• NetBSD
  • How to prevent sshd betraying hostname?


When connecting to sshd, I am prompted
(user@server) Password for user@realserver.domain:
where server is what the client calls the server but realserver.domain is the real hostname and domain name of the server.
I am using PAM, and I presume that PAM generates this prompt. How can I change it so that the prompt does not reveal the hostname (and domain name)?

  • rvp replied to this.

    kc9udx How can I change it so that the prompt does not reveal the hostname (and domainname)?

    A bit obscure, but mentioned here.

    qemu# diff -u /etc/pam.d/sshd.orig /etc/pam.d/sshd
    --- /etc/pam.d/sshd.orig	2025-02-02 15:05:07.000000000 +0000
    +++ /etc/pam.d/sshd	2025-02-11 22:24:56.642798062 +0000
    @@ -10,7 +10,7 @@
     auth		optional	pam_afslog.so	no_warn try_first_pass
     # pam_ssh has potential security risks.  See pam_ssh(8).
     #auth		sufficient	pam_ssh.so	no_warn try_first_pass
    -auth		required	pam_unix.so	no_warn try_first_pass
    +auth		required	pam_unix.so	no_warn try_first_pass authtok_prompt="Ehh...what's up, Doc? "
     
     # account
     #account	required	pam_krb5.so
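
Review bot: on the `+` line for pam_unix.so, the new authtok_prompt value no longer tells the user that a password is expected; a neutral string such as authtok_prompt="Password: " hides the hostname just as well and stays recognisable to people and to scripts that wait for a password prompt. The override is set only on pam_unix.so, so if the commented-out pam_ssh.so line above it is ever enabled, check the prompt that module produces as well.
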
    qemu# 
    • Edited

    I did try that first; but it seems to have no effect. Perhaps you can spot if I did something wrong:

    # $NetBSD: sshd,v 1.9.76.1 2023/06/21 21:33:02 martin Exp $
    #
    # PAM configuration for the "sshd" service
    #
    
    # auth
    auth            required        pam_nologin.so  no_warn authok_prompt="Try 2 ? "
    auth            sufficient      pam_skey.so     no_warn try_first_pass
    #auth           sufficient      pam_krb5.so     no_warn try_first_pass
    auth            optional        pam_afslog.so   no_warn try_first_pass
    # pam_ssh has potential security risks.  See pam_ssh(8).
    #auth           sufficient      pam_ssh.so      no_warn try_first_pass
    auth            required        pam_unix.so     no_warn try_first_pass authok_prompt="Try? "
    
    # account
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        pam_unix.so
    
    # session
    # pam_ssh has potential security risks.  See pam_ssh(8).
    #session        optional        pam_ssh.so
    session         required        pam_permit.so
    
    # password
    #password       sufficient      pam_krb5.so     no_warn try_first_pass
    password        required        pam_unix.so     no_warn try_first_pass

    Alright... Never mind... It was a stupid spelling error on my part the whole time.

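
The misspelling in the configuration posted above (`authok_prompt` instead of `authtok_prompt`) had no visible effect, so the hostname-revealing prompt stayed in place. As an added example, not code from any poster in this thread, the following Python script flags option names in a PAM service file that are unknown and, where possible, suggests the known name they resemble. The names `KNOWN_OPTIONS` and `lint_pam` are assumptions of the example, and the option set is an illustrative subset to extend from the module man pages.

```python
import difflib
import shlex

# Assumption: illustrative subset of PAM option names, not a complete list.
KNOWN_OPTIONS = {
    "debug", "no_warn", "use_first_pass", "try_first_pass",
    "echo_pass", "authtok_prompt", "oldauthtok_prompt", "user_prompt",
}

# Sample input: lines copied from the service file posted in the thread.
SAMPLE = '''\
auth            required        pam_nologin.so  no_warn authok_prompt="Try 2 ? "
auth            sufficient      pam_skey.so     no_warn try_first_pass
# pam_ssh has potential security risks.  See pam_ssh(8).
auth            required        pam_unix.so     no_warn try_first_pass authok_prompt="Try? "
'''


def lint_pam(text):
    """Return (line, module, option, suggestion) for every unknown option.

    Expects the simple "facility control module [options...]" layout used
    in the thread; suggestion is None when no known name is close.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # shlex keeps a quoted prompt value in one token and drops comments.
        fields = shlex.split(line, comments=True)
        for opt in fields[3:]:
            name = opt.split("=", 1)[0]
            if name in KNOWN_OPTIONS:
                continue
            close = difflib.get_close_matches(name, KNOWN_OPTIONS, n=1, cutoff=0.8)
            findings.append((lineno, fields[2], name, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for lineno, module, name, guess in lint_pam(SAMPLE):
        hint = f" (did you mean {guess}?)" if guess else ""
        print(f"line {lineno}: {module}: unknown option {name}{hint}")
```

An option the script does not recognise is not necessarily wrong; a finding with a suggestion is the case worth checking first.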