tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Why OpenSSH's UsePAM only works with password or challenge/response?


I'm not sure it's the right list to send this.  Please redirect me if

In the sshd_config(5) manpage, one can find:

% UsePAM  Enables the Pluggable Authentication Module interface.  If set to
%         ``yes'' this will enable PAM authentication using
%         ChallengeResponseAuthentication and PasswordAuthentication in
%         addition to PAM account and session module processing for all
%         authentication types.
%         Because PAM challenge-response authentication usually serves an
%         equivalent role to password authentication, you should disable
%         either PasswordAuthentication or ChallengeResponseAuthentication.

I don't understand the logic of this.  I mean, I see PAM
authentification as a method in itself.  I don't understand why it needs
either ChallengeResponseAuthentication or PasswordAuthentication.
I think I miss something, a clarification would be welcome.

For instance, I've tried the following configuration in pam.d/sshd with
OpenSSH 4.4:
% auth            required  no_warn
% auth            required

In sshd_config(5):
% PasswordAuthentication no
% ChallengeResponseAuthentication yes
% UsePam yes

And I get the following prompt:
% jarjarbinks:tataz$ ssh ...
% Password [ otp-md5 98 pwnd1234 ]:     <- pam_skey
% otp-md5 98 pwnd1234
% S/Key Password:                       <- OpenSSH

If I disable ChallengeResponseAuthentication, PAM isn't used anymore as
stated in the manpage.  Why?  How can I get only pam_skey's prompt,
without password authentication disabled?

Thank you.
Best regards,
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

Home | Main Index | Thread Index | Old Index