PHK's MD5 might not be slow enough anymore
Dag-Erling Smørgrav
des at des.no
Wed Feb 3 11:59:47 UTC 2010
Matthew Dillon <dillon at apollo.backplane.com> writes:
> "Dag-Erling Smørgrav" <des at des.no> writes:
> > Matthew Dillon <dillon at apollo.backplane.com> writes:
> > > Just run sshd and put this in your sshd_config:
> > >
> > > # To disable tunneled clear text passwords, change to no here!
> > > PasswordAuthentication no
> > This does not do what you think it does. RTFM.
> It looks like the defaults in FreeBSD are different, so shoot me.
Nope.
> Ah, I see, YOU were the one who changed the FreeBSD defaults to be
> less secure.
Nope.
"PasswordAuthentication no" *is* the default.
It does not disable password authentication. It disables the SSH
"password" authentication method. Password authentication is still
possible via PAM.
> Now I understand.
No, you don't, you're just making it up as you go along.
> So, FreeBSD users, it looks like you have to play Russian roulette
> with your sshd_config options if you want the directives to actually
> work.
No Russian roulette, no sshd_config tweaking. All you need is a
one-line change to /etc/pam.d/sshd. See pam.conf(5) and pam_unix(8) for
further details.
> But hey, I'm sure DES will be happy to flip you off instead of tell
> you which options will work with FreeBSD.
I don't flip off users with valid concerns. You don't fall into that
category.
> So I guess I'll have to instead.
I'm sure users will be eternally grateful to you for giving them
incorrect information which weakens the security of their systems.
> If you don't need PAM's extra features for your sshd access (which is
> most people)
Wrong; most people *do* need PAM.
> then turn PAM off in your sshd_config to work around the base code
> change that DES made.
UsePAM is on by default in OpenSSH-portable.
Yes, I wrote the original PAM support code for OpenSSH; so shoot me. It
was necessary.
> Then the other options will work as
> intended. And, just to be safe, also turn off the challenge-response
> option.
>
> UsePAM no
> ChallengeResponseAuthentication no
> PasswordAuthentication no
>
> There, all better.
Yeah, now you turned off *all* authentication methods except keys, and
by turning off PAM, you also turned off session management, accounting,
utmpx logging, lockout of expired accounts, etc.
If you're serious about strong authentication, use time-synchronized OTP
tokens. Oh wait, you can't, because you need PAM and ChallengeResponse
to mediate between the user and the backend, which usually acts like a
Radius server. Too bad.
DES
--
Dag-Erling Smørgrav - des at des.no
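As an added example, not part of the thread, here is a small POSIX shell check for the point DES makes: whether a given sshd_config plus /etc/pam.d/sshd can still reach a Unix password prompt. The defaults it assumes follow the thread (PasswordAuthentication no as shipped on FreeBSD, UsePAM yes, ChallengeResponseAuthentication yes); the sample files are constructed, and commenting out the pam_unix.so auth line is one assumed one-line change, not necessarily the one DES had in mind.

```shell
# Added example, not from the thread: report which way sshd can still ask
# for a Unix password, given an sshd_config and an /etc/pam.d/sshd.
# Assumed defaults: PasswordAuthentication no (FreeBSD's shipped config),
# UsePAM yes and ChallengeResponseAuthentication yes (OpenSSH-portable).

# sshd_opt FILE KEYWORD DEFAULT: sshd honours the first uncommented match;
# keywords are case-insensitive.
sshd_opt() {
    awk -v k="$(printf %s "$2" | tr A-Z a-z)" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == k { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# pam_unix_auth FILE: true if an active "auth" line still loads pam_unix.so
pam_unix_auth() {
    awk '$1 !~ /^#/ && $1 == "auth" && $3 ~ /pam_unix\.so/ { found = 1 }
         END { exit !found }' "$1"
}

# password_path SSHD_CONFIG PAM_SSHD -> "password", "pam" or "none"
password_path() {
    pa=$(sshd_opt "$1" PasswordAuthentication no)
    pam=$(sshd_opt "$1" UsePAM yes)
    cr=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    if [ "$pa" = yes ]; then echo password; return 0; fi
    # keyboard-interactive through PAM needs UsePAM, ChallengeResponse
    # and an auth module that asks for the Unix password
    if [ "$pam" = yes ] && [ "$cr" = yes ] && pam_unix_auth "$2"; then
        echo pam; return 0
    fi
    echo none
}

# Constructed sample files standing in for sshd_config and /etc/pam.d/sshd
tmp=$(mktemp -d)
printf 'PasswordAuthentication no\n' > "$tmp/sshd_only"
printf 'UsePAM no\nChallengeResponseAuthentication no\nPasswordAuthentication no\n' \
    > "$tmp/sshd_nopam"
printf 'auth\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$tmp/pam_unix"
# assumed one-line change: the pam_unix.so auth line commented out
printf '#auth\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$tmp/pam_fixed"

password_path "$tmp/sshd_only"  "$tmp/pam_unix"   # pam: passwords still work
password_path "$tmp/sshd_only"  "$tmp/pam_fixed"  # none, PAM sessions kept
password_path "$tmp/sshd_nopam" "$tmp/pam_unix"   # none, but PAM lost too
```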
More information about the freebsd-security mailing list