git: a5e7c28b9b84 - stable/12 - sshd_config: clarify password authentication options

From: Ed Maste <>
Date: Thu, 16 Jun 2022 13:38:22 UTC
The branch stable/12 has been updated by emaste:


commit a5e7c28b9b84b81bbb8a8242ae44cc073b0103dc
Author:     Ed Maste <>
AuthorDate: 2022-05-25 13:32:57 +0000
Commit:     Ed Maste <>
CommitDate: 2022-06-16 13:37:36 +0000

    sshd_config: clarify password authentication options
    Passwords may be accepted by both the PasswordAuthentication and
    KbdInteractiveAuthentication authentication schemes.  Add a reference to
    the latter in the description/comment for PasswordAuthentication, as it
    otherwise may seem that "PasswordAuthentication no" implies passwords
    will be disallowed.
    This situation should be clarified with more extensive documentation on
    the authentication schemes and configuration options, but that should be
    done in coordination with upstream OpenSSH.  This is a minimal change
    that will hopefully clarify the situation without requiring an extensive
    local patch set.
    PR:             263045
    Reviewed by:    manu (earlier version)
    MFC after:      2 weeks
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:
    (cherry picked from commit 9f009e066f088e2c31442db31d2a85001040abfe)
 crypto/openssh/sshd_config   | 1 +
 crypto/openssh/sshd_config.5 | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 00b6c4366526..2ef36f63ae62 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -58,6 +58,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 # Change to yes to enable built-in password authentication.
+# Note that passwords may also be accepted via KbdInteractiveAuthentication.
 #PasswordAuthentication no
 #PermitEmptyPasswords no
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 998d28f8c2e1..2daaa0817bd9 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1278,6 +1278,8 @@ The default is
 .Pa /etc/moduli .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
+Note that passwords may also be accepted via
+.Cm KbdInteractiveAuthentication .
 See also
 .Cm UsePAM .
 The default is