Questions about sshd_config man page and comments in the file

Darren Tucker dtucker at zip.com.au
Thu Feb 23 20:13:08 EST 2006


On Thu, Feb 23, 2006 at 12:55:13PM +0530, ponraj wrote:
> Hi,
> 
> I have two problems when I went through a) the man page of sshd_config and
> b) the comments quoted in sshd_config file itself. They are given below.
> 
> a)
> From the man page of sshd_config:
> "If UsePAM is enabled, you will not be able to run sshd(8) as a
> non-privileged user."
> 
> I changed the permission of the hostkeys to a non-privileged user and tried
> to run sshd along with "UsePAM=yes" in one of the non-privileged ports. sshd
> was successfully initiated but it failed to handle client's connection
> request. Is this the behaviour highlighted in the man page?

Yes.  PAM typically needs root privs and is used for more than just
authentication.

> b) Comments in sshd_config file:
> 
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> 
> sshd has been started along with the following command-line configuration 
> settings.
>         # /opt/ssh/sbin/sshd -o "usepam yes" -o 
> "challengeresponseauthentication no" -o "kerberosauthentication no" -o 
> "passwordauthentication yes" -o "kerberosorlocalpasswd no"
> Authentication, Password management modules were set to "libpam_krb5.so.1"
> and Session, Account management modules were set to "libpam_unix.so.1" in pam
> configuration file.
> 
> During ssh connection, Kerberos password got succeeded when the ssh client
> was prompted for password. This violates the steps commented in sshd_config
> file. Can anyone clarify this?

The comment in the example config file is outdated and should be fixed.
PasswordAuthentication uses PAM in recent versions (>=3.9p1 from memory).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
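
Added example, not part of the original thread and not OpenSSH code: a Python check that resolves the three keywords discussed above and lists which client-facing methods hand the secret to PAM's auth modules, applying the reply's point that PasswordAuthentication uses PAM when UsePAM is on. The function names, the defaults assumed for unset keywords, and the omission of Match blocks are assumptions of this example.

```python
import re

# Assumed defaults for keywords that are not set anywhere.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective(options, config_text=""):
    """Resolve settings as sshd does: -o options are read before the file,
    keywords are case-insensitive, and the first value obtained wins.
    Match blocks are not handled (assumption of this example)."""
    seen = {}
    for line in list(options) + config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        # Accept both "keyword value" and "keyword=value".
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(\S.*)$", line)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(2).strip().strip('"'))
    return {k: seen.get(k, v).lower() for k, v in DEFAULTS.items()}

def pam_auth_paths(options, config_text=""):
    """Return the authentication methods that reach PAM's auth stack."""
    s = effective(options, config_text)
    if s["usepam"] != "yes":
        return []
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")                      # per the reply above
    if s["challengeresponseauthentication"] == "yes":
        paths.append("keyboard-interactive")          # per the config comment
    return paths

# Options from the sshd command line quoted in the post.
POSTED = ["usepam yes", "challengeresponseauthentication no",
          "kerberosauthentication no", "passwordauthentication yes",
          "kerberosorlocalpasswd no"]

if __name__ == "__main__":
    # The posted setup still sends passwords to the PAM auth module.
    print(pam_auth_paths(POSTED))
    # Account and session checks only: both methods switched off.
    print(pam_auth_paths(["usepam yes", "passwordauthentication no",
                          "challengeresponseauthentication no"]))
```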




More information about the openssh-unix-dev mailing list