Questions about sshd_config man page and comments in the file
Darren Tucker
dtucker at zip.com.au
Thu Feb 23 20:28:57 EST 2006
On Thu, Feb 23, 2006 at 08:13:08PM +1100, Darren Tucker wrote:
> > b)Comments in sshd_config file:
[...]
> The comment in the example config file is outdated and should be fixed.
Does this help clear up the confusion?
Index: sshd_config
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd_config,v
retrieving revision 1.74
diff -u -p -r1.74 sshd_config
--- sshd_config 13 Dec 2005 08:29:03 -0000 1.74
+++ sshd_config 23 Feb 2006 09:26:42 -0000
@@ -71,12 +71,13 @@
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowTcpForwarding yes
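Review bot: The added sentence "be allowed through the ChallengeResponseAuthentication and PasswordAuthentication." has lost its noun. The removed line ended in "mechanism", so this should read "... and PasswordAuthentication mechanisms" (or "options"). More substantively, the old comment warned that PAM might bypass PasswordAuthentication and PermitEmptyPasswords as well as "PermitRootLogin without-password", and the new text keeps only the last of these. If PAM via ChallengeResponseAuthentication can still accept a password while PasswordAuthentication is 'no', an administrator reading the sample config will no longer learn that from this comment. Either keep that warning for the challenge-response path or state in the commit message why it no longer applies.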
Index: sshd_config.5
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd_config.5,v
retrieving revision 1.53
diff -u -p -r1.53 sshd_config.5
--- sshd_config.5 3 Jan 2006 07:47:31 -0000 1.53
+++ sshd_config.5 23 Feb 2006 09:27:42 -0000
@@ -677,7 +677,10 @@ If set to
.Dq yes
this will enable PAM authentication using
.Cm ChallengeResponseAuthentication
-and PAM account and session module processing for all authentication types.
+and
+.Cm PasswordAuthentication
+in addition to PAM account and session module processing for all
+authentication types.
.Pp
Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
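Review bot: The text added after ".Cm ChallengeResponseAuthentication" names PasswordAuthentication as a PAM path but, in the lines shown, carries neither the "PermitRootLogin without-password" caveat nor the advice to set both options to 'no' that the sshd_config comment in this same patch gives. The unchanged paragraph that follows ("you should disable either") predates this change, so please check that it still reads correctly now that both options are listed, and consider adding the root-login caveat here so the man page and the sample file say the same thing.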
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list