>> in the sshd_config:
>>
>> From:
>>
>> # To disable tunneled clear text passwords, change to no here!
>> PasswordAuthentication no
>>
>> # Change to no to disable s/key passwords
>> #ChallengeResponseAuthentication yes
>>
>>
>> To:
>>
>> ChallengeResponseAuthentication no
>> #PasswordAuthentication ...
>> (second one commented out, so the default setting is used)
>>
>>
>> I have tried to understand what the impact is for security and other
>> variables across our systems, but cannot.
>> We use RSA and DSA keys to connect between servers, and UNIX password
>> authentication.
>> Some keys have passphrases, and others do not.
>> Servers are SLES, Opensuse, Debian and HPUX.
>>
>> Can anyone think of any, or even point me to a URL that could explain
>> these in near-layman's terminology as I am not an SSH expert?
>>
>>
>> Yours sincerely,
>> J.
>>     
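An added example, not part of the thread: a small Python checker that applies sshd's own parsing rules (first value for a keyword wins, commented-out keywords fall back to the OpenSSH defaults of yes for both PasswordAuthentication and ChallengeResponseAuthentication) to the two sshd_config variants J posted, to show which combination still permits password login and which is keys-only. The function names and sample configs are my own.

```python
import re

# OpenSSH defaults for the keywords discussed in the thread (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Effective value of each DEFAULTS keyword, following sshd's rules:
    keywords are case-insensitive, '#' starts a comment, and the FIRST
    value seen for a keyword wins.  Parsing stops at the first 'Match'
    block, since values inside it apply only conditionally."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().lower()
    return {k: seen.get(k, DEFAULTS[k]) for k in DEFAULTS}

def assess(config_text):
    """Summarise which login methods the daemon will still accept."""
    s = effective_settings(config_text)
    # Either keyword at 'yes' leaves a password path open (keyboard-interactive
    # still prompts for a password through the tty, as the thread explains).
    password_possible = (s["passwordauthentication"] == "yes"
                         or s["challengeresponseauthentication"] == "yes")
    return {
        "settings": s,
        "password_login_possible": password_possible,
        "keys_only": s["pubkeyauthentication"] == "yes" and not password_possible,
    }

# Constructed samples reproducing the two variants from the thread, plus a
# keys-only variant for comparison.
BEFORE = """\
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#ChallengeResponseAuthentication yes
"""
AFTER = "ChallengeResponseAuthentication no\n#PasswordAuthentication ...\n"
KEYS_ONLY = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
```

Neither of the two posted variants is keys-only: the first still accepts passwords through the interactive (tty) path, the second through plain password authentication; only setting both keywords to no removes the password path.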
