From 1dcff9a3a8891db8d7fce77e43e675ce60e0fe44 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Thu, 13 May 2004 16:51:40 +1000
Subject:  - (dtucker) [sshd.8] Bug #843: Add warning about
 PasswordAuthentication to    UsePAM section.  Parts from djm@ and jmc@.

---
 sshd_config.5 | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

(limited to 'sshd_config.5')

diff --git a/sshd_config.5 b/sshd_config.5
index f8aa0f2f3..05558c569 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -624,12 +624,25 @@ If
 .Cm UsePrivilegeSeparation
 is specified, it will be disabled after authentication.
 .It Cm UsePAM
-Enables PAM authentication (via challenge-response) and session set up.
-If you enable this, you should probably disable
-.Cm PasswordAuthentication .
-If you enable
-.CM UsePAM
-then you will not be able to run sshd as a non-root user.  The default is
+Enables the Pluggable Authentication Module interface.
+If set to
+.Dq yes
+this will enable PAM authentication using
+.Cm ChallengeResponseAuthentication
+and PAM account and session module processing for all authentication types.
+.Pp
+Because PAM challenge-response authentication usually serves an equivalent
+role to password authentication, you should disable either
+.Cm PasswordAuthentication
+or
+.Cm ChallengeResponseAuthentication.
+.Pp
+If
+.Cm UsePAM
+is enabled, you will not be able to run
+.Xr sshd 8
+as a non-root user.
+The default is
 .Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
-- 
cgit v1.2.3