[Bug 263045] sshd password configuration options are unclear

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 18 May 2022 21:22:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263045

--- Comment #11 from donaldcallen@gmail.com ---
(In reply to Marek Zarychta from comment #10)
And people commenting on bug reports should learn to read.

Ah, the old RTFM trick. Well what if the FM doesn't provide the necessary
information or is just plain wrong?

"PasswordAuthentication no" in most languages, English included, means no
password authentication.

As for another part of your snotty message, man 5 sshd_config says:
"     PasswordAuthentication
             Specifies whether password authentication is allowed.  See also
             UsePAM.  The default is no.
"

The first sentence of that is pretty definitive, implying that this setting
determines whether password authentication is allowed. It doesn't. So let's
look at UsePAM:

" UsePAM  Enables the Pluggable Authentication Module interface.  If set to
             yes this will enable PAM authentication using
             KbdInteractiveAuthentication and PasswordAuthentication in
             addition to PAM account and session module processing for all
             authentication types.

             Because PAM keyboard-interactive authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or KbdInteractiveAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user.  The default is yes."

If you think this is documentation understandable by anyone other than the
person who wrote the code, then we have nothing else to talk about. We probably
don't anyway.

What I am wasting my time requesting here is a CLEAR INDICATION in the default
sshd_config as to how to enable or disable password authentication. And I
repeat -- Dragonfly gets this right. Matt and Co. have done the sensible thing
here. And I would remind you that this is a security issue.

But typically, trying to convince you people to make a small DOCUMENTATION
change is like pulling teeth. I can only imagine what it would be like if I
wanted you to change a line of code. This is a typical example of what gets me
crazy about FreeBSD, despite the system's many virtues. It always feels like
dealing with a big, stupid committee that just can't make sensible decisions.

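Added example, not part of the bug report or of FreeBSD's own code: a check that reads effective settings in the lowercase "keyword value" form printed by `sshd -T` and reports every path that can still end in a password prompt, so that "PasswordAuthentication no" is never audited in isolation. The function names and sample settings are constructed, and treating keyboard-interactive as a password path only when UsePAM is yes is an assumption taken from the UsePAM text quoted above.

```sh
#!/bin/sh
# Added example: audit which sshd settings still allow a password-style login.
# Input is text in the form printed by `sshd -T` (one "keyword value" per line).

# get_opt CONFIG KEYWORD: print the first value set for KEYWORD, lowercased.
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# password_login_paths CONFIG: print the enabled password-style paths, or "none".
password_login_paths() {
    cfg=$1
    pw=$(get_opt "$cfg" passwordauthentication)
    kbd=$(get_opt "$cfg" kbdinteractiveauthentication)
    # Releases before OpenSSH 8.7 report this option under its older name.
    if [ -z "$kbd" ]; then
        kbd=$(get_opt "$cfg" challengeresponseauthentication)
    fi
    pam=$(get_opt "$cfg" usepam)

    paths=""
    if [ "$pw" = yes ]; then
        paths="password"
    fi
    # Assumption: keyboard-interactive prompts for a password only through PAM.
    if [ "$kbd" = yes ] && [ "$pam" = yes ]; then
        paths="${paths:+$paths }keyboard-interactive/pam"
    fi
    printf '%s\n' "${paths:-none}"
}

# Constructed sample: password auth is "no", yet PAM still offers a prompt.
SAMPLE_PAM='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# Constructed sample: both password-style paths are switched off.
SAMPLE_OFF='passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

echo "sample 1: $(password_login_paths "$SAMPLE_PAM")"
echo "sample 2: $(password_login_paths "$SAMPLE_OFF")"
```

On a live host, run it as root with `password_login_paths "$(sshd -T)"`.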