Hi, Please Cc: me when replying, as I'm not subscribed. Thanks. In the sshd_config(5) manpage, one can find: % UsePAM Enables the Pluggable Authentication Module interface. If set to % ``yes'' this will enable PAM authentication using % ChallengeResponseAuthentication and PasswordAuthentication in % addition to PAM account and session module processing for all % authentication types. % % Because PAM challenge-response authentication usually serves an % equivalent role to password authentication, you should disable % either PasswordAuthentication or ChallengeResponseAuthentication. I don't understand the logic of this. I mean, I see PAM authentification as a method in itself. I don't understand why it needs that either ChallengeResponseAuthentication or PasswordAuthentication has to be enabled. I think I miss something, a clarification would be welcome! For instance, I've tried the following configuration in pam.d/sshd with OpenSSH 4.4: % auth required pam_nologin.so no_warn % auth required pam_skey.so In sshd_config(5): % PasswordAuthentication no % ChallengeResponseAuthentication yes % UsePam yes And I get the following prompt: % jarjarbinks:tataz$ ssh ... % Password [ otp-md5 98 pwnd1234 ]: <- pam_skey % otp-md5 98 pwnd1234 % S/Key Password: <- OpenSSH If I disable ChallengeResponseAuthentication, PAM isn't used anymore as stated in the manpage. Why? How can I avoid getting only pam_skey's prompt? Thanks you. Best regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org >
