Re: core dump with openssh 3.8 on HP11 with PAM
From: Dan Oviatt (oviattd_at_mont.disa.mil)
Date: 15 Mar 2004 05:24:22 -0800
firstname.lastname@example.org (Darren Tucker) wrote in message news:<email@example.com>...
> In article <firstname.lastname@example.org>,
> Dan Oviatt <email@example.com> wrote:
> >> http://bugzilla.mindrot.org/show_bug.cgi?id=808
> >Well, that's what I get for not checking Bugzilla first.......
> >Forgive my HP ignorance, but the way I understand it, using the
> >"keyboard-interactive" method means you are letting PAM do the
> >authentication. Where if you leave PasswordAuthentication set to yes,
> >then you are kind of bypassing PAM. Is that why keyboard-interactive
> >is the "preferred" method for use with PAM?
> Yes. You can authenticate with password (i.e. the contents of /etc/passwd
> and/or /etc/shadow) and still have the PAM account and session modules
> run, but if you want to actually authenticate via PAM with 3.7p1 and up,
> you need to use keyboard-interactive.
> >The whole reason why I
> >even ask is that our security documentation stipulates that they want
> >ChallengeResponseAuthentication set to no, which shuts off
> >keyboard-interactive authentications. Well if you do that and have
> >PasswordAuthentication also set to no, then the user can't even login
> >because all the authentications have been shut off (we don't use public
> >key). Is there any valid (security) reason to say
> >ChallengeResponseAuthentication must be set to no, or are the security
> >people worrying about something that no longer applies to the current
> >versions of OpenSSH?
> They're probably referring to this:
> In general, disabling stuff you don't need is good policy, but for PAM
> you now need ChallengeResponseAuthentication enabled.