Bug 843

Summary: sshd_config.5: add warning to PasswordAuthentication
Product: Portable OpenSSH
Reporter: Sascha Silbe <sascha-openssh-bugs>
Component: Documentation
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: 3.8p1   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 822    
Attachments:
  Add detail to UsePAM section of sshd_config (Flags: none)
  Update UsePAM entry in sshd_config (Flags: none)
  Incorporate djm's changes. (Flags: none)

Description Sascha Silbe 2004-04-20 10:08:37 AEST
From the sample sshd_config:

=== Begin ===
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no
=== End ===

Please add an appropriate warning regarding the use of UsePAM to the PasswordAuthentication section of sshd_config.5.
Thanks!
Comment 1 Darren Tucker 2004-05-03 19:21:01 AEST
Created attachment 624
Add detail to UsePAM section of sshd_config

How's this?  For those that don't speak nroff (I don't, I just mimic the bits
that look like what I want :-), the text is:

UsePAM	Enables the Pluggable Authentication Module interface.	To
	authenticate via PAM you must use ChallengeResponseAuthentication
	(keyboard-interactive for SSHv2, TIS for SSHv1) so you should
	also set PasswordAuthentication to ``no''.

	If UsePAM and PasswordAuthentication are both enabled, then users
	may authenticate via the native password mechanism, bypassing the
	PAM auth module.  In such a case, the PAM account and session
	modules will still be checked.

	If UsePAM is enabled you will not be able to run sshd as a non-
	root user.  The default is ``no''.
Comment 2 Darren Tucker 2004-05-04 13:30:37 AEST
Created attachment 625
Update UsePAM entry in sshd_config

Update nroff formatting based on feedback from jmc@
Comment 3 Damien Miller 2004-05-12 11:54:43 AEST
> Enables the Pluggable Authentication Module interface. To
> authenticate via PAM you must use ChallengeResponseAuthentication
> (keyboard-interactive for SSHv2, TIS for SSHv1) so you should
> also set PasswordAuthentication to ``no''.

Perhaps something like this:

Enables the Pluggable Authentication Module interface. If set to ``yes'', this
will enable PAM authentication using ChallengeResponseAuthentication and PAM
account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role
to password authentication, you should disable either PasswordAuthentication or
ChallengeResponseAuthentication.
Comment 4 Darren Tucker 2004-05-12 12:04:11 AEST
Created attachment 632
Incorporate djm's changes.
Comment 5 Darren Tucker 2004-05-13 16:53:06 AEST
Patch #632 has been committed.  Thanks for the report.
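
Added example, not part of the bug report or of OpenSSH: a small check that reads sshd_config text and flags the overlap the wording in Comment 3 warns about (UsePAM enabled while both PasswordAuthentication and ChallengeResponseAuthentication are enabled). The function names, the sample input, and the "yes" defaults for the two authentication keywords are assumptions; Match blocks are not evaluated.

```python
# Added example (not OpenSSH code): flag the overlap described in this bug.
# Defaults used when a keyword is absent. UsePAM "no" is stated on this page;
# "yes" for the other two is an assumption about sshd's built-in defaults.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG = """\
Port 22
UsePAM yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM no
"""


def effective_settings(config_text):
    """Return the effective global value of each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; accept "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower() if parts else ""
        if key == "match":
            break  # conditional Match blocks are out of scope for this check
        if len(parts) < 2:
            continue
        # sshd keeps the first value it obtains for a keyword.
        if key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip('"')
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Return a list of findings (empty when the overlap is absent)."""
    settings = effective_settings(config_text)
    if all(settings[k] == "yes" for k in DEFAULTS):
        return ["UsePAM is enabled with both PasswordAuthentication and "
                "ChallengeResponseAuthentication; disable one of the two"]
    return []


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no overlap found")
```

On a live host, the output of `sshd -T` gives the effective values directly and can be fed to the same check.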