From 8505ccf025b444620366803d6138f283e5a611b7 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Fri, 25 Nov 2016 15:08:29 -0500
Subject: Disable PAM when using only key-based authentication, otherwise
 keyboard-interactive fails. Fixes #6963

---
 src/etc/sshd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/etc/sshd b/src/etc/sshd
index be410a7..23351d8 100755
--- a/src/etc/sshd
+++ b/src/etc/sshd
@@ -139,6 +139,7 @@ if (isset($config['system']['ssh']['sshdkeyonly'])) {
 	$sshconf .= "ChallengeResponseAuthentication no\n";
 	$sshconf .= "PasswordAuthentication no\n";
 	$sshconf .= "PubkeyAuthentication yes\n";
+	$sshconf .= "UsePAM no\n";
 } else {
 	$sshconf .= "# Login via Key and Password\n";
 	$sshconf .= "ChallengeResponseAuthentication yes\n";
@@ -146,7 +147,6 @@ if (isset($config['system']['ssh']['sshdkeyonly'])) {
 	$sshconf .= "PubkeyAuthentication yes\n";
 }
 $sshconf .= "UseDNS no\n";
-$sshconf .= "UsePAM no\n";
 $sshconf .= "LoginGraceTime 30s\n";
 /* Hide FreeBSD version */
 $sshconf .= "VersionAddendum none\n";
-- 
cgit v1.1