From 1dcff9a3a8891db8d7fce77e43e675ce60e0fe44 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 13 May 2004 16:51:40 +1000 Subject: [PATCH] - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to UsePAM section. Parts from djm@ and jmc@. --- ChangeLog | 4 +++- sshd_config.5 | 25 +++++++++++++++++++------ 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7ccb6f241..7defe636c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,8 @@ - dtucker@cvs.openbsd.org 2004/05/13 02:47:50 [ssh-agent.1] Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@ + - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to + UsePAM section. Parts from djm@ and jmc@. 20040502 - (dtucker) OpenBSD CVS Sync @@ -1110,4 +1112,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3351 2004/05/13 06:45:46 dtucker Exp $ +$Id: ChangeLog,v 1.3352 2004/05/13 06:51:40 dtucker Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index f8aa0f2f3..05558c569 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -624,12 +624,25 @@ If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. .It Cm UsePAM -Enables PAM authentication (via challenge-response) and session set up. -If you enable this, you should probably disable -.Cm PasswordAuthentication . -If you enable -.CM UsePAM -then you will not be able to run sshd as a non-root user. The default is +Enables the Pluggable Authentication Module interface. +If set to +.Dq yes +this will enable PAM authentication using +.Cm ChallengeResponseAuthentication +and PAM account and session module processing for all authentication types. +.Pp +Because PAM challenge-response authentication usually serves an equivalent +role to password authentication, you should disable either +.Cm PasswordAuthentication +or +.Cm ChallengeResponseAuthentication. +.Pp +If +.Cm UsePAM +is enabled, you will not be able to run +.Xr sshd 8 +as a non-root user. +The default is .Dq no . .It Cm UsePrivilegeSeparation Specifies whether
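Review bot: The entry added in the first ChangeLog hunk (and repeated in the Subject line) tags this change as `[sshd.8]`, but the diffstat lists only ChangeLog and sshd_config.5, and the documentation hunk is against sshd_config.5. The tag should read `[sshd_config.5]` so the log points at the file that actually changed.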
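Review bot: In the sshd_config.5 hunk, the added line `.Cm ChallengeResponseAuthentication.` has the sentence-ending period fused to the macro argument, so mdoc will treat it as part of the keyword instead of as closing punctuation. Separate it with a space, `.Cm ChallengeResponseAuthentication .`, the same way the removed `.Cm PasswordAuthentication .` line and the retained `.Dq no .` line do.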