Bug 1410

Summary: Correct UsePAM comment in sshd_config on Mac OS X
Product: Portable OpenSSH
Reporter: Disco Vince Giffin <vgiffin>
Component: PAM support
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm
Priority: P2
Version: 4.7p1
Hardware: Other
OS: Mac OS X
Attachments:
Description: Corrects comments in sshd_config about using PAM with OpenSSH.
Flags: none

Description Disco Vince Giffin 2007-12-21 15:12:56 AEDT
Created attachment 1405
Corrects comments in sshd_config about using PAM with OpenSSH.

Attached is a patch for building OpenSSH 4.7p1 on Mac OS X.

This patch corrects comments in sshd_config about using PAM with OpenSSH.

Comment 1 Darren Tucker 2007-12-29 02:56:46 AEDT
Comment on attachment 1405
Corrects comments in sshd_config about using PAM with OpenSSH.

>-# To disable tunneled clear text passwords, change to no here!
>+# To disable tunneled clear text passwords, change to no here! Also,
>+# remember to set the UsePAM setting to 'no'.
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
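
Review bot: the added sentence "remember to set the UsePAM setting to 'no'" ties disabling tunneled clear text passwords to switching PAM off entirely, yet the comment kept as context in the next hunk says the PAM account and session checks can stay enabled as long as PasswordAuthentication and ChallengeResponseAuthentication are both set to 'no'. An administrator following the new wording would give up those checks with no reason stated. Suggest dropping the sentence, or rewording it to point at ChallengeResponseAuthentication rather than UsePAM.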

What is the meaning of this change?  What does UsePam=no have to do with whether or
not PasswordAuthentication is enabled?

It might be referring to ChallengeResponseAuthentication which looks similar to a casual observer, but there is already text in sshd_config and sshd(8) that covers that.

>@@ -78,7 +79,10 @@
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.

>+# Also, PAM will deny null passwords by default.  If you need to allow
>+# null passwords, add the "	nullok" option to the end of the
>+# securityserver.so line in /etc/pam.d/sshd.

That is very platform specific.  I would probably be OK with adding a comment in platform-neutral language to the UsePAM section that mentions this.

>-#UsePAM no
>+#UsePAM yes
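
Review bot: the three added lines about null passwords name a Mac OS X specific module and path (securityserver.so in /etc/pam.d/sshd) in a sample file shared by every platform, and the quoted option contains a literal tab inside the quotes ("	nullok") that a reader would copy verbatim. If the hint is kept, word it without the module name, remove the tab, and mention how it relates to the "#PermitEmptyPasswords no" line visible in the earlier hunk, since the text tells people how to permit empty passwords without saying that the sshd-side setting is involved. In the same hunk, "-#UsePAM no" becomes "+#UsePAM yes" while staying commented out, so it changes only the value the sample file displays; if the intent is to enable PAM for a local build, the line should be uncommented in that build's own config rather than changing the displayed value here.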

That is documenting a local change, and I don't think we want to change the default.

Comment 2 Damien Miller 2008-01-20 06:46:29 AEDT
We won't apply this diff - sshd_config isn't the place for a description of how to configure PAM.

Comment 3 Damien Miller 2008-04-04 10:01:37 AEDT
Close resolved bugs after release.