Revert "sshd(8): Add USE_PAM handling defaults."
authorMatthew Dillon <dillon@apollo.backplane.com>
Tue, 18 Jun 2019 18:49:32 +0000 (11:49 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Tue, 18 Jun 2019 18:49:32 +0000 (11:49 -0700)
We really did not intend to turn on passworded logins or pam by default.
They need to be turned off by default so the sshd_config is secure by
default.  PAM generally allows passworded logins which we do not consider
secure by default.

This reverts commit 19523637df5f6eb42b41f3dee51bd5d7c25d2219.

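--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -276,11 +276,7 @@ fill_default_server_options(ServerOptions *options)
 
        /* Portable-specific options */
        if (options->use_pam == -1)
-#ifdef USE_PAM
-               options->use_pam = 1;
-#else
                options->use_pam = 0;
-#endif
 
        /* Standard Options */
        if (options->num_host_key_files == 0) {
@@ -360,11 +356,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->gss_strict_acceptor == -1)
                options->gss_strict_acceptor = 1;
        if (options->password_authentication == -1)
-#ifdef USE_PAM
-               options->password_authentication = 0;
-#else
                options->password_authentication = 1;
-#endif
        if (options->kbd_interactive_authentication == -1)
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)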
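Review bot: In the second hunk the restored fallback is `options->password_authentication = 1;`, so a configuration that omits PasswordAuthentication still accepts password logins, which does not match the commit message's statement that passworded logins should be off by default. Password logins are then disabled only if the shipped sshd_config sets `PasswordAuthentication no` explicitly; that file is not part of this commit, so this needs confirming. If the built-in default is meant to be the secure one, the line should read `options->password_authentication = 0;`; otherwise a comment above it such as `/* built-in fallback only; the shipped sshd_config must set PasswordAuthentication no */` would record the dependency. The first hunk's `options->use_pam = 0;` does match the stated intent. fill_default_server_options starts and ends outside both hunks.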