This is a discussion on Re: Questions about sshd_config man page and comments in the file within the OpenSSH Development forums, part of the Networking and Network Related category.
Yes. This sorts out the confusion. Thanks for the fix.
-- M.P ----- Original Message ----- From: "Darren Tucker" <dtucker@zip.com.au> To: "ponraj" <tryponraj@gmail.com> Cc: <openssh-unix-dev@mindrot.org> Sent: Thursday, February 23, 2006 2:58 PM Subject: Re: Questions about sshd_config man page and comments in the file > On Thu, Feb 23, 2006 at 08:13:08PM +1100, Darren Tucker wrote: >> > b)Comments in sshd_config file: > [...] >> The comment in the example config file is outdated and should be fixed. > > Does this help clear up the confusion? > > Index: sshd_config > ================================================== ================= > RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd_config,v > retrieving revision 1.74 > diff -u -p -r1.74 sshd_config > --- sshd_config 13 Dec 2005 08:29:03 -0000 1.74 > +++ sshd_config 23 Feb 2006 09:26:42 -0000 
> @@ -71,12 +71,13 @@ > > # Set this to 'yes' to enable PAM authentication, account processing, > # and session processing. If this is enabled, PAM authentication will > -# be allowed through the ChallengeResponseAuthentication mechanism. > -# Depending on your PAM configuration, this may bypass the setting of > -# PasswordAuthentication, PermitEmptyPasswords, and > -# "PermitRootLogin without-password". If you just want the PAM account > and > -# session checks to run without PAM authentication, then enable this but > set > -# ChallengeResponseAuthentication=no > +# be allowed through the ChallengeResponseAuthentication and > +# PasswordAuthentication. Depending on your PAM configuration, > +# PAM authentication via ChallengeResponseAuthentication may bypass > +# the setting of "PermitRootLogin without-password". > +# If you just want the PAM account and session checks to run without > +# PAM authentication, then enable this but set PasswordAuthentication > +# and ChallengeResponseAuthentication to 'no'. > #UsePAM no > > #AllowTcpForwarding yes > Index: sshd_config.5 > ================================================== ================= > RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd_config.5,v > retrieving revision 1.53 > diff -u -p -r1.53 sshd_config.5 > --- sshd_config.5 3 Jan 2006 07:47:31 -0000 1.53 > +++ sshd_config.5 23 Feb 2006 09:27:42 -0000 
> @@ -677,7 +677,10 @@ If set to > .Dq yes > this will enable PAM authentication using > .Cm ChallengeResponseAuthentication > -and PAM account and session module processing for all authentication > types. > +and > +.Cm PasswordAuthentication > +in addition to PAM account and session module processing for all > +authentication types. > .Pp > Because PAM challenge-response authentication usually serves an equivalent > role to password authentication, you should disable either > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@mindrot.org > http://www.mindrot.org/mailman/listi...enssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org http://www.mindrot.org/mailman/listi...enssh-unix-dev |
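Review bot: In the sshd_config hunk (@@ -71,12 +71,13 @@), the bypass warning now names only "PermitRootLogin without-password", while the removed lines also listed PasswordAuthentication and PermitEmptyPasswords. If PAM authentication via ChallengeResponseAuthentication can still get around those two settings, keep them in the sentence. Otherwise an administrator who sets only PasswordAuthentication to 'no' has to infer from the final sentence that password-style logins remain possible. Separately, "through the ChallengeResponseAuthentication and PasswordAuthentication." lost its noun when "mechanism" was removed; "through ChallengeResponseAuthentication and PasswordAuthentication." reads cleanly.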
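Review bot: In the sshd_config.5 hunk (@@ -677,7 +677,10 @@), the added lines document that PAM authentication is reachable through both ChallengeResponseAuthentication and PasswordAuthentication, but the visible text does not carry the two points the example-config comment in the same patch makes: that both directives must be set to 'no' to get PAM account and session processing without PAM authentication, and that the ChallengeResponseAuthentication path may bypass "PermitRootLogin without-password". The man page is the reference most administrators read, so consider adding a sentence for each after "authentication types." unless the rest of the paragraph, which is cut off at "you should disable either", already covers them.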