[Bug 263045] sshd allows password logins when "PasswordAuthentication no" is set

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 05 Apr 2022 13:09:34 UTC

--- Comment #4 from donaldcallen@gmail.com ---
(In reply to Marek Zarychta from comment #3)

As I said in my original post, "Setting "PasswordAuthentication no" in
/etc/ssh/sshd_config does not disable password logins. To accomplish that,
"KbdInteractiveAuthentication no" must be set ("yes" is the default).". So the
answer to your question "Can't you disable password authentication in
13.1-RC1?" is yes, I can.

The answer to your question "What's the real problem here?" is that
"PasswordAuthentication" with a default setting of "no" says pretty explicitly
that password authentication is off by default. Except it isn't. You also have
to disable KbdInteractiveAuthentication.

And, as I've also already pointed out, FreeBSD relative DragonFlyBSD does the
sensible thing here -- "PasswordAuthentication no" means
"PasswordAuthentication no".

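An audit check for the behaviour described in this comment, as an added example that is not part of the bug report or of OpenSSH/FreeBSD code. The function names and sample configs are constructed for illustration, and the defaults are the ones stated in the report for 13.1-RC1; confirm the live values with `sshd -T`.

```python
# Defaults as stated in the bug report for FreeBSD 13.1-RC1 (assumption; other
# platforms and builds differ, so verify with `sshd -T` on the target host).
DEFAULTS = {"passwordauthentication": "no", "kbdinteractiveauthentication": "yes"}
# Deprecated keyword that sshd still accepts as an alias for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_globals(config_text):
    """Return the effective global values of the two options.

    Keywords are case-insensitive and sshd keeps the first value it sees for
    each one. Include files and Match blocks are not evaluated here.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted forms.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":  # everything after Match is conditional, not global
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) == 2:
            value = parts[1].split()[0].strip('"').lower()
            seen.setdefault(key, value)  # first occurrence wins
    return {**DEFAULTS, **seen}


def password_login_paths(config_text):
    """List the auth methods that, per the report, still allow password logins."""
    eff = effective_globals(config_text)
    paths = []
    if eff["passwordauthentication"] == "yes":
        paths.append("password")
    if eff["kbdinteractiveauthentication"] == "yes":
        paths.append("keyboard-interactive")
    return paths


# Constructed sample configs (not taken from the bug report).
REPORTED = "# only the option named in the bug title\nPasswordAuthentication no\n"
HARDENED = "PasswordAuthentication no\nKbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("hardened", HARDENED)):
        print(name, "->", password_login_paths(cfg) or "no password login path")
```

A `Match` block can re-enable either option for specific users or hosts, so an empty result here covers only the global section of the file.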