• NetBSD

  • How to prevent sshd betraying hostname?

  • kc9udx

    • Post #1
    • Edited

    When connecting to sshd, I am prompted
    (user@server) Password for user@realserver.domain:
    where server is what the client calls the server but realserver.domain are the real hostname and domainname from the server.
    I am using pam, and I presume that pam generates this prompt. How can I change it so that the prompt does not reveal the hostname (and domainname)?

    • rvp replied to this.

      • Rrvp

        • Post #2

        kc9udx How can I change it so that the prompt does not reveal the hostname (and domainname)?

        A bit obscure, but mentioned here.

        qemu# diff -u /etc/pam.d/sshd.orig /etc/pam.d/sshd
--- /etc/pam.d/sshd.orig	2025-02-02 15:05:07.000000000 +0000
+++ /etc/pam.d/sshd	2025-02-11 22:24:56.642798062 +0000
@@ -10,7 +10,7 @@
 auth		optional	pam_afslog.so	no_warn try_first_pass
 # pam_ssh has potential security risks.  See pam_ssh(8).
 #auth		sufficient	pam_ssh.so	no_warn try_first_pass
-auth		required	pam_unix.so	no_warn try_first_pass
+auth		required	pam_unix.so	no_warn try_first_pass authtok_prompt="Ehh...what's up, Doc? "
 
 # account
 #account	required	pam_krb5.so
qemu#

          • kc9udx

            • Post #3
            • Edited

            I did try that first; but it seems to have no effect. Perhaps you can spot if I did something wrong:

            # $NetBSD: sshd,v 1.9.76.1 2023/06/21 21:33:02 martin Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so  no_warn authok_prompt="Try 2 ? "
auth            sufficient      pam_skey.so     no_warn try_first_pass
#auth           sufficient      pam_krb5.so     no_warn try_first_pass
auth            optional        pam_afslog.so   no_warn try_first_pass
# pam_ssh has potential security risks.  See pam_ssh(8).
#auth           sufficient      pam_ssh.so      no_warn try_first_pass
auth            required        pam_unix.so     no_warn try_first_pass authok_prompt="Try? "

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
# pam_ssh has potential security risks.  See pam_ssh(8).
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so     no_warn try_first_pass
password        required        pam_unix.so     no_warn try_first_pass

            Alright... Nefermind... It was a stupid spelling error on my part the whole time.

            • Jay likes this.