git: ce8133a5218b - stable/13 - sshd_config: clarify password authentication options

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Thu, 16 Jun 2022 12:51:45 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=ce8133a5218b1f0e3ed17579029fcb12be93cf2d

commit ce8133a5218b1f0e3ed17579029fcb12be93cf2d
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-05-25 13:32:57 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-06-16 12:50:23 +0000

    sshd_config: clarify password authentication options
    
    Passwords may be accepted by both the PasswordAuthentication and
    KbdInteractiveAuthentication authentication schemes.  Add a reference to
    the latter in the description/comment for PasswordAuthentication, as it
    otherwise may seem that "PasswordAuthentication no" implies passwords
    will be disallowed.
    
    This situation should be clarified with more extensive documentation on
    the authentication schemes and configuration options, but that should be
    done in coordination with upstream OpenSSH.  This is a minimal change
    that will hopefully clarify the situation without requiring an extensive
    local patch set.
    
    PR:             263045
    Reviewed by:    manu (earlier version)
    MFC after:      2 weeks
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35272
    
    (cherry picked from commit 9f009e066f088e2c31442db31d2a85001040abfe)
---
 crypto/openssh/sshd_config   | 1 +
 crypto/openssh/sshd_config.5 | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 00b6c4366526..2ef36f63ae62 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -58,6 +58,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # Change to yes to enable built-in password authentication.
+# Note that passwords may also be accepted via KbdInteractiveAuthentication.
 #PasswordAuthentication no
 #PermitEmptyPasswords no
 
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 527f3d4bb46e..8d748da9a552 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1277,6 +1277,8 @@ The default is
 .Pa /etc/moduli .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
+Note that passwords may also be accepted via
+.Cm KbdInteractiveAuthentication .
 See also
 .Cm UsePAM .
 The default is