Mailing List Archive

[Bug 843] sshd_config.5: add warning to PasswordAuthentication
http://bugzilla.mindrot.org/show_bug.cgi?id=843

Summary: sshd_config.5: add warning to PasswordAuthentication
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: sascha-openssh-bugs@silbe.org


From the sample sshd_config:

=== Begin ===
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no
=== End ===

Please add an appropriate warning regarding the use of UsePAM to the PasswordAuthentication section of sshd_config.5.
Thanks!



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 843] sshd_config.5: add warning to PasswordAuthentication
http://bugzilla.mindrot.org/show_bug.cgi?id=843





------- Additional Comments From dtucker@zip.com.au 2004-05-03 19:21 -------
Created an attachment (id=624)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=624&action=view)
Add detail to UsePAM section of sshd_config

How's this? For those that don't speak nroff (I don't, I just mimic the bits
that look like what I want :-), the text is:

UsePAM Enables the Pluggable Authentication Module interface. To
authenticate via PAM you must use ChallengeResponseAuthentication
(keyboard-interactive for SSHv2, TIS for SSHv1) so you should
also set PasswordAuthentication to ``no''.

If UsePAM and PasswordAuthentication are both enabled, then users
may authenticate via the native password mechanism, bypassing the
PAM auth module. In such a case, the PAM account and session
modules will still be checked.

If UsePAM is enabled you will not be able to run sshd as a non-
root user. The default is ``no''.



[Bug 843] sshd_config.5: add warning to PasswordAuthentication
http://bugzilla.mindrot.org/show_bug.cgi?id=843

dtucker@zip.com.au changed:

What                         |Removed |Added
----------------------------------------------------------------------------
Attachment #624 is obsolete  |0       |1



------- Additional Comments From dtucker@zip.com.au 2004-05-04 13:30 -------
Created an attachment (id=625)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=625&action=view)
Update UsePAM entry in sshd_config

Update nroff formatting based on feedback from jmc@



[Bug 843] sshd_config.5: add warning to PasswordAuthentication
http://bugzilla.mindrot.org/show_bug.cgi?id=843





------- Additional Comments From djm@mindrot.org 2004-05-12 11:54 -------
> Enables the Pluggable Authentication Module interface. To
> authenticate via PAM you must use ChallengeResponseAuthentication
> (keyboard-interactive for SSHv2, TIS for SSHv1) so you should
> also set PasswordAuthentication to ``no''.

Perhaps something like this:

Enables the Pluggable Authentication Module interface. If set to ``yes'', this
will enable PAM authentication using ChallengeResponseAuthentication and PAM
account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role
to password authentication, you should disable either PasswordAuthentication or
ChallengeResponseAuthentication.




[Bug 843] sshd_config.5: add warning to PasswordAuthentication
http://bugzilla.mindrot.org/show_bug.cgi?id=843

dtucker@zip.com.au changed:

What                         |Removed |Added
----------------------------------------------------------------------------
Attachment #625 is obsolete  |0       |1



------- Additional Comments From dtucker@zip.com.au 2004-05-12 12:04 -------
Created an attachment (id=632)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=632&action=view)
Incorporate djm's changes.




[Bug 843] sshd_config.5: add warning to PasswordAuthentication
http://bugzilla.mindrot.org/show_bug.cgi?id=843

dtucker@zip.com.au changed:

What                         |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis     |        |822
Status                       |NEW     |RESOLVED
Resolution                   |        |FIXED



------- Additional Comments From dtucker@zip.com.au 2004-05-13 16:53 -------
Patch #632 has been committed. Thanks for the report.



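The option interaction discussed in this thread, as an added example that is not part of the bug report or of OpenSSH: a Python check over the global section of an sshd_config that flags the combinations the proposed man page text warns about. The function names, finding labels and sample config are constructed, and the "yes" defaults for PasswordAuthentication and ChallengeResponseAuthentication are assumptions.

```python
import re

# Constructed sample: the shipped comment from the report, with UsePAM turned
# on and the two password-style methods left at their defaults.
SAMPLE = """\
# Set this to 'yes' to enable PAM authentication (via challenge-response)
UsePAM yes
#PasswordAuthentication yes
usepam no
"""

# UsePAM "no" is the default stated in the thread; "yes" for the other two is
# an assumption, adjust it for the sshd version you actually run.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective(config_text):
    """Global-section values sshd would use (first value for a keyword wins)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # per-connection overrides: out of scope
            break
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return labels for the combinations discussed in the thread."""
    s = effective(config_text)
    pam, pw, cr = (s[k] == "yes" for k in DEFAULTS)
    findings = []
    if pam and pw:          # native password path skips the PAM auth module
        findings.append("native-password-bypasses-pam-auth")
    if pam and pw and cr:   # two equivalent password-style methods offered
        findings.append("duplicate-password-paths")
    if pam and not cr:      # PAM auth needs challenge-response to be reachable
        findings.append("pam-auth-unreachable")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
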