On Tuesday 20 April 2004 14.24, Giacomo Mulas wrote: > > First, it seems to always enable PasswordAuthentication. All my > > systems have 'PasswordAuthentication no' and 'PubkeyAuthentication > > yes', so I was very surprised when I was prompted for a password > > trying to login to one of the systems, to an account with an > > outdated authorized_keys file. Investigation showed that 'UsePam > > yes' is causing this behaviour (i.e. 'UsePam no' turns off > > PasswordAuthentication). > > you are not seeing PasswordAuthentication, you are seeing > keyboard-interactive authentication. They are two distinct things and > get enabled/disabled separately. Either way, it allows people to authenticate with their account password instead of an ssh key. Is this distinction documented somewhere? I guess the sshd_config(5) section about UsePAM counts for documentation, but does not help me with my problem. So, to rephrase the question, is there a way to have PAM set up my session (specifically, pam_env) without allowing users to log in with their password? I think it's just annoying to have the session setup twice, once in pam and once in <wherever>, and have my ssh sessions look different from my local login sessions. The two sets of configuration will certainly diverge over time... cheers -- vbi -- Wir müssen heute nach den Wahrheiten leben, die uns zur Verfügung stehen, dabei aber immer bereit sein, sie morgen Irrtümer zu nennen. -- William James
Attachment:
pgpVMc7Ntnm0d.pgp
Description: signature