Re: 3.1p2 allows Password Auth
From: Darren Tucker (dtucker_at_zip.com.au)
Date: Mon, 17 Nov 2003 17:26:11 +1100
To: Asif Iqbal <email@example.com>
Asif Iqbal wrote:
> I am using openssh 3.7.1p2 with Darren Tucker's password expiration patch.
> I noticed in my config file if I have the following two entries
> PasswordAuthentication yes
> UsePAM yes
> you can bypass the PAM authentication (via challenge-response) by hitting enter
> a couple of times at the login prompt, and then it switches to password authentication.
> Then you can log in with your local password.
> I am using pam_radius_auth.
> Is it normal? Am I doing something wrong? Or is it a question for
> pam_radius_auth's author?
That's normal for the configuration you've currently got. If you're using
PAM (which now uses keyboard-interactive), you don't want to allow password
authentication, so you should disable it.
It's mentioned in the sshd_config man page:

    UsePAM  Enables PAM authentication (via challenge-response) and
            session set up. If you enable this, you should probably disable
            PasswordAuthentication. If you enable this, you will not be able
            to run sshd as a non-root user. The default is ``no''.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
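The reply above boils down to one configuration check: with `UsePAM yes`, `PasswordAuthentication` must be `no`, otherwise a client that gives up on keyboard-interactive can still fall back to the local password. The script below is an added audit example (not part of the thread and not OpenSSH's own tooling) that reads an sshd_config and flags that combination. It assumes sshd's "first occurrence wins" rule for repeated keywords, case-insensitive keywords, the defaults of `PasswordAuthentication yes` and `UsePAM no`, and it ignores `Match` blocks; the two sample config files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config for
# "UsePAM yes" combined with "PasswordAuthentication yes".
# Assumptions: first occurrence of a keyword wins (as sshd does), keywords are
# case-insensitive, Match blocks are not handled.

# sshd_option FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_option() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    default=$3
    # strip comments, then take the first line whose keyword matches
    val=$(sed -e 's/#.*//' "$file" \
        | awk -v k="$key" 'tolower($1)==k { print tolower($2); exit }')
    printf '%s\n' "${val:-$default}"
}

# check_pam_password_bypass FILE -> returns 0 if the weak combination is
# present (and prints a warning), 1 otherwise
check_pam_password_bypass() {
    pam=$(sshd_option "$1" UsePAM no)                  # man page: default is no
    pw=$(sshd_option "$1" PasswordAuthentication yes)  # sshd default: yes
    if [ "$pam" = yes ] && [ "$pw" = yes ]; then
        echo "WARNING: $1: UsePAM yes with PasswordAuthentication yes;"
        echo "a client that fails keyboard-interactive can fall back to password auth."
        return 0
    fi
    return 1
}

# Constructed sample configs: the reported setup and the corrected one.
weak_cfg=$(mktemp)
fixed_cfg=$(mktemp)
printf 'PasswordAuthentication yes\nUsePAM yes\n' > "$weak_cfg"
printf '# PAM handles authentication via keyboard-interactive\nPasswordAuthentication no\nUsePAM yes\n' > "$fixed_cfg"

check_pam_password_bypass "$weak_cfg" || echo "OK: $weak_cfg"
check_pam_password_bypass "$fixed_cfg" || echo "OK: $fixed_cfg (password auth disabled)"
rm -f "$weak_cfg" "$fixed_cfg"
```

Run it as `sh audit_sshd.sh`; to audit a live host, point `check_pam_password_bypass` at `/etc/ssh/sshd_config`. Because the keyword lookup honours sshd's first-match rule, a hardened `PasswordAuthentication no` placed after an earlier `PasswordAuthentication yes` is correctly reported as still weak.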