Bug#428968: changes needed to config
ssh 4.6p1 defaults to having challenge_response_authentication and
kbd_interaction_authentication to off. The shipped config file does
not set either option by default. This means that PAM is disabled by
default. A KbdInteractiveAuthentication yes or
ChallengeResponseAuthentication yes is needed to enable PAM based
authentication.
Changing PasswordAuthentication enables non-PAM based password
authentication. Doing this while UsePAM is set to yes ends up
disabling checks for locked accounts and shadow-based expiry, as well
as ignoring any sort of pam config you might have setup.
Reply to: