LWN: Comments on "What's new in OpenSSH 6.2"
http://lwn.net/Articles/544640/
This is a special feed containing comments posted to the individual LWN article titled "What's new in OpenSSH 6.2".

What's new in OpenSSH 6.2
http://lwn.net/Articles/545682/rss
2013-04-03T15:01:31+00:00
nix

OK. On further investigation, if you are using PAM, then the password authentication method will always use it -- but if you're using keyboard-interactive, then (as the default config file somewhat confusingly suggests, without mentioning keyboard-interactive at all) PAM's account and session checks will run but PAM will not be given the opportunity to actually ask you for a password. The advantage of all this over turning on PasswordAuthentication is... somewhat opaque to me. I guess keyboard-interactive can be used for more intricate protocols, but none appear to exist other than S/Key yet, and it doesn't seem likely that many will be added as long as PAM exists, since PAM is useful for lots of non-ssh uses as well.

What's new in OpenSSH 6.2
http://lwn.net/Articles/545681/rss
2013-04-03T14:24:16+00:00
nix

Hm, is there any evidence that specifying submethods after a colon works? I can't see an implementation of that in the code, it's not documented in the manpage, and trying to use it gives

    error: Unknown authentication method "keyboard-interactive:pam" in list
    fatal: reprocess config line 105: invalid authentication method list.

which seems pretty conclusive.

(FWIW, the undocumented keyword "KbdInteractiveAuthentication yes" might also be necessary. It is documented as working in Match blocks but is nowhere else documented. Its default value appears to be 0, which is hard to square with keyboard-interactive authentication apparently working when password auth is turned on. Maybe PAM is a kind of password auth? The difference between password and keyboard-interactive is extremely opaque to me.)

What's new in OpenSSH 6.2
http://lwn.net/Articles/544957/rss
2013-03-28T16:07:05+00:00
nix

AuthenticationMethods is awesome, of course, and has on its own got me to splash out on a Yubikey, now that I can use it in combination with challenge-response authentication. But the really interesting thing, I think, is KRLs. Now it becomes clear just why someone might want to use certificates rather than straight keys... there's no equivalent for straight keys of zapping certificates by serial number, nor could there be.