mirror of
https://git.FreeBSD.org/ports.git
synced 2025-01-08 06:48:28 +00:00
5ef0f821ec
- Disable temporary HPN patch until HPN release new version.
- Fix rc.d script path in sshd.8
- Add FreeBSD-${PKGNAME} in SSH_VERSION and SSH_RELEASE like src does.
- Sync patches with src.
Security: CVE-2006-4924, CVE-2006-5051
91 lines
2.2 KiB
Groff
91 lines
2.2 KiB
Groff
--- sshd_config.5.orig Tue Aug 29 22:06:34 2006
|
|
+++ sshd_config.5 Sat Sep 30 10:39:07 2006
|
|
@@ -169,9 +170,16 @@
|
|
By default, no banner is displayed.
|
|
.It Cm ChallengeResponseAuthentication
|
|
Specifies whether challenge-response authentication is allowed.
|
|
-All authentication styles from
|
|
-.Xr login.conf 5
|
|
-are supported.
|
|
+Specifically, in
|
|
+.Fx ,
|
|
+this controls the use of PAM (see
|
|
+.Xr pam 3 )
|
|
+for authentication.
|
|
+Note that this affects the effectiveness of the
|
|
+.Cm PasswordAuthentication
|
|
+and
|
|
+.Cm PermitRootLogin
|
|
+variables.
|
|
The default is
|
|
.Dq yes .
|
|
.It Cm Ciphers
|
|
@@ -554,7 +560,22 @@
|
|
.It Cm PasswordAuthentication
|
|
Specifies whether password authentication is allowed.
|
|
The default is
|
|
+.Dq no ,
|
|
+unless
|
|
+.Nm sshd
|
|
+was built without PAM support, in which case the default is
|
|
.Dq yes .
|
|
+Note that if
|
|
+.Cm ChallengeResponseAuthentication
|
|
+is
|
|
+.Dq yes ,
|
|
+and the PAM authentication policy for
|
|
+.Nm sshd
|
|
+includes
|
|
+.Xr pam_unix 8 ,
|
|
+password authentication will be allowed through the challenge-response
|
|
+mechanism regardless of the value of
|
|
+.Cm PasswordAuthentication .
|
|
.It Cm PermitEmptyPasswords
|
|
When password authentication is allowed, it specifies whether the
|
|
server allows login to accounts with empty password strings.
|
|
@@ -597,7 +618,14 @@
|
|
or
|
|
.Dq no .
|
|
The default is
|
|
-.Dq yes .
|
|
+.Dq no .
|
|
+Note that if
|
|
+.Cm ChallengeResponseAuthentication
|
|
+is
|
|
+.Dq yes ,
|
|
+the root user may be allowed in with its password even if
|
|
+.Cm PermitRootLogin is set to
|
|
+.Dq without-password .
|
|
.Pp
|
|
If this option is set to
|
|
.Dq without-password ,
|
|
@@ -704,7 +732,9 @@
|
|
.Dq yes .
|
|
Note that this option applies to protocol version 2 only.
|
|
.It Cm RhostsRSAAuthentication
|
|
-Specifies whether rhosts or /etc/hosts.equiv authentication together
|
|
+Specifies whether rhosts or
|
|
+.Pa /etc/hosts.equiv
|
|
+authentication together
|
|
with successful RSA host authentication is allowed.
|
|
The default is
|
|
.Dq no .
|
|
@@ -814,7 +844,7 @@
|
|
.Xr sshd 8
|
|
as a non-root user.
|
|
The default is
|
|
-.Dq no .
|
|
+.Dq yes .
|
|
.It Cm UsePrivilegeSeparation
|
|
Specifies whether
|
|
.Xr sshd 8
|
|
@@ -839,7 +874,7 @@
|
|
or
|
|
.Dq no .
|
|
The default is
|
|
-.Dq no .
|
|
+.Dq yes .
|
|
.Pp
|
|
When X11 forwarding is enabled, there may be additional exposure to
|
|
the server and to client displays if the
|