- (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to

UsePAM section. Parts from djm@ and jmc@.
author: Darren Tucker <dtucker@zip.com.au> 2004-05-13 16:51:40 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2004-05-13 16:51:40 +1000
commit: 1dcff9a3a8891db8d7fce77e43e675ce60e0fe44 (patch)
tree: 118f07e3092ac723ffde11caff628e2214ed6fec /sshd_config.5
parent: a86b453bb3282bac162693dc7366286c7334a91f (diff)
1 files changed, 19 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index f8aa0f2f3..05558c569 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -624,12 +624,25 @@ If
 .Cm UsePrivilegeSeparation
 is specified, it will be disabled after authentication.
 .It Cm UsePAM
-Enables PAM authentication (via challenge-response) and session set up.
+Enables the Pluggable Authentication Module interface.
-If you enable this, you should probably disable
+If set to
-.Cm PasswordAuthentication .
+.Dq yes
-If you enable
+this will enable PAM authentication using
-.CM UsePAM
+.Cm ChallengeResponseAuthentication
-then you will not be able to run sshd as a non-root user.  The default is
+and PAM account and session module processing for all authentication types.
+.Pp
+Because PAM challenge-response authentication usually serves an equivalent
+role to password authentication, you should disable either
+.Cm PasswordAuthentication
+or
+.Cm ChallengeResponseAuthentication.
+.Pp
+If
+.Cm UsePAM
+is enabled, you will not be able to run
+.Xr sshd 8
+as a non-root user.
+The default is
 .Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
author	Darren Tucker <dtucker@zip.com.au>	2004-05-13 16:51:40 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2004-05-13 16:51:40 +1000
commit	1dcff9a3a8891db8d7fce77e43e675ce60e0fe44 (patch)
tree	118f07e3092ac723ffde11caff628e2214ed6fec /sshd_config.5
parent	a86b453bb3282bac162693dc7366286c7334a91f (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index f8aa0f2f3..05558c569 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -624,12 +624,25 @@ If
624	.Cm UsePrivilegeSeparation	624	.Cm UsePrivilegeSeparation
625	is specified, it will be disabled after authentication.	625	is specified, it will be disabled after authentication.
626	.It Cm UsePAM	626	.It Cm UsePAM
627	Enables PAM authentication (via challenge-response) and session set up.	627	Enables the Pluggable Authentication Module interface.
628	If you enable this, you should probably disable	628	If set to
629	.Cm PasswordAuthentication .	629	.Dq yes
630	If you enable	630	this will enable PAM authentication using
631	.CM UsePAM	631	.Cm ChallengeResponseAuthentication
632	then you will not be able to run sshd as a non-root user. The default is	632	and PAM account and session module processing for all authentication types.
		633	.Pp
		634	Because PAM challenge-response authentication usually serves an equivalent
		635	role to password authentication, you should disable either
		636	.Cm PasswordAuthentication
		637	or
		638	.Cm ChallengeResponseAuthentication.
		639	.Pp
		640	If
		641	.Cm UsePAM
		642	is enabled, you will not be able to run
		643	.Xr sshd 8
		644	as a non-root user.
		645	The default is
633	.Dq no .	646	.Dq no .
634	.It Cm UsePrivilegeSeparation	647	.It Cm UsePrivilegeSeparation
635	Specifies whether	648	Specifies whether