I first noticed this problem when logging in via ppk. After entering the passphrase incorrectly 3 times, I was presented with a password prompt that worked, even though I had 'PasswordAuthentication=no' in the sshd_config file. In order to rectify this, I set 'UsePAM=no', but was no longer able to log into the server via ssh. I hence have set 'ChallengeResponseAuthentication=no' and 'UsePAM=yes', and I can log in using public key only, and no password prompts. Is this a correct workaround/solution, or is there a security risk? Is this a bug, or am I off base here? Please see my post here: http://forums.gentoo.org/viewtopic-p-2099561.html

Reproducible: Always

Steps to Reproduce:
1. Set UsePAM=no in sshd_config
2. Restart sshd
3. Try to login via ppk

Actual Results:
Get the following error when ssh'ing into that box: Permission denied (publickey).

Expected Results:
To Login via ssh without PAM Authentication
PasswordAuthentication is different from UsePAM ... but having PAM enabled usually does produce unexpected behavior such as you've described here ... when setting up a server that only allowed access via ssh keys, I set PasswordAuthentication and UsePAM to 'no' and it has always worked fine ... but I've never done keys which required passphrases
I think you are on to something here. I just disabled passphrases on my ppk setup, and set 'UsePAM no', and was able to successfully login via ssh. As soon as I used a ppk user with passphrases, I get the permission denied. Do passphrases somehow require PAM? I really don't like the thought of all my ssh activity being forced to use PAM in order to use passphrases, or being forced to not use passphrases. There has got to be a solution to this issue, right? Maybe some compile-time magic?
I assume you're emerging with USE=pam ... what if you try USE=-pam ?
If I emerge with 'USE="-pam"' I get the same behavior as if I used 'UsePAM no' in sshd_config. Except when openssh is emerged with -pam, I can't use 'UsePAM yes' to fix it, I must re-emerge it with USE="pam".
this looks like Bug 65343 ... it looks like aliz didn't rev bump openssh after adding the pamfix to the 3.9_p1-r1 ebuild though ...
OpenSSH_4.0p1 does not resolve this issue for me.
ping - any solution?
Re-assign, aliz seems MIA.
any news on this bug?
Using these options I have no probs logging in ppk w/ passphrases:
* [ebuild R ] net-misc/openssh-4.2_p1-r1 USE="chroot ipv6 ldap pam sftplogging smartcard tcpd -X509 -hpn -kerberos -libedit -skey -static" 0 kB
* UsePAM=no
* PasswordAuthentication=no
* ChallengeResponseAuthentication=no

xyon plz try this combo - so we can close this bug soon
old
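Added example, not part of the bug thread or of OpenSSH: a Python check over the three sshd_config settings discussed above that reports which password-style prompts remain reachable. It assumes upstream OpenSSH defaults for absent keywords and that PAM is the only keyboard-interactive backend, and it ignores Match blocks; the function names and sample configurations are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults, assumed when a keyword is absent (distributions may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}
# Newer OpenSSH releases name ChallengeResponseAuthentication this way.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def effective_settings(config_text):
    """Global keyword values as sshd reads them: the first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        args = parts[1].split() if len(parts) > 1 else []
        if args:
            settings.setdefault(ALIASES.get(key, key), args[0].lower())
    return settings

def password_prompt_paths(config_text):
    """List the authentication methods that can still ask for a password."""
    s = {**DEFAULTS, **effective_settings(config_text)}
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # With PAM enabled, keyboard-interactive hands the prompt to PAM, which
    # can ask for the account password even if PasswordAuthentication is no.
    if s["challengeresponseauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive (PAM)")
    return paths

# Constructed samples modelled on the configurations described in the thread.
REPORTED = "PasswordAuthentication=no\nUsePAM=yes\n"
WORKAROUND = "PasswordAuthentication=no\nChallengeResponseAuthentication=no\nUsePAM=yes\n"
KEYS_ONLY = "UsePAM=no\nPasswordAuthentication=no\nChallengeResponseAuthentication=no\n"

if __name__ == "__main__":
    for name, cfg in [("reported", REPORTED), ("workaround", WORKAROUND), ("keys only", KEYS_ONLY)]:
        print(f"{name}: {password_prompt_paths(cfg) or 'no password prompt'}")
```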