Created attachment 1405: Corrects comments in sshd_config about using PAM with OpenSSH.

Attached is a patch for building OpenSSH 4.7p1 on Mac OS X. This patch corrects comments in sshd_config about using PAM with OpenSSH.
Comment on attachment 1405 [details] Corrects comments in sshd_config about using PAM with OpenSSH. >-# To disable tunneled clear text passwords, change to no here! >+# To disable tunneled clear text passwords, change to no here! Also, >+# remember to set the UsePAM setting to 'no'. > #PasswordAuthentication yes > #PermitEmptyPasswords no What is the meaning of this change? What does UsePam=no have to do with whether or not PasswordAuthentication is enabled? It might be referring to ChallengeResponseAuthentication which looks similar to a casual observer, but there is already text in sshd_config and sshd(8) that covers that. >@@ -78,7 +79,10 @@ > # If you just want the PAM account and session checks to run without > # PAM authentication, then enable this but set PasswordAuthentication > # and ChallengeResponseAuthentication to 'no'. >+# Also, PAM will deny null passwords by default. If you need to allow >+# null passwords, add the " nullok" option to the end of the >+# securityserver.so line in /etc/pam.d/sshd. That is very platform specific. I would probably be OK with adding a comment in platform-neutral language to the UsePAM section that mentions this. >-#UsePAM no >+#UsePAM yes That is documenting a local change, and I don't think we want to change the default.
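Review bot: The sentence added in the first hunk, "remember to set the UsePAM setting to 'no'", conflicts with the unchanged context in the @@ -78,7 +79,10 @@ hunk, which says PAM account and session checks can stay enabled as long as PasswordAuthentication and ChallengeResponseAuthentication are both set to 'no'. Suggest dropping the added sentence, or pointing it at ChallengeResponseAuthentication instead of UsePAM so the two comments agree.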
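Review bot: The three lines added at the end of the @@ -78,7 +79,10 @@ hunk name securityserver.so and /etc/pam.d/sshd, which ties a file shipped to every platform to one platform's PAM stack. Suggest platform-neutral wording, for example "PAM may reject empty passwords regardless of PermitEmptyPasswords; see your system's PAM documentation", so the note also connects to the PermitEmptyPasswords line shown in the first hunk.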
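Review bot: The final change, "#UsePAM no" to "#UsePAM yes", edits a commented-out line, so it changes no behaviour and only alters what the file presents as the default; it also points the opposite way from the first hunk's added advice to set UsePAM to 'no'. Suggest leaving this line as "#UsePAM no" unless the built-in default is changed in the same patch.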
We won't apply this diff - sshd_config isn't the place for a description of how to configure PAM.
Close resolved bugs after release.