tech-security archive


Re: Why OpenSSH's UsePAM only works with password or challenge/response?



On Fri, Jan 02, 2009 at 02:11:31PM +0100, Jeremie Le Hen wrote:
> %
> %         Because PAM challenge-response authentication usually serves an
> %         equivalent role to password authentication, you should disable
> %         either PasswordAuthentication or ChallengeResponseAuthentication.
> 
> I don't understand the logic of this.  I mean, I see PAM
> authentication as a method in itself.  I don't understand why it needs
> either ChallengeResponseAuthentication or PasswordAuthentication.
> I think I'm missing something, a clarification would be welcome.

If you disable ChallengeResponseAuthentication at the SSH protocol
level, there is no way for the server to send the S/KEY challenge you
want displayed to the user before authentication completes.

In other words, with both PasswordAuthentication and
ChallengeResponseAuthentication disabled at the SSH protocol level, there
is no way for most PAM modules to do anything useful.

Thor
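
The interaction described in this message can be checked mechanically. The following is an added example, not part of the original post or of OpenSSH: it reads the global section of an sshd_config and reports which SSH-level methods are left to carry PAM authentication. The function names, finding codes and sample configs are constructed for illustration, and the defaults are assumed to be the upstream ones.

```python
import re

# Upstream defaults from sshd_config(5); a packaged config may set other values.
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}
# Newer OpenSSH releases call the same option KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def effective_settings(config_text):
    """Global settings only; sshd keeps the first value it sees for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # Match blocks are conditional overrides, not global settings
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def pam_findings(config_text):
    """Return (code, message) pairs for the UsePAM / auth-method combination."""
    s = effective_settings(config_text)
    pw = s["passwordauthentication"] == "yes"
    cr = s["challengeresponseauthentication"] == "yes"
    if s["usepam"] != "yes":
        return [("PAM_OFF", "UsePAM is not enabled, so PAM is not consulted")]
    if not (pw or cr):
        return [("PAM_UNREACHABLE", "no SSH method left to carry PAM authentication")]
    found = []
    if pw and cr:
        found.append(("BOTH_ENABLED", "disable one, as sshd_config(5) advises"))
    if not cr:
        found.append(("NO_CHALLENGE", "server cannot display a challenge such as S/KEY"))
    return found

# Constructed sample configs (not taken from the thread).
SAMPLE_BROKEN = """\
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
SAMPLE_SKEY = """\
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("skey", SAMPLE_SKEY)):
        print(name, pam_findings(text))
```

Only the global section is evaluated; settings inside Match blocks need a per-connection view such as the output of `sshd -T`.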

