Board: FB_security
Subject: RE: Opieaccess file, is this normal?
Posting site: NCTU CSIE FreeBSD Server (Thu Jun 24 06:59:42 2004)
Relay path: ptt!FreeBSD.csie.NCTU!not-for-mail
Hi,
Here is the content of /etc/pamd/ssh, it's actually the default, I didn't
change it.
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
account required pam_unix.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass
I just want to point out that I want to keep "unix password authentication"
for the users whose host or network are in opieaccess. "Unix password
authentication" should be disabled for all users present in opiekeys and
whose hosts or network is not present in opieaccess.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: [email protected]
Subject: Re: Opieaccess file, is this normal?
:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my standard
:: unix password.
OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:
ChallengeResponseAuthentication
        Specifies whether challenge-response authentication is allowed.
        Specifically, in FreeBSD, this controls the use of PAM (see
        pam(3)) for authentication. Note that this affects the
        effectiveness of the PasswordAuthentication and PermitRootLogin
        variables. The default is ``yes''.
Does your /etc/pam.conf disable password authentication?
Cheers - Erick
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
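An added example, not part of the original messages: a simplified Python model of how the required / sufficient / requisite control flags combine for the "auth" chain quoted above, showing the outcome that chain gives for the cases described in the thread. Module results are modelled assumptions (the allow_local option and the nologin file are not modelled), the helper names are hypothetical, and the model covers only logins that are actually authenticated through PAM.

```python
# Added example: simplified model of the PAM "auth" chain quoted in the thread.
# Module outcomes are modelled assumptions, not results from real PAM modules.

AUTH_CHAIN = [
    ("required",   "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite",  "pam_opieaccess"),
    ("required",   "pam_unix"),
]

def module_result(module, ctx):
    """Return True (success) or False (failure) for one modelled module."""
    if module == "pam_nologin":
        return True  # assumption: logins are not administratively disabled
    if module == "pam_opie":
        return ctx["in_opiekeys"] and ctx["otp_ok"]
    if module == "pam_opieaccess":
        # Succeeds for non-OPIE users, or when the remote host is listed.
        return (not ctx["in_opiekeys"]) or ctx["host_in_opieaccess"]
    if module == "pam_unix":
        return ctx["unix_password_ok"]
    raise ValueError(module)

def authenticate(ctx, chain=AUTH_CHAIN):
    """Walk the chain applying the three control flags used in the file."""
    failed = False
    for control, module in chain:
        ok = module_result(module, ctx)
        if control == "sufficient" and ok and not failed:
            return True   # success ends the chain early
        if control == "requisite" and not ok:
            return False  # failure ends the chain immediately
        if control == "required" and not ok:
            failed = True  # chain continues, final result is failure
    return not failed

def make_ctx(in_opiekeys, host_in_opieaccess, otp_ok=False, unix_password_ok=True):
    """Constructed login scenario (hypothetical helper)."""
    return dict(in_opiekeys=in_opiekeys, host_in_opieaccess=host_in_opieaccess,
                otp_ok=otp_ok, unix_password_ok=unix_password_ok)

if __name__ == "__main__":
    cases = {
        "OPIE user, host not in opieaccess, Unix password": make_ctx(True, False),
        "OPIE user, host in opieaccess, Unix password": make_ctx(True, True),
        "OPIE user, host not in opieaccess, valid OTP":
            make_ctx(True, False, otp_ok=True, unix_password_ok=False),
        "user not in opiekeys, Unix password": make_ctx(False, False),
    }
    for label, c in cases.items():
        print(f"{label}: {'accepted' if authenticate(c) else 'rejected'}")
```
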