- (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to

UsePAM section. Parts from djm@ and jmc@.
2024-11-24 02:02:10 +08:00 · 2004-05-13 16:51:40 +10:00 · 2004-05-13 16:51:40 +10:00 · 1dcff9a3a8
commit 1dcff9a3a8
parent a86b453bb3
2 changed files with 22 additions and 7 deletions
--- a/4
+++ b/4
@ -34,6 +34,8 @@
   - dtucker@cvs.openbsd.org 2004/05/13 02:47:50
     [ssh-agent.1]
     Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@
+ - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to
+   UsePAM section.  Parts from djm@ and jmc@.

 20040502
 - (dtucker) OpenBSD CVS Sync
@ -1110,4 +1112,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu

-$Id: ChangeLog,v 1.3351 2004/05/13 06:45:46 dtucker Exp $
+$Id: ChangeLog,v 1.3352 2004/05/13 06:51:40 dtucker Exp $
--- a/sshd_config.5
+++ b/sshd_config.5
@ -624,12 +624,25 @@ If
 .Cm UsePrivilegeSeparation
 is specified, it will be disabled after authentication.
 .It Cm UsePAM
-Enables PAM authentication (via challenge-response) and session set up.
-If you enable this, you should probably disable
-.Cm PasswordAuthentication .
-If you enable
-.CM UsePAM
-then you will not be able to run sshd as a non-root user.  The default is
+Enables the Pluggable Authentication Module interface.
+If set to
+.Dq yes
+this will enable PAM authentication using
+.Cm ChallengeResponseAuthentication
+and PAM account and session module processing for all authentication types.
+.Pp
+Because PAM challenge-response authentication usually serves an equivalent
+role to password authentication, you should disable either
+.Cm PasswordAuthentication
+or
+.Cm ChallengeResponseAuthentication.
+.Pp
+If
+.Cm UsePAM
+is enabled, you will not be able to run
+.Xr sshd 8
+as a non-root user.
+The default is
 .Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether