Re: adduser: what is the difference between --disabled-password and--disabled-login
Marc Haber <email@example.com> writes:
> "UsePam yes" is generally a _big_ surprise for the local admin since it
> allows passwords to be used even if "UsePasswordAuthentification no" is
> set in sshd_config.
Yes, because UsePam doesn't use password authentication; it just uses
passwords to authenticate. *sigh*. The sshd documentation is
particularly bad in this area.
To share what took me hours to figure out: There are two authentication
mechanisms in SSH that use passwords. One is called "password" and the
other is called "keyboard-interactive". When sshd_config talks about the
option UsePasswordAuthentication, it's not speaking in English, it's
speaking in terms of the SSH protocol and is talking about disabling the
password *authentication method*. The authentication method
keyboard-interactive may still be enabled.
To add an additional twist, OpenSSH uses keyboard-interactive to talk to
itself, but a lot of the other SSH clients out there only know password.
Any corrections welcome; I figured out the above by reading the source
code and looking at protocol traces and I may still have the details
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>