> >Well, that's what I get for not checking Bugzilla first.......
> >
> >Forgive my HP ignorance, but the way I understand it, using the
> >"keyboard-interactive" method means you are letting PAM do the
> >authentication. Where if you leave PasswordAuthentication set to yes,
> >then you are kind of bypassing PAM. Is that why keyboard-interactive
> >is the "preferred" method for use with PAM?
> Yes. You can authenticate with password (i.e. the contents of /etc/passwd
> and/or /etc/shadow) and still have the PAM account and session modules
> run, but if you want to actually authenticate via PAM with 3.7p1 and up,
> you need to use keyboard-interactive.
> >The whole reason why I
> >even ask is that our security documentation stipulates that they want
> >ChallengeResponseAuthentication set to no, which shuts off
> >keyboard-interactive authentications. Well if you do that and have
> >PasswordAuthentication also set to no, then the user can't even log in
> >because all the authentications have been shut off (we don't use public
> >key). Is there any valid (security) reason to say
> >ChallengeResponseAuthentication must be set to no, or are the security
> >people worrying about something that no longer applies to the current
> >versions of OpenSSH?
> They're probably referring to this:
> In general, disabling stuff you don't need is good policy, but for PAM
> you now need ChallengeResponseAuthentication enabled.

Thanks Darren.
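
Added example, not part of the thread or of OpenSSH: a small Python audit of sshd_config text for the two situations discussed above, the lockout when both PasswordAuthentication and ChallengeResponseAuthentication are off with no public keys in use, and PAM authentication being skipped when keyboard-interactive is off. It assumes the stock defaults shown in `DEFAULTS`, takes the PAM rule from the reply above, uses the `UsePAM` keyword (not named in the thread) to detect that PAM is on, and ignores `Match` blocks; the sample config is constructed.

```python
# Added example. Assumptions: stock OpenSSH defaults below; PAM rule as stated
# in the quoted reply (PAM authentication needs keyboard-interactive).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
}

def effective_settings(config_text):
    """Return the global yes/no settings; as in sshd, the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        if key == "match":  # per-user/host overrides are out of scope here
            break
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def audit(config_text, users_have_keys=False):
    """Return findings for the two situations discussed in the thread."""
    s = effective_settings(config_text)
    on = lambda k: s[k] == "yes"
    findings = []
    usable = on("passwordauthentication") or on("challengeresponseauthentication")
    usable = usable or (on("pubkeyauthentication") and users_have_keys)
    if not usable:
        findings.append("LOCKOUT: no usable authentication method is enabled")
    if on("usepam") and not on("challengeresponseauthentication"):
        findings.append("PAM-AUTH-OFF: PAM auth modules are not consulted; "
                        "only account and session modules run")
    return findings

# Constructed sample: the security guide's setting plus password auth disabled.
HARDENED = """
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(HARDENED):
        print(finding)
```
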

