From a4904f7bf19fb091b9fcf8059dedd5c5198fc039 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 23 Feb 2006 21:35:30 +1100 Subject: [PATCH] - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current reality. Pointed out by tryponraj at gmail.com. --- ChangeLog | 6 +++++- sshd_config | 13 +++++++------ sshd_config.5 | 5 ++++- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index f942c2453..d7213862f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2006023 + - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current + reality. Pointed out by tryponraj at gmail.com. + 2006022 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only compile in compat code if required. @@ -3877,4 +3881,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4133 2006/02/22 11:24:47 dtucker Exp $ +$Id: ChangeLog,v 1.4134 2006/02/23 10:35:30 dtucker Exp $ diff --git a/sshd_config b/sshd_config index 4957dd1a6..57f9a17bb 100644 --- a/sshd_config +++ b/sshd_config @@ -71,12 +71,13 @@ # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication mechanism. -# Depending on your PAM configuration, this may bypass the setting of -# PasswordAuthentication, PermitEmptyPasswords, and -# "PermitRootLogin without-password". If you just want the PAM account and -# session checks to run without PAM authentication, then enable this but set -# ChallengeResponseAuthentication=no +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. #UsePAM no #AllowTcpForwarding yes diff --git a/sshd_config.5 b/sshd_config.5 index 71a293ffb..6e2de10d7 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -677,7 +677,10 @@ If set to .Dq yes this will enable PAM authentication using .Cm ChallengeResponseAuthentication -and PAM account and session module processing for all authentication types. +and +.Cm PasswordAuthentication +in addition to PAM account and session module processing for all +authentication types. .Pp Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either