Ubuntu
openssh package

ssh client ignores PasswordAuthentication no

Bug #1052707 reported by rakslice
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Expired
Medium
Unassigned

Bug Description

With the setting "PasswordAuthentication no" in /etc/ssh/ssh_config or when passing -o PasswordAuthentication=no, ssh still prompts for a password for keyboard-interactive authentication.
---
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
DistroRelease: Ubuntu 12.04
Package: openssh-client 1:5.9p1-5ubuntu1
PackageArchitecture: amd64
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome 1:5.9p1-5ubuntu1
SSHClientVersion: OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
Tags: precise
Uname: Linux 3.2.0-23-generic x86_64
UpgradeStatus: Upgraded to precise on 2012-05-10 (139 days ago)
UserGroups: adm admin audio cdrom dialout dip floppy lpadmin plugdev sambashare sudo video

See original description
Revision history for this message
rakslice (rakslice) wrote :

This is with the stock openssh-client in Ubuntu 12.04.

$ ssh -V
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Note that I cannot reproduce this. When I do

ssh -o PasswordAuthentication=no 10.42.43.23

I can log in using authorized keys, but am not queried for a password.

Changed in openssh (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Can you please run

'apport-collect 1052707'

on the client, and give us the release on both client and server?

Changed in openssh (Ubuntu):
status: New → Incomplete
Revision history for this message
rakslice (rakslice) wrote : Dependencies.txt

apport information

tags: added: apport-collected precise
description: updated
Revision history for this message
rakslice (rakslice) wrote :

FYI: apport-collect takes a binary package, so I had to run:
apport-collect -p openssh-client 1052707

The server is FreeBSD 7.3 amd64, apparently running the sshd:
$ /usr/sbin/sshd -v
sshd: illegal option -- v
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007

I can't repro this with an Ubuntu 12.04 server, so there is likely a server issue involved. Am I mistaken in thinking that the effect of PasswordAuthentication=no should be independent of the server version?

Revision history for this message
Robie Basak (racb) wrote :

Although I'm not sure, I think PasswordAuthentication is a specific ssh protocol mode, and a separate mode is KbdInteractiveAuthentication which technically isn't PasswordAuthentication but could still give you a password prompt depending on what the server does. Perhaps your FreeBSD server is doing this?

Please could you try ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no, and if that still doesn't work then please add -vvv, obscure any sensitive information and then paste the result?

Revision history for this message
rakslice (rakslice) wrote :

The password prompt still appeared when running with -o KbdInteractiveAuthentication=no.

I've attached a -vvv log.

Revision history for this message
Robie Basak (racb) wrote :

Thanks for the log. Unfortunately I can't easily experiment with how to configure ssh to turn this off. But even though I can't directly help you configure it, I think this is a configuration issue based on not understanding exactly how the configuration options map to the ssh protocol, rather than a bug.

I'm bumping the priority down to Medium since this is a less common, non-default configuration of ssh that has the issue.

It might be worth asking the community for pointers, for example on askubuntu.com or upstream. There's a more complete list of how to get help here: http://www.ubuntu.com/support/community

Changed in openssh (Ubuntu):
importance: Critical → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.