ssh client ignores PasswordAuthentication no

Bug #1052707 reported by rakslice
This bug affects 1 person
Affects: openssh (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

With the setting "PasswordAuthentication no" in /etc/ssh/ssh_config or when passing -o PasswordAuthentication=no, ssh still prompts for a password for keyboard-interactive authentication.
---
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
DistroRelease: Ubuntu 12.04
Package: openssh-client 1:5.9p1-5ubuntu1
PackageArchitecture: amd64
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome 1:5.9p1-5ubuntu1
SSHClientVersion: OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
Tags: precise
Uname: Linux 3.2.0-23-generic x86_64
UpgradeStatus: Upgraded to precise on 2012-05-10 (139 days ago)
UserGroups: adm admin audio cdrom dialout dip floppy lpadmin plugdev sambashare sudo video

rakslice (rakslice) wrote :

This is with the stock openssh-client in Ubuntu 12.04.

$ ssh -V
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012

Serge Hallyn (serge-hallyn) wrote :

Note that I cannot reproduce this. When I do

ssh -o PasswordAuthentication=no 10.42.43.23

I can log in using authorized keys, but am not queried for a password.

Changed in openssh (Ubuntu):
importance: Undecided → Critical
Serge Hallyn (serge-hallyn) wrote :

Can you please run

'apport-collect 1052707'

on the client, and give us the release on both client and server?

Changed in openssh (Ubuntu):
status: New → Incomplete
rakslice (rakslice) wrote : Dependencies.txt

apport information

tags: added: apport-collected precise
description: updated
rakslice (rakslice) wrote :

FYI: apport-collect takes a binary package, so I had to run:
apport-collect -p openssh-client 1052707

The server is FreeBSD 7.3 amd64, apparently running the sshd:
$ /usr/sbin/sshd -v
sshd: illegal option -- v
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007

I can't repro this with an Ubuntu 12.04 server, so there is likely a server issue involved. Am I mistaken in thinking that the effect of PasswordAuthentication=no should be independent of the server version?

Robie Basak (racb) wrote :

Although I'm not sure, I think PasswordAuthentication is a specific ssh protocol mode, and a separate mode is KbdInteractiveAuthentication which technically isn't PasswordAuthentication but could still give you a password prompt depending on what the server does. Perhaps your FreeBSD server is doing this?

Please could you try ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no, and if that still doesn't work then please add -vvv, obscure any sensitive information and then paste the result?
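
The -vvv output requested above shows which protocol method was active when a prompt appeared. The script below is an added example, not part of the original thread or of OpenSSH: it reads the client's "Authentications that can continue" and "Next authentication method" debug lines from a constructed sample log, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: read an `ssh -vvv` client log and report which
# authentication method was active when a prompt appeared.

# Constructed sample log (not the attachment from this bug report).
sample_log() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
Password:
EOF
}

# Methods the server advertised in its most recent reply (comma list).
server_offered() {
    awk '/Authentications that can continue: / {
             sub(/^.*Authentications that can continue: /, ""); last = $0
         }
         END { print last }'
}

# Methods the client actually attempted, in order (comma list).
client_tried() {
    awk '/Next authentication method: / {
             sub(/^.*Next authentication method: /, "")
             out = (out == "" ? $0 : out "," $0)
         }
         END { print out }'
}

# Protocol method behind a server-driven prompt: the last method tried,
# if it is one that asks the user for a secret. A key passphrase prompt
# is local to the client and is reported as "none" here.
prompt_source() {
    last_tried=$(client_tried | awk -F, '{ print $NF }')
    case "$last_tried" in
        password|keyboard-interactive) echo "$last_tried" ;;
        *) echo "none" ;;
    esac
}

echo "offered: $(sample_log | server_offered)"
echo "tried:   $(sample_log | client_tried)"
echo "prompt:  $(sample_log | prompt_source)"
```

To use it on a real session, save the client's stderr (for example with `2> ssh-debug.log`) and pipe that file into `prompt_source` instead of `sample_log`.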

rakslice (rakslice) wrote :

The password prompt still appeared when running with -o KbdInteractiveAuthentication=no.

I've attached a -vvv log.

Robie Basak (racb) wrote :

Thanks for the log. Unfortunately I can't easily experiment with how to configure ssh to turn this off. But even though I can't directly help you configure it, I think this is a configuration issue based on not understanding exactly how the configuration options map to the ssh protocol, rather than a bug.

I'm bumping the priority down to Medium since this is a less common, non-default configuration of ssh that has the issue.

It might be worth asking the community for pointers, for example on askubuntu.com or upstream. There's a more complete list of how to get help here: http://www.ubuntu.com/support/community

Changed in openssh (Ubuntu):
importance: Critical → Medium
Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired