NetBSD-Users archive


Re: sshd's PasswordAuthentication and UsePam options, and PR bin/32313



On Fri, 29 Aug 2008 14:54:18 -0400
Taylor R Campbell <campbell%mumble.net@localhost> wrote:

> PR bin/32313 has been open for nearly three years, and the state of
> affairs has not changed.  I think it is pretty serious that setting
> `PasswordAuthentication no' in one's sshd_config does not actually
> disable password authentication by default, because it is overridden
> by the undocumented but explicitly enabled `UsePam yes' later in the
> default sshd_config.
> 
> Would anyone object just to changing the line `UsePam yes' to `#UsePam
> no' in the default sshd_config?  This is what one finds in portable
> OpenSSH these days, reflecting the actual default value.  The worst
> that this change could cause is that users relying on PAM to authenticate
> for ssh (which is not an issue for setups with ssh keys) would have to
> contact their administrators if they fail to log in after the next
> system upgrade -- if the administrator etcupdates without paying
> attention.  By contrast, I think that it is much more serious that an
> administrator believe password authentication to be disabled when it
> is still enabled, and when no documentation explains otherwise.
> 
> Documentation for the UsePam option in the man page would also be
> helpful, of course, and it might even be a good idea to add a warning
> to sshd if PasswordAuthentication is disabled but overridden by an
> enabled UsePam.  I'd be willing to prepare patches for these, if
> anyone is interested.
> 
> (I am not subscribed to this list, so please cc me in replies.)
> 

It strikes me as an excellent idea -- I always disable PAM for
precisely this reason.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
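The following is an added configuration check, not code from the thread: it reads an sshd_config and reports whether `PasswordAuthentication no` is undermined by `UsePAM yes`, since with PAM enabled sshd can still prompt for a password through the keyboard-interactive path unless ChallengeResponseAuthentication is also turned off. It assumes the directive names of portable OpenSSH of that era, "first occurrence wins" semantics, and ignores Match blocks.

```shell
#!/bin/sh
# Added example (not from the original thread): detect a PAM override of
# "PasswordAuthentication no" in an sshd_config file.

# sshd_effective KEY FILE: print the value of the first non-comment
# occurrence of KEY, lowercased. sshd keywords are case-insensitive and
# the first value seen is the one that takes effect. Match blocks are
# not interpreted here (assumption: a flat, global configuration).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# check_pam_override FILE
#   exit 0: password authentication is effectively disabled
#   exit 1: PasswordAuthentication no, but UsePAM yes and PAM may still
#           ask for a password via keyboard-interactive
#   exit 2: PasswordAuthentication is not "no" at all
check_pam_override() {
    cfg=$1
    pw=$(sshd_effective PasswordAuthentication "$cfg")
    pam=$(sshd_effective UsePAM "$cfg")
    kbd=$(sshd_effective ChallengeResponseAuthentication "$cfg")
    # sshd defaults when a keyword is absent: PasswordAuthentication yes,
    # ChallengeResponseAuthentication yes, UsePAM no (portable OpenSSH).
    : "${pw:=yes}" "${pam:=no}" "${kbd:=yes}"
    if [ "$pw" != no ]; then
        echo "$cfg: PasswordAuthentication is '$pw', not disabled"
        return 2
    fi
    if [ "$pam" = yes ] && [ "$kbd" != no ]; then
        echo "$cfg: WARNING: PasswordAuthentication no is overridden:" \
             "UsePAM yes with ChallengeResponseAuthentication $kbd" \
             "still lets PAM prompt for a password"
        return 1
    fi
    echo "$cfg: password authentication effectively disabled"
    return 0
}
```

Run it as `check_pam_override /etc/ssh/sshd_config` after an etcupdate to catch the exact situation the PR describes before the next login.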

