Re: ssh authentication configuration?
On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:
> Hello, i'm confused on a couple variables in the sshd_config file, i
> have a client that's using that 'other os' and has an ssh client that he
> likes. however, he wanted me to secure the server as much as possible,
> i've always disabled clear text passwords(PasswordAuthentication no),
> and turn on pam auth (PAMAuthenticationViaKbdInt yes). That's always
> worked fine for me as i'm using debian linux, and i don't actually know
> why i do it other than in the conf file debian adds a comment above
> telling me to do so, so i do. Well, my clients ssh client app doesn't
> seem to be able to handle pam auth, so when i disable clear text passes
Both PasswordAuthentication and PAMAuthenticationViaKbdInt go through
PAM . The difference is that PasswordAuthentication obtains a
password and hands that to the auth modules, whereas
PAMAuthenticationViaKbdInt allows modules to interact with the user so
that they can display their own prompts and collect responses.
Note that both send passwords (or other data) as *tunneled* cleartext -
in other words, the string itself is sent, but it's sent over the
> it won't let him in, even though i can get in with his account from my
> ssh client. i guess what i'm asking is, "How much of a security risk is
> using regular auth versus Pam?".
Unless you've modified your PAM configuration to use some
challenge-response authentication mechanism, and barring any relevant
undiscovered bugs in OpenSSH or PAM, there's no difference in the risks
posed by using SSH password-authentication and SSH keyboard-interactive
authentication, nor reason to turn off PasswordAuthentication but leave
 in the Debian configuration - if configured at build time without
PAM, PasswordAuthentication will use another mechanism to check
William Aoki email@example.com /"\ ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B <- key change \ / No HTML in mail or news!
99AF A093 29AE 0AE1 9734 prev. expired X
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com