Bug 853 - PAM auth needs ChallengeResponseAuthentication enabled
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 3.8.1p1
Hardware: All Linux
Importance: P5 minor
Assignee: OpenSSH Bugzilla mailing list
Blocks: 822
Reported: 2004-04-29 02:49 AEST by Luiz
Modified: 2004-09-11 13:18 AEST

Description Luiz 2004-04-29 02:49:47 AEST
With "ChallengeResponseAuthentication no" in sshd_config, PAM authentication is
completely disabled.
Most users won't realize it because sshd falls back to shadow auth, but additional
restrictions in the PAM conf will not work.  You can confirm this behavior by
enabling/disabling ChallengeResponseAuthentication and requiring pam_deny.so for
sshd auth.

It was working on versions up to 3.7.1p2
Comment 1 Damien Miller 2004-04-29 07:46:46 AEST
Additional PAM restrictions are still enabled, just not the PAM "password"
restrictions. I.e. account and session controls are still enforced.

Besides, the comment for UsePAM in sshd_config is fairly clear (though not
completely explicit):

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
Comment 2 Darren Tucker 2004-06-29 12:42:09 AEST
This has been fixed; the development snapshots have SSH password authentication
via PAM too (using a "blind" conversation function).  This will be in the next
major release (i.e. 3.9x).

Please try a snapshot:
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
and re-open this bug if the problem is not resolved.
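
Added example (not part of the bug report or of OpenSSH): a small audit check for the condition discussed in this thread, where UsePAM is on but password logins do not go through the PAM auth stack because ChallengeResponseAuthentication is off. The function names, the sample configs, and the 3.8.x defaults in `DEFAULTS` are assumptions of this example; the result applies only to releases with the behaviour described above (before the fix in 3.9).

```python
# Assumed OpenSSH 3.8.x defaults (not stated in the bug report).
DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
}

def effective_settings(config_text):
    """Return the effective value of each tracked sshd_config keyword.

    sshd keeps the first value it obtains for a keyword, keywords are
    case-insensitive, and '=' may separate keyword and value.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue  # keyword without a value: ignore here
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in DEFAULTS and key not in seen:
            seen[key] = value  # first occurrence wins
    return {k: seen.get(k, v) for k, v in DEFAULTS.items()}

def pam_auth_stack_bypassed(config_text):
    """True when password logins are accepted without the PAM 'auth' stack.

    In that state a module such as pam_deny.so in the sshd auth section has
    no effect on password logins; account and session controls still apply.
    """
    s = effective_settings(config_text)
    return (s["usepam"] == "yes"
            and s["challengeresponseauthentication"] == "no"
            and s["passwordauthentication"] == "yes")

# Constructed sample configs, not taken from a real host.
SAMPLE_AFFECTED = "UsePAM yes\nChallengeResponseAuthentication no\n"
SAMPLE_FIRST_WINS = (
    "usepam=yes\n"
    "#ChallengeResponseAuthentication no\n"
    "ChallengeResponseAuthentication yes\n"
    "ChallengeResponseAuthentication no\n"
)

if __name__ == "__main__":
    for name, text in [("affected", SAMPLE_AFFECTED), ("first-wins", SAMPLE_FIRST_WINS)]:
        print(name, effective_settings(text), pam_auth_stack_bypassed(text))
```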