NetBSD-Users archive


sshd's PasswordAuthentication and UsePam options, and PR bin/32313



PR bin/32313 has been open for nearly three years, and the state of
affairs has not changed.  I think it is pretty serious that setting
`PasswordAuthentication no' in one's sshd_config does not actually
disable password authentication by default, because it is overridden
by the undocumented but explicitly enabled `UsePam yes' later in the
default sshd_config.

Would anyone object just to changing the line `UsePam yes' to `#UsePam
no' in the default sshd_config?  This is what one finds in portable
OpenSSH these days, reflecting the actual default value.  The worst
that this change could cause is that users relying on PAM to authenticate
for ssh (which is not an issue for setups with ssh keys) would have to
contact their administrators if they fail to log in after the next
system upgrade -- if the administrator etcupdates without paying
attention.  By contrast, I think that it is much more serious that an
administrator believes password authentication to be disabled when it
is still enabled, and when no documentation explains otherwise.

Documentation for the UsePam option in the man page would also be
helpful, of course, and it might even be a good idea to add a warning
to sshd if PasswordAuthentication is disabled but overridden by an
enabled UsePam.  I'd be willing to prepare patches for these, if
anyone is interested.

(I am not subscribed to this list, so please cc me in replies.)
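The warning the post proposes for sshd, as an added example that is not part of the post or of OpenSSH: a small Python lint that reads an sshd_config with sshd's first-occurrence rule (comment lines ignored, Match blocks skipped) and reports when `PasswordAuthentication no` is overridden by `UsePAM yes`. It goes slightly beyond the post by also checking the keyboard-interactive keyword (`KbdInteractiveAuthentication`, older spelling `ChallengeResponseAuthentication`), which is the path PAM password prompts actually take; the defaults in `DEFAULTS` are assumptions taken from the post and sshd_config(5).

```python
import re

# Assumed global defaults: UsePAM no (the portable OpenSSH default the post
# cites); the other two keywords default to yes per sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes",
    "usepam": "no",
    "kbdinteractiveauthentication": "yes",
}
# Older configs spell the keyboard-interactive keyword differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Effective global settings, keyed by lowercased keyword.

    sshd honours the first occurrence of a keyword and ignores comment lines,
    so a commented '#UsePam no' does nothing against a later 'UsePam yes'.
    Keywords inside a Match block are conditional and are not examined.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(ALIASES.get(key, key), value)
    return settings


def password_login_possible(settings):
    """True if some password prompt stays reachable under these settings."""
    eff = {**DEFAULTS, **settings}
    plain = eff["passwordauthentication"] == "yes"
    via_pam = eff["usepam"] == "yes" and eff["kbdinteractiveauthentication"] == "yes"
    return plain or via_pam


def lint(text):
    """Warn when passwords were disabled but UsePAM still lets them through."""
    s = parse_sshd_config(text)
    if s.get("passwordauthentication") == "no" and password_login_possible(s):
        return ["PasswordAuthentication no is overridden: UsePAM yes with "
                "keyboard-interactive enabled still permits PAM password logins; "
                "set KbdInteractiveAuthentication no (or UsePAM no)"]
    return []
```

Run `lint(open("/etc/ssh/sshd_config").read())` on a host; the constructed input `"PasswordAuthentication no\n#UsePam no\nUsePam yes\n"` reproduces the default-config situation the post describes and yields one warning.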

