This one time, at band camp, Ernest jw ter Kuile said:
> On Tuesday 10 May 2005 17:46, Adam Skutt wrote:
> > Pete Harlan wrote:
> > > It would be nice if there were a way to have the pam module indicate,
> > > "this failed, and that's final", as distinct from, "this failed so try
> > > something else".
> >
> > There is. Mark the module "requisite", and a failure from it will stop
> > the stack immediately.
>
> Only for pam.
>
> sshd is still free to try something else if pam returns a failure.
>
> but sshd.conf contains the needed flags to limit the authentication methods
>
> doing man sshd_config says something like :
>
> UsePAM = yes
> PasswordAuthentication = no
>
> might do the trick

As well as
PubkeyAuthentication
ChallengeResponseAuthentication
The various Kerberos options, and there used to be a Keyboard one, but I
guess that's deprecated now.

sshd supports quite a few auth mechanisms. If you want only one to be
authoritative, you're going to have to actually disable the others.
This is not a security flaw.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
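
Added example, not part of the original thread: a small Python check that lists which authentication methods the global section of an sshd_config still leaves enabled, run here on the two-line suggestion quoted above. The defaults table, the function names and both sample configs are assumptions constructed for illustration; confirm the defaults against man sshd_config for your OpenSSH version.

```python
# Assumed defaults (stock OpenSSH of that era); verify with man sshd_config.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "hostbasedauthentication": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
}

# Constructed sample: the suggestion quoted in the thread.
QUOTED_SUGGESTION = """\
UsePAM = yes
PasswordAuthentication = no
"""

# Constructed sample: every other mechanism switched off explicitly.
PAM_ONLY = """\
UsePAM yes
PasswordAuthentication no
PubkeyAuthentication no
ChallengeResponseAuthentication yes
"""

def effective_auth(config_text):
    """Return {keyword: value} for the auth keywords in the global section."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Keyword value" and "Keyword = value".
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":
            break  # conditional overrides are out of scope for this check
        if key in DEFAULTS and key not in seen:
            seen[key] = value  # sshd keeps the first value it reads
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def enabled_methods(config_text):
    """Sorted list of auth keywords that are not set to 'no'."""
    return sorted(k for k, v in effective_auth(config_text).items() if v != "no")

if __name__ == "__main__":
    print("quoted suggestion leaves:", enabled_methods(QUOTED_SUGGESTION))
    print("explicit config leaves:  ", enabled_methods(PAM_ONLY))
```

On a live host, `sshd -T` prints the configuration sshd itself computes and is the authoritative check.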