sshd_config: clarify password authentication options

Passwords may be accepted by both the PasswordAuthentication and
KbdInteractiveAuthentication authentication schemes.  Add a reference to
the latter in the description/comment for PasswordAuthentication, as it
otherwise may seem that "PasswordAuthentication no" implies passwords
will be disallowed.

This situation should be clarified with more extensive documentation on
the authentication schemes and configuration options, but that should be
done in coordination with upstream OpenSSH.  This is a minimal change
that will hopefully clarify the situation without requiring an extensive
local patch set.

PR:		263045
Reviewed by:	manu (earlier version)
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35272
Ed Maste 2022-05-25 09:32:57 -04:00
parent 57317c8971
commit 9f009e066f
2 changed files with 3 additions and 0 deletions


@ -57,6 +57,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# Change to yes to enable built-in password authentication. # Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no #PasswordAuthentication no
#PermitEmptyPasswords no #PermitEmptyPasswords no
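Review bot: The added comment above `#PasswordAuthentication no` states that passwords may also be accepted via KbdInteractiveAuthentication but does not say what to change, and this sample file is where an administrator turning passwords off will be reading. Consider phrasing it as an instruction, for example `# To refuse passwords entirely, also set KbdInteractiveAuthentication no.`, so the line cannot be read as purely informational next to "Change to yes to enable built-in password authentication."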


@ -1278,6 +1278,8 @@ The default is
.Pa /etc/moduli . .Pa /etc/moduli .
.It Cm PasswordAuthentication .It Cm PasswordAuthentication
Specifies whether password authentication is allowed. Specifies whether password authentication is allowed.
Note that passwords may also be accepted via
.Cm KbdInteractiveAuthentication .
See also See also
.Cm UsePAM . .Cm UsePAM .
The default is The default is