From 9f009e066f088e2c31442db31d2a85001040abfe Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Wed, 25 May 2022 09:32:57 -0400 Subject: [PATCH] sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 --- crypto/openssh/sshd_config | 1 + crypto/openssh/sshd_config.5 | 2 ++ 2 files changed, 3 insertions(+) diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 956a4bd7d7af..84250a46a6d6 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -57,6 +57,7 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # Change to yes to enable built-in password authentication. +# Note that passwords may also be accepted via KbdInteractiveAuthentication. #PasswordAuthentication no #PermitEmptyPasswords no diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index e8b835be3d38..b842b205182c 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -1278,6 +1278,8 @@ The default is .Pa /etc/moduli . .It Cm PasswordAuthentication Specifies whether password authentication is allowed. +Note that passwords may also be accepted via +.Cm KbdInteractiveAuthentication . See also .Cm UsePAM . The default is