authordes <des@FreeBSD.org>2004-02-19 15:53:31 +0000
committerdes <des@FreeBSD.org>2004-02-19 15:53:31 +0000
commit49dee586c162d37d929302b8c1def6fb6e2f06b7 (patch)
tree5010fbaf74aa862054845445a296426ede723407 /crypto
parent4f4561b6d6a94f0cff8f4ae3e71838599a939778 (diff)
Turn non-PAM password authentication off by default when USE_PAM is
defined. Too many users are getting bitten by it.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/servconf.c4
-rw-r--r--crypto/openssh/sshd_config4
-rw-r--r--crypto/openssh/sshd_config.54
3 files changed, 10 insertions, 2 deletions
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 781c2c2..c7c1c35 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -185,7 +185,11 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
+#else
options->password_authentication = 1;
+#endif
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
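Review bot: The new default in the `#ifdef USE_PAM` branch is chosen by the build-time macro, not by whether PAM is enabled in the running configuration. A PAM-built sshd whose administrator turns PAM off (the sample config's "Change to no to disable PAM authentication" setting) is therefore left with built-in password authentication off too, unless it is set explicitly. That fails closed, which is the safe direction, but it can lock out password-only accounts after an upgrade, so it deserves a comment at the assignment, e.g. `/* PAM build: built-in password auth stays off unless sshd_config sets PasswordAuthentication yes */`. If the runtime PAM flag is already defaulted earlier in this function (not visible here; `options->use_pam` in upstream OpenSSH), `options->password_authentication = options->use_pam ? 0 : 1;` inside the `USE_PAM` branch would track the effective configuration instead. fill_default_server_options starts and ends outside the hunk.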
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 4e3ec31..7dedb84 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -55,8 +55,8 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
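Review bot: The commented-out `#PasswordAuthentication no` presents "no" as the default unconditionally, but the servconf.c hunk in this commit keeps the default at 1 when `USE_PAM` is not defined. An administrator reading this file on a non-PAM build would conclude that password logins are off when they are in fact on. The comment line should carry the condition, for example `# Built-in password authentication: default is no on PAM builds, yes otherwise. Set explicitly to be sure.` The removed line was also the only hint here that this option governs tunneled clear-text passwords, so the replacement comment should keep that wording.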
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index dc221e7..cf14589 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -436,6 +436,10 @@ are refused if the number of unauthenticated connections reaches
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
.Dq yes .
Note that if
.Cm ChallengeResponseAuthentication