Stephen,

On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:

> Hello, I'm confused on a couple of variables in the sshd_config file. I
> have a client that's using that 'other OS' and has an ssh client that he
> likes. However, he wanted me to secure the server as much as possible.
> I've always disabled clear text passwords (PasswordAuthentication no)
> and turned on PAM auth (PAMAuthenticationViaKbdInt yes). That's always
> worked fine for me as I'm using Debian Linux, and I don't actually know
> why I do it other than in the conf file Debian adds a comment above
> telling me to do so, so I do. Well, my client's ssh client app doesn't
> seem to be able to handle PAM auth, so when I disable clear text passes
> it won't let him in, even though I can get in with his account from my
> ssh client. I guess what I'm asking is, "How much of a security risk is
> using regular auth versus PAM?"
I'll assume you're using the OpenSSH version 3.x that's in the Debian testing distribution.

The password will still be sent in the clear; there is a difference in the way the server handles it (that is, it palms off to PAM the responsibility of letting you in) and a difference in the way the client negotiates (IIRC it's nonfunctional if the client doesn't request keyboard-interactive negotiation).

However, if you use PAM auth, then the login process will also pass through PAM's session and account elements; if you have defined any strict login restrictions there, then PasswordAuthentication will bypass them. This may or may not be an issue for you, but otherwise, PasswordAuthentication has equivalent security.

Personally I recommend neither and tell everyone to prefer keys and one-time passwords, but that's another story :)

Joshua
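An added example, not part of the thread: a small audit script that reports which of the two paths discussed above (PasswordAuthentication vs. PAM keyboard-interactive) an sshd_config would actually use. The two config files are constructed samples; it honours sshd's rule that the first occurrence of a keyword wins and that global options end at the first Match block.

```shell
#!/bin/sh
# Constructed sample sshd_config files (not from the thread). CFG_STRICT is
# the questioner's "secure as possible" setup; CFG_FALLBACK is what he would
# have to run for the client that cannot do PAM keyboard-interactive.
CFG_STRICT=$(mktemp); CFG_FALLBACK=$(mktemp)
cat >"$CFG_STRICT" <<'EOF'
Protocol 2
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
# sshd keeps the FIRST value of a keyword; this duplicate is ignored
PasswordAuthentication yes
Match User guest
    PasswordAuthentication yes
EOF
cat >"$CFG_FALLBACK" <<'EOF'
Protocol 2
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
EOF

# sshd_get FILE KEYWORD DEFAULT: effective global value of KEYWORD.
# Keywords are case-insensitive, the first occurrence wins, and global
# settings must precede any Match block, so reading stops at "Match".
sshd_get() {
  val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match"      { exit }
    tolower($1) == key          { print tolower($2); exit }
  ' "$1")
  printf '%s\n' "${val:-$3}"
}

# auth_posture FILE: which password-style path a user would take.
#   password - PasswordAuthentication on: sshd checks the password itself,
#              so PAM account/session restrictions are bypassed (per the reply)
#   kbdint   - password auth off, PAM keyboard-interactive on: login goes
#              through PAM, but the client must support kbd-interactive
#   keys     - neither: only key-based methods remain
auth_posture() {
  if   [ "$(sshd_get "$1" PasswordAuthentication yes)" = yes ];    then echo password
  elif [ "$(sshd_get "$1" PAMAuthenticationViaKbdInt no)" = yes ]; then echo kbdint
  else echo keys
  fi
}

auth_posture "$CFG_STRICT"     # kbdint
auth_posture "$CFG_FALLBACK"   # password
```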

