From 49dee586c162d37d929302b8c1def6fb6e2f06b7 Mon Sep 17 00:00:00 2001
From: des
Date: Thu, 19 Feb 2004 15:53:31 +0000
Subject: Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it.
---
 crypto/openssh/servconf.c | 4 ++++
 crypto/openssh/sshd_config | 4 ++--
 crypto/openssh/sshd_config.5 | 4 ++++
 3 files changed, 10 insertions(+), 2 deletions(-)
(limited to 'crypto')
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 781c2c2..c7c1c35 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -185,7 +185,11 @@ fill_default_server_options(ServerOptions *options)
 if (options->gss_cleanup_creds == -1)
 options->gss_cleanup_creds = 1;
 if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
+#else
 options->password_authentication = 1;
+#endif
 if (options->kbd_interactive_authentication == -1)
 options->kbd_interactive_authentication = 0;
 if (options->challenge_response_authentication == -1)
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 4e3ec31..7dedb84 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -55,8 +55,8 @@
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable PAM authentication
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index dc221e7..cf14589 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
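Review bot: The default at `options->password_authentication = 0;` is selected by the compile-time `USE_PAM` macro alone, so a PAM-capable build whose PAM support is switched off at run time (if this tree has such a switch; none is visible in the hunk) would still start with built-in password authentication disabled. That fails closed, but it silently changes the login methods of any server that relied on the old implicit default, and password prompts may still be reachable through challenge-response, whose default is set just below the hunk and is not shown. A comment above the `#ifdef` would record the intent, for example `/* PAM build: built-in password auth stays off unless sshd_config enables it */`. The unbraced `if` now has its body chosen by the preprocessor; writing `if (options->password_authentication == -1) {` with a closing `}` after `#endif` keeps a later edit from binding a statement to the wrong branch. fill_default_server_options starts and ends outside the hunk.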
@@ -436,6 +436,10 @@ are refused if the number of unauthenticated connections reaches
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
 .Dq yes .
 Note that if
 .Cm ChallengeResponseAuthentication
-- 
cgit v1.1