Marc Haber <[EMAIL PROTECTED]> writes:

> "UsePam yes" is generally a _big_ surprise for the local admin since it
> allows passwords to be used even if "UsePasswordAuthentification no" is
> set in sshd_config.

Yes, because UsePam doesn't use password authentication; it just uses passwords to authenticate. *sigh*. The sshd documentation is particularly bad in this area.

To share what took me hours to figure out:

There are two authentication mechanisms in SSH that use passwords. One is called "password" and the other is called "keyboard-interactive". When sshd_config talks about the option UsePasswordAuthentication, it's not speaking in English, it's speaking in terms of the SSH protocol and is talking about disabling the password *authentication method*. The authentication method keyboard-interactive may still be enabled.

To add an additional twist, OpenSSH uses keyboard-interactive to talk to itself, but a lot of the other SSH clients out there only know password.

Any corrections welcome; I figured out the above by reading the source code and looking at protocol traces and I may still have the details wrong.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
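The distinction drawn in the message above can be checked mechanically. The following is an added example, not part of the original message or of OpenSSH: a small audit of the global section of an sshd_config that reports which SSH authentication methods can still accept a password. It assumes upstream OpenSSH defaults, ignores `Match` blocks, and treats keyboard-interactive as password-capable only when PAM backs it; the function names and sample configurations are constructed for illustration.

```python
# Added example, not from the original message.
# Assumed defaults are upstream OpenSSH's; distributions may ship others.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# Older name for the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_globals(config_text):
    """Return global settings; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split()
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":      # conditional blocks are out of scope here
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """List the SSH authentication methods that can still accept a password."""
    cfg = effective_globals(config_text)
    paths = []
    if cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # Assumption: keyboard-interactive prompts for a password only via PAM.
    if cfg["kbdinteractiveauthentication"] == "yes" and cfg["usepam"] == "yes":
        paths.append("keyboard-interactive")
    return paths


# Constructed sample configurations.
SURPRISING = "PasswordAuthentication no\nUsePAM yes\n"
KEYS_ONLY = SURPRISING + "KbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    print(password_paths(SURPRISING))  # ['keyboard-interactive']
    print(password_paths(KEYS_ONLY))   # []
```

On a live host, the effective values printed by `sshd -T` are the authoritative input, since they include the defaults of the installed build.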

