Turn non-PAM password authentication off by default when USE_PAM is

defined.  Too many users are getting bitten by it.

crypto/openssh/servconf.c

@@ -185,7 +185,11 @@ fill_default_server_options(ServerOptions *options)
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->password_authentication == -1)
+#ifdef USE_PAM
+		options->password_authentication = 0;
+#else
 		options->password_authentication = 1;
+#endif
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)

crypto/openssh/sshd_config

@@ -55,8 +55,8 @@
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable PAM authentication

crypto/openssh/sshd_config.5

@@ -436,6 +436,10 @@ are refused if the number of unauthenticated connections reaches
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
 .Dq yes .
 Note that if
 .Cm ChallengeResponseAuthentication