openssh bugs - Apr 2004 - [Bug 843] sshd_config.5: add warning to PasswordAuthentication

http://bugzilla.mindrot.org/show_bug.cgi?id=843

           Summary: sshd_config.5: add warning to PasswordAuthentication
           Product: Portable OpenSSH
           Version: 3.8p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: sascha-openssh-bugs at silbe.org

>From the sample sshd_config:
=== Begin ==# Set this to 'yes' to enable PAM authentication (via
challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and
'PermitEmptyPasswords'
#UsePAM no
=== End ==
Please add an appropriate warning regarding the use of UsePAM to the
PasswordAuthentication section of sshd_config.5.
Thanks!



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=843





------- Additional Comments From dtucker at zip.com.au  2004-05-03 19:21 -------
Created an attachment (id=624)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=624&action=view)
Add detail to UsePAM section of sshd_config

How's this?  For those that don't speak nroff (I don't I just mimic
the bits
that look like what I want :-), the text is:

UsePAM	Enables the Pluggable Authentication Module interface.	To
	authenticate via PAM you must use ChallengeResponseAuthentication
	(keyboard-interactive for SSHv2, TIS for SSHv1) so you should
	also set PasswordAuthentication to ``no''.

	If UsePAM and PasswordAuthentication are both enabled, then users
	may authenticate via the native password mechanism, bypassing the
	PAM auth module.  In such a case, the PAM account and session
	modules will still be checked.

	If UsePAM is enabled you will not be able to run sshd as a non-
	root user.  The default is ``no''.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=843

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #624 is|0                           |1
           obsolete|                            |



------- Additional Comments From dtucker at zip.com.au  2004-05-04 13:30 -------
Created an attachment (id=625)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=625&action=view)
Update UsePAM entry in sshd_config

Update nroff formatting based on feedback from jmc@



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=843





------- Additional Comments From djm at mindrot.org  2004-05-12 11:54
-------
> Enables the Pluggable Authentication Module interface. To
> authenticate via PAM you must use ChallengeResponseAuthentication
> (keyboard-interactive for SSHv2, TIS for SSHv1) so you should
> also set PasswordAuthentication to ``no''.
Perhaps something like this:

Enables the Pluggable Authentication Module interface. If set to
``yes'', this
will enable PAM authentication using ChallengeResponseAuthentication and PAM
account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role
to password authentication, you should disable either PasswordAuthentication or
ChallengeResponseAuthentication.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=843

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #625 is|0                           |1
           obsolete|                            |



------- Additional Comments From dtucker at zip.com.au  2004-05-12 12:04 -------
Created an attachment (id=632)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=632&action=view)
Incorporate djm's changes.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=843

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |822
              nThis|                            |
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From dtucker at zip.com.au  2004-05-13 16:53 -------
Patch #632 has been committed.  Thanks for the report.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.