[Bug 263045] sshd allows password logins when "PasswordAuthentication no" is set
Date: Wed, 18 May 2022 15:12:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263045

Ed Maste <emaste@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emaste@freebsd.org

--- Comment #8 from Ed Maste <emaste@freebsd.org> ---
This (unfortunately) functions as expected, perhaps due to a poor choice of
option names.

PasswordAuthentication controls use of sshd's built-in password
authentication code, not the ability to log in with a password in general.

KbdInteractiveAuthentication (formerly known as
ChallengeResponseAuthentication) queries the user and collects their input
(hence challenge & response) - this could involve a password, or it could
be some other scheme.

From ssh's perspective, with PasswordAuthentication no and
KbdInteractiveAuthentication yes you are not using a password, you're using
some interactive authentication that is opaque to sshd itself.

The existing defaults are as desired, although it may be that sshd_config(5)
and/or the comments in sshd_config itself need to be more clear. At least
the man page description for PasswordAuthentication should be explicit
about controlling sshd's built-in password support, not "password
authentication".

There is a hint about this in the UsePAM description in sshd_config(5):

    Because PAM keyboard-interactive authentication usually serves an
    equivalent role to password authentication, you should disable either
    PasswordAuthentication or KbdInteractiveAuthentication.

-- 
You are receiving this mail because:
You are the assignee for the bug.
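As an added example (not part of the bug report and not OpenSSH code), the following shell check reads the effective configuration that `sshd -T` prints and reports whether a password-based login path is still open, including the PasswordAuthentication-no / KbdInteractiveAuthentication-yes / UsePAM-yes combination discussed above. The two sample configurations are constructed.

```sh
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): audit the
# effective sshd configuration, as printed by `sshd -T`, for the case the
# comment describes: PasswordAuthentication is "no" but PAM
# keyboard-interactive authentication still accepts a password.
# The two sample configurations below are constructed, not taken from a host.

# Reads "key value" lines in `sshd -T` output format on stdin, prints a
# verdict and returns 0 when no password path is open, 1 when one is.
check_pw_paths() {
    awk '
    { key = tolower($1); val = tolower($2) }
    key == "passwordauthentication"          { pw  = val }
    key == "kbdinteractiveauthentication"    { kbd = val }
    key == "challengeresponseauthentication" { cr  = val }   # pre-8.7 name
    key == "usepam"                          { pam = val }
    END {
        if (kbd == "") kbd = cr   # older sshd -T prints only the old name
        reason = ""
        if (pw == "yes") { reason = "built-in PasswordAuthentication is enabled" }
        else if (kbd == "yes" && pam == "yes") {
            reason = "PAM keyboard-interactive still accepts passwords"
        }
        if (reason != "") { print "OPEN: " reason; exit 1 }
        print "CLOSED: no password-based login path"; exit 0
    }'
}

# Convenience wrapper: audit a configuration held in a string. On a live
# host, run `sshd -T | check_pw_paths` as root instead.
audit_config() { printf '%s\n' "$1" | check_pw_paths; }

# Constructed sample 1: the settings from the bug report.
weak='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# Constructed sample 2: both paths closed, following the sshd_config(5) hint.
# UsePAM stays on so PAM account and session modules still run.
fixed='passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

audit_config "$weak" ||
    echo "  remedy: set KbdInteractiveAuthentication no (or PasswordAuthentication no)"
audit_config "$fixed"
```

The check encodes only the rule quoted from sshd_config(5); keyboard-interactive can also be backed by mechanisms other than PAM (for example BSD auth on OpenBSD), which it does not consider.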