PAMAuthenticationViaKbdInt and KeyAuth
Nalin Dahyabhai
nalin at redhat.com
Wed Jun 26 02:22:56 EST 2002
On Tue, Jun 25, 2002 at 04:58:50PM +0200, Markus Friedl wrote:
> PAMAuthenticationViaKbdInt
> Specifies whether PAM challenge response authentication is al-
> lowed. This allows the use of most PAM challenge response authen-
> tication modules, but it will allow password authentication re-
> gardless of whether PasswordAuthentication is yes, the password
> provided by the user will be validated through the Kerberos KDC.
> To use this option, the server needs a Kerberos servtab which al-
> lows the verification of the KDC's identity. Default is ``no''.
That doesn't look right -- there's nothing that ties this to Kerberos
unless a Kerberos PAM is in use. Attached is a possible correction.
Nalin
-------------- next part --------------
Index: sshd_config.5
===================================================================
RCS file: /cvs/openssh/sshd_config.5,v
retrieving revision 1.2
diff -u -u -r1.2 sshd_config.5
--- sshd_config.5 23 Jun 2002 00:35:26 -0000 1.2
+++ sshd_config.5 25 Jun 2002 16:20:43 -0000
@@ -305,10 +305,6 @@
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication is allowed.
This can be in the form of a Kerberos ticket, or if
-.It Cm PAMAuthenticationViaKbdInt
-Specifies whether PAM challenge response authentication is allowed. This
-allows the use of most PAM challenge response authentication modules, but
-it will allow password authentication regardless of whether
.Cm PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC.
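Review bot: Please confirm the KerberosAuthentication paragraph is whole again after the removal, since the trailing context stops at "the Kerberos KDC." and does not show the rest of the entry. The four removed lines sat between "This can be in the form of a Kerberos ticket, or if" and ".Cm PasswordAuthentication", so taking them out rejoins that sentence correctly. Rendering the page and reading the entry through to its servtab and default sentences would settle it.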
@@ -425,6 +421,12 @@
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but
+it will allow password authentication regardless of whether
+.Cm PasswordAuthentication
+is enabled.
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
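Review bot: The relocated PAMAuthenticationViaKbdInt entry ends at "is enabled." without stating a default, while the PasswordAuthentication entry right after it has "The default is"; add the default so the entry is complete. The case that matters to an administrator is the one where password logins were turned off, so consider wording the last sentence along the lines of "even when PasswordAuthentication is set to no", which makes it plain that enabling this option permits passwords through PAM anyway. Minor mdoc style point: in the first added line, "allowed. This" starts a new sentence mid-line, and it should begin on its own line.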