Why does SSH prompt for 2 passwords?
Joe Lewis
joe at relia.net
Sat Apr 19 09:33:30 PDT 2003
I am MOST appreciative of the tutorial on the matter that I have
received. The explanations have been simple, straightforward, and
enlightening. Thank all, for the help and info you have provided.
Joe
Olivier Dony wrote:
> On Fri, Apr 18, 2003 at 03:02:23PM +0200, Willie Viljoen wrote:
>
>>On Friday 18 April 2003 0:48, someone, possibly Joe Lewis, typed:
>>
>>
>>>Password:
>>>Response:
>>>joe at 192.168.1.1's password:
>>
>>The first prompt is PAM challenge response authentication. This uses the PAM
>>system instead of just a flat read of /etc/master.passwd to authenticate,
>>and is also more secure than standard plaintext authentication.
>>
>>Unless your sshd is misconfigured, or your configuration files and binaries are
>>out of sync (this happens when a system is upgraded without doing
>>mergemaster), this should not be happening, and you should be able to log
>>in at the first prompt. It might also be that the ssh client you are using
>>does not handle challenge response authentication properly.
>
>
> Indeed and one thing you should check is whether you are not using SSH v1 by
> mistake. This might happen if you are using it with arg -1, e.g.:
>
> $ ssh -1 somehost.domain.tld
> Password:
> Response:
> $ ssh -2 somehost.domain.tld
> Password:
>
> or if your ssh client is set up to try SSH v1 first, e.g. if using FreeBSD's
> one as it seems, that would be:
>
> Protocol 1,2
>
> in the relevant part of your /etc/ssh/ssh_config, see ssh_config(5) for more
> details.
>
>
>>If you are happy with standard plaintext configuration, you may edit
>>/etc/ssh/sshd_config and change the setting to this:
>>
>># Change to no to disable PAM authentication
>>ChallengeResponseAuthentication no
>
>
> This will do if you control the ssh server you are connecting to, but that
> will only be a workaround and you probably want to fix the client problem,
> as the same could happen on other hosts.
>
>
>>I'd recommend you rather get PAM fixed though, or use public key
>>authentication instead, that's much more secure than any form of password
>>authentication.
>
>
> I'd second on using public key authentication, as this will make remote
> logins even faster, and more secure, provided that your private key is
> properly secured. The ssh(1) man page explains it somewhat in the SSH protocol
> version 2 section.
>
> Hope this helps.
>
> Olivier
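
An added example, not part of the original thread: a small checker for the two settings discussed above, reporting whether a client config lists SSH v1 first for a given host and what a server config explicitly sets for the two password-prompting options. It applies the "first obtained value is used" rule from ssh_config(5) and sshd_config(5); the function names, hostnames and sample configs are constructed for illustration, and Match blocks are not handled.

```python
import fnmatch
import re

# Constructed sample configs (not from the thread); hostnames are placeholders.
SAMPLE_SSH_CONFIG = """\
Host legacy.example.org
    Protocol 1,2
Host *.example.org
    Protocol=2
Host *
    Protocol 2,1
    ForwardX11 no
"""
SAMPLE_SSHD_CONFIG = """\
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""

def effective_option(config_text, host, option):
    """First value of `option` that applies to `host` (first match wins), or None."""
    applies = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(.*)", raw)
        if not m or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":  # fnmatch approximates ssh's * and ? wildcards
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            neg = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            applies = hit and not neg
        elif applies and key == option.lower():
            return value
    return None

def tries_ssh1_first(config_text, host):
    """True if the client would try SSH v1 before v2; None if Protocol is unset."""
    value = effective_option(config_text, host, "Protocol")
    if value is None:
        return None  # unset here: the client's built-in default applies
    return value.split(",")[0].strip() == "1"

def password_prompt_settings(sshd_config_text):
    """Explicit settings of the two server options that produce password prompts."""
    names = ("ChallengeResponseAuthentication", "PasswordAuthentication")
    return {n: effective_option(sshd_config_text, "", n) for n in names}

if __name__ == "__main__":
    for h in ("legacy.example.org", "www.example.org", "somehost.domain.tld"):
        print(h, "tries SSH v1 first:", tries_ssh1_first(SAMPLE_SSH_CONFIG, h))
    print(password_prompt_settings(SAMPLE_SSHD_CONFIG))
```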