Bug 843 - sshd_config.5: add warning to PasswordAuthentication
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 3.8p1
Hardware: All Linux
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Blocks: 822
Reported: 2004-04-20 10:08 AEST by Sascha Silbe
Modified: 2004-09-11 13:18 AEST

Attachments
Add detail to UsePAM section of sshd_config (1.33 KB, patch)
2004-05-03 19:21 AEST, Darren Tucker
Update UsePAM entry in sshd_config (1.34 KB, patch)
2004-05-04 13:30 AEST, Darren Tucker
Incorporate djm's changes. (1.28 KB, patch)
2004-05-12 12:04 AEST, Darren Tucker

Description Sascha Silbe 2004-04-20 10:08:37 AEST
From the sample sshd_config:

=== Begin ===
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no
=== End ===

Please add an appropriate warning regarding the use of UsePAM to the PasswordAuthentication section of sshd_config.5.
Thanks!
Comment 1 Darren Tucker 2004-05-03 19:21:01 AEST
Created attachment 624
Add detail to UsePAM section of sshd_config

How's this?  For those that don't speak nroff (I don't, I just mimic the bits
that look like what I want :-), the text is:

UsePAM	Enables the Pluggable Authentication Module interface.	To
	authenticate via PAM you must use ChallengeResponseAuthentication
	(keyboard-interactive for SSHv2, TIS for SSHv1) so you should
	also set PasswordAuthentication to ``no''.

	If UsePAM and PasswordAuthentication are both enabled, then users
	may authenticate via the native password mechanism, bypassing the
	PAM auth module.  In such a case, the PAM account and session
	modules will still be checked.

	If UsePAM is enabled you will not be able to run sshd as a non-
	root user.  The default is ``no''.
Comment 2 Darren Tucker 2004-05-04 13:30:37 AEST
Created attachment 625
Update UsePAM entry in sshd_config

Update nroff formatting based on feedback from jmc@
Comment 3 Damien Miller 2004-05-12 11:54:43 AEST
> Enables the Pluggable Authentication Module interface. To
> authenticate via PAM you must use ChallengeResponseAuthentication
> (keyboard-interactive for SSHv2, TIS for SSHv1) so you should
> also set PasswordAuthentication to ``no''.

Perhaps something like this:

Enables the Pluggable Authentication Module interface. If set to ``yes'', this
will enable PAM authentication using ChallengeResponseAuthentication and PAM
account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role
to password authentication, you should disable either PasswordAuthentication or
ChallengeResponseAuthentication.
Comment 4 Darren Tucker 2004-05-12 12:04:11 AEST
Created attachment 632
Incorporate djm's changes.
Comment 5 Darren Tucker 2004-05-13 16:53:06 AEST
Patch #632 has been committed.  Thanks for the report.
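
An added example, not part of the original bug thread and not OpenSSH code: a small Python check for the UsePAM overlap discussed in comments 1 and 3. The function names, finding codes, sample config and the assumed `yes` defaults for PasswordAuthentication and ChallengeResponseAuthentication are this example's own assumptions; it reads only the global section and stops at a `Match` line.

```python
# Added example: audit an sshd_config for the UsePAM overlap described above.
# Defaults: UsePAM "no" is stated in the thread; "yes" for the other two is
# an assumption about the sshd build being audited.
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
UsePAM yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM no
"""


def effective_settings(config_text):
    """Resolve the three keywords the way sshd does: first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":  # conditional blocks are out of scope here
            break
        if keyword in DEFAULTS and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].lower()
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Return finding codes for the combinations the thread warns about."""
    s = effective_settings(config_text)
    if s["usepam"] != "yes":
        return []
    password = s["passwordauthentication"] == "yes"
    challenge = s["challengeresponseauthentication"] == "yes"
    findings = []
    if password and challenge:
        # Comment 3: the two serve an equivalent role, so disable one.
        findings.append("overlap")
    if not challenge:
        # Comment 1: PAM authentication requires challenge-response.
        findings.append("pam-auth-unused")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```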