sshd: Disable PAM if you do not want to use passwords
Hello,
Regarding bug #109846 I also have the problem that if I use
PasswordAuthentication no
in /etc/ssh/sshd_config, it is not enough to reject password
authentication. I _also_ have to disable PAM.
I discovered I had a /etc/ssh/sshd_config.dpkg-old dated 2001-09-13.
This file does not have the line
UsePAM yes
If I use
PasswordAuthentication no
UsePAM no
then passwords are effectively disabled.
I think it is clearer/easier/simpler to modify two lines in
/etc/ssh/sshd_config than modifying one line in /etc/ssh/sshd_config and
one line in /etc/pam.d/ssh
I think it may be a critical security problem for upgrades from woody
since the UsePAM line is not present in /etc/ssh/sshd_config on a woody
system. It is not clear that if you add "UsePAM yes" (during the
upgrade) it will allow password authentication EVEN IF you have
PasswordAuthentication no. So this should be clearly documented.
Regards,
--
Dr. Ludovic Rousseau Ludovic.Rousseau@free.fr
-- Normaliser Unix c'est comme pasteuriser le camembert, L.R. --
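
An added example, not part of the original message: a shell check for the combination described above, which passes a configuration only when both PasswordAuthentication and UsePAM are explicitly set to no. The function names are hypothetical; it assumes whitespace-separated "Keyword value" lines, reads only the global section (it stops at the first Match line) and does not follow Include files.

```shell
#!/bin/sh
# Added example. Function names are hypothetical.

# Print the effective global value of keyword $2 in config file $1, or the
# fallback $3 when it is not set. sshd keeps the first value it reads for a
# keyword, and keyword names are case-insensitive.
sshd_effective() {
    awk -v want="$2" -v fallback="$3" '
        BEGIN { want = tolower(want); value = fallback }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == want && !seen { value = tolower($2); seen = 1 }
        END { print value }
    ' "$1"
}

# Return 0 only when both directives are explicitly "no"; otherwise print
# a warning and return 1. Assumption: an absent line counts as not disabled.
sshd_passwords_disabled() {
    pw=$(sshd_effective "$1" PasswordAuthentication unset)
    pam=$(sshd_effective "$1" UsePAM unset)
    if [ "$pw" = no ] && [ "$pam" = no ]; then
        echo "OK: PasswordAuthentication=no UsePAM=no"
        return 0
    fi
    if [ "$pw" = no ]; then
        echo "WARN: PasswordAuthentication=no but UsePAM=$pam: PAM may still accept passwords"
    else
        echo "WARN: PasswordAuthentication=$pw UsePAM=$pam"
    fi
    return 1
}

# Constructed sample: the post-upgrade configuration the message warns about.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication no
UsePAM yes
EOF
sshd_passwords_disabled "$sample" || true
rm -f "$sample"
```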