Subject: Re: pam, ssh, and pam_ssh
To: Christos Zoulas <christos@zoulas.com>
From: maximum entropy <entropy@entropy.homeip.net>
List: current-users
Date: 03/14/2005 23:53:30

Christos Zoulas wrote:
> On Mar 14,  3:51pm, entropy@entropy.homeip.net (maximum entropy) wrote:
> -- Subject: Re: pam, ssh, and pam_ssh
> 
> | # ssh -l entropy localhost
> | Connection closed by 127.0.0.1
> | 
> | Can you explain to me why you think this has anything to do with 
> | authorized_keys?  I see no mention of authorized_keys in the pam_ssh 
> | manpage.  It seems to me that even if you accomplish what I think you're 
> | trying to accomplish, then you're changing pam_ssh to do something 
> | fundamentally different from what it's documented to do.
> | 
> | Why are you so opposed to just disabling pam_ssh by default?  How is it 
> | in anyone's best interest for this to be the default behavior?  Several 
> | of us have already been burned by this.  If I got this behavior from a 
> | release I'd be furious right now...
> 
> We can disable pam_ssh; I am not opposed to it at all. I am just
> trying to understand how pam_ssh is supposed to work in that framework.
> So if we disable pam_ssh from /etc/pam.d/sshd, do we disable UsePam from
> /etc/ssh/sshd_config? What happens for password authentication then?

I don't think it's necessary to disable UsePam.  Having sshd use the PAM 
authentication framework is a Good Thing (in my opinion) for the same 
reasons PAM is beneficial anywhere else.  It's just the specific *new* 
authentication method provided by pam_ssh.so that I think should be 
disabled by default.  With pam_ssh.so disabled, everything will be just 
like it was before by default in terms of password and crypto key 
authentication in sshd, which should make most of us happy.

-- 
entropy -- it's not just a good idea, it's the second law.