- Document PAM ChallengeResponseAuthentication in sshd.8

- Disable and comment ChallengeResponseAuthentication in sshd_config

ChangeLog

@@ -1,5 +1,7 @@
 20010303
  - Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
+ - Document PAM ChallengeResponseAuthentication in sshd.8
+ - Disable and comment ChallengeResponseAuthentication in sshd_config
 
 20010301
  - (djm) Properly add -lcrypt if needed. 
@@ -4178,4 +4180,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.846 2001/03/03 09:00:36 djm Exp $
+$Id: ChangeLog,v 1.847 2001/03/03 13:16:20 djm Exp $

sshd.8

@@ -644,11 +644,17 @@ The minimum value is 512, and the default is 768.
 Specifies whether
 challenge reponse
 authentication is allowed.
-Currently there is only support for
+Currently there is support for
 .Xr skey 1
-authentication.
+and PAM authentication.
 The default is
 .Dq yes .
+Note that enabling ChallengeResponseAuthentication for PAM bypasses 
+OpenSSH's password checking code, thus rendering options such as 
+.Cm PasswordAuthentication 
+and
+.Cm PermitEmptyPasswords
+ineffective.
 .It Cm StrictModes
 Specifies whether
 .Nm

sshd_config

@@ -41,8 +41,9 @@ RSAAuthentication yes
 PasswordAuthentication yes
 PermitEmptyPasswords no
 
-# Uncomment to disable s/key passwords 
+# Comment to enable s/key passwords or PAM interactive authentication
-#ChallengeResponseAuthentication no
+# NB. Neither of these are compiled in by default.
+ChallengeResponseAuthentication no
 
 # To change Kerberos options
 #KerberosAuthentication no