From: Chris Johnson
To: Archie Cobbs
Cc: freebsd-stable@freebsd.org
Date: Fri, 27 Sep 2002 17:54:34 -0400
Subject: Re: sshd_config vs. PAM
Message-ID: <20020927215434.GA94394@palomine.net>
In-Reply-To: <200209272135.g8RLZ3We005877@arch20m.dellroad.org>

On Fri, Sep 27, 2002 at 02:35:03PM -0700, Archie Cobbs wrote:
> Yow! I was surprised to notice that setting these parameters:
>
>   PasswordAuthentication no
>   PermitRootLogin without-password
>
> in /etc/ssh/sshd_config have absolutely NO effect!
>
> This is because now /etc/pam.conf seems to control everything (?)

According to sshd_config(5):

     PAMAuthenticationViaKbdInt
             Specifies whether PAM challenge response authentication is
             allowed. This allows the use of most PAM challenge response
             authentication modules, but it will allow password
             authentication regardless of whether PasswordAuthentication
             is enabled.

It seems, however, that it's the ChallengeResponseAuthentication setting that
controls whether PAM authentication is enabled, and apparently its being set to
"yes" causes the behavior you're seeing.

Chris Johnson
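
The interaction described in this message can be checked mechanically. The following is an added example, not part of the original message or of OpenSSH: it reads sshd_config text and reports the case where PasswordAuthentication is "no" while one of the two PAM-related keywords named above is still "yes". The function names, the sample configs and the DEFAULTS table are assumptions made for the example.

```python
# Added example: flag sshd_config text where password logins are "off" but a
# PAM-backed challenge-response path, as described in the message, is still on.

# Assumed values for keywords absent from the file; verify them against
# sshd_config(5) for the sshd version actually deployed.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pamauthenticationviakbdint": "no",
}

def effective_settings(text):
    """Return keyword -> value for the global section; first occurrence wins."""
    settings, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        fields = raw.strip().replace("=", " ", 1).split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        key = fields[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are outside this global check
        if key in DEFAULTS and key not in seen and len(fields) > 1:
            settings[key] = fields[1].lower()
            seen.add(key)
    return settings

def password_bypass_findings(text):
    """List keywords that still permit password entry via PAM."""
    s = effective_settings(text)
    if s["passwordauthentication"] != "no":
        return []  # passwords are allowed on purpose; nothing is bypassed
    return [k for k in ("challengeresponseauthentication",
                        "pamauthenticationviakbdint") if s[k] == "yes"]

# Constructed sample: the two settings quoted in the message, nothing else.
SAMPLE_REPORTED = """\
PasswordAuthentication no
PermitRootLogin without-password
"""
# Constructed sample: the same file with challenge-response turned off.
SAMPLE_HARDENED = SAMPLE_REPORTED + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("reported", SAMPLE_REPORTED), ("hardened", SAMPLE_HARDENED)):
        print(name, password_bypass_findings(cfg) or "no PAM password path")
```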