the new 3.7.x series has updated the default settings/values/etc. of the
sshd_config file. this is just a heads-up to make sure that in your rush to
update all your ssh servers, you didn't miss a step and accidentally open up
your server to previously unauthorized access.

(1) default PAM setting has been changed to YES
(1a) the keyword for toggling PAM auth has been changed from
'PAMAuthenticationViaKbdInt' to 'UsePAM'

(2) if you disabled (set it to no) the PasswordAuthentication feature before
so as to prevent users from logging in with a password (say you only wanted
them to utilize keys), then you must explicitly set UsePAM to no, otherwise
the PasswordAuthentication step will be bypassed by PAM

(3) if you use PasswordAuthentication and PAM (the default config file does
this), then users may now be authenticated via either option. you may notice
this when you attempt to log in, fail password checking 3 times, and suddenly
get a different prompt. this is because the first check (via PAM) failed and
ssh is now falling back to password authentication.
PAM authentication gives you this prompt:
    Password:
PasswordAuthentication gives you this prompt:
    UserBah@rux0r's password:

i think that about covers it ... some people may be annoyed by this
e-mail, others may thank Gentoo devs for it ... just remember:
(1) we all love security (more security, less rooting == better world)
(2) knowledge is half the battle!

-mike
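An added audit script (not part of the e-mail above, and not a Gentoo or OpenSSH tool) that parses an sshd_config and flags the two pitfalls mike describes: a leftover 'PAMAuthenticationViaKbdInt' keyword, and 'PasswordAuthentication no' without an explicit 'UsePAM no' (the 3.7.x default of UsePAM yes is assumed). The sample configs are constructed for illustration.

```python
"""Audit sshd_config text for the OpenSSH 3.7.x UsePAM / PasswordAuthentication pitfall."""

# Constructed sample: a 3.6.x-era key-only config copied forward unchanged.
LEGACY_KEY_ONLY = """\
# admin intended key-only logins
PasswordAuthentication no
PAMAuthenticationViaKbdInt no
"""

# Constructed sample: the same intent expressed correctly for 3.7.x.
FIXED_KEY_ONLY = """\
PasswordAuthentication no
UsePAM no
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}; sshd keeps the first value it sees for a keyword."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        directives.setdefault(key, value)
    return directives


def audit(text):
    """Return a list of findings; an empty list means no pitfall was detected."""
    d = parse_sshd_config(text)
    findings = []
    usepam = d.get("usepam", "yes")  # assumption: 3.7.x default, per the e-mail
    pwauth = d.get("passwordauthentication", "yes")
    if "pamauthenticationviakbdint" in d:
        findings.append("obsolete keyword PAMAuthenticationViaKbdInt: use UsePAM instead")
    if pwauth == "no" and usepam != "no":
        findings.append("PasswordAuthentication no but UsePAM is not 'no': "
                        "PAM can still accept passwords; set 'UsePAM no'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_KEY_ONLY), ("fixed", FIXED_KEY_ONLY)):
        print(name, audit(cfg) or "ok")
```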