tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Why OpenSSH's UsePAM only works with password or challenge/response?

On Fri, Jan 02, 2009 at 02:11:31PM +0100, Jeremie Le Hen wrote:
> %
> %         Because PAM challenge-response authentication usually serves an
> %         equivalent role to password authentication, you should disable
> %         either PasswordAuthentication or ChallengeResponseAuthentication.
> I don't understand the logic of this.  I mean, I see PAM
> authentification as a method in itself.  I don't understand why it needs
> either ChallengeResponseAuthentication or PasswordAuthentication.
> I think I miss something, a clarification would be welcome.

If you disable ChallengeResponseAuthentication at the SSH protocol
level, there is no way for the server to send the S/KEY challenge you
want displayed to the user before authentication completes.

In other words, with both PasswordAuthentication and
ChallengeResponseAuthentication disabled at the SSH protocol level, there
is no way for most PAM modules to do anything useful.


Home | Main Index | Thread Index | Old Index