Page MenuHomeFreeBSD
Differential D35272

sshd: attempt to clarify PasswordAuthentication
ClosedPublic
Actions

Authored by emaste on May 20 2022, 2:20 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 6 2024, 5:34 AM
Unknown Object (File)
Sep 30 2024, 1:46 AM
Unknown Object (File)
Sep 18 2024, 10:10 AM
Unknown Object (File)
Sep 16 2024, 8:30 PM
Unknown Object (File)
Sep 16 2024, 3:49 AM
Unknown Object (File)
Sep 5 2024, 12:46 PM
Unknown Object (File)
Sep 5 2024, 8:23 AM
Unknown Object (File)
Aug 24 2024, 4:14 AM
View All 60 Files
Subscribers
imp
manu

Details

Reviewers
manu
Commits
rGa5e7c28b9b84: sshd_config: clarify password authentication options
rGce8133a5218b: sshd_config: clarify password authentication options
rG9f009e066f08: sshd_config: clarify password authentication options
Summary

As reported in PR263045 the PasswordAuthentication option is unclear. Based on the name users expect that it enables or disables the use of passwords for authentication in general, rather than specifically RFC 4252 password authentication. Passwords can also be used with RFC 4256 KbdInteractiveAuthentication, which we use by default on FreeBSD.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

emaste requested review of this revision.May 20 2022, 2:20 PM
emaste created this revision.
manu accepted this revision.May 24 2022, 7:23 PM
manu added a subscriber: manu.

I remember being confused a long time ago with this so +1 :)

This revision is now accepted and ready to land.May 24 2022, 7:23 PM
emaste added inline comments.May 25 2022, 1:26 PM
crypto/openssh/sshd_config
59–60

Some twitter commenters did not like including the RFCs here and I basically agree; I added them to try to indicate that this is a specific type of "password" authentication, not the use of passwords in general. Perhaps instead just add a comment here "Passwords may also be accepted via KbdInteractiveAuthentication."

emaste updated this revision to Diff 106366.May 25 2022, 1:36 PM

Drop RFC numbers, just make reference to KbdInteractiveAuthentication from PasswordAuthentication description/comment.

This revision now requires review to proceed.May 25 2022, 1:36 PM
emaste added inline comments.May 25 2022, 1:46 PM
crypto/openssh/sshd_config.5
1285

Perhaps add here:

Without PAM, PasswordAuthentication uses built-in master.passwd authentication.
With PAM, PasswordAuthentication uses the PAM modules configured for the "sshd" service.

but we need to expand the KbdInteractiveAuthentication description as well to indicate that it requires PAM.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 8 2022, 8:28 PM
Closed by commit rG9f009e066f08: sshd_config: clarify password authentication options (authored by emaste). · Explain Why
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rG9f009e066f08: sshd_config: clarify password authentication options.
Herald added a subscriber: imp. · View Herald TranscriptJun 8 2022, 8:28 PM
emaste added a commit: rGce8133a5218b: sshd_config: clarify password authentication options.Jun 16 2022, 12:53 PM
emaste added a commit: rGa5e7c28b9b84: sshd_config: clarify password authentication options.Jun 16 2022, 1:38 PM

Revision Contents
Changeset List

PathSize
crypto/
openssh/
1 line
2 lines

Diff 106780

View Options

crypto/openssh/sshd_config

Loading...
View Options

crypto/openssh/sshd_config.5

Loading...