[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: adduser: what is the difference between --disabled-password and--disabled-login

Marc Haber <mh+debian-devel@zugschlus.de> writes:

> "UsePam yes" is generally a _big_ surprise for the local admin since it
> allows passwords to be used even if "UsePasswordAuthentification no" is
> set in sshd_config.

Yes, because UsePam doesn't use password authentication; it just uses
passwords to authenticate.  *sigh*.  The sshd documentation is
particularly bad in this area.

To share what took me hours to figure out:  There are two authentication
mechanisms in SSH that use passwords.  One is called "password" and the
other is called "keyboard-interactive".  When sshd_config talks about the
option UsePasswordAuthentication, it's not speaking in English, it's
speaking in terms of the SSH protocol and is talking about disabling the
password *authentication method*.  The authentication method
keyboard-interactive may still be enabled.

To add an additional twist, OpenSSH uses keyboard-interactive to talk to
itself, but a lot of the other SSH clients out there only know password.

Any corrections welcome; I figured out the above by reading the source
code and looking at protocol traces and I may still have the details

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Reply to: