Bug 853

Summary: PAM auth needs ChallengeResponseAuthentication enabled
Product: Portable OpenSSH
Reporter: Luiz <leg>
Component: PAM support
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: minor    
Priority: P5    
Version: 3.8.1p1   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 822    

Description Luiz 2004-04-29 02:49:47 AEST
With "ChallengeResponseAuthentication no" in sshd_config, PAM authentication is
completely disabled.
Most users won't realize it because sshd falls back to shadow auth, but additional
restrictions in the PAM conf will not work.  You can confirm this behavior by
enabling/disabling ChallengeResponseAuthentication and requiring pam_deny.so for
sshd auth.

It was working on versions up to 3.7.1p2

Comment 1 Damien Miller 2004-04-29 07:46:46 AEST
Additional PAM restrictions are still enabled, just not the PAM "password"
restrictions. I.e. account and session controls are still enforced.

Besides, the comment for UsePAM in sshd_config is fairly clear (though not
completely explicit):

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'

Comment 2 Darren Tucker 2004-06-29 12:42:09 AEST
This has been fixed; the development snapshots have SSH password authentication
via PAM too (using a "blind" conversation function).  This will be in the next
major release (i.e. 3.9x).

Please try a snapshot:
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
and re-open this bug if the problem is not resolved.
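
Added example (not part of the bug report and not OpenSSH code): a small audit helper that reads sshd_config text and flags the combination discussed in this thread, where PAM is enabled but password logins never reach the PAM "auth" stack. The function names, the status strings, the password_via_pam flag (set it to True for builds that include the fix from comment 2) and the DEFAULTS table are assumptions made for the example.

```python
import re

# Assumed values when a keyword is absent; confirm against sshd_config(5)
# for the release being audited.
DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
}

def parse_sshd_config(text):
    """Return global keyword -> value. sshd keeps the first value it sees."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":  # conditional blocks are not global settings
            break
        settings.setdefault(key, value)
    return settings

def pam_auth_status(text, password_via_pam):
    """Classify a config against the condition reported in this bug."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    if cfg["usepam"] != "yes":
        return "pam-disabled"
    if (cfg["challengeresponseauthentication"] != "yes"
            and cfg["passwordauthentication"] == "yes"
            and not password_via_pam):
        # Passwords are checked without PAM, so "auth" modules such as
        # pam_deny.so are skipped; account and session modules still apply
        # (comment 1).
        return "auth-stack-skipped"
    return "not-affected"

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed sshd_config fragment
UsePAM yes
ChallengeResponseAuthentication no
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    print(pam_auth_status(SAMPLE, password_via_pam=False))
```

The second ChallengeResponseAuthentication line in the sample is ignored because the first occurrence of a keyword takes effect, so the sample is reported as auth-stack-skipped on a build without the fix.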