- Document PAM ChallengeResponseAuthentication in sshd.8

- Disable and comment ChallengeResponseAuthentication in sshd_config
2001-03-04 00:16:20 +11:00 · 2001-03-04 00:16:20 +11:00 · 1d66c1602e
parent 459ac4b688
commit 1d66c1602e
3 changed files with 14 additions and 5 deletions
--- a/4
+++ b/4
@ -1,5 +1,7 @@
 20010303
 - Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
+ - Document PAM ChallengeResponseAuthentication in sshd.8
+ - Disable and comment ChallengeResponseAuthentication in sshd_config

 20010301
 - (djm) Properly add -lcrypt if needed. 
@ -4178,4 +4180,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1

-$Id: ChangeLog,v 1.846 2001/03/03 09:00:36 djm Exp $
+$Id: ChangeLog,v 1.847 2001/03/03 13:16:20 djm Exp $
--- a/sshd.8
+++ b/sshd.8
@ -644,11 +644,17 @@ The minimum value is 512, and the default is 768.
 Specifies whether
 challenge reponse
 authentication is allowed.
-Currently there is only support for
+Currently there is support for
 .Xr skey 1
-authentication.
+and PAM authentication.
 The default is
 .Dq yes .
+Note that enabling ChallengeResponseAuthentication for PAM bypasses 
+OpenSSH's password checking code, thus rendering options such as 
+.Cm PasswordAuthentication 
+and
+.Cm PermitEmptyPasswords
+ineffective.
 .It Cm StrictModes
 Specifies whether
 .Nm
--- a/5
+++ b/5
@ -41,8 +41,9 @@ RSAAuthentication yes
 PasswordAuthentication yes
 PermitEmptyPasswords no

-# Uncomment to disable s/key passwords 
-#ChallengeResponseAuthentication no
+# Comment to enable s/key passwords or PAM interactive authentication
+# NB. Neither of these are compiled in by default.
+ChallengeResponseAuthentication no

 # To change Kerberos options
 #KerberosAuthentication no