sshd_config: clarify password authentication options

Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272
2022-05-25 09:32:57 -04:00 · 2022-05-25 09:32:57 -04:00 · 9f009e066f
commit 9f009e066f
parent 57317c8971
2 changed files with 3 additions and 0 deletions
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@ -57,6 +57,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes

 # Change to yes to enable built-in password authentication.
+# Note that passwords may also be accepted via KbdInteractiveAuthentication.
 #PasswordAuthentication no
 #PermitEmptyPasswords no

--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@ -1278,6 +1278,8 @@ The default is
 .Pa /etc/moduli .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
+Note that passwords may also be accepted via
+.Cm KbdInteractiveAuthentication .
 See also
 .Cm UsePAM .
 The default is