Ed Maste
2022-May-12 15:19 UTC
Fwd: git: 0e12eb7b58ae - main - ssh: update sshd_config for prohibit-password option
I updated sshd_config in the FreeBSD base system to pick up the
without-password -> prohibit-password option rename (in the UsePAM
description):
---------- Forwarded message ---------
From: Ed Maste <emaste at freebsd.org>
Date: Thu, 12 May 2022 at 11:17
Subject: git: 0e12eb7b58ae - main - ssh: update sshd_config for
prohibit-password option
Author: Ed Maste <emaste at FreeBSD.org>
AuthorDate: 2022-05-10 14:08:21 +0000
Commit: Ed Maste <emaste at FreeBSD.org>
CommitDate: 2022-05-12 15:16:09 +0000
ssh: update sshd_config for prohibit-password option
The PermitRootLogin option "prohibit-password" was added as a
synonym
for "without-password" in 2015. Then in 2017 these were swapped:
"prohibit-password" became the canonical option and
"without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).
The UsePAM description in sshd_config still mentioned
"without-password." Update it to match the new canonical option.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
---
crypto/openssh/sshd_config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index bb2e1098368e..956a4bd7d7af 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -78,7 +78,7 @@ AuthorizedKeysFile .ssh/authorized_keys
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
Ed Maste
2022-Nov-05 18:34 UTC
git: 0e12eb7b58ae - main - ssh: update sshd_config for prohibit-password option
On Thu, 12 May 2022 at 11:19, Ed Maste <emaste at freebsd.org> wrote:> > I updated sshd_config in the FreeBSD base system to pick up the > without-password -> prohibit-password option rename (in the UsePAM > description):This fix from FreeBSD is still outstanding:> --- a/crypto/openssh/sshd_config > +++ b/crypto/openssh/sshd_config > @@ -78,7 +78,7 @@ AuthorizedKeysFile .ssh/authorized_keys > # be allowed through the KbdInteractiveAuthentication and > # PasswordAuthentication. Depending on your PAM configuration, > # PAM authentication via KbdInteractiveAuthentication may bypass > -# the setting of "PermitRootLogin without-password". > +# the setting of "PermitRootLogin prohibit-password". > # If you just want the PAM account and session checks to run without > # PAM authentication, then enable this but set PasswordAuthentication > # and KbdInteractiveAuthentication to 'no'."without-password" is the deprecated alias for "prohibit-password", so we should reference the latter.