Proposal to add a DisableAuthentication option to sshd ServerOptions

Henry Qin hq6 at cs.stanford.edu
Fri Jun 28 03:32:46 AEST 2024


When I  looked at `man pam_unix`, I did not see any obvious options that
would
cause ssh to authenticate without prompting for a password at all, short of
setting an empty password which is similar to PermitEmptyPasswords option.

However, I am not very familiar with the internals of PAM, so pointers to
documentation would be greatly appreciated.

Also, I think adding a single line to sshd_config is simpler for most users
to
do correctly than configuring an alternate PAM stack without breaking their
primary sshd setup, which is why I think the patch may still be useful.

On Thu, Jun 27, 2024 at 7:57 AM Carson Gaspar <carson at taltos.org> wrote:

> On 6/26/2024 9:34 PM, Henry Qin wrote:
> > Hi folks,
> >
> > I've recently started to work on a patch for openssh that introduces a
> new
> > option to disable authentication.
> > I'd like to explain why I think this might be generally useful, and
> solicit
> > opinions on whether such a patch would be acceptable to the maintainers
> as
> > a pull request.
>
> Why not just use a different PAM stack? The new release allows
> specifying the stack name. This should do what you want with no code
> changes using Password / KbdInteractive AuthN.
>
> --
>
> Carson
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


More information about the openssh-unix-dev mailing list