- Document PAM ChallengeResponseAuthentication in sshd.8

 - Disable and comment ChallengeResponseAuthentication in sshd_config

3 files changed, 14 insertions, 5 deletions

diff --git a/ChangeLog b/ChangeLog
index 6e15ef3b3..71da4c457 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 20010303
  - Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
+ - Document PAM ChallengeResponseAuthentication in sshd.8
+ - Disable and comment ChallengeResponseAuthentication in sshd_config
 
 20010301
  - (djm) Properly add -lcrypt if needed. 
@@ -4178,4 +4180,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.846 2001/03/03 09:00:36 djm Exp $
+$Id: ChangeLog,v 1.847 2001/03/03 13:16:20 djm Exp $
diff --git a/sshd.8 b/sshd.8
index 79c184330..3601dff2c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -644,11 +644,17 @@ The minimum value is 512, and the default is 768.
 Specifies whether
 challenge reponse
 authentication is allowed.
-Currently there is only support for
+Currently there is support for
 .Xr skey 1
-authentication.
+and PAM authentication.
 The default is
 .Dq yes .
+Note that enabling ChallengeResponseAuthentication for PAM bypasses 
+OpenSSH's password checking code, thus rendering options such as 
+.Cm PasswordAuthentication 
+and
+.Cm PermitEmptyPasswords
+ineffective.
 .It Cm StrictModes
 Specifies whether
 .Nm
diff --git a/sshd_config b/sshd_config
index 8d0af1060..2a9b86be2 100644
--- a/sshd_config
+++ b/sshd_config
@@ -41,8 +41,9 @@ RSAAuthentication yes
 PasswordAuthentication yes
 PermitEmptyPasswords no
 
-# Uncomment to disable s/key passwords 
-#ChallengeResponseAuthentication no
+# Comment to enable s/key passwords or PAM interactive authentication
+# NB. Neither of these are compiled in by default.
+ChallengeResponseAuthentication no
 
 # To change Kerberos options
 #KerberosAuthentication no