diff --git a/sshd_config b/sshd_config index 4b3011ec3..c423eba1b 100644 --- a/sshd_config +++ b/sshd_config @@ -72,13 +72,13 @@ AuthorizedKeysFile .ssh/authorized_keys # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and +# be allowed through the KbdInteractiveAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass +# PAM authentication via KbdInteractiveAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. +# and KbdInteractiveAuthentication to 'no'. #UsePAM no #AllowAgentForwarding yes diff --git a/sshd_config.5 b/sshd_config.5 index 07635932c..faa0a0f39 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -1745,17 +1745,17 @@ Enables the Pluggable Authentication Module interface. If set to .Cm yes this will enable PAM authentication using -.Cm ChallengeResponseAuthentication +.Cm KbdInteractiveAuthentication and .Cm PasswordAuthentication in addition to PAM account and session module processing for all authentication types. .Pp -Because PAM challenge-response authentication usually serves an equivalent +Because PAM keyboard-interactive authentication usually serves an equivalent role to password authentication, you should disable either .Cm PasswordAuthentication or -.Cm ChallengeResponseAuthentication. +.Cm KbdInteractiveAuthentication. .Pp If .Cm UsePAM
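Review bot: in the sshd_config hunk (@@ -72,13 +72,13 @@), the unchanged context line `# the setting of "PermitRootLogin without-password".` still uses the `without-password` spelling, which sshd accepts only as a deprecated alias of `prohibit-password`. This change is already replacing a superseded keyword name in the same comment block, so update that line to `prohibit-password` as well. Otherwise the sample config keeps teaching one old name right next to the corrected one.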
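Review bot: in the sshd_config.5 hunk (@@ -1745,17 +1745,17 @@), the added line `.Cm KbdInteractiveAuthentication.` carries over the sentence-ending period glued to the macro argument, so mdoc treats it as part of the keyword and sets it in the keyword font instead of handling it as closing punctuation. Write it as `.Cm KbdInteractiveAuthentication .` with a space before the period. The removed line had the same problem, so this is a good place to fix it.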