summaryrefslogtreecommitdiffstats
path: root/crypto/openssh
diff options
context:
space:
mode:
authordes <des@FreeBSD.org>2004-02-19 15:53:31 +0000
committerdes <des@FreeBSD.org>2004-02-19 15:53:31 +0000
commit49dee586c162d37d929302b8c1def6fb6e2f06b7 (patch)
tree5010fbaf74aa862054845445a296426ede723407 /crypto/openssh
parent4f4561b6d6a94f0cff8f4ae3e71838599a939778 (diff)
downloadFreeBSD-src-49dee586c162d37d929302b8c1def6fb6e2f06b7.zip
FreeBSD-src-49dee586c162d37d929302b8c1def6fb6e2f06b7.tar.gz
Turn non-PAM password authentication off by default when USE_PAM is
defined. Too many users are getting bitten by it.
Diffstat (limited to 'crypto/openssh')
-rw-r--r--crypto/openssh/servconf.c4
-rw-r--r--crypto/openssh/sshd_config4
-rw-r--r--crypto/openssh/sshd_config.54
3 files changed, 10 insertions, 2 deletions
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 781c2c2..c7c1c35 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -185,7 +185,11 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
+#else
options->password_authentication = 1;
+#endif
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 4e3ec31..7dedb84 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -55,8 +55,8 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index dc221e7..cf14589 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -436,6 +436,10 @@ are refused if the number of unauthenticated connections reaches
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
.Dq yes .
Note that if
.Cm ChallengeResponseAuthentication
OpenPOWER on IntegriCloud