From: E. K. <E.K...@fz...> - 2011-10-20 12:50:58

Hi,

I use sshfs with pam_mount.
Because some users use PasswordAuthentication, I have to set the
option password_stdin in pam_mount.conf.
But other users log in without a password and want to use PubkeyAuthentication.

The problem is that PubkeyAuthentication does not work with the
password_stdin option, because in sshfs.c, function "read_password",
the options "-oPreferredAuthentications=password,keyboard-interactive"
are added to the ssh parameters.

If I remove the command
ssh_add_arg("-oPreferredAuthentications=password,keyboard-interactive");
EVERYTHING works fine!
PubkeyAuthentication then works and PasswordAuthentication still
works, too.

So I think it would be better to generally remove that line.

Best regards,
Eberhard

From: Miklos S. <mi...@sz...> - 2011-10-21 14:17:36

"E. Kuemmerle" <E.K...@fz...> writes:

> Hi,
>
> I use sshfs with pam_mount.
> Because some users use PasswordAuthentication, I have to set the
> option password_stdin in pam_mount.conf.
> But other users log in without a password and want to use PubkeyAuthentication.
>
> The problem is that PubkeyAuthentication does not work with the
> password_stdin option, because in sshfs.c, function "read_password",
> the options "-oPreferredAuthentications=password,keyboard-interactive"
> are added to the ssh parameters.
>
> If I remove the command
> ssh_add_arg("-oPreferredAuthentications=password,keyboard-interactive");
> EVERYTHING works fine!
> PubkeyAuthentication then works and PasswordAuthentication still
> works, too.
>
> So I think it would be better to generally remove that line.

I think that makes sense, but let's ask the original author of that line
(if the email address is still valid).

John, what do you think? Is there a reason to use the
"PreferredAuthentications" option?

Thanks,
Miklos

From: John S. S. <js...@ge...> - 2011-10-21 14:31:23

On 21 Oct 2011 16:16, Miklos Szeredi wrote:
> I think that makes sense, but let's ask the original author of that line
> (if the email address is still valid).
>
> John, what do you think? Is there a reason to use the
> "PreferredAuthentications" option?
>
> Thanks,
> Miklos
>

Actually, you are the author of that line. :)

It comes from a patch you wrote which initially specified
"-oPreferredAuthentications=keyboard-interactive". The patch didn't work
at first for me on Debian, and so after testing "password" was added as
well.

If it works well without, I don't see any reason to use it.

John.

From: Miklos S. <mi...@sz...> - 2011-10-21 15:15:48

"John S. Skogtvedt" <js...@ge...> writes:

> On 21 Oct 2011 16:16, Miklos Szeredi wrote:
>> I think that makes sense, but let's ask the original author of that line
>> (if the email address is still valid).
>>
>> John, what do you think? Is there a reason to use the
>> "PreferredAuthentications" option?
>>
>> Thanks,
>> Miklos
>>
>
> Actually, you are the author of that line. :)

Oh? I truly can't remember :)

> It comes from a patch you wrote which initially specified
> "-oPreferredAuthentications=keyboard-interactive". The patch didn't work
> at first for me on Debian, and so after testing "password" was added as
> well.
>
> If it works well without, I don't see any reason to use it.

Yeah, I can see that pty_expect_loop() checks whether ssh succeeded in
connecting even without a password, so I don't see a reason not to allow
it by default.

Committed the fix.

Thanks,
Miklos

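
Added example (not part of the thread and not sshfs code): a small C model of why the forced option disabled public-key logins. The ssh client only attempts methods named in PreferredAuthentications, in that order, among those the server offers. The helper names and the OFFERED server list are constructed for illustration; DEFAULT_ORDER is the client default documented in ssh_config(5).

```c
#include <stdio.h>
#include <string.h>

/* Client default (ssh_config(5)), the list from the thread, a constructed server offer. */
#define DEFAULT_ORDER "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"
#define FORCED_ORDER  "password,keyboard-interactive"
#define OFFERED       "publickey,password,keyboard-interactive"

/* Return 1 if the first `n` bytes of `name` match an element of `list`. */
static int in_list(const char *list, const char *name, size_t n)
{
    for (const char *p = list; *p; p += (*p == ',')) {
        size_t len = strcspn(p, ",");
        if (len == n && strncmp(p, name, n) == 0)
            return 1;
        p += len;
    }
    return 0;
}

/* Write the methods the client will attempt, in order, to `out`; return the count. */
int methods_tried(const char *preferred, const char *offered, char *out, size_t outsz)
{
    int count = 0;
    size_t used = 0;
    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (const char *p = preferred; *p; p += (*p == ',')) {
        size_t len = strcspn(p, ",");
        if (len && in_list(offered, p, len) && used + len + 2 <= outsz) {
            if (count++)
                out[used++] = ',';
            memcpy(out + used, p, len);
            out[used += len] = '\0';
        }
        p += len;
    }
    return count;
}

int main(void)
{
    char buf[128];
    methods_tried(DEFAULT_ORDER, OFFERED, buf, sizeof buf);
    printf("default order: %s\n", buf);
    methods_tried(FORCED_ORDER, OFFERED, buf, sizeof buf);
    printf("forced order:  %s\n", buf);   /* publickey is never attempted */
    return 0;
}
```

With the forced list, a key-only account has no usable method at all, which matches the failure reported at the start of the thread.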