On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> On 24/09/2004 Christian Guggenberger wrote:
> > well, you can enable PAM, but you then need to disable ChallengeResponse
> > Authentication (enabled by default).
> > This will prevent root logins with password when 'without-password' is set.
> > Keep in mind that in this case passwords will go encrypted over the net.
>
> well, i forgot ...
> you _always_ have to turn on PasswordAuthentication, to still allow
> normal users logins, that's the relevant point. the setting of
> ChallengeResponseAuthentication doesn't matter for that issue.
>

well, that's not true. Even with PasswordAuthentication set no, "normal" users will be allowed in with their passwords via ChallengeResponse Authentication/PAM. In that case ChallengeResponseAuthentication really _does_ matter.
But, as discussed earlier, then you have to disallow root logins completely via ssh - the "without-password" option is not as fine granulated as should/could be; it does not distinguish between ssh rsa/dsa keys and s/keys. I think upstream is working on a finer granulated scheme for that option. (i don't have the related openssh bugID handy, sorry)

cheers.
 - Christian
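
The option interaction discussed in this thread, as an added example that is not part of the original messages: a Python check that reads the global section of an sshd_config and reports which password-based paths stay open for normal users and for root. It models the behaviour as the posters describe it for the OpenSSH of that time; the defaults, function names and sample configs are assumptions constructed for illustration.

```python
# Added example. Models sshd option interaction as described in this thread.
DEFAULTS = {  # assumed; the thread only says ChallengeResponse is on by default
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

def parse_sshd_config(text):
    """Global settings only; sshd keeps the first value seen per keyword."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional blocks are not modelled
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), value)
    return {**DEFAULTS, **opts}

def audit(text):
    """Report which password-based paths stay open for users and for root."""
    o = parse_sshd_config(text)
    users = []
    if o["passwordauthentication"] == "yes":
        users.append("password")
    # PAM behind challenge-response still asks for the account password.
    # Other challenge-response backends (e.g. S/Key) are not modelled here.
    if o["challengeresponseauthentication"] == "yes" and o["usepam"] == "yes":
        users.append("challenge-response/PAM")
    if o["permitrootlogin"] in ("no", "forced-commands-only"):
        root = []
    elif o["permitrootlogin"] == "without-password":
        # Per the thread: only the plain password method is refused for root.
        root = [p for p in users if p != "password"]
    else:
        root = list(users)
    return {"users": users, "root": root}

# Constructed sample configs (not taken from a real host).
THREAD_CASE = ("UsePAM yes\nPasswordAuthentication no\n"
               "ChallengeResponseAuthentication yes\nPermitRootLogin without-password\n")
SUGGESTED = ("UsePAM yes\nPasswordAuthentication yes\n"
             "ChallengeResponseAuthentication no\nPermitRootLogin without-password\n")

if __name__ == "__main__":
    for name, cfg in (("thread case", THREAD_CASE), ("suggested", SUGGESTED)):
        print(name, audit(cfg))
```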

