Why does SSH prompt for 2 passwords?

Joe Lewis joe at relia.net
Sat Apr 19 09:33:30 PDT 2003 

I am MOST appreciative of the tutorial on the matter that I have 
recieved.  The explanations have been simple, straight foreward, and 
enlightening.  Thank all, for the help and info you have provided.

Joe

Olivier Dony wrote:
> On Fri, Apr 18, 2003 at 03:02:23PM +0200, Willie Viljoen wrote:
> 
>>On Friday 18 April 2003 0:48, someone, possibly Joe Lewis, typed:
>>
>>
>>>Password:
>>>Response:
>>>joe at 192.168.1.1's password:
>>
>>The first prompt is PAM challenge response authentication. This uses the PAM 
>>system instead of a just a flat read of /etc/master.passwd to authenticate, 
>>and is also more secure than standard plaintext authentication.
>>
>>Unless your sshd is misconfigured, your configuration files and binaries are 
>>out of sync (this happend when a system is upgraded without doing 
>>mergemaster), this should not be happening, and you should be able to log 
>>in at the first prompt. It might also be that the ssh client you are using 
>>does not handle challenge response authentication properly.
> 
> 
> Indeed and one thing you should check is whether you are not using SSH v1 by
> mistake. This might happen if you are using it with arg -1 e.g :
> 
>   $ ssh -1 somehost.domain.tld
>   Password:
>   Response: 
>   $ ssh -2 somehost.domain.tld
>   Password:
>   
> or if your ssh client is setup to try SSH v1 first, eg if using FreeBSD's 
> one as it seem, that would be :
> 
>   Protocol 1,2
> 
> in the relevant part of your /etc/ssh/ssh_config, see ssh_config(5) for more
> details.
> 
> 
>>If you are happy with standard plaintext configuration, you may edit 
>>/etc/ssh/sshd_config and change the setting to this:
>>
>># Change to no to disable PAM authentication
>>ChallengeResponseAuthentication no
> 
> 
> This will do if you control the ssh server you are connecting to, but that
> will only be a workaround and you probably want to fix the client problem,
> as the same could happen on other hosts.
> 
> 
>>I'd recommend you rather get PAM fixed though, or use public key 
>>authentication instead, that's much more secure than any form of password 
>>authentication.
> 
> 
> I'd second on using public key authentication, as this will make remote 
> logins even faster, and more secure, provided that your private key is 
> properly secured. The ssh(1) man page explains it somewhat in the SSH protocol
> version 2 section.
> 
> Hope this helps.
> 
> Olivier

More information about the freebsd-questions mailing list