Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 08/02/05

• Next message: Darren Tucker: "Re: SSH on Z/OS 1.4"
• Previous message: h.wulff: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
• In reply to: h.wulff: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
• Next in thread: Richard E. Silverman: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 02 Aug 2005 00:41:54 GMT

On 2005-08-01, h.wulff <zuhause@aol.com> wrote:
><sshd_config>
> # Change to yes to enable tunnelled clear text passwords
> PasswordAuthentication no
></sshd_config>
>
> Thats why I assumed the clear text passwd.
> Taken from sshd_config of OpenSSH_3.8.1p1 Debian-8.sarge.4. Btw: I know
> that ssh is quite secure and there are no plain password. I wonder about
> the comment...

The "tunnelled" part implies that it's encrypted on the wire (which it
is) but as Richard noted the server must decrypt it to process it.

> So, let me ask the question another way round:
> What is the difference between "PasswordAuthentication no" and
> "PasswordAuthentication yes"?
> I can login with a password in both cases.

Debian's sshd is built with PAM, so I suspect what you see as logging
in with a password is actually challenge-response authentication from a
SSH protocol perspective.

Last time I looked, the version of OpenSSH Debian uses doesn't use PAM
for PasswordAuthentication, that capability was (re)introduced in 3.9p1
and I don't think they've backported the patch. This may or may not
matter in your case.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

• Next message: Darren Tucker: "Re: SSH on Z/OS 1.4"
• Previous message: h.wulff: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
• In reply to: h.wulff: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
• Next in thread: Richard E. Silverman: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Forcing new password at login (w/o requiring an old password) (sudo related) ... If you're using PAM then the user will be forced to set a new password ... when the existing one expires regardless of the authentication method. ... the user can sudo w/o additional authentication even ... Good judgement comes with experience. ... (comp.security.ssh) Re: Irish Mike gets nailed again! ... thats my question - get out how? ... now thats good judgement!! ... On Apr 6 2008 9:50 PM, Irish Mike wrote: ... gospel and regurgitates on her campaign tour? ... (rec.gambling.poker) Re: Problem with Openssh 3.6.1p2 ... > I am having a problem with openssh 3.6.1p2 where it seems to access the PAM ... > routines BEFORE it gets a password. ... Good judgement comes with experience. ... (SSH) Re: AllowUsers reference a file ... If you use PAM with sshd you can get PAM to do it, ... then add "AllowGroups admins" to ... sshd_config and SIGHUP sshd when you want to restrict access. ... Good judgement comes with experience. ... (comp.security.ssh) Re: OpenSSH 3.7.1p1 & PAM authentication on Solaris 8 ... >>and below seem to work fine on solaris 8 with pam. ... When i compile ... >>skip the authentication module, however it seems to read the session ... Good judgement comes with experience. ... (comp.security.ssh)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint