openssh bugs - Dec 2007 - [Bug 1410] New: Correct UsePAM comment in sshd_config on Mac OS X

https://bugzilla.mindrot.org/show_bug.cgi?id=1410

           Summary: Correct UsePAM comment in sshd_config on Mac OS X
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: Other
        OS/Version: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: vgiffin at apple.com


Created an attachment (id=1405)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1405)
Corrects comments in sshd_config about using PAM with OpenSSH.

Attached is a patch for building OpenSSH 4.7p1 on Mac OS X.

This patch corrects comments in sshd_config about using PAM with
OpenSSH.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1410





--- Comment #1 from Darren Tucker <dtucker at zip.com.au>  2007-12-29
02:56:46 ---
(From update of attachment 1405)
>-# To disable tunneled clear text passwords, change to no here!
>+# To disable tunneled clear text passwords, change to no here! Also,
>+# remember to set the UsePAM setting to 'no'.
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
What is the meaning of this change?  What does UsePam=no have to do
with whether or
not PasswordAuthentication is enabled?

It might be referring to ChallengeResponseAuthentication which looks
similar to a casual observer, but there is already text in sshd_config
and sshd(8) that covers that.
>@@ -78,7 +79,10 @@
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
>+# Also, PAM will deny null passwords by default.  If you need to allow
>+# null passwords, add the "	nullok" option to the end of the
>+# securityserver.so line in /etc/pam.d/sshd.
That is very platform specific.  I would probably be OK with adding a
comment in platform-neutral language to the UsePAM section that
mentions this.
>-#UsePAM no
>+#UsePAM yes
That is documenting a local change, and I don't think we want to change
the default.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1410


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
                 CC|                            |djm at mindrot.org




--- Comment #2 from Damien Miller <djm at mindrot.org>  2008-01-20
06:46:29 ---
We won't apply this diff - sshd_config isn't the place for a
description of how to configure PAM.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1410


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added                       
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED                      




--- Comment #3 from Damien Miller <djm at mindrot.org>  2008-04-04
10:01:37 ---
Close resolved bugs after release.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.