From owner-freebsd-stable  Thu Oct  4  3:48: 6 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from raven.ravenbrook.com (raven.ravenbrook.com [193.82.131.18])
	by hub.freebsd.org (Postfix) with ESMTP id 54CA537B403
	for <freebsd-stable@FreeBSD.ORG>; Thu,  4 Oct 2001 03:48:02 -0700 (PDT)
Received: from thrush.ravenbrook.com (thrush.ravenbrook.com [193.112.141.249])
	by raven.ravenbrook.com (8.11.6/8.11.3) with ESMTP id f94Alt036554;
	Thu, 4 Oct 2001 11:47:55 +0100 (BST)
	(envelope-from nb@ravenbrook.com)
Received: from thrush.ravenbrook.com (localhost [127.0.0.1])
	by thrush.ravenbrook.com (8.11.4/8.11.2) with ESMTP id f94Aknx06332;
	Thu, 4 Oct 2001 11:46:49 +0100 (BST)
	(envelope-from nb@thrush.ravenbrook.com)
From: Nick Barnes <Nick.Barnes@pobox.com>
To: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: sshd: requiring password _and_ RSA authentication 
In-Reply-To: Message from Zvezdan Petkovic <zvezdan@CS.WM.EDU> 
   of "Wed, 03 Oct 2001 14:09:06 EDT." <20011003140906.B27029@dali.cs.wm.edu> 
Date: Thu, 04 Oct 2001 11:46:49 +0100
Message-ID: <6330.1002192409@thrush.ravenbrook.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

At 2001-10-03 18:09:06+0000, Zvezdan Petkovic writes:
> On Wed, Oct 03, 2001 at 04:43:39PM +0100, Nick Barnes wrote:
> > One of our servers used to run FreeBSD 2.2.8 with SSH 2 built from
> > /usr/ports/security/ssh2.  I'm not sure exactly which version of SSH
> > this was.  We had sshd configured to require both a password and RSA
> > (or maybe DSA) authentication.
> > 
> 
> I'm not sure that it checked both. I think that the first authentication
> method that succeeds lets you through. You probably had password set up
> as the first method to try.

No, it definitely did check both.  I recall testing it.  I think it
was SSH, rather than OpenSSH.  This man page suggests that I was using
the RequiredAuthentications configuration option:
<http://www.ssh.com/support/ssh/man/sshd2_config-man.html>

> Only if you set up RSA keys _without_ a passphrase. I never do that.

Thanks; I'll make sure our users are using passphrases.  This seems
like a good solution.

Nick B

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message