ponraj
2006-Feb-23 07:25 UTC
Questions about sshd_config man page and comments in the file
Hi,

I have two problems when I went through a) the man page of sshd_config and b) the comments quoted in sshd_config file itself. They are given below.

a)
From the man page of sshd_config:
"If UsePAM is enabled, you will not be able to run sshd(8) as a non-privileged user."

I changed the permission of the hostkeys to a non-privileged user and tried to run sshd along with "UsePAM=yes" in one of the non-privileged ports. sshd was successfully initiated but it failed to handle client's connection request. Is this the behaviour highlighted in the man page?

b) Comments in sshd_config file:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no

sshd has been started along with the following command-line configuration settings.

# /opt/ssh/sbin/sshd -o "usepam yes" -o "challengeresponseauthentication no" -o "kerberosauthentication no" -o "passwordauthentication yes" -o "kerberosorlocalpasswd no"

Authentication, Password management modules were set to "libpam_krb5.so.1" and Session, Account management modules were set to "libpam_unix.so.1" in pam configuration file.

During ssh connection, Kerberos password got succeeded when the ssh client was prompted for password. This violates the steps commented in sshd_config file. Can anyone clarify this?

I am using OpenSSH-4.2p1 compiled with OpenSSL 0.9.7i.

--
Ponraj M
Darren Tucker
2006-Feb-23 09:13 UTC
Questions about sshd_config man page and comments in the file
On Thu, Feb 23, 2006 at 12:55:13PM +0530, ponraj wrote:
> Hi,
>
> I have two problems when I went through a) the man page of sshd_config and
> b) the comments quoted in sshd_config file itself. They are given below.
>
> a)
> From the man page of sshd_config:
> "If UsePAM is enabled, you will not be able to run sshd(8) as a
> non-privileged user."
>
> I changed the permission of the hostkeys to a non-privileged user and tried
> to run sshd along with "UsePAM=yes" in one of the non-privileged ports. sshd
> was successfully initiated but it failed to handle client's connection
> request. Is this the behaviour highlighted in the man page?

Yes. PAM typically needs root privs and is used for more than just authentication.

> b) Comments in sshd_config file:
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
>
> sshd has been started along with the following command-line configuration
> settings.
> # /opt/ssh/sbin/sshd -o "usepam yes" -o "challengeresponseauthentication no" -o "kerberosauthentication no" -o "passwordauthentication yes" -o "kerberosorlocalpasswd no"
> Authentication, Password management modules were set to "libpam_krb5.so.1"
> and Session, Account management modules were set to "libpam_unix.so.1" in pam
> configuration file.
>
> During ssh connection, Kerberos password got succeeded when the ssh client
> was prompted for password. This violates the steps commented in sshd_config
> file. Can anyone clarify this?

The comment in the example config file is outdated and should be fixed. PasswordAuthentication uses PAM in recent versions (>=3.9p1 from memory).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
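
The behaviour described in the reply above, as an added example that is not part of the original thread and is not OpenSSH code: a small audit that resolves `-o` options and config lines the way sshd does (first value wins, keywords case-insensitive) and reports which login methods still hand a typed password to the PAM auth stack. The function names, the default table and the `keyboard-interactive` label for ChallengeResponseAuthentication are assumptions of this sketch.

```python
import re

# Assumed stock OpenSSH defaults for the keywords in this thread;
# a vendor build may ship different ones.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed from the -o options quoted in the thread.
THREAD_OPTS = [
    "usepam yes",
    "challengeresponseauthentication no",
    "kerberosauthentication no",
    "passwordauthentication yes",
    "kerberosorlocalpasswd no",
]

def parse_settings(lines):
    """Parse 'Keyword value' or 'Keyword=value' lines; the first value wins."""
    settings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":  # only the global section is audited here
            break
        settings.setdefault(key, m.group(2).strip().strip('"'))
    return settings

def pam_password_paths(cli_opts, config_text=""):
    """Return the auth methods that pass a typed password to PAM."""
    # -o options are listed first so they override the config file.
    s = {**DEFAULTS, **parse_settings(list(cli_opts) + config_text.splitlines())}
    if s["usepam"].lower() != "yes":
        return []
    paths = []
    if s["passwordauthentication"].lower() == "yes":
        paths.append("password")
    if s["challengeresponseauthentication"].lower() == "yes":
        paths.append("keyboard-interactive")
    return paths

if __name__ == "__main__":
    print(pam_password_paths(THREAD_OPTS))
```

For the options in the thread the result still contains `password`, which matches what was observed: setting ChallengeResponseAuthentication to no does not keep PAM (here `libpam_krb5.so.1`) out of password checking while PasswordAuthentication is yes.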