[Bug 263045] sshd allows password logins when "PasswordAuthentication no" is set

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 18 May 2022 15:12:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263045

Ed Maste <emaste@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emaste@freebsd.org

--- Comment #8 from Ed Maste <emaste@freebsd.org> ---
This (unfortunately) functions as expected, perhaps due to a poor choice of
option names.

PasswordAuthentication controls use of sshd's built-in password authentication
code, not the ability to login with a password in general.

KbdInteractiveAuthentication (formerly known as
ChallengeResponseAuthentication) queries the user and collects their input
(hence challenge & response) - this could involve a password, or it could be
some other scheme.

From ssh's perspective, with PasswordAuthentication no and
KbdInteractiveAuthentication yes you are not using a password, you're using
some interactive authentication that is opaque to sshd itself.

The existing defaults are as desired, although it may be that sshd_config(5)
and/or the comments in sshd_config itself need to be more clear. At least the
man page description for PasswordAuthentication should be explicit about
controlling sshd's built-in password support, not "password authentication".

There is a hint about this in the UsePAM description in sshd_config(5)

    Because PAM keyboard-interactive authentication usually serves an
    equivalent role to password authentication, you should disable
    either PasswordAuthentication or KbdInteractiveAuthentication.

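The point of the comment above is that two separate knobs, plus UsePAM, decide whether a password can still get someone in. The script below is an added example, not part of the bug report and not OpenSSH code: it reads the global section of an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored, stop at the first Match block) and reports whether any password path remains. The three config fragments are constructed for the example. It assumes the "Keyword value" form rather than "Keyword=value", uses the sshd_config(5) defaults (PasswordAuthentication yes, KbdInteractiveAuthentication yes, UsePAM no), and assumes the keyboard-interactive backend is PAM, as on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): does the global section
# of an sshd_config still leave a password-based login path open?
set -u

# Effective value of a keyword in the global section of an sshd_config:
# first occurrence wins (as in sshd), keyword match is case-insensitive,
# comments and blank lines are skipped, parsing stops at the first Match
# block. Prints the default ($3) when the keyword is not set.
# Assumes the "Keyword value" form, not "Keyword=value".
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Exit 0 if sshd would still accept some form of password login.
# PasswordAuthentication only governs sshd's built-in password code.
# KbdInteractiveAuthentication (formerly ChallengeResponseAuthentication)
# needs a backend; the one assumed here is PAM (UsePAM yes), whose usual
# keyboard-interactive conversation is a plain password prompt.
password_login_possible() {
    cfg=$1
    pw=$(sshd_opt "$cfg" PasswordAuthentication yes)
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication "")
    # Fall back to the deprecated spelling; both default to yes.
    [ -n "$kbd" ] || kbd=$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)
    pam=$(sshd_opt "$cfg" UsePAM no)

    if [ "$pw" = yes ]; then
        echo "$cfg: built-in password authentication enabled"
        return 0
    fi
    if [ "$kbd" = yes ] && [ "$pam" = yes ]; then
        echo "$cfg: keyboard-interactive via PAM enabled (password prompt)"
        return 0
    fi
    echo "$cfg: no password login path in the global section"
    return 1
}

dir=$(mktemp -d)
WEAK=$dir/sshd_config.weak
HARDENED=$dir/sshd_config.hardened
LEGACY=$dir/sshd_config.legacy

# Constructed: the reporter's situation. PasswordAuthentication is off, but
# KbdInteractiveAuthentication is left at its default (yes) and UsePAM is on.
cat > "$WEAK" <<'EOF'
PasswordAuthentication no
#KbdInteractiveAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF

# Constructed: both password paths off, as the UsePAM hint in sshd_config(5)
# advises.
cat > "$HARDENED" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

# Constructed: the same hardening written with the deprecated keyword name.
cat > "$LEGACY" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

for f in "$WEAK" "$HARDENED" "$LEGACY"; do
    password_login_possible "$f" || true
done
```

The file parser is only there so the example runs offline; on a real host the authoritative check is `sshd -T`, which prints the fully resolved configuration (including defaults and the deprecated alias mapped to its current name), so grep its output for `passwordauthentication`, `kbdinteractiveauthentication` and `usepam` rather than reading the config by hand.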