[Bug 3658] Wrong comment in /etc/ssh/sshd_config

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Dec 3 23:41:42 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3658

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
It's not that simple.  From a protocol standpoint,
PasswordAuthentication is definitely "clear-text passwords".

> Indeed, setting PasswordAuthentication to "no" will NOT disable clear-text passwords if ChallengeResponseAuthentication keeps its default value "yes".

What ChallengeResponseAuthentication (or rather,
KbdInteractiveAuthentication, for which the former is a deprecated
synonym) does depends on the compile options, and in the common case,
what the host's PAM stack is configured to do.  This might involve
passwords, or one-time tokens, something else, or a combination of all
of these things.  From a protocol perspective, sshd doesn't know.
I'll see if we can update the comment on KbdInteractiveAuthentication
to be a bit more informative.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
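
An added example, not part of the original message and not OpenSSH code: a shell function that reads effective settings in the `sshd -T` output format (lowercase keyword, then value) and reports the two paths the comment distinguishes, the protocol-level `password` method and keyboard-interactive. The function name, exit codes and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T`-style lines ("keyword value") on stdin.
# Exit status (chosen for this example):
#   0 = neither method enabled
#   1 = PasswordAuthentication enabled
#   2 = only keyboard-interactive enabled (prompts depend on PAM / build)
#   3 = a required keyword was missing from the input
check_sshd_password_paths() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { pw = val }
        # challengeresponseauthentication is the deprecated synonym
        key == "kbdinteractiveauthentication" ||
        key == "challengeresponseauthentication" { kbd = val }
        key == "usepam" { pam = val }
        END {
            if (pw == "" || kbd == "") {
                print "incomplete input: need effective config from sshd -T"
                exit 3
            }
            rc = 0
            if (pw == "yes") {
                print "password: enabled (clear-text password method)"
                rc = 1
            } else {
                print "password: disabled"
            }
            if (kbd == "yes") {
                if (pam == "yes")
                    print "keyboard-interactive: enabled, UsePAM yes; the PAM stack decides what is prompted (passwords, tokens, or both)"
                else
                    print "keyboard-interactive: enabled without PAM; behaviour depends on compile options"
                if (rc == 0) rc = 2
            } else {
                print "keyboard-interactive: disabled"
            }
            exit rc
        }'
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_REPORTED='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'
SAMPLE_BOTH_OFF='passwordauthentication no
kbdinteractiveauthentication no
usepam yes'
```

On a live host the input would come from `sshd -T | check_sshd_password_paths`, which normally has to run as root.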

