[Samba] FW: Questions about Samba 4
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 28 12:53:49 UTC 2015
Rowland,
if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy
for sshd includes pam_unix, password authentication will be allowed through
the challenge-response mechanism regardless of the value of PasswordAuthentication.
source.
http://www.unixlore.net/articles/five-minutes-to-more-secure-ssh.html
start reading as of : Details on PAM Authentication
but a good find, maybe Volker can use this info also.
Greetz,
Louis
>-----Oorspronkelijk bericht-----
>Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: vrijdag 28 augustus 2015 14:39
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] FW: Questions about Samba 4
>
>On 28/08/15 11:48, Volker Lendecke wrote:
>> On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
>>> This was a test on debian Jessie with sernet samba 4.2.3.
>>> and the test was, "login" with a AD user on ssh.
>>> this worked, fine, but this i noticed later.
>> Currently recompiling with the attached patch. I haven't
>> tested it yet, but I am pretty sure this will fix the issue.
>>
>> For everyone interested, the comment should be pretty
>> self-explaining.
>>
>> Volker
>>
>>
>>
>
>OK, after reading Volkers patch, I got the feeling that the problem
>wasn't actually a samba problem, so I went googling.
>
>If I change these lines in /etc/ssh/sshd_config:
>
>ChallengeResponseAuthentication no
>#PasswordAuthentication yes
>
>To:
>
>ChallengeResponseAuthentication yes
>PasswordAuthentication yes
>
>restart ssh: 'service ssh restart' on Debian wheezy
>
>Now try and login via ssh:
>
>root at dc01:~# ssh user3 at 192.168.0.196
>Password:
>Password expired. You must change it now.
>Enter new password:
>Enter it again:
>Warning: Your password will expire in 42 days on Fri Oct 9
>13:30:25 2015
>Linux debclient 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u3 x86_64
>
>The programs included with the Debian GNU/Linux system are
>free software;
>the exact distribution terms for each program are described in the
>individual files in /usr/share/doc/*/copyright.
>
>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
>permitted by applicable law.
>Last login: Fri Aug 28 13:23:32 2015 from dc01.example.com
>user3 at debclient:~$
>
>No spinning winbind PID
>
>Have I found the cure ?
>
>Rowland
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list