Changes in tonights snapshot

Damien Miller djm at
Wed May 14 15:32:23 EST 2003

There are a couple of noteworthy changes in tonight's snapshot:

1. New UsePAM directive

There is a new sshd_config directive, UsePAM for systems built using
"configure --with-pam". This allows one to switch off all PAM calls
from sshd.

This is handy if one builds with PAM but wants to use the sshd's
ability to run as a non-root user. Previously this was impossible if
one enabled PAM support.

2. kerberos-2 at support

Markus has added support for SSH.COM's Kerberos authentication method
for protocol v.2. This has been interop tested on OpenBSD with the
in-tree Heimdal Kerberos implementation, but not with MIT Kerberos.

This needs review from someone who understands the MIT kerberos API
properly (I don't...) There is at least one minor problem:
grep for '# warning' in sshconnect2.c

3. Pubkey authentication key try order

Markus has changed the order in which pubkeys are tried. From the

>  for pubkey authentication try the user keys in the following order:
>     1. agent keys that are found in the config file
>     2. other agent keys
>     3. keys that are only listed in the config file
>  this helps when an agent has many keys, where the server might
>  close the connection before the correct key is used.

Please report problems with any of the above to bugzilla or this list.


More information about the openssh-unix-dev mailing list