
Re: adduser: what is the difference between --disabled-password and --disabled-login



Marc Haber <mh+debian-devel@zugschlus.de> writes:

> "UsePam yes" is generally a _big_ surprise for the local admin since it
> allows passwords to be used even if "UsePasswordAuthentification no" is
> set in sshd_config.

Yes, because UsePam doesn't use password authentication; it just uses
passwords to authenticate.  *sigh*.  The sshd documentation is
particularly bad in this area.

To share what took me hours to figure out:  There are two authentication
mechanisms in SSH that use passwords.  One is called "password" and the
other is called "keyboard-interactive".  When sshd_config talks about the
option UsePasswordAuthentication, it's not speaking in English, it's
speaking in terms of the SSH protocol and is talking about disabling the
password *authentication method*.  The authentication method
keyboard-interactive may still be enabled.

To add an additional twist, OpenSSH uses keyboard-interactive to talk to
itself, but a lot of the other SSH clients out there only know password.

Any corrections welcome; I figured out the above by reading the source
code and looking at protocol traces and I may still have the details
wrong.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
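
The two password-carrying methods described above can be checked mechanically. The following is an added example, not code from the thread or from Debian: a small audit that reads an sshd_config, applies sshd's first-value-wins rule for repeated directives, and reports which SSH authentication methods could still accept a plain password. It assumes upstream OpenSSH defaults (PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no; Debian's shipped config sets UsePAM yes), treats KbdInteractiveAuthentication as the newer spelling of ChallengeResponseAuthentication, and assumes a PAM-enabled build in which the PAM password conversation is carried over keyboard-interactive. Match blocks are ignored, so only global settings are evaluated. The sample configs are constructed.

```python
"""Audit sshd_config for password logins that survive 'PasswordAuthentication no'.

Added example (not from the mailing-list thread).  Assumptions: upstream
OpenSSH defaults, a PAM-enabled build, global directives only (Match blocks
are not evaluated).
"""

# sshd_config directives are case-insensitive; the first value seen wins.
_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",  # upstream default; Debian's shipped config sets "yes"
}

# Newer OpenSSH spells the keyboard-interactive switch differently.
_ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return the effective global values of the directives we care about.

    Comments are stripped, 'Key value' and 'Key=value' forms are accepted,
    the first occurrence of a directive wins, and parsing stops at the first
    Match block because everything after it is conditional.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        key = _ALIASES.get(key, key)
        seen.setdefault(key, value)  # first value wins
    cfg = dict(_DEFAULTS)
    cfg.update({k: v for k, v in seen.items() if k in cfg})
    return cfg


def password_login_paths(cfg):
    """List the SSH authentication methods that can still carry a password."""
    paths = []
    # The protocol's "password" method, controlled directly by the directive.
    if cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # The "keyboard-interactive" method: with UsePAM yes, PAM's password
    # prompt is delivered through it, so it must be switched off separately.
    if cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes":
        paths.append("keyboard-interactive")
    return paths


def audit(text):
    """Convenience wrapper: config text in, list of password-capable methods out."""
    return password_login_paths(parse_sshd_config(text))


# Constructed sample: the "big surprise" case from the thread.
SURPRISING = """
# The admin believes passwords are disabled
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: both password-carrying methods switched off.
HARDENED = """
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no   # same switch, newer name
UsePAM yes
"""

if __name__ == "__main__":
    for name, text in (("surprising", SURPRISING), ("hardened", HARDENED)):
        paths = audit(text)
        verdict = ", ".join(paths) if paths else "none"
        print(f"{name}: password-capable auth methods: {verdict}")
```

Running it against a real file is a matter of `audit(open("/etc/ssh/sshd_config").read())`; the point of the check is that an empty result requires both directives to be "no", not just PasswordAuthentication.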


