LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-16-2007, 06:14 PM   #1
itnaa
Member
 
Registered: Dec 2006
Distribution: CentOS 4.4 (2.6.9-42.0.2.ELsmp)
Posts: 55

Rep: Reputation: 15
Naive SSH Questions


Hi Folks,

Am new to ssh and hope someone can help me out while I learn more about it...

I was experimenting with logging into my server using ssh. I find that with the usePAM = yes option,

(a) I get a normal login option (ie linux user account) if I simply hit return at the pass phrase request (even though I've set a pass phrase). Further, I can login to the account using the normal linux login,

(b) I directly get the linux login prompt when attempting to login into an account for which I haven't inserted the public-key. And, I can login there too.

I imagine that there's a reason for the public-private key approach to setting up an ssh session, so, am a bit concerned that it allows a linux account login. As I understand it, if it does allow a linux account login, then the passwords are being transmitted in plain text?

Thinking my logic to be true, I set usePAM = no and now I always & only get the request for the pass phrase. Naive me thinks it good, but frankly really don't have a good understanding of what's happening on the authentication front!! Any help/thoughts would be much appreciated!! Would much appreciate a nod onn whether my settings below are insecure (I realize that such a question does depend on the environment & type of use, but any absolute no-no's?)

Thanks!!

SSH: OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
OS: CentOS 4.4

----------------------------------------
Some sshd_config parameter settings:
----------------------------------------
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
Protocol 2
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin no
MaxAuthTries 10
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
 
Old 07-16-2007, 11:53 PM   #2
masternerdguy
LQ Newbie
 
Registered: Jul 2007
Posts: 10

Rep: Reputation: 0
Smile Plain Text

Don't worry. No passwords are being transmitted in plain text. They are encrypted by the ssh client and decrypted by the ssh server. If this was not true, then there would be a lot more identity theft
 
Old 07-17-2007, 08:50 AM   #3
itnaa
Member
 
Registered: Dec 2006
Distribution: CentOS 4.4 (2.6.9-42.0.2.ELsmp)
Posts: 55

Original Poster
Rep: Reputation: 15
Thanks, but for certain cases is encryption/decrypt. possible? One of the accounts that I tried to ssh into, I hadn't placed the public key, and I got a linux type login prompt (and could log in when usePAM=yes)...

Last edited by itnaa; 07-17-2007 at 09:03 AM.
 
Old 07-17-2007, 09:12 AM   #4
masternerdguy
LQ Newbie
 
Registered: Jul 2007
Posts: 10

Rep: Reputation: 0
login prompt

Well, that is normal.
 
Old 07-17-2007, 09:24 AM   #5
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615Reputation: 615Reputation: 615Reputation: 615Reputation: 615Reputation: 615
He seems to have "PasswordAuthentication no" in his sshd_config. Shouldn't that disable password authentication?
 
Old 07-17-2007, 09:31 AM   #6
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by AlucardZero
He seems to have "PasswordAuthentication no" in his sshd_config. Shouldn't that disable password authentication?
UsePAM=yes is overriding that.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
naive question about Samba FijiJohn Linux - Software 11 07-16-2006 10:09 PM
Naive sendmail setup John Velman Slackware 1 08-30-2005 09:59 AM
suse 9.1 questions (extremely naive) mannis SUSE / openSUSE 5 10-15-2004 11:47 AM
Naive scripting question (for Nautilus) the_rydster Programming 3 11-15-2003 02:58 PM
Naive scripting question (for Nautilus) the_rydster Linux - General 0 11-15-2003 10:58 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration